Describe the Bug
When the initial initialize request carries a MCP-Protocol-Version HTTP header that disagrees with initialize.params.protocolVersion in the JSON-RPC body, the server accepts the request without error. The negotiated protocol version follows the JSON-RPC body rather than the MCP-Protocol-Version request header.
The current MCP 2025-11-25 specification does not explicitly require the server to check body/header consistency on initialize, so this is filed as an implementation observation rather than a strict spec-violation claim.
- Environment
- Reproduced with stable release
v1.6.0 (f5f20154)
- Also reproduced with a
main snapshot from 2026-05-16 (1253d17a)
- Transport: Streamable HTTP server (stateful and stateless profile)
To reproduce
- Start a Go SDK Streamable HTTP server.
- Send an
initialize request where the body protocolVersion is 2025-11-25 but the MCP-Protocol-Version header is 2025-03-26 (or vice versa).
- Observe that the server returns HTTP 200 with a normal
initialize result.
- Check the negotiated protocol version in the response.
Expected behavior
Option A: the server rejects the mismatch before negotiation, for example with HTTP 400 or a JSON-RPC Invalid Request error.
Option B: the spec clarifies which field is authoritative, and the SDK documents that behavior and covers it with a regression test.
Logs
Both mismatch directions were accepted:
body=2025-11-25 header=2025-03-26 -> HTTP 200, negotiated version follows body (2025-11-25)
body=2025-03-26 header=2025-11-25 -> HTTP 200, negotiated version follows body (2025-03-26)
After initialization, later responses used the body-negotiated version in the MCP-Protocol-Version header, not the original mismatched header value.
With a Streamable HTTP server running, set ENDPOINT to the server endpoint and send an initial initialize request whose HTTP header and JSON-RPC body disagree:
ENDPOINT=http://127.0.0.1:8080/mcp
curl -i -sS --http1.1 -X POST "$ENDPOINT" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json, text/event-stream' \
-H 'MCP-Protocol-Version: 2025-03-26' \
--data '{"jsonrpc":"2.0","id":"init-conflict-1","method":"initialize","params":{"protocolVersion":"2025-11-25","capabilities":{},"clientInfo":{"name":"version-conflict-repro","version":"0.1.0"}}}'Then repeat the same request with the values reversed: body 2025-03-26, header 2025-11-25.
Additional context
- Related: SEP-2575 introduces a related future-state requirement that, for HTTP requests, the MCP-Protocol-Version header match _meta["io.modelcontextprotocol/protocolVersion"].
Describe the Bug
When the initial
initializerequest carries aMCP-Protocol-VersionHTTP header that disagrees withinitialize.params.protocolVersionin the JSON-RPC body, the server accepts the request without error. The negotiated protocol version follows the JSON-RPC body rather than theMCP-Protocol-Versionrequest header.The current MCP
2025-11-25specification does not explicitly require the server to check body/header consistency oninitialize, so this is filed as an implementation observation rather than a strict spec-violation claim.v1.6.0(f5f20154)mainsnapshot from 2026-05-16 (1253d17a)To reproduce
initializerequest where the bodyprotocolVersionis2025-11-25but theMCP-Protocol-Versionheader is2025-03-26(or vice versa).initializeresult.Expected behavior
Option A: the server rejects the mismatch before negotiation, for example with HTTP 400 or a JSON-RPC Invalid Request error.
Option B: the spec clarifies which field is authoritative, and the SDK documents that behavior and covers it with a regression test.
Logs
Both mismatch directions were accepted:
After initialization, later responses used the body-negotiated version in the
MCP-Protocol-Versionheader, not the original mismatched header value.With a Streamable HTTP server running, set
ENDPOINTto the server endpoint and send an initialinitializerequest whose HTTP header and JSON-RPC body disagree:Then repeat the same request with the values reversed: body
2025-03-26, header2025-11-25.Additional context