48 days until the 2026-07-28 MCP spec ships
On July 28, the MCP spec breaks your server. We make sure it doesn't.
We migrate your remote MCP server, pass Claude connectors directory review, and keep you compliant through every spec revision.
Spec-ready by July 28. Directory-accepted. Or you don't pay.
2026-07-28 is the largest MCP revision since launch — seven groups of breaking changes, including a stateless core, session-ID removal, and OAuth hardening.
The deadline is real
What breaks on July 28
The 2026-07-28 release is not an incremental bump. The release candidate locked on 2026-05-21, the final spec ships 2026-07-28, and clients that track the spec — including Claude — will negotiate the new protocol version. Seven groups of breaking changes, straight from the official RC announcement:
SEP-2575 · SEP-2567
Stateless core & session-ID removal
The initialize handshake and the Mcp-Session-Id header are removed — anything keyed on the session (auth context, caches, rate limits) loses its anchor, and protocol identity moves into _meta on every request.
We make every handler self-contained and replace session-keyed state with explicit handles that tools return and accept as ordinary arguments.
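One way to build such a handle, as an added example that is not code from this page or from the MCP SDK: with no session to anchor it, the handle carries its own integrity tag, expiry, and the principal it was issued to. The function names, claim layout, and HMAC scheme are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key (assumption): load the real one from a secret store.
HANDLE_KEY = b"demo-only-handle-signing-key"

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(body):
    return hmac.new(HANDLE_KEY, body, hashlib.sha256).digest()

def issue_handle(subject, kind, state, ttl=900, now=None):
    """Build the opaque handle a tool returns in its result."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "kind": kind, "exp": int(now) + ttl, "state": state}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return b64e(body) + "." + b64e(sign(body))

def open_handle(handle, subject, kind, now=None):
    """Verify a handle received as an ordinary tool argument and return its state.

    `subject` must come from the access token validated on this request,
    never from the tool arguments. Raises ValueError on any failure.
    """
    now = time.time() if now is None else now
    if not isinstance(handle, str) or handle.count(".") != 1:
        raise ValueError("malformed handle")
    body_part, tag_part = handle.split(".")
    body, tag = b64d(body_part), b64d(tag_part)  # bad base64 raises ValueError
    if not hmac.compare_digest(tag, sign(body)):
        raise ValueError("signature mismatch")
    claims = json.loads(body)
    if claims["sub"] != subject:
        raise ValueError("handle was issued to a different principal")
    if claims["kind"] != kind:
        raise ValueError("handle is for a different tool flow")
    if now >= claims["exp"]:
        raise ValueError("handle expired")
    return claims["state"]
```

The state is signed, not encrypted, so the client can read it; keep secrets server-side and put only a reference in the handle.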
SEP-2243
Mandatory Mcp-Method + Mcp-Name headers
Streamable HTTP requests must carry Mcp-Method and Mcp-Name headers, and servers must reject header/body mismatches — a WAF or proxy that strips unknown Mcp-* headers breaks you silently.
We upgrade the SDK to enforce the new headers and audit your WAF, proxy, and firewall rules so nothing on the path strips them.
SEP-2260 · SEP-2322
Multi-round-trip replaces long-lived SSE
Server-initiated requests are only allowed while a client request is actively being processed — anything that pushes over a long-lived GET SSE stream stops working.
We redesign tools to complete within one request and move interactive flows to the new InputRequiredResult round-trip pattern.
SEP-2164
Error code -32002 → -32602
Resource-not-found moves from the custom -32002 code to the standard -32602 — hardcoded checks in clients and test suites start failing.
We sweep your server, clients, and tests for the old code and re-validate every error path against the RC.
SEP-2663
Tasks lifecycle rewritten
Tasks moves from the experimental core into an extension with a new lifecycle — tools/call returns a task handle, and tasks/list is removed entirely.
We port anything built on the 2025-11-25 experimental tasks API to the new extension lifecycle before clients drop the old one.
SEP-2468 · 837 · 2352 · 2207 · 2350 · 2351
OAuth & auth hardening
Clients must validate the iss parameter per RFC 9207, credentials become bound to the issuing authorization server, and migrating a resource between auth servers now forces re-registration.
We publish accurate RFC 9728 protected-resource metadata, keep your issuer stable, and validate audience-bound tokens.
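The client-side check that RFC 9207 describes, as an added example that is not code from this page or from any MCP SDK: the authorization response is accepted only when its iss matches, by exact string comparison, the issuer the flow was started with. The function and exception names are hypothetical.

```python
from urllib.parse import parse_qs, urlsplit

class AuthResponseRejected(ValueError):
    """The authorization response must not be processed further."""

def check_authorization_response(redirect_url, expected_issuer, expected_state, as_metadata):
    """Return the authorization code only if the response came from the expected issuer.

    expected_issuer and expected_state are what the client stored when it
    started this flow; as_metadata is that server's RFC 8414 metadata.
    """
    params = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)
    if any(len(values) > 1 for values in params.values()):
        raise AuthResponseRejected("duplicated parameter")
    one = {name: values[0] for name, values in params.items()}

    if one.get("state") != expected_state:
        raise AuthResponseRejected("state does not match this flow")

    iss = one.get("iss")  # parse_qs has already form-decoded the value
    if iss is None:
        # RFC 9207: a missing iss is fatal when the server advertises support.
        if as_metadata.get("authorization_response_iss_parameter_supported"):
            raise AuthResponseRejected("iss missing from response")
    elif iss != expected_issuer:
        # Simple string comparison: no case folding, no slash trimming.
        raise AuthResponseRejected("iss does not match expected issuer")

    if "error" in one:
        raise AuthResponseRejected("authorization error: " + one["error"])
    if not one.get("code"):
        raise AuthResponseRejected("no authorization code")
    return one["code"]
```

Because the comparison is exact, a server that starts emitting its issuer with a trailing slash or a different host is rejected by conforming clients, which is why the issuer has to stay stable.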
SEP-2577
Roots, Sampling & Logging deprecated
All three are deprecated with 12-month removal windows — anything you build on them today is on a countdown from day one.
We move you to the replacements: tool parameters and config, direct LLM provider APIs, and stderr or OpenTelemetry for logging.
Full breakdown of every breaking change, with migration steps, in the migration guide.
Fixed scope, fixed price
What you get
Three ways to be on the right side of the cutover. Every engagement ends with a server that passes real client handshakes and directory review — that outcome is the deliverable, not the hours.
Before July 28
Spec-Migration Sprint
$1,500–$2,500 fixed price
5 business days
Your existing remote MCP server, migrated to the 07-28 release candidate and back in production before the cutover.
- Day-0 audit against the 07-28 RC
- Migration of transport, sessions, and auth
- Re-validation with real client handshakes
- Redeploy + connectors directory resubmission
Production MCP Build
$2,500–$5,000 fixed price
1–2 weeks
No server yet, or one you'd rather replace? We build a production remote MCP server on the new spec from day one.
- OAuth 2.1 with Dynamic Client Registration
- Tool design that agents actually use well
- Security scan pass before ship
- Registry + connectors directory submission
Keep-Alive Retainer
$199/mo, cancel anytime
ongoing
The spec will keep moving after July 28. We keep your server hosted, monitored, and compliant so you never scramble again.
- Hosting and uptime monitoring
- Spec-churn updates as revisions land
- Directory re-compliance on policy changes
- Monthly health report
The guarantee: spec-ready by July 28 and accepted into the Claude connectors directory — or you don't pay.
Proof, not a portfolio page
We run our own.
Slipstack's JSON→PDF API serves agents in production through the same MCP stack we will ship you. Same transport, same OAuth flow, same monitoring — battle-tested on our own revenue before it touches yours.
slipstack.dev/mcp →
One week, start to shipped
How a sprint runs
Day 0
1. Audit
We diff your server against the 07-28 RC: transport, session handling, auth, tool schemas. You get the findings in writing before any code changes.
Day 1–3
2. Migrate
Stateless core, session-ID removal, OAuth hardening, and the rest — implemented on a branch, reviewed with you, behind your existing deploy process.
Day 4
3. Validate
Real client handshakes, not mocks. We run the new protocol negotiation end to end against the actual clients your users connect from.
Day 5
4. Redeploy + submit
Production cutover and Claude connectors directory submission. If review bounces anything, we fix and resubmit until it lands.
Straight answers
FAQ
What if the directory rejects us?
We fix and resubmit — that is the guarantee. Directory acceptance is the deliverable you're paying for, not a submission attempt. Rejections come with reviewer feedback; we address every item and resubmit at no additional cost until you're listed.
What actually changes on July 28, 2026?
It's the largest revision since MCP launched — seven groups of breaking changes, headlined by a stateless core, removal of session IDs, and hardened OAuth requirements. The full list, with per-change migration steps, is in our free migration guide.
We built on the official SDK. Doesn't an upgrade handle this?
The SDK upgrade is the easy 20%. The breaking changes are architectural: if your server keeps per-session state, keys auth or rate limits on session IDs, or runs a looser OAuth flow, bumping a dependency won't fix it — and pinning the old version only works until clients stop negotiating the old protocol.
How is the price fixed if it's a range?
The range covers small-to-large servers. After a 30-minute scoping call we quote a single fixed number inside the published range, in writing, before you pay anything. It doesn't move after that — scope surprises are our problem, not yours.
What do you need from us to start?
Read access to the server's repo (or a tarball), a way to test your OAuth flow, and a deploy path — either credentials or a 30-minute window with whoever ships your code. Most sprints start within two business days of the scoping call.
What does the $199/mo retainer actually cover?
Hosting and uptime monitoring for your MCP server, code updates whenever the spec or the directory's policies change, re-validation and resubmission if the directory's requirements move, and a monthly health report. No hourly billing, cancel anytime.
Not sure which engagement fits?
Email us a link to your server. We'll reply with what breaks and a fixed quote — usually within one business day.
hello@mcpmigrate.dev