[BUG] non-JSON on initialize #262
Description
We built client that calls into this mcp expecting a json for initialize call. Seems like the response is non-JSON
Command: authprobe scan --llm-max-tokens=1080 --openai-api-key=***REDACTED*** http://localhost:8020/mcp
Scanning: http://localhost:8020/mcp
Scan time: Feb 20, 2026 06:48:56 UTC
Github: https://github.com/authprobe/authprobe
Funnel
[1] MCP probe (401 + WWW-Authenticate) [-] SKIP
probe returned 405; checking PRM for OAuth config
[2] MCP initialize + tools/list [X] FAIL
initialize -> 200 (non-JSON response)
[3] PRM fetch matrix [X] FAIL
PRM unreachable or unusable; OAuth discovery unavailable
[4] Auth server metadata [-] SKIP
auth not required
[5] Token endpoint readiness (heuristics) [-] SKIP
auth not required
[6] Dynamic client registration (RFC 7591) [-] SKIP
auth not required
Primary Finding (HIGH): MCP_INITIALIZE_FAILED (confidence 1.00)
Evidence:
initialize -> 200 (non-JSON response)
MCP servers should accept the initialize JSON-RPC request and return a valid JSON response
per the MCP specification.
┌───────────────────────┤ CALL TRACE ├───────────────────────┐
Call Trace Using: https://github.com/authprobe/authprobe
┌────────────┐ ┌────────────┐
│ authprobe │ │ MCP Server │
└─────┬──────┘ └─────┬──────┘
│ │
│ ╔═══ Step 1: MCP probe ═══════╪═══════════════════╗
│ GET http://localhost:8020/mcp
│ Reason: 401 + WWW-Authenticate discovery
│ Accept: text/event-stream
│ Host: localhost:8020
├─────────────────────────────────────────────────────────────────►│
│ 405 Method Not Allowed
│ Connection: keep-alive
│ Date: Fri, 20 Feb 2026 06:48:51 GMT
│ Keep-Alive: timeout=5
│ X-Powered-By: Express
│◄─────────────────────────────────────────────────────────────────┤
│ │
│ ╔═══ Step 2: MCP initialize ═══════╪═══════════════════╗
│ POST http://localhost:8020/mcp
│ Reason: Step 2: MCP initialize + tools/list (pre-init tools/list)
│ Accept: application/json, text/event-stream
│ Content-Type: application/json
│ Host: localhost:8020
│ Mcp-Protocol-Version: 2025-11-25
├─────────────────────────────────────────────────────────────────►│
│ 200 OK
│ Cache-Control: no-cache
│ Connection: keep-alive
│ Content-Type: text/event-stream
│ Date: Fri, 20 Feb 2026 06:48:51 GMT
│ X-Powered-By: Express
│◄─────────────────────────────────────────────────────────────────┤
│ │
│ POST http://localhost:8020/mcp
│ Reason: Step 2: MCP initialize + tools/list (initialize)
│ Accept: application/json, text/event-stream
│ Content-Type: application/json
│ Host: localhost:8020
│ Mcp-Protocol-Version: 2025-11-25
├─────────────────────────────────────────────────────────────────►│
│ 200 OK
│ Cache-Control: no-cache
│ Connection: keep-alive
│ Content-Type: text/event-stream
│ Date: Fri, 20 Feb 2026 06:48:52 GMT
│ X-Powered-By: Express
│◄─────────────────────────────────────────────────────────────────┤
▼ ▼
┌──────────────────┤ ROOT-CAUSE ANALYSIS ├───────────────────┐
Summary:
The primary failure (MCP_INITIALIZE_FAILED) is valid and justified. The MCP server at http://localhost:8020/mcp incorrectly responds to the required MCP initialize JSON-RPC request with a 200 HTTP status but a non-JSON response, violating the MCP 2025-11-25 specification and JSON-RPC 2.0 requirements. This failure prevents proper client-server communication initialization and is a critical non-compliance.
