This release introduces several smaller fixes and improvements, and we have started working toward release 2026-06-30. The main new feature is ClientCredentialsHandler for the OAuth client credentials grant.
Add ClientCredentialsHandler for OAuth client credentials grant
Added ClientCredentialsHandler implementing auth.OAuthHandler using the OAuth 2.0 Client Credentials grant (RFC 6749 Section 4.4) for service-to-service authentication with pre-registered credentials.
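The exchange behind the client credentials grant (RFC 6749 Section 4.4), shown from both sides as an added example using only the Go standard library. It is not the SDK's ClientCredentialsHandler or code from this project; `tokenEndpoint`, `fetchToken` and the credential and token values are hypothetical names and constructed data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

const demoID, demoSecret = "svc-reporting", "constructed-secret" // constructed values
// tokenEndpoint is a stand-in authorization server for this demo only.
func tokenEndpoint(w http.ResponseWriter, r *http.Request) {
	id, secret, ok := r.BasicAuth()
	switch {
	case !ok || id != demoID || secret != demoSecret:
		http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
	case r.PostFormValue("grant_type") != "client_credentials":
		http.Error(w, `{"error":"unsupported_grant_type"}`, http.StatusBadRequest)
	default:
		fmt.Fprint(w, `{"access_token":"tok-constructed","token_type":"Bearer","expires_in":3600}`)
	}
}

// fetchToken is the client side; credentials go in the Authorization header, never the URL.
func fetchToken(endpoint, id, secret string) (string, error) {
	payload := strings.NewReader("grant_type=client_credentials")
	req, err := http.NewRequest(http.MethodPost, endpoint, payload)
	if err != nil {
		return "", err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(url.QueryEscape(id), url.QueryEscape(secret)) // RFC 6749 Section 2.3.1
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var body struct{ Token string `json:"access_token"` }
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil || resp.StatusCode != http.StatusOK || body.Token == "" {
		return "", fmt.Errorf("token request failed: status %d", resp.StatusCode)
	}
	return body.Token, nil
}

func main() {
	srv := httptest.NewServer(http.HandlerFunc(tokenEndpoint))
	defer srv.Close()
	fmt.Println(fetchToken(srv.URL, demoID, demoSecret))
}
```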
2026-06-30 Release related PRs
- feat: add automatic application_type inference by @guglielmo-san in #904
  New application_type field is added to the ClientRegistrationMetadata for DynamicClientRegistration. If not specified, the application_type will be inferred from the RedirectURIs. This implements SEP-837.
- feat: HTTP Header Standardization for method and name by @guglielmo-san in #907
  By mirroring key fields from the JSON-RPC payload into HTTP headers, network intermediaries such as load balancers, proxies, and observability tools can route and process MCP traffic without deep packet inspection, reducing latency and computational overhead. This partially implements SEP-2243.
Behavior Changes
SetError Behavior Change
Previously the SetError method on CallToolResult always overwrote the Content field with the error text. Now SetError preserves the existing value if it has already been populated. You can restore the previous behavior by setting the environment variable seterroroverwrite=1.
Cross-Origin Protection Default Change
Previously (v1.4.1-v1.5.0), a default (zero-value) cross-origin protection was applied when CrossOriginProtection in StreamableHTTPOptions was nil. Now cross-origin protection is not enabled by default when CrossOriginProtection is nil, so a server that relied on the implicit default is no longer protected after upgrading unless it sets CrossOriginProtection itself.
You can restore the previous behavior (enable by default) by setting enableoriginverification=1.
- mcp: remove default cross origin protection by @maciej-kisiel in #906
disablecrossoriginprotection was replaced by enableoriginverification after the default was changed to not enable cross-origin protection.
The jsonescaping option was removed, according to plan.
Other Changes to the SDK
- internal: remove unused util functions by @alexandear in #871
- build(deps): bump github/codeql-action from 4.32.4 to 4.35.1 by @dependabot[bot] in #873
- build(deps): bump actions/setup-go from 6.3.0 to 6.4.0 by @dependabot[bot] in #874
- build(deps): bump actions/setup-node from 6.2.0 to 6.3.0 by @dependabot[bot] in #875
- build(deps): bump dominikh/staticcheck-action from 1.4.0 to 1.4.1 by @dependabot[bot] in #872
- oauthex: accept 200 in client registration by @MatyasVondraOutreach in #877
- mcp: allow Content-Type parameters in streamable transport by @rafaeljusto in #878
- mcp: preserve existing Content in SetError by @ravyg in #864
- mcp: fix race condition in ServerSession.startKeepalive by @begelundmuller in #856
- chore: preserve CNAME when deploying to GitHub pages by @maciej-kisiel in #884
- extauth: refactor enterprise auth tests by @maciej-kisiel in #879
- feat: Add Support for mkdocs by @Dinesht04 in #883
- mcp: add DNS rebinding and cross origin protections to SSE transport by @maciej-kisiel in #891
- mcp: log out-of-band errors instead of dropping them by @ravyg in #887
- mcp: don't close session when keepalive ping returns method-not-found by @maciej-kisiel in #900
- mcp: accept parameterized Content-Type types by @kalvinnchau in #890
- mcp: remove default cross origin protection by @maciej-kisiel in #906
- Update README.md by @N-Masi in #896
- mcp: preserve transport errors in Write error chain by @jpugliesi in #888
- mcp: do not re-prompt OAuth after cancelled Authorize by @ravyg in #885
- mcp: Upgrade jsonschema-go by @rafaeljusto in #912
- internal/jsonrpc2: remove unused code by @maciej-kisiel in #910
- MCPGODEBUG update for 1.6.0 by @maciej-kisiel in #893
New Contributors
- @MatyasVondraOutreach made their first contribution in #877
- @rafaeljusto made their first contribution in #878
- @begelundmuller made their first contribution in #856
- @Dinesht04 made their first contribution in #883
- @N-Masi made their first contribution in #896
- @jpugliesi made their first contribution in #888
- @guglielmo-san made their first contribution in #904
Full Changelog: v1.5.0...v1.6.0-pre.1