Skip to content

Releases: modelcontextprotocol/go-sdk

v1.3.1

18 Feb 16:18
@maciej-kisiel maciej-kisiel
v1.3.1
This tag was signed with the committer’s verified signature.
maciej-kisiel Maciej Kisiel
SSH Key Fingerprint: KqPZd4n3AN05jyvoqCVz5TeysdqkO8uI2QcsGsy9Nvk
Verified
Learn about vigilant mode.
6e8ca56
This commit was signed with the committer’s verified signature.
maciej-kisiel Maciej Kisiel
SSH Key Fingerprint: KqPZd4n3AN05jyvoqCVz5TeysdqkO8uI2QcsGsy9Nvk
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v1.3.1 Latest
Latest

This release is a patch release for v1.3.0.

It contains a cherry-pick for a security issue reported in #805, which takes advantage of the default behavior of Go's standard library JSON decoder that allows case-insensitive matches to struct field names (or "json" tags). The issue has been addressed by changing the JSON decoder to one that supports case sensitive matching.

Fixes

New external dependencies

Full Changelog: v1.3.0...v1.3.1

Contributors

maciej-kisiel
Assets 2
Loading

v1.3.0

09 Feb 15:14
@maciej-kisiel maciej-kisiel
v1.3.0
6b75899

Choose a tag to compare

View all tags
v1.3.0

This release is equivalent to v1.3.0-pre.1. Thank you to those who tested the pre-release.

This release includes several enhancements and bugfixes. Worth mentioning is the addition of schema caching, which significantly improves the performance in some stateless server deployment scenarios.

Dependency updates

  • go.mod: upgrade to jsonschema v0.4.2 by @jba in #732

Enhancements

  • perf: add schema caching to avoid repeated reflection by @SamMorrowDrums in #685
  • mcp: add DisableListening option to StreamableClientTransport by @zxxf18 in #729
  • feat: deprecated logger in client & add Logger in ClientOption by @CocaineCong in #738
  • feat: deleted the old logger in client by @CocaineCong in #744
  • Export GetError and SetError methods by @jba in #753

Bugfixes

Chores

  • docs: adds SDK version support matrix by @La002 in #737
  • .github/workflows: add nightly conformance tests by @findleyr in #752

New Contributors

Full Changelog: v1.2.0...v1.3.0

Contributors

maciej-kisiel, SamMorrowDrums, and 7 other contributors
Loading

v1.3.0-pre.1

27 Jan 11:55
@maciej-kisiel maciej-kisiel
v1.3.0-pre.1
6b75899

Choose a tag to compare

View all tags
v1.3.0-pre.1 Pre-release
Pre-release

This release includes several enhancements and bugfixes. Worth mentioning is the addition of schema caching, which significantly improves the performance in some stateless server deployment scenarios.

Dependency updates

  • go.mod: upgrade to jsonschema v0.4.2 by @jba in #732

Enhancements

  • perf: add schema caching to avoid repeated reflection by @SamMorrowDrums in #685
  • mcp: add DisableListening option to StreamableClientTransport by @zxxf18 in #729
  • feat: deprecated logger in client & add Logger in ClientOption by @CocaineCong in #738
  • feat: deleted the old logger in client by @CocaineCong in #744
  • Export GetError and SetError methods by @jba in #753

Bugfixes

Chores

  • docs: adds SDK version support matrix by @La002 in #737
  • .github/workflows: add nightly conformance tests by @findleyr in #752

New Contributors

Full Changelog: v1.2.0...v1.3.0-pre.1

Contributors

maciej-kisiel, SamMorrowDrums, and 7 other contributors
Loading

v1.2.0

22 Dec 14:52
@findleyr findleyr
v1.2.0
411d5a0
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v1.2.0

This release is equivalent to v1.2.0-pre.2. Thank you to those who tested the prerelease.

This release adds partial support for the 2025-11-25 version of the MCP spec and fixes some bugs in the streamable transports. It also includes some minor new APIs, changes to contributing flows, and small bugfixes.

Contributing changes

  • CONTRIBUTING.md is updated to remove the ad-hoc antitrust policy (#651), and add a dependency update policy (#635).
  • An example server (examples/server/conformance) is added for the new conformance tests at modelcontextprotocol/conformance. Test can be run with scripts/conformance.sh (#650).

Partial support for the 2025-11-25 spec

The following SEPs from the 2025-11-25 spec are now supported. Please see #725 for the proposed API additions included to support these SEPs.

