v1.2.0-pre.1

This release adds partial support for the 2025-11-25 version of the MCP spec and fixes some bugs in the streamable transports. It also includes some minor new APIs, changes to contributing flows, and small bugfixes.

Please test the prerelease if you can, and review any pending proposals included in the release. Your feedback is greatly appreciated!

Contributing changes

• CONTRIBUTING.md is updated to remove the ad-hoc antitrust policy (#651), and add a dependency update policy (#635).
• An example server (examples/server/conformance) is added for the new conformance tests at modelcontextprotocol/conformance. Test can be run with scripts/conformance.sh (#650).

Partial support for the 2025-11-25 spec

The following SEPs from the 2025-11-25 spec are now supported. Please see #725 for the proposed API additions included to support these SEPs.

• SEP-973: icons and metadata (#570)
• SEP-986: tool name validation (#640)
• SEP-1024: elicitation defaults (#644)
• SEP-1036: URL mode elicitation (#646)
• SEP-1699: SSE polling (#663)
• SEP-1330: elicitation enum improvements (#676)

Other API additions

• Common error codes are now available through the sentinel jsonrpc.Error (#452)
• OAuth 2.0 Protected Resource Metadata support (#643)
• ClientCapabilities.RootsV2 and RootCapabilities are added to work around an API bug (#607)
• Capabilities fields are added to ServerOptions and ClientOptions, to simplify capability configuration (#706)

Streamable fixes

Several bug fixes are included for the streamable transports:

• mcp: relax SSE connection response handling in non-strict mode by @zhxie in #611
• Fix: Skip non-message SSE events in processStream by @raphaelmansuy in #637
• mcp: better handling for streamable context cancellation by @findleyr in #677
• mcp: don't break the streamable client connection for transient errors by @findleyr in #723

Other notable bugfixes

• fix: handle Windows CRLF in MCP client(#664) by @isfzhang in #665
• auth, mcp: add UserID to TokenInfo for session hijacking prevention by @findleyr in #695
• internal/docs: document UserID for session hijacking prevention by @findleyr in #697
• mcp: allow re-using connections in more cases by @howardjohn in #709
• oauthex: validate URL schemes in auth server metadata and DCR by @findleyr in #712
• mcp: debounce server change notifications by @findleyr in #717
• oauthex: fix content type check in getJSON by @nikolavp in #721

New Contributors

• @zhxie made their first contribution in #611
• @SpringMT made their first contribution in #614
• @raphaelmansuy made their first contribution in #637
• @markus-kusano made their first contribution in #644
• @isfzhang made their first contribution in #665
• @orius123 made their first contribution in #643
• @howardjohn made their first contribution in #709
• @nikolavp made their first contribution in #721

Full Changelog: v1.1.0...v1.2.0-pre.1

v1.1.0

This release introduces a few new features, and includes improvements and bug fixes for the streamable transport. Notably, the default behavior of the streamable server transport is changed to disable streams resumption (see #580).

Behavior Changes

Stream resumption disabled by default. In the StreamableServerTransport, the default value of nil for the EventStore field now disables stream resumption, rather than defaulting to use an in-memory event store. Resumption is not desirable in many cases, particularly for servers that must serve a large number of users and/or streams.

If you want to enable resumption, set StreamableHTTPOptions.EventStore.

In general, we will avoid changing behaviors that may be relied upon by users, but in this case the old default was deemed to be an oversight/bug, and fixing it now will benefit future users.

API Additions

• IOTransport is a new general-purpose transport constructed from an io.ReadCloser and io.WriteCloser (#444 ).
• ServerOptions.Logger and StreamableHTTPOptions.Logger enable server-side logging (#170).
• StreamableHTTPOptions.EventStore enables stream resumption (#587).
• StreamableHTTPOptions.SessionTimeout adds a timeout which, when set, causes idle sessions to be automatically closed (#499).

Experimental client-side oauth support

The auth package now includes experimental APIs when build with the mcp_go_client_oauth build tag. See auth/client.go for more details. These APIs may change before their official release.

New Contributors

• @atomAltera made their first contribution in #376
• @Adebayo120 made their first contribution in #555
• @jhrozek made their first contribution in #561
• @AdrielVelazquez made their first contribution in #566
• @appleboy made their first contribution in #567
• @RyoKusnadi made their first contribution in #563
• @TomCN0803 made their first contribution in #581
• @rutu1717 made their first contribution in #603

Full Changelog: v1.0.0...v1.1.0

v1.1.0-pre.2

This change fixes a few bugs in v1.1.0-pre.1. We plan to release it as v1.1.0 later today or tomorrow.

