MCP Spec Updated to Add Structured Tool Output and Improved OAuth 2.1 Compliance

MCP spec updated with structured tool output, stronger OAuth 2.1 security, resource indicators, and protocol cleanups for safer, more reliable AI workflows.

Sarah Gooding

June 19, 2025

The Model Context Protocol (MCP) specification has been updated since its last revision in March 2025, introducing two major enhancements aimed at improving integration reliability and tightening security across implementations.

This update adds support for structured tool output, allowing tools to return well-defined, machine-readable data instead of relying on ad-hoc text. It also formally classifies MCP servers as OAuth Resource Servers and requires clients to adopt Resource Indicators, aligning MCP with modern OAuth security expectations to prevent misuse of access tokens.

Structured Tool Output

Tools can now declare an outputSchema, a JSON Schema describing the precise structure of their results. When present, servers must return the tool’s output in a new structuredContent field that strictly validates against the declared schema. For tools that don’t declare an outputSchema, behavior remains unchanged: results are returned as free-form text or content arrays.

This improvement makes it far easier to handle tool results programmatically and securely. Developers can trust that structured outputs match a predictable shape, reducing the need for fragile text parsing. This is especially important when integrating tools from untrusted servers: clients can validate data before using it, adding a layer of protection.

This update specifically targets simpler, fully schema-described result cases. Support for more advanced, multi-part or dynamically structured tool outputs remains available via the flexible content array and is still evolving under separate proposals.
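The client-side check described above, as an added example that is not code from the MCP specification or from Socket: a client refuses to use a result unless structuredContent validates against the tool's declared outputSchema. The validator handles only a subset of JSON Schema, and the get_weather tool and its sample results are constructed for illustration.

```python
# Minimal validator covering a subset of JSON Schema (string "type" values,
# properties, required, additionalProperties: false, items). Added example.
_TYPES = {"object": dict, "array": list, "string": str, "boolean": bool,
          "number": (int, float), "integer": int, "null": type(None)}

def schema_errors(value, schema, path="$"):
    """Return the list of ways `value` violates `schema` (empty when valid)."""
    t = schema.get("type")
    if isinstance(t, str) and t in _TYPES:
        ok = isinstance(value, _TYPES[t])
        # bool is a subclass of int in Python; JSON keeps them distinct.
        if t in ("number", "integer") and isinstance(value, bool):
            ok = False
        if not ok:
            return [f"{path}: expected {t}"]
    errors = []
    if isinstance(value, dict):
        props = schema.get("properties", {})
        for key in schema.get("required", []):
            if key not in value:
                errors.append(f"{path}.{key}: required field missing")
        for key, item in value.items():
            if key in props:
                errors += schema_errors(item, props[key], f"{path}.{key}")
            elif schema.get("additionalProperties") is False:
                errors.append(f"{path}.{key}: unexpected field")
    if isinstance(value, list) and "items" in schema:
        for i, item in enumerate(value):
            errors += schema_errors(item, schema["items"], f"{path}[{i}]")
    return errors

def check_tool_result(tool, result):
    """Validate a tool call result before any of it is used by the client."""
    schema = tool.get("outputSchema")
    if schema is None:
        return []  # no schema declared: free-form content, nothing to check here
    if "structuredContent" not in result:
        return ["$: structuredContent missing although outputSchema is declared"]
    return schema_errors(result["structuredContent"], schema)

# Constructed sample data (hypothetical get_weather tool).
WEATHER_TOOL = {"name": "get_weather", "outputSchema": {
    "type": "object",
    "properties": {"temperature": {"type": "number"},
                   "conditions": {"type": "string"}},
    "required": ["temperature", "conditions"],
    "additionalProperties": False}}
GOOD = {"structuredContent": {"temperature": 22.5, "conditions": "Partly cloudy"}}
BAD = {"structuredContent": {"temperature": "22.5", "extra": "unexpected text"}}
```

A production client would use a complete JSON Schema validator; the point here is that the result is rejected as a whole when any field deviates from the declared shape.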

Stronger OAuth 2.1 Security & Discovery

MCP servers must now be treated as OAuth Resource Servers and align with modern OAuth standards:

  • Protected Resource Metadata (RFC 9728): Servers publish metadata describing trusted authorization servers.
  • Authorization Server Metadata (RFC 8414): Clients discover how to interact with authorization servers.
  • Dynamic Client Registration (RFC 7591): Clients can automatically register with new authorization servers, avoiding manual setup.
  • Resource Indicators (RFC 8707): Clients bind tokens explicitly to the intended MCP server.
  • PKCE and Redirect Security: Clients must protect authorization codes and secure redirects, per OAuth 2.1 best practices.
  • Strict Token Audience Binding: Servers must validate that tokens are issued specifically for them, blocking misuse or passthrough to upstream APIs.

These upgrades close several known OAuth weaknesses and make MCP suitable for secure, large-scale use. They help prevent stolen tokens from being reused on other services and make it harder for attackers to intercept or replay tokens in the first place.
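Both sides of the token binding listed above, as an added example that is not code from the MCP specification or from Socket: the client sends a PKCE challenge and an RFC 8707 resource parameter in its authorization request, and the MCP server accepts only tokens whose aud claim names it. The function names, the URI normalisation in canonical() and all example.com values are assumptions, and audience_ok() assumes the token's signature and expiry were verified beforehand.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlsplit

def canonical(uri):
    """Normalise a resource URI: lowercase scheme and host, no trailing slash."""
    p = urlsplit(uri)
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path.rstrip('/')}"

def build_authorization_url(authz_endpoint, client_id, redirect_uri, mcp_server):
    """Client side: authorization request with PKCE (S256) and a resource indicator."""
    verifier = secrets.token_urlsafe(64)  # kept secret, sent later in the token request
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "resource": canonical(mcp_server),  # binds the token to this MCP server
        "state": secrets.token_urlsafe(16),
    }
    return f"{authz_endpoint}?{urlencode(params)}", verifier

def audience_ok(claims, this_server):
    """Server side: True only if the verified token's aud names this MCP server."""
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # aud may be string or array
    wanted = canonical(this_server)
    return any(isinstance(a, str) and canonical(a) == wanted for a in audiences)
```

A token minted for a different resource fails audience_ok() even when its signature is valid, which is what stops a token stolen from one service from being replayed against the MCP server.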

While this update brings MCP’s OAuth handling much closer to modern standards with better binding and validation, it does not fully eliminate the risk of phishing if a user configures a malicious MCP server. Alibaba Cloud Security raised this concern in a recent issue, showing that an attacker could trick users into trusting a fake MCP server which then points to a rogue OAuth server to steal tokens. The new resource parameter and audience checks greatly limit misuse of stolen tokens, but stronger binding between each MCP server and its legitimate OAuth server is still being discussed in the community to fully address this advanced scenario.

Other Notable Changes

Structured Tool Output and OAuth improvements are the headline features, but the revision also includes many supportive improvements to boost consistency and usability:

  • Protocol Versioning: When using HTTP, once a version is negotiated, clients must send the MCP-Protocol-Version header in all subsequent requests to avoid version mismatches.
  • Elicitation: Adds a mechanism for servers to request additional clarifying input from users during a session, improving interaction quality.
  • Resource Links in Tool Calls: Tools can now include actionable links in their results, increasing interoperability in workflows.
  • Schema Enhancements: New fields like _meta, context, and title improve structure and display clarity.
  • Removed JSON-RPC batching: The spec drops batching support because modern streaming and stateless scaling cover its intended use cases more effectively.

A complete list of changes, including all minor schema revisions, is available in the full changelog on GitHub.
