New Features in Anthropic’s Model Context Protocol: Tasks, OAuth & Security
Celebrating one year since its debut, Anthropic’s Model Context Protocol (MCP) releases a major update that introduces task‑based workflows, URL‑based OAuth client registration, enhanced security requirements, extensible components, and a suite of new features aimed at improving reliability, observability, and developer flexibility.
Model Context Protocol (MCP) 1‑Year Anniversary Release
The MCP maintainers announced a new version of the specification to mark one year since the protocol was open‑sourced by Anthropic. The update introduces experimental task‑based workflows, URL‑based client registration, several security hardenings, and a set of extension components for custom functionality.
Task‑Based Workflow
Tasks provide an abstraction for tracking work performed by an MCP server. Each task progresses through one of the following states:
working
input_required
completed
failed
cancelled
Clients can actively poll a task’s status and retrieve the result once the task reaches completed. This model is useful for large‑scale scenarios such as healthcare data analysis, code‑migration tools, and multi‑agent systems where agents operate concurrently.
URL‑Based Client Registration
Instead of relying on Dynamic Client Registration (DCR) with an authorization server, developers can supply a URL that points to a JSON metadata document describing the client. The client identifier is then expressed as that URL, simplifying registration when an AS does not support public‑API registration or when an OAuth proxy would otherwise be required.
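An added example (not from the original article or the MCP project): checks an authorization server could apply to a URL-form client identifier and the metadata document fetched from it. The field names client_id and redirect_uris are standard OAuth client metadata; the specific URL rules, the function names, and the sample values are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit

CLIENT_ID = "https://client.example/oauth/metadata.json"  # constructed sample
SAMPLE_DOC = json.dumps({                                 # constructed sample
    "client_id": CLIENT_ID,
    "redirect_uris": ["http://127.0.0.1:33418/callback"],
}).encode()

def check_client_id_url(client_id: str) -> list[str]:
    """Return problems with a URL used as an OAuth client identifier."""
    try:
        u = urlsplit(client_id)
    except ValueError:
        return ["not a parseable URL"]
    problems = []
    if u.scheme != "https":
        problems.append("scheme must be https")
    if not u.hostname:
        problems.append("missing host")
    if u.username or u.password:
        problems.append("userinfo not allowed")
    if u.fragment:
        problems.append("fragment not allowed")
    if u.path in ("", "/"):
        problems.append("path component required")
    if any(seg in (".", "..") for seg in u.path.split("/")):
        problems.append("dot segments not allowed")
    return problems

def validate_metadata(client_id: str, body: bytes, redirect_uri: str) -> list[str]:
    """Check a fetched document against its URL and the requested redirect_uri."""
    problems = check_client_id_url(client_id)
    try:
        doc = json.loads(body)
    except ValueError:
        return problems + ["metadata is not valid JSON"]
    if not isinstance(doc, dict):
        return problems + ["metadata must be a JSON object"]
    # The document must name the exact URL it was fetched from; otherwise any
    # host could serve a copy of another client's metadata under its own URL.
    if doc.get("client_id") != client_id:
        problems.append("client_id in document does not match URL")
    uris = doc.get("redirect_uris")
    if not isinstance(uris, list) or redirect_uri not in uris:
        problems.append("redirect_uri not registered in document")
    return problems

if __name__ == "__main__":
    print(validate_metadata(CLIENT_ID, SAMPLE_DOC, "https://other.example/cb"))
```

The fetch itself is left out so the example runs offline; a server that retrieves these documents also needs to restrict which hosts it will connect to and cap response size and time.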
Security Enhancements
New security requirements for locally installed clients.
Updated authorization specification that defines default scopes.
Stricter server‑side validation of client‑provided data.
Extension Components
Extension components run outside the core protocol, allowing developers to experiment with custom features without modifying the stable core. Two initial authorization extensions are shipped:
Support for machine‑to‑machine OAuth client‑credential flows.
IdP‑policy‑controlled MCP OAuth flow.
Additional Specification Updates
URL‑mode requests enable browsers to redirect to the appropriate OAuth flow without exposing client credentials.
The MCP server can run a client‑token proxy loop.
Standardized tool‑name formatting.
Decoupled request payloads from RPC method definitions.
Server‑side Server‑Sent Events (SSE) polling for disconnect handling.
Improvements to the SDK.
Version‑management for the specification.
Roadmap Outlook
Future work will focus on reliability, observability, richer server composition patterns, and an enhanced security model.
Reference URLs:
https://github.com/modelcontextprotocol/modelcontextprotocol/issues/1024
https://blog.modelcontextprotocol.io/posts/2025-11-25-first-mcp-anniversary/
21CTO