  • SEP-973: icons and metadata (#570)
  • SEP-986: tool name validation (#640)
  • SEP-1024: elicitation defaults (#644)
  • SEP-1036: URL mode elicitation (#646)
  • SEP-1699: SSE polling (#663)
  • SEP-1330: elicitation enum improvements (#676)

Other API additions

  • Common error codes are now available through the sentinel jsonrpc.Error (#452)
  • OAuth 2.0 Protected Resource Metadata support (#643)
  • ClientCapabilities.RootsV2 and RootCapabilities are added to work around an API bug (#607)
  • Capabilities fields are added to ServerOptions and ClientOptions, to simplify capability configuration (#706)

Streamable fixes

Several bug fixes are included for the streamable transports:

  • mcp: relax SSE connection response handling in non-strict mode by @zhxie in #611
  • Fix: Skip non-message SSE events in processStream by @raphaelmansuy in #637
  • mcp: better handling for streamable context cancellation by @findleyr in #677
  • mcp: don't break the streamable client connection for transient errors by @findleyr in #723

Other notable bugfixes

  • fix: handle Windows CRLF in MCP client by @isfzhang in #665
  • auth, mcp: add UserID to TokenInfo for session hijacking prevention by @findleyr in #695
  • internal/docs: document UserID for session hijacking prevention by @findleyr in #697
  • mcp: allow re-using connections in more cases by @howardjohn in #709
  • oauthex: validate URL schemes in auth server metadata and DCR by @findleyr in #712
  • mcp: debounce server change notifications by @findleyr in #717
  • oauthex: fix content type check in getJSON by @nikolavp in #721

New Contributors

Full Changelog: v1.1.0...v1.2.0

Contributors

nikolavp, SpringMT, and 7 other contributors
Loading

v1.2.0-pre.2

20 Dec 15:14
@jba jba
v1.2.0-pre.2
411d5a0
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v1.2.0-pre.2 Pre-release
Pre-release

This release brings one minor change to v1.2.0-pre.1: the icon themes "light" and "dark" now have their own type and constants.

What's Changed

New Contributors

Full Changelog: v1.2.0-pre.1...v1.2.0-pre.2

Contributors

jonathanhefner and findleyr
Loading

v1.2.0-pre.1

12 Dec 20:39
@findleyr findleyr
v1.2.0-pre.1
875d1d3
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v1.2.0-pre.1 Pre-release
Pre-release

This release adds partial support for the 2025-11-25 version of the MCP spec and fixes some bugs in the streamable transports. It also includes some minor new APIs, changes to contributing flows, and small bugfixes.

Please test the prerelease if you can, and review any pending proposals included in the release. Your feedback is greatly appreciated!

Contributing changes

  • CONTRIBUTING.md is updated to remove the ad-hoc antitrust policy (#651), and add a dependency update policy (#635).
  • An example server (examples/server/conformance) is added for the new conformance tests at modelcontextprotocol/conformance. Test can be run with scripts/conformance.sh (#650).

Partial support for the 2025-11-25 spec

The following SEPs from the 2025-11-25 spec are now supported. Please see #725 for the proposed API additions included to support these SEPs.

  • SEP-973: icons and metadata (#570)
  • SEP-986: tool name validation (#640)
  • SEP-1024: elicitation defaults (#644)
  • SEP-1036: URL mode elicitation (#646)
  • SEP-1699: SSE polling (#663)
  • SEP-1330: elicitation enum improvements (#676)

Other API additions

  • Common error codes are now available through the sentinel jsonrpc.Error (#452)
  • OAuth 2.0 Protected Resource Metadata support (#643)
  • ClientCapabilities.RootsV2 and RootCapabilities are added to work around an API bug (#607)
  • Capabilities fields are added to ServerOptions and ClientOptions, to simplify capability configuration (#706)

Streamable fixes

Several bug fixes are included for the streamable transports:

  • mcp: relax SSE connection response handling in non-strict mode by @zhxie in #611
  • Fix: Skip non-message SSE events in processStream by @raphaelmansuy in #637
  • mcp: better handling for streamable context cancellation by @findleyr in #677
  • mcp: don't break the streamable client connection for transient errors by @findleyr in #723

Other notable bugfixes

  • fix: handle Windows CRLF in MCP client(#664) by @isfzhang in #665
  • auth, mcp: add UserID to TokenInfo for session hijacking prevention by @findleyr in #695
  • internal/docs: document UserID for session hijacking prevention by @findleyr in #697
  • mcp: allow re-using connections in more cases by @howardjohn in #709
  • oauthex: validate URL schemes in auth server metadata and DCR by @findleyr in #712
  • mcp: debounce server change notifications by @findleyr in #717
  • oauthex: fix content type check in getJSON by @nikolavp in #721

New Contributors

Full Changelog: v1.1.0...v1.2.0-pre.1

Contributors

nikolavp, SpringMT, and 7 other contributors
Loading

v1.1.0

30 Oct 14:32
@findleyr findleyr
v1.1.0
72afbc9
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v1.1.0

This release introduces a few new features, and includes improvements and bug fixes for the streamable transport. Notably, the default behavior of the streamable server transport is changed to disable streams resumption (see #580).

Behavior Changes

Stream resumption disabled by default. In the StreamableServerTransport, the default value of nil for the EventStore field now disables stream resumption, rather than defaulting to use an in-memory event store. Resumption is not desirable in many cases, particularly for servers that must serve a large number of users and/or streams.

If you want to enable resumption, set StreamableHTTPOptions.EventStore.

In general, we will avoid changing behaviors that may be relied upon by users, but in this case the old default was deemed to be an oversight/bug, and fixing it now will benefit future users.

