# Builder's Daily — MCP Tooling > Rolling 14-day signal for beat `mcp-tooling`. Ephemeral context — not evergreen corpus. > Author: Amit Kumar Agrawal | https://artificialcuriositylabs.ai > Generated: 2026-06-06 > Human index: https://artificialcuriositylabs.ai/daily/mcp-tooling/ > RSS: https://artificialcuriositylabs.ai/daily/mcp-tooling/rss.xml --- # MCP Tooling — June 6, 2026 **URL:** https://artificialcuriositylabs.ai/daily/mcp-tooling/2026-06-06/ **Beat:** mcp-tooling **Date:** 2026-06-06 **Topics:** mcp-spec, transport, stateless, oauth, mcp-gateway, jwt **Summary:** MCP 2026-07-28 release candidate makes Streamable HTTP stateless; AWS documents OAuth code flow for AgentCore Gateway MCP inbound auth; mcp-auth-gateway… ## The read MCP is the tool surface layer — table stakes, not a moat. What matters is which tools get wired, how auth and policy gate them, and whether your org's skills compound. Ubiquitous protocol; scarce execution context. ## What moved - **MCP 2026-07-28 release candidate makes Streamable HTTP stateless** — [Model Context Protocol Blog](https://blog.modelcontextprotocol.io/posts/2026-07-28-release-candidate/) The MCP team published the 2026-07-28 release candidate, the largest spec revision since launch. It removes the initialize handshake and Mcp-Session-Id (SEP-2575, SEP-2567), requires Mcp-Method and Mcp-Name headers for routing (SEP-2243), adds tools/list caching via ttlMs and cacheScope (SEP-2549), graduates MCP Apps and Tasks as official extensions, and hardens OAuth with iss validation (SEP-2468). Final spec ships July 28, 2026. **Builder angle:** Agents behind gateways can drop sticky sessions and route MCP calls on HTTP headers instead of parsing JSON-RPC bodies. - **AWS documents OAuth code flow for AgentCore Gateway MCP inbound auth** — [AWS Machine Learning Blog](https://aws.amazon.com/blogs/machine-learning/building-a-secure-auth-code-flow-setup-using-agentcore-gateway-with-mcp-clients/) AWS describes wiring Kiro IDE to Amazon Bedrock AgentCore Gateway with JWT inbound auth. Unauthenticated POSTs to /mcp return HTTP 401 with www-authenticate pointing to /.well-known/oauth-protected-resource; clients discover the IdP, run PKCE authorization code flow, then send Bearer tokens the Gateway validates (iss, exp, audience/custom claims) before proxying to MCP servers. Optional mcp-remote bridges stdio clients to the OAuth-protected HTTP endpoint. **Builder angle:** Production MCP gateways can enforce per-user IdP tokens at the routing layer before any tool invocation reaches backend servers. - **mcp-auth-gateway wraps stdio MCP servers with OAuth 2.1 and HTTP transport** — [GitHub](https://github.com/nicknikolakakis/mcp-auth-gateway) Open-source Go gateway exposes any stdio-only MCP server over Streamable HTTP/SSE with OAuth 2.1/OIDC (PKCE, dynamic client registration, token refresh). YAML config selects the OIDC provider and upstream MCP command; each authenticated user gets an isolated MCP process with credentials injected via Unix domain socket rather than environment variables. **Builder angle:** Teams can add MCP-spec OAuth and remote HTTP access to existing stdio servers without rewriting server code.