This release marks the completion of the full 2025-11-25 specification implementation by introducing support for Sampling with Tools and experimental client-side OAuth support. It also contains multiple bug fixes and improvements. Thanks to all contributors!
Client-side OAuth support
This release introduces experimental support for OAuth on the client side of the SDK. It aims to support the full scope of the current MCP specification for authorization. To use it, you need to compile the SDK with the -tags mcp_go_client_oauth flag. Some changes may still be applied to this new API, based on developer feedback. The functionality is planned to become stable in the v1.5.0 release, expected by the end of March 2026. More details can be found at https://github.com/modelcontextprotocol/go-sdk/blob/main/docs/protocol.md#client.
- all: client side OAuth support by @maciej-kisiel in #785
Sampling with Tools
Starting from this release, the server can use the new CreateMessageWithTools method to create a sampling request to the client that contains tools that can be used by the client. On the client side, CreateMessageWithToolsHandler may be used to handle such requests and issue ToolUse responses to the server.
Behavior changes
We have two important behavior changes that were introduced to fix a bug or improve security posture. They can be temporarily turned off by specifying a special MCPGODEBUG environment variable when running the SDK. Different options can be added together, separated by a comma.
Introduced DNS rebinding protection (MCPGODEBUG=disablelocalhostprotection=1)
Requests arriving via a localhost address (127.0.0.1, [::1]) that have a non-localhost Host header are rejected to protect against DNS rebinding attacks. The option to disable this protection will be removed in v1.6.0.
- feat: add automatic DNS rebinding protection for localhost servers by @pcarleton in #760
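The rule described above can be expressed as a small net/http middleware. This is an added example, not the SDK's own code: the names isLoopbackHost, allowRequest and rebindingGuard, the 403 status and the sample Host values are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// isLoopbackHost reports whether "host", "host:port" or "[::1]:port" is local.
func isLoopbackHost(hostport string) bool {
	host, _, err := net.SplitHostPort(hostport)
	if err != nil {
		host = strings.Trim(hostport, "[]") // no port present
	}
	if strings.EqualFold(host, "localhost") {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// allowRequest: a connection accepted on loopback must carry a localhost Host.
func allowRequest(local net.Addr, hostHeader string) bool {
	if local == nil || !isLoopbackHost(local.String()) {
		return true // rule only covers connections accepted on loopback
	}
	return isLoopbackHost(hostHeader)
}

// rebindingGuard wraps a handler; the 403 status is this example's choice.
func rebindingGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		local, _ := r.Context().Value(http.LocalAddrContextKey).(net.Addr)
		if !allowRequest(local, r.Host) {
			http.Error(w, "Host header not allowed on loopback", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	lo := &net.TCPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 8080}
	// Constructed Host header values.
	for _, h := range []string{"localhost:8080", "[::1]:8080", "rebind.example:8080"} {
		fmt.Printf("%-22s allowed=%v\n", h, allowRequest(lo, h))
	}
}
```

The check keys off the address the connection was accepted on, so a server bound to a routable interface is unaffected by it and still needs its own Host or Origin validation.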
Removed JSON content escaping when marshaling (MCPGODEBUG=jsonescaping=1)
By default, encoding/json HTML-escapes the contents of objects, which causes some servers to fail. We switched to no escaping by default. The option to bring back the escaping will be removed in v1.6.0.
- mcp: update JSON marshaling to not HTML-escape messages by @maciej-kisiel in #769
Bug fixes
A fix for a security vulnerability caused by the case-insensitive parsing behavior of encoding/json has been submitted (also released as a cherry-pick in v1.3.1). A security advisory has been posted.
- all: use case-sensitive JSON unmarshaling by @maciej-kisiel in #807
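The encoding/json behavior referred to above, together with one way to enforce exact key matching before decoding. This is an added example, not the SDK's fix: the request type, jsonNames, strictUnmarshal and the input are constructed for illustration, and the check assumes every field carries a json tag and covers top-level keys only.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
	"strings"
)

// request is a hypothetical message type used only in this example.
type request struct {
	Method string `json:"method"`
	ID     int    `json:"id"`
}

// jsonNames lists the JSON key names declared on the struct that v points to.
func jsonNames(v any) []string {
	t := reflect.TypeOf(v).Elem()
	var names []string
	for i := 0; i < t.NumField(); i++ {
		name, _, _ := strings.Cut(t.Field(i).Tag.Get("json"), ",")
		names = append(names, name)
	}
	return names
}

// strictUnmarshal rejects keys that match a field only after case folding.
func strictUnmarshal(data []byte, v any) error {
	var raw map[string]json.RawMessage
	if err := json.Unmarshal(data, &raw); err != nil {
		return err
	}
	for key := range raw {
		for _, name := range jsonNames(v) {
			if key != name && strings.EqualFold(key, name) {
				return fmt.Errorf("key %q differs from %q only by case", key, name)
			}
		}
	}
	return json.Unmarshal(data, v) // unknown keys are still ignored
}

func main() {
	in := []byte(`{"METHOD":"ping","id":1}`) // constructed input
	var loose request
	_ = json.Unmarshal(in, &loose)
	fmt.Printf("encoding/json accepts it: %+v\n", loose)
	fmt.Println("strictUnmarshal:", strictUnmarshal(in, &request{}))
}
```

Any component that inspects or filters messages by exact key name should apply the same matching rule as the component that finally decodes them.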
Other fixes:
- mcp: validation only for accept action by @CocaineCong in #766
- mcp: allow SSE messages with empty data (SEP-1699) by @maciej-kisiel in #779
- jsonrpc2: fix Content-Length header parsing to be case-insensitive by @nithinputhenveettil in #789
- mcp: fix multi-select enum elicitation by @maciej-kisiel in #795
- mcp: return 400 instead of 500 when body read fails in stateless mode by @roncodingenthusiast in #817
Enhancements
Notably, the SDK now supports the extensions field in client and server capabilities, which should enable creation of MCP Apps.
Other enhancements:
- mcp: enforce retry limit when SSE stream makes no progress by @majiayu000 in #742
- mcp: export session missing error by @CocaineCong in #771
- fix: add JSON tags to ElicitationCapabilities fields by @awschmeder in #774
- mcp: improve http transports error handling and make transport work with any size message by @alexbumbacea in #734
- examples: bind auth-middleware server to localhost by default by @TheodorNEngoy in #784
Repository organization
Some effort was put into better organization of the repository, as well as making sure it's up to date and secure. As a highlight, the repository is now integrated with OSSF Scorecard with a positive score of 8.7. Additionally, the full conformance test suite is now run on every PR and push to main.
- chore: update licensing to Apache 2.0 for new contributions by @domdomegg in #750
- chore: update dependencies to newest versions, require Go 1.24 by @maciej-kisiel in #765
- conformance: prepare the conformance test suite by @maciej-kisiel in #764
- chore: use rand.Text and slog.DiscardHandler over internal implementation by @IAmSurajBobade in #773
- conformance: mark the new dns-rebinding-protection scenario as failing by @maciej-kisiel in #775
- conformance: trigger conformance tests automatically by @maciej-kisiel in #776
- mcp: finalize cleanup of Go 1.23, make Go version support explicit by @maciej-kisiel in #780
- Use omitzero json tag for byte array field in ResourceContents, instead of omitempty by @IAmSurajBobade in #782
- Testing: use synctest for timing-dependent tests by @La002 in #756
- chore: add ROADMAP.md by @maciej-kisiel in #788
- chore: bump node.js version for conformance test runs. by @maciej-kisiel in #796
- Update issue templates by @maciej-kisiel in #797
- chore: add an issue template for enhancements by @maciej-kisiel in #798
- chore: setup dependabot to update github actions. by @maciej-kisiel in #800
- build(deps): bump actions/setup-node from 4.1.0 to 6.2.0 by @dependabot[bot] in #801
- build(deps): bump actions/setup-go from 5.5.0 to 6.2.0 by @dependabot[bot] in #804
- build(deps): bump actions/checkout from 4.3.0 to 6.0.2 by @dependabot[bot] in #803
- Update SECURITY.md to use GitHub Security Advisories by @localden in #809
- chore: Configure OSSF Scorecard action by @maciej-kisiel in #811
- chore: configure a simple AGENTS.md file and a skill for fixing GitHu… by @maciej-kisiel in #810
- chore: update publish-docs permissions to be more targeted. by @maciej-kisiel in #812
- chore: increase timeout for conformance server start. by @maciej-kisiel in #813
- chore: update the version of the conformance suite. by @maciej-kisiel in #814
- chore: Configure advanced CodeQL setup by @maciej-kisiel in #819
New Contributors
- @domdomegg made their first contribution in #750
- @majiayu000 made their first contribution in #742
- @awschmeder made their first contribution in #774
- @alexbumbacea made their first contribution in #734
- @TheodorNEngoy made their first contribution in #784
- @pcarleton made their first contribution in #760
- @nithinputhenveettil made their first contribution in #789
- @ymmt2005 made their first contribution in #794
- @localden made their first contribution in #809
- @roncodingenthusiast made their first contribution in #817
Full Changelog: v1.3.0...v1.4.0