API Additions

  • IOTransport is a new general-purpose transport constructed from an io.ReadCloser and io.WriteCloser (#444 ).
  • ServerOptions.Logger and StreamableHTTPOptions.Logger enable server-side logging (#170).
  • StreamableHTTPOptions.EventStore enables stream resumption (#587).
  • StreamableHTTPOptions.SessionTimeout adds a timeout which, when set, causes idle sessions to be automatically closed (#499).

Experimental client-side oauth support

The auth package now includes experimental APIs when build with the mcp_go_client_oauth build tag. See auth/client.go for more details. These APIs may change before their official release.

New Contributors

Full Changelog: v1.0.0...v1.1.0

Contributors

appleboy, jhrozek, and 6 other contributors
Loading

v1.1.0-pre.2

29 Oct 14:11
@findleyr findleyr
v1.1.0-pre.2
72afbc9
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v1.1.0-pre.2 Pre-release
Pre-release

This change fixes a few bugs in v1.1.0-pre.1. We plan to release it as v1.1.0 later today or tomorrow.

What's Changed

  • docs: document support for resumability and redelivery by @findleyr in #606
  • mcp: establish the streamable client standalone SSE stream in Connect by @findleyr in #604
  • mcp: don't persist failed streamable sessions by @findleyr in #605
  • auth: change OAuthHandler to take http Request and Response by @rutu1717 in #603

New Contributors

Full Changelog: v1.1.0-pre.1...v1.1.0-pre.2

Contributors

findleyr and rutu1717
Loading

v1.1.0-pre.1

23 Oct 13:45
@findleyr findleyr
v1.1.0-pre.1
1a907bc
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v1.1.0-pre.1 Pre-release
Pre-release

This release introduces a few new features, and includes improvements and bug fixes for the streamable transport. Notably, the default behavior of the streamable server transport is changed to disable streams resumption (see #580).

Behavior Changes

Stream resumption disabled by default. In the StreamableServerTransport, the default value of nil for the EventStore field now disables stream resumption, rather than defaulting to use an in-memory event store. Resumption is not desirable in many cases, particularly for servers that must serve a large number of users and/or streams.

If you want to enable resumption, set StreamableHTTPOptions.EventStore.

In general, we will avoid changing behaviors that may be relied upon by users, but in this case the old default was deemed to be an oversight/bug, and fixing it now will benefit future users.

API Additions

  • IOTransport is a new general-purpose transport constructed from an io.ReadCloser and io.WriteCloser (#444 ).
  • ServerOptions.Logger and StreamableHTTPOptions.Logger enable server-side logging (#170).
  • StreamableHTTPOptions.EventStore enables stream resumption (#587).
  • StreamableHTTPOptions.SessionTimeout adds a timeout which, when set, causes idle sessions to be automatically closed (#499).

Experimental client-side oauth support

The auth package now includes experimental APIs when build with the mcp_go_client_oauth build tag. See auth/client.go for more details. These APIs may change before their official release.

New Contributors

Full Changelog: v1.0.0...v1.1.0-pre.1

Contributors

appleboy, jhrozek, and 5 other contributors
Loading

v1.0.0

30 Sep 20:15
@findleyr findleyr
v1.0.0
1c3f38f
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v1.0.0

This is a stable release of the Go SDK.

This release is functionally equivalent to v0.8.0, but formalizes a compatibility guarantee: going forward we won’t make breaking API changes. The API we have is not perfect, but it’s important that we commit to supporting it so that others can depend on the SDK without further churn. If we want to improve the current API in the future, we’ll do so in backward compatible ways, such as by deprecating and adding. For example, #396, #460 and #533 propose new functions that improve the ergonomics of the current API. Given the rate of change of the MCP spec, it seems likely that we’ll want to go to v2 at some point, but we should delay that event for as long as possible.

This release also marks a level of relative completeness. You should be able to implement essentially any behavior described in the MCP spec using the SDK (except client-side OAuth—see #19). See our feature documentation for information on how the SDK models different aspects of the spec.

Finally, this release represents a certain level of maturity. With the help of our contributors, we’ve endeavored to be responsive to bug reports, and as of writing have fixed 60 out of 61 bugs that have been reported against the SDK. Furthermore, the SDK is getting real-world usage both at Google and in the broader Go community. Much of this usage appears to be using the simpler stdio or sse transports; we anticipate further bug reports and feature requests as the SDK is used in larger, distributed streamable servers.

We owe a great deal of thanks to everyone who has filed bugs or contributed to the SDK. To date, we’ve accepted PRs from 58 distinct contributors, and many more people have filed issues or commented. We’d also like to thank those who have helped maintain the many other SDKs that compose the Go MCP ecosystem.

The plan now is to pay close attention to incoming bug reports, finalize client-side OAuth support, revisit our current set of proposals, and prepare for the next version of the MCP spec. Please use the SDK and continue to file issues. Thanks again!

What's Changed

Not much has changed since v0.8.0, though notably #539 partially addresses the security issue described in #526 (see also https://verialabs.com/blog/from-mcp-to-shell).

New Contributors

Full Changelog: v0.8.0...v1.0.0

Contributors

chuckha
Loading