Relevant Specifications and Requirements
-
MCP 2025-11-25 (Media Client Profile)
- Section 4.3.1 (Initialization) mandates that MCP servers accept an
initializeJSON-RPC request as the first valid interaction and respond with a valid JSON-RPC response object. - MCP clients MUST NOT send other MCP requests (e.g.,
tools/list) before a successfulinitializeresponse is received. - Servers MUST reply with valid JSON responses per JSON-RPC 2.0, signaling that the server is ready and confirming configuration.
- Section 4.3.1 (Initialization) mandates that MCP servers accept an
-
JSON-RPC 2.0 (RFC 792)
- Defines the protocol for requests and responses:
- Requests and responses must be valid JSON Objects.
- A successful response includes at minimum:
{ "jsonrpc": "2.0", "result": <data>, "id": <request id> } - Errors must be signaled with a proper JSON error object.
- Returning a non-JSON response violates the JSON-RPC protocol and breaks client expectations of syntactic parsing.
- Defines the protocol for requests and responses:
-
RFC 8414 (OAuth 2.0 Authorization Server Metadata) and RFC 9728 (OAuth 2.0 Mutual TLS Profiles for OAuth Clients)
- Relevant for OAuth discovery and communication but secondary here: since MCP requires OAuth metadata retrieval (PRM fetch) after successful
initialize. - Because initialization failed, OAuth discovery (step 3) also failed, which cascades from this primary failure.
- Relevant for OAuth discovery and communication but secondary here: since MCP requires OAuth metadata retrieval (PRM fetch) after successful
-
General HTTP Semantics (RFC 3986, etc.)
- HTTP 200 alone does not guarantee semantic correctness. Returning HTTP 200 with a non-JSON payload for a JSON-RPC endpoint is inconsistent and non-compliant.
Explanation of the Scan Outcome (Primary Failure)
-
Step [2] MCP initialize + tools/list: FAIL
- Server responded HTTP 200 to the
initializerequest but the body was not valid JSON per JSON-RPC 2.0 expectations. - The initialize request is mandated by MCP 2025-11-25 §4.3.1 to establish session parameters.
- The tool received a non-parseable response, thus it cannot proceed with client initialization or further authenticated MCP commands.
- Server responded HTTP 200 to the
-
Effect:
- Initialization of MCP session fails.
- Since MCP initialization is prerequisite for other MCP calls, all subsequent MCP commands fail or become undefined.
- The PRM (Policy Reference Matrix) OAuth discovery scan (step 3) fails as a consequence of failing MCP initialization.
Correct Server Behavior According to MCP 2025-11-25 and JSON-RPC 2.0
-
On receiving
initializerequest:- The server MUST parse the incoming JSON-RPC request.
- Perform any initialization steps as configured.
- Respond with a valid JSON-RPC 2.0 response object containing JSON:
{ "jsonrpc": "2.0", "result": { "mcpVersion": "2025-11-25", "capabilities": [ ... ], "supportedAuth": [ ... ] }, "id": <request-id> } - Return HTTP status code 200 with content-type
application/json(or equivalent JSON media type).
-
Enforce Initialization Ordering:
- No MCP server method other than
initializeshould be accepted before initialization succeeds. - Example:
tools/listbefore initialize must fail or be rejected with appropriate JSON error response.
- No MCP server method other than
-
Maintain Proper Content-Type Headers:
- Ensure response headers match payload type (
application/json). - Avoid non-JSON or HTML pages for JSON-RPC calls.
- Ensure response headers match payload type (
Why the Failure is Justified
- The
initializecall is mandatory and foundational; failure to process it with valid JSON-RPC response breaks the MCP protocol flow. - This is a high severity failure because:
- It prevents clients from establishing a session or moving forward.
- It causes cascading failures like inability to fetch PRM or OAuth metadata.
- Returning a 200 with a non-JSON body is effectively misrepresenting the response, making the server non-compliant with MCP 2025-11-25 and JSON-RPC 2.0.
- Best-effort mode still expects minimal compliance on the essential
initializecall.
Recommendations to Fix the Failure
- Implement JSON-RPC 2.0 compliant handling for the
/mcpendpoint, especially theinitializemethod.