Reject standalone GET in stateless streamable HTTP mode

[vrv]

Summary

Reject standalone GET /mcp in stateless WebStandardStreamableHTTPServerTransport mode by returning 405 Method Not Allowed with Allow: POST.

Motivation and Context

In stateless mode (sessionIdGenerator === undefined), the transport requires a fresh transport instance per HTTP request. However, handleGetRequest() still permits creation of a standalone SSE stream (_GET_stream), which is transport-local state with no durable owner across requests.

This change aligns the implementation with the SDK’s own examples:

• simpleStatelessStreamableHttp.ts rejects GET /mcp with 405
• jsonResponseStreamableHttp.ts also rejects GET /mcp with 405

How Has This Been Tested?

Tested in a real application using @modelcontextprotocol/sdk 1.29.0 in stateless mode.

Scenarios tested:

• Fresh transport per HTTP request with sessionIdGenerator: undefined
• Concurrent long-running tool calls with client disconnects
• Before this change:
  • standalone GET /mcp streams accumulated
• After this change:
  • standalone GET /mcp is rejected with 405
  • the same workload no longer accumulated long-lived GET streams

Breaking Changes

Potentially, yes for stateless servers that currently rely on standalone GET /mcp for out-of-band server-to-client notifications while a request is in flight.

This change makes stateless mode effectively POST-only for Streamable HTTP. Stateful servers are unchanged.

I'm not entirely sure whether this aligns with the stateless transport goals going forward, but offering this change in case this is actually a bug; can add tests for this if someone thinks this is the right fix.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update

Checklist

• I have read the MCP Documentation
• My code follows the repository's style guidelines
• New and existing tests pass locally
• I have added appropriate error handling
• I have added or updated documentation as needed

[changeset-bot]

⚠️ No Changeset found

Latest commit: 47591fe

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[pkg-pr-new]

Open in StackBlitz

@modelcontextprotocol/client

npm i https://pkg.pr.new/@modelcontextprotocol/client@1884

@modelcontextprotocol/server

npm i https://pkg.pr.new/@modelcontextprotocol/server@1884

@modelcontextprotocol/express

npm i https://pkg.pr.new/@modelcontextprotocol/express@1884

@modelcontextprotocol/fastify

npm i https://pkg.pr.new/@modelcontextprotocol/fastify@1884

@modelcontextprotocol/hono

npm i https://pkg.pr.new/@modelcontextprotocol/hono@1884

@modelcontextprotocol/node

npm i https://pkg.pr.new/@modelcontextprotocol/node@1884

commit: 47591fe