What's Changed

• docs: document support for resumability and redelivery by @findleyr in #606
• mcp: establish the streamable client standalone SSE stream in Connect by @findleyr in #604
• mcp: don't persist failed streamable sessions by @findleyr in #605
• auth: change OAuthHandler to take http Request and Response by @rutu1717 in #603

New Contributors

• @rutu1717 made their first contribution in #603

Full Changelog: v1.1.0-pre.1...v1.1.0-pre.2

v1.1.0-pre.1

This release introduces a few new features, and includes improvements and bug fixes for the streamable transport. Notably, the default behavior of the streamable server transport is changed to disable streams resumption (see #580).

Behavior Changes

Stream resumption disabled by default. In the StreamableServerTransport, the default value of nil for the EventStore field now disables stream resumption, rather than defaulting to use an in-memory event store. Resumption is not desirable in many cases, particularly for servers that must serve a large number of users and/or streams.

If you want to enable resumption, set StreamableHTTPOptions.EventStore.

In general, we will avoid changing behaviors that may be relied upon by users, but in this case the old default was deemed to be an oversight/bug, and fixing it now will benefit future users.

API Additions

• IOTransport is a new general-purpose transport constructed from an io.ReadCloser and io.WriteCloser (#444 ).
• ServerOptions.Logger and StreamableHTTPOptions.Logger enable server-side logging (#170).
• StreamableHTTPOptions.EventStore enables stream resumption (#587).
• StreamableHTTPOptions.SessionTimeout adds a timeout which, when set, causes idle sessions to be automatically closed (#499).

Experimental client-side oauth support

The auth package now includes experimental APIs when build with the mcp_go_client_oauth build tag. See auth/client.go for more details. These APIs may change before their official release.

New Contributors

• @atomAltera made their first contribution in #376
• @Adebayo120 made their first contribution in #555
• @jhrozek made their first contribution in #561
• @AdrielVelazquez made their first contribution in #566
• @appleboy made their first contribution in #567
• @RyoKusnadi made their first contribution in #563
• @TomCN0803 made their first contribution in #581

Full Changelog: v1.0.0...v1.1.0-pre.1

v1.0.0

This is a stable release of the Go SDK.

This release is functionally equivalent to v0.8.0, but formalizes a compatibility guarantee: going forward we won’t make breaking API changes. The API we have is not perfect, but it’s important that we commit to supporting it so that others can depend on the SDK without further churn. If we want to improve the current API in the future, we’ll do so in backward compatible ways, such as by deprecating and adding. For example, #396, #460 and #533 propose new functions that improve the ergonomics of the current API. Given the rate of change of the MCP spec, it seems likely that we’ll want to go to v2 at some point, but we should delay that event for as long as possible.

This release also marks a level of relative completeness. You should be able to implement essentially any behavior described in the MCP spec using the SDK (except client-side OAuth—see #19). See our feature documentation for information on how the SDK models different aspects of the spec.

Finally, this release represents a certain level of maturity. With the help of our contributors, we’ve endeavored to be responsive to bug reports, and as of writing have fixed 60 out of 61 bugs that have been reported against the SDK. Furthermore, the SDK is getting real-world usage both at Google and in the broader Go community. Much of this usage appears to be using the simpler stdio or sse transports; we anticipate further bug reports and feature requests as the SDK is used in larger, distributed streamable servers.

We owe a great deal of thanks to everyone who has filed bugs or contributed to the SDK. To date, we’ve accepted PRs from 58 distinct contributors, and many more people have filed issues or commented. We’d also like to thank those who have helped maintain the many other SDKs that compose the Go MCP ecosystem.

The plan now is to pay close attention to incoming bug reports, finalize client-side OAuth support, revisit our current set of proposals, and prepare for the next version of the MCP spec. Please use the SDK and continue to file issues. Thanks again!

What's Changed

Not much has changed since v0.8.0, though notably #539 partially addresses the security issue described in #526 (see also https://verialabs.com/blog/from-mcp-to-shell).

New Contributors

• @chuckha made their first contribution in #541

Full Changelog: v0.8.0...v1.0.0

v0.8.0

This release exists to include the API change from #518, mentioned in the v0.7.0 release. It also includes a small change to remove extraneous API.

This concludes our API audit. Barring a realization over the weekend, we will cut v1.0.0 and any further API changes will be handled in a backwards compatible way.

API Changes

• #518: JSON schema fields are relaxed to type any, to decouple the SDK's API from the github.com/google/jsonschema-go/jsonschema package. Now that package is only used for inference (in mcp.AddTool) and validation.
• #535: remove error code constants that were functionally inaccessible.

Full Changelog: v0.7.0...v0.8.0

v0.7.0

This release fixes a couple bugs related to the StreamableClientTransport, and relaxes it to be less strict so that it can talk to certain servers that don't perfectly conform to the spec. It also updates to google/[email protected], which includes a couple backwards incompatible bug fixes (see below).

For more details, see the v0.7.0 milestone.

