@modelcontextprotocol/client@2.0.0-alpha.2

Patch Changes

• #1840 424cbae Thanks @KKonstantinov! - tsdown exports resolution
  fix

@modelcontextprotocol/client@2.0.0-alpha.1

Major Changes

• #1783 045c62a Thanks @felixweinberger! - Remove
  WebSocketClientTransport. WebSocket is not a spec-defined transport; use stdio or Streamable HTTP. The Transport interface remains exported for custom implementations. See #142.

Minor Changes

• #1527 dc896e1 Thanks @felixweinberger! - Add
  discoverOAuthServerInfo() function and unified discovery state caching for OAuth

  • New discoverOAuthServerInfo(serverUrl) export that performs RFC 9728 protected resource metadata discovery followed by authorization server metadata discovery in a single call. Use this for operations like token refresh and revocation that need the authorization server
    URL outside of auth().
  • New OAuthDiscoveryState type and optional OAuthClientProvider methods saveDiscoveryState() / discoveryState() allow providers to persist all discovery results (auth server URL, resource metadata URL, resource metadata, auth server metadata) across sessions. This
    avoids redundant discovery requests and handles browser redirect scenarios where discovery state would otherwise be lost.
  • New 'discovery' scope for invalidateCredentials() to clear cached discovery state.
  • New OAuthServerInfo type exported for the return value of discoverOAuthServerInfo().

• #1673 462c3fc Thanks @KKonstantinov! - refactor: extract task
  orchestration from Protocol into TaskManager

  Breaking changes:

  • taskStore, taskMessageQueue, defaultTaskPollInterval, and maxTaskQueueSize moved from ProtocolOptions to capabilities.tasks on ClientOptions/ServerOptions

• #1763 6711ed9 Thanks @felixweinberger! - Add
  reconnectionScheduler option to StreamableHTTPClientTransport. Lets non-persistent environments (serverless, mobile, desktop sleep/wake) override the default setTimeout-based SSE reconnection scheduling. The scheduler may return a cancel function that is invoked on
  transport.close().

• #1443 4aec5f7 Thanks @NSeydoux! - The client credentials providers now
  support scopes being added to the token request.

• #1689 0784be1 Thanks @felixweinberger! - Support Standard Schema
  for tool and prompt schemas

  Tool and prompt registration now accepts any schema library that implements the Standard Schema spec: Zod v4, Valibot, ArkType, and others. RegisteredTool.inputSchema, RegisteredTool.outputSchema, and RegisteredPrompt.argsSchema now use
  StandardSchemaWithJSON (requires both ~standard.validate and ~standard.jsonSchema) instead of the Zod-specific AnySchema type.

  Zod v4 schemas continue to work unchanged — Zod v4 implements the required interfaces natively.

  import { type } from 'arktype';
  
  server.registerTool(
      'greet',
      {
          inputSchema: type({ name: 'string' })
      },
      async ({ name }) => ({ content: [{ type: 'text', text: `Hello, ${name}!` }] })
  );

  For raw JSON Schema (e.g. TypeBox output), use the new fromJsonSchema adapter:

  import { fromJsonSchema, AjvJsonSchemaValidator } from '@modelcontextprotocol/core';
  
  server.registerTool(
      'greet',
      {
          inputSchema: fromJsonSchema({ type: 'object', properties: { name: { type: 'string' } } }, new AjvJsonSchemaValidator())
      },
      handler
  );

  Breaking changes:

  • experimental.tasks.getTaskResult() no longer accepts a resultSchema parameter. Returns GetTaskPayloadResult (a loose Result); cast to the expected type at the call site.
  • Removed unused exports from @modelcontextprotocol/core: SchemaInput, schemaToJson, parseSchemaAsync, getSchemaShape, getSchemaDescription, isOptionalSchema, unwrapOptionalSchema. Use the new standardSchemaToJsonSchema and validateStandardSchema instead.
  • completable() remains Zod-specific (it relies on Zod's .shape introspection).

• #1710 e563e63 Thanks @felixweinberger! - Add AuthProvider for
  composable bearer-token auth; transports adapt OAuthClientProvider automatically

  • New AuthProvider interface: { token(): Promise<string | undefined>; onUnauthorized?(ctx): Promise<void> }. Transports call token() before every request and onUnauthorized() on 401 (then retry once).

  • Transport authProvider option now accepts AuthProvider | OAuthClientProvider. OAuth providers are adapted internally via adaptOAuthProvider() — no changes needed to existing OAuthClientProvider implementations.

  • For simple bearer tokens (API keys, gateway-managed tokens, service accounts): { authProvider: { token: async () => myKey } } — one-line object literal, no class.

  • New adaptOAuthProvider(provider) export for explicit adaptation.

  • New handleOAuthUnauthorized(provider, ctx) helper — the standard OAuth onUnauthorized behavior.

  • New isOAuthClientProvider() type guard.

  • New UnauthorizedContext type.

  • Exported previously-internal auth helpers for building custom flows: applyBasicAuth, applyPostAuth, applyPublicAuth, executeTokenRequest.

    Transports are simplified internally — ~50 lines of inline OAuth orchestration (auth() calls, WWW-Authenticate parsing, circuit-breaker state) moved into the adapter's onUnauthorized() implementation. OAuthClientProvider itself is unchanged.

• #1614 1a78b01 Thanks @pcarleton! - Apply resolved scope consistently
  to both DCR and the authorization URL (SEP-835)

  When scopes_supported is present in the protected resource metadata (/.well-known/oauth-protected-resource), the SDK already uses it as the default scope for the authorization URL. This change applies the same resolved scope to the dynamic client registration request
  body, ensuring both use a consistent value.

