MCP stateless GA is 18 days out: the week-three handle migration sprint I run before July 28
The MCP 2026-07-28 spec publishes July 28 with a stateless core: no initialize handshake, no Mcp-Session-Id, routing on Mcp-Method headers, and application state as explicit tool handles. Week 3 is where teams either mint basket_id-style handles or learn from 502s. Here is the sprint checklist I run 18 days before GA.
In this post (6 sections)
Introduction
I have watched three teams hit week 3 of the MCP stateless migration and discover their checkout flow still assumed Mcp-Session-Id would route the second tools/call to the same pod. Stateless MCP is not "delete Redis and hope." It is "move state into handles your server owns and test round-robin before GA."
July 28 is 18 days out. If you finished week 1 (grep for session assumptions) and week 2 (SDK RC bumps), week 3 is the handle sprint. This post is the checklist I run on engagements when GA is close enough that procrastination becomes an outage.
What week 3 actually means
- Every multi-step workflow gets an explicit handle schema documented in the tool definition.
- Server mints the handle on step 1; client passes it on steps 2–N as a required argument.
- Handles are bound to oauth_subject or tenant_id; cross-tenant replay must fail closed.
- Round-robin load tests run without sticky sessions on the gateway.
- List/read endpoints emit ttlMs and cacheScope before you rely on client-side caching.
The week-three sprint checklist
- 01Document handle schemas in tool definitionsAdd handle fields to inputSchema with format and description. Clients should not guess handle shape from error messages. If your MCP server uses OpenAPI-style tools, publish handle lifecycle in the tool description "when to use" block.
- 02Mint handles server-side on step 1 onlyNever trust client-generated UUIDs for stateful workflows unless you also verify ownership on every subsequent call. Bind handle creation to the authenticated principal from OAuth or EMA.
- 03Run round-robin without sticky sessionsPoint two or more server instances behind a plain load balancer. Execute a three-step tool flow ten times. Any 502 or empty response on step 2 means state still lives in protocol memory or pod-local RAM.
- 04Verify cacheScope before enabling client cachesHit tools/list as two different OAuth identities. cacheScope must prevent cross-user bleed. Wrong scope is a confidentiality bug, not a performance tweak.
- 05Pair with header security auditWeek 3 handle work often touches gateway routing. Re-run the MCP header security checklist so Mcp-Method paths do not accidentally carry secrets into proxy logs.
What not to do in week 3
- Deleting Redis before handles work in staging.
- Treating handles as optional "nice to have" on checkout flows.
- Running EMA rollout and stateless cutover in the same maintenance window.
- Skipping load tests because "we only have one instance in prod."
- Assuming deprecated Roots/Sampling disappear on GA day (12-month window).
How this connects to observability
Add handle_id, Mcp-Method, cache hit/miss, and oauth_subject as required dimensions in the agent observability stack. Week 3 failures show up as mysterious step-2 errors until you can trace which instance served which call.
If you run MCP through a governance gateway, confirm handle minting events appear in audit exports. Stateless routing makes session IDs disappear; handles become your correlation key.
Conclusion
Week 3 is the difference between stateless MCP on paper and stateless MCP in production. Mint handles, test round-robin, verify cache scope, audit headers. July 28 should be boring. Boring is the goal.
Sources: MCP 2026-07-28 release candidate at https://blog.modelcontextprotocol.io/posts/2026-07-28-release-candidate/; SEP-2567 explicit state handles; SEP-2575 stateless transport.
Agentic AI patterns, delivered Thursdays
What I am shipping, watching, and pruning out of client stacks each week. One email. No fluff.