API Changes

No changes in the API of the SDK itself, but the updated google/[email protected] contained the following incompatible bug fixes:

• google/jsonschema-go#26: the key for ForOptions.TypeSchemas must be a reflect.Type, as incomparable values are not valid map keys.
• google/jsonschema-go#23: validation of struct values is disallowed, because it can't verify certain schema properties such as 'required', and doesn't respect custom JSON marshalling

See #518 for a proposal to significantly decouple the SDK from the jsonschema-go package (though it would still be used for inference and validation). This decision blocks the v1.0.0 release.

New Contributors

• @xieyuschen made their first contribution in #509
• @manuelibar made their first contribution in #514

Full Changelog: v0.6.0...v0.7.0

v0.6.0

This release makes a couple minor API tweaks that arose in preparation for v1.0.0, and adds significant feature documentation in the docs/ directory.

This is a release candidate, and all release blocking issues have now been addressed. We will tag v1.0.0 following a final audit (see also #328).

For more details, see the v0.6.0 milestone.

API Changes

• Remove the distinguished StreamID type, which was inconsistent with (for example) session IDs, which are strings (#484).
• Moved GetSessionID onto ServerOptions, as that is more generally useful, and since ServerSession exposes an ID method (#478).
• Added options for the SSE HTTP handler (#503). The SSE transport is legacy, but it was still inconsistent that this constructor did not accept options.

Bug fixes

• Unstructured content is now byte-wise equivalent to structured content (#475).
• A few performance optimizations were made for streamable HTTP serving (capping off #190).

New Contributors

• @frenchi made their first contribution in #456
• @fgrosse made their first contribution in #488
• @IAmSurajBobade made their first contribution in #508

Full Changelog: v0.5.0...v0.6.0

v0.5.0

This release fixes several bugs related to schema validation, and makes the final set of breaking changes planned before the v1 release.

For more details, see the v0.5.0 milestone.

API Changes

• Removed transport constructors (#305). These were deprecated in #272, but we left the constructors so that they could more easily be inlined away via the go:fix inline directive and gopls. Now they are removed.
• Removed support for batching when the spec version is 2025-06-18 or higher (#21). This is newly strict, but aligns with the MCP spec.

Bug fixes

The following notable bugs are fixed, related to JSON schema validation.

• JSON schema for nested structs is now handled correctly (#437).
• Validation of types with custom JSON marshalling is fixed (#447).
• Validation now correctly catches missing fields (#449).
• Validation is now strictly case-sensitive (a consequence of the preceding fixes).

New Contributors

• @flc1125 made their first contribution in #427
• @cruffinoni made their first contribution in #363
• @ankitm123 made their first contribution in #451

Full Changelog: v0.4.0...v0.5.0

v0.4.0

This release fixes several bugs, and expands on OAuth support and examples. It also makes a few (hopefully minor) API changes as we approach a release candidate (see #328).

For more details, see the v0.4.0 milestone.

Thank you to all who tested the SDK, filed bugs, and contributed.

API Changes

This release includes the following incompatible changes:

• mcp.CallToolRequest now holds an mcp.CallToolParamsRaw, to avoid confusion about the raw state of Arguments (see proposal #377)
• mcp.ToolFor is unexported, as it was also a footgun: modifying the resulting schema was ineffective (see proposal #401).
• auth.TokenVerifier is changed from func(context.Context, string) (*TokenInfo, error) to func(context.Context, string, *net/http.Request) (*TokenInfo, error), to allow access to the HTTP request (see proposal #403).

Additionally, it includes the following additions:

• mcp.StreamableServerTransport.JSONResponse and mcp.StreamableHTTPOptions.JSONResponse are exported, to configure serving responses as application/json rather than text/event-stream (#397).
• auth.ErrOAuth is added.

New Examples

Several new examples are added to demonstrate different ways to use the SDK. We will continue to expand on these examples and other documentation as we approach the release.

• examples/server/auth-middleware provides an example of server-side auth middleware.
• examples/http provides an example of HTTP logging middleware.
• examples/server/distributed provides an example of an MCP server distributed across multiple subprocesses.
• examples/server/toolschemas provides several examples of configuring tool schemas.

Bug fixes

Several notable bugs or misbehaviors are addressed:

• Typed tool handlers now verify against their output schema (#301).
• The streamable hanging GET now sends HTTP headers immediately, to avoid client timeouts (#410).
• Strictness around notifications/initialized is relaxed, to fix flaky initialization with Claude (#395).
• Mcp-Session-Id response headers are now sent only for the Initialize request, per the spec (#416).

New Contributors

• @bradhoekstra made their first contribution in #392
• @CCpro10 made their first contribution in #397
• @KasonBraley made their first contribution in #420

Full Changelog: v0.3.1...v0.4.0