  • registerClient() now accepts an optional scope parameter that overrides clientMetadata.scope in the registration body.
  • auth() now computes the resolved scope once (WWW-Authenticate → PRM scopes_supported → clientMetadata.scope) and passes it to both DCR and the authorization request.

Patch Changes

• #1758 e86b183 Thanks @KKonstantinov! - tasks - disallow requesting
  a null TTL

• #1824 fcde488 Thanks @felixweinberger! - Drop zod from
  peerDependencies (kept as direct dependency)

  Since Standard Schema support landed, zod is purely an internal runtime dependency used for protocol message parsing. User-facing schemas (registerTool, registerPrompt) accept any Standard Schema library. zod remains in dependencies and auto-installs; users no
  longer need to install it alongside the SDK.

• #1761 01954e6 Thanks @felixweinberger! - Convert remaining
  capability-assertion throws to SdkError(SdkErrorCode.CapabilityNotSupported, ...). Follow-up to #1454 which missed Client.assertCapability(), the task capability helpers in experimental/tasks/helpers.ts, and the sampling/elicitation capability checks in
  experimental/tasks/server.ts.

• #1632 d99f3ee Thanks @matantsach! - Continue OAuth metadata discovery
  on 502 (Bad Gateway) responses, matching the existing behavior for 4xx. This fixes MCP servers behind reverse proxies that return 502 for path-aware metadata URLs. Other 5xx errors still throw...

v1.29.0

What's Changed

• fix: treat v1.x as primary branch for npm latest tag (backport #1577) by @felixweinberger in #1749
• [v1.x] fix: disallow null (infinite) requested TTL by @LucaButBoring in #1339
• [v1.x] fix: add missing size field to ResourceSchema by @olaservo in #1575
• Add typings exports by @tdraier in #1623
• v1.x npm audit fix by @KKonstantinov in #1780
• v1.x #1623 follow up -add missing types to package.json by @KKonstantinov in #1773
• [v1.x backport] Allow servers / clients to advertise extensions in the capability object by @localden in #1811
• fix(stdio): always set windowsHide on Windows, not just in Electron by @jnMetaCode in #1640
• chore: bump version to 1.29.0 by @felixweinberger in #1820

New Contributors

• @tdraier made their first contribution in #1623
• @jnMetaCode made their first contribution in #1640

Full Changelog: v1.28.0...v1.29.0

v1.28.0

What's Changed

• feat: use scopes_supported from resource metadata by default (fixes #580) by @antogyn in #757
• [v1.x backport] Default to client_secret_basic when server omits token_endpoint_auth_methods_supported by @pcarleton in #1611
• fix: reject plain JSON Schema objects passed as inputSchema by @tiluckdave in #1596
• fix: clear _timeoutInfo in _onclose() and scope .finally() abort controller cleanup by @pcarleton in #1462
• fix(server/auth): RFC 8252 loopback port relaxation by @poteat in #1738
• chore: bump version to 1.28.0 by @felixweinberger in #1746

New Contributors

• @antogyn made their first contribution in #757
• @tiluckdave made their first contribution in #1596
• @poteat made their first contribution in #1738

Full Changelog: v1.27.1...v1.28.0

v1.27.1

What's Changed

• feat: implement auth/pre-registration conformance scenario by @felixweinberger in #1545
• docs: add governance documentation for SEP-1730 by @felixweinberger in #1547
• docs: comprehensive feature documentation for SEP-1730 Tier 1 by @felixweinberger in #1548
• fix: prevent command injection in example URL opening (v1.x backport) by @maxisbey in #1579
• fix: call onerror for silently swallowed transport errors by @qing-ant in #1580
• chore: bump version to 1.27.1 by @felixweinberger in #1581

New Contributors

• @qing-ant made their first contribution in #1580

Full Changelog: v1.27.0...v1.27.1

v1.27.0

What's Changed

• feat: add conformance test infrastructure for v1.x by @felixweinberger in #1518
• feat: backport discoverOAuthServerInfo() and discovery caching to v1.x by @felixweinberger in #1533
• feat: add url property to RequestInfo interface by @valentinbeggi in #1353
• [v1.x] feat(tasks): add streaming methods for elicitation and sampling by @LucaButBoring in #1528
• chore: bump version for v1.27.0 by @felixweinberger in #1541

New Contributors

• @valentinbeggi made their first contribution in #1353

Full Changelog: v1.26.0...v1.27.0

v1.26.0

Addresses "Sharing server/transport instances can leak cross-client response data" in this GHSA GHSA-345p-7cg4-v4c7

What's Changed

• chore: bump v1.25.3 for backport fixes by @pcarleton in #1412
• fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x backport) by @samuv in #1382
• Fix #1430: Client Credentials providers scopes support (backported) by @NSeydoux in #1442
• chore: bump version to 1.26.0 by @pcarleton in #1479

New Contributors

• @samuv made their first contribution in #1382
• @NSeydoux made their first contribution in #1442

Full Changelog: v1.25.3...v1.26.0

v1.25.3

What's Changed

• [v1.x backport] Use correct schema for client sampling validation when tools are present by @olaservo in #1407
• fix: prevent Hono from overriding global Response object (v1.x) by @mattzcarey in #1411

Full Changelog: v1.25.2...v1.25.3

v1.25.2

What's Changed

• ci: trigger workflow on v1.x branch by @felixweinberger in #1319
• fix: README badges links destinations by @antonpk1 in #907
• fix: prevent ReDoS in UriTemplate regex patterns (v1.x backport) by @pcarleton in #1365

New Contributors

• @antonpk1 made their first contribution in #907

Full Changelog: 1.25.1...v1.25.2

1.25.1

What's Changed

• spec types - backwards compatibility changes by @KKonstantinov in #1306
• chore: bump version for patch fix by @felixweinberger in #1307

Full Changelog: 1.25.0...1.25.1