SEP-2127: MCP Server Cards - HTTP Server Discovery via .well-known#2127
SEP-2127: MCP Server Cards - HTTP Server Discovery via .well-known#2127
Conversation
774dde0 to
b199c35
Compare
|
Just adding a note of context for any readers here that as of the current commit, this is the text of the original SEP proposal, but a lot of folks have contributed feedback to the specifics of reworking the shape in this Google Doc. Pasting here for readability: {
"$schema": "https://static.modelcontextprotocol.io/schemas/2025-10-17/server.schema.json",
"name": "io.modelcontextprotocol.anonymous/brave-search",
"description": "MCP server for Brave Search API integration",
"title": "Brave Search",
"websiteUrl": "https://anonymous.modelcontextprotocol.io/examples",
"repository": {
"url": "https://github.com/modelcontextprotocol/servers",
"source": "github",
"subfolder": "src/everything"
},
"version": "1.0.2",
"supportedProtocolVersions": [ "2025-03-12", "2025-06-15" ],
"icons": [ ... ],
"remotes": [ ... ],
"packages": [ ... ],
"capabilities": { ... },
"requires": { ... },
"resources": [ ... ],
"tools": [ ... ],
"prompts": [ ... ],
"_meta": { ... }
}Most significant sticking points so far:
The rest is largely just details we can bikeshed. I think it's important to design this so we introduce no breaking changes to server.json, as any breaking changes would cause major problems for a lot of production registry-related infrastructure and systems in the ecosystem. So my high level thinking would be to:
I also liked @yoannarz's points here that there is a use case for non-owners of MCP servers to use Server Cards. So if we're going to require Server Cards to be comprehensive descriptors of all the capabilities of a server that only a server owner can advertise, we still have a gap like "how do I as a restaurant owner advertise that Yelp's MCP server is the way to make bookings on my website; I don't actually control the details of its tools and capabilities but I know where it lives and want to put that on my website's .well-known" So maybe there is a path where we make Server Card a strict subset of server.json to elegantly fulfill all the above (e.g. perhaps Server Cards = purely Discovery concerns; then server.json is Discovery+Capabilities); will think more on that and circle back. |
|
Shall we also add an optional extended card for ancillary information (such as additional metadata)? |
|
@tadasant It would be great if we can avoid getting two different formats. Instead we could extend the MCP Registry server.json to also cover the requirements that came up here. Then an MCP Server Card would basically be conventions of what has to be provided (required) for describing remote MCP Servers. The discovery mechanism (.well-known) could be moved to the AI Card initiative, then MCP and A2A (potentially also other AI protocols) could share the discovery mechanism and providers / registries can use one instead of multiple. For this, I just drafted a SEP in AI Cards: Agent-Card/ai-card#14 My colleagues Vyshnavi and Raluca prepared a JSON Schema of how the MCP Server Card could look like if we combine it as hinted at above. This may help to see if we can get this together. In discussions with @dsp-ant the question came also up if we need two formats or not. As stated, we should not have two different formats to describe an MCP Server for the same protocol. But the registry itself may have additional information, so for consumers of the registry it is plausible to have a superset model of what the registry provides (like calculated properties, more context). I would keep this separate from the format for self-description and publishing to keep that as simple as possible. |
|
@dsp-ant Hi David fyi @tadasant |
|
@dsp-ant to help drive this forward, I've opened a PR against your branch here. If you are aligned with the direction it's going, could we get it merged and then continue community discussion on the remaining open questions (more detail below)? I'm happy to formally sign on as sponsor for this or as an author if helpful. I've taken into account all the feedback from:
Big thank you to @ggoodman, @PederHP, @sdatspun2, @connor4312, @SamMorrowDrums, @Fannon, @maiargu, @electrocucaracha, @ibuildthecloud, @yoannarz, @pcarleton and everyone else commenting and contributing so far; the feedback is all helping progress this forward. I have avoided iterating on some of the more controversial topics, like Pasting the rest of the text from my PR for readability here: Some highlights worth pulling out Relationship to AI CardThe AI Card standard is paving a path to providing a protocol-agnostic MCP Server Cards will provide a richer, MCP-specific definition that can be used by MCP clients to actually connect and start performing MCP operations. We will store these values at Example:
We can develop and iterate on MCP Server Cards largely independently from the broader effort to integrate with AI Cards, as long as we maintain some integration point so it is possible to understand when an entry in an AI Card references an MCP Server Card that is hosted and maintained elsewhere. Instructions as a field in the Server Card@PederHP had a good point here. I think it's reasonable to consider, but we don't have it in supportedProtocolVersionI've moved this field inside the I think it would be reasonable to consider removing this from the SEP to simplify, as we don't currently have it in authenticationI've also moved this field inside the Some topics I think we should continue discussing (but out of scope for landing this PR) into the SEP -- Removing $schema from server.json and not including it in Server CardI've removed the explicit $schema field in this PR. We were planning to do this for the MCP Registry in the next iteration of server.json (rationale here, cc @rdimitrov). Basically, hardcoding the $schema field there introduces an unnecessary breaking change across versions, when we don't have intention to make breaking changes to these shapes. A better solution here would probably be to use something like @vyshnavigadamsetti's suggestion of Removing
|
|
Thanks for driving this forward! Just a quick question for clarity, there was a PR previously opened for community feedback iteration. Happy to align with whatever works best for you and the group. |
My suggestion (feel free to direct us otherwise @dsp) would be that going forward, now that we have solid high level alignment, folks should open PRs for discrete sub-topics. For example, one PR proposing Then David can choose what he wants to pull it on a topic by topic basis and/or make changes to the SEP directly himself. Open threads worth iterating on:
I think each of these could be separate PRs. I'll definitely work on (1) very soon, and can draft more if other folks don't jump on them first. Edit: and maybe some of the smaller changes that are pretty constrained to modifying just one section of the SEP could be made directly as comments and discussed as threads, PR might be overkill for all of them. |
|
Thanks for the suggestion, @tadasant . This makes sense to me. Breaking things down into discrete PRs per sub-topic feels like the right next step now that there's high-level alignment. I'd also be interested to see a bit more community feedback on this approach, and then I'd be happy to help review or contribute where it's most useful. Looking forward to the follow-up PRs! |
|
I opened #2186 as a follow up to @dsp's comment
In the meantime I'll start working on a PR for:
Edit: that PR^ is somewhat intertwined with AI Card discussions, so will likely see where those land before putting something up here. |
|
I tried to clarify the reverse-DNS namespacing for Some ambiguity around reverse-DNS namespacing surfaced during discussions about the modelcontextprotocol/registry#926 Please let me know if this matches the intended interpretation. |
|
Thanks for the thoughtful work on this proposal! (let me know if this feedback/comment is better suited for a different PR) Wanted to raise a scenario we're seeing frequently in practice. We’re working with many small services businesses (gyms, home services, restaurants, spas..etc) to stand up MCP servers or MCP Apps for their business. A large number of these businesses run their websites on hosted platforms like Wix, or Squarespace, and similar builders. They own their custom domains, but many don't have the ability to place arbitrary files at Some more advanced hosting setups for WordPress sites could likely serve files from These businesses are building capabilities like bookings, availability, quotes..etc and will want to adopt server cards to enable better discoverability of their tools, but likely won’t be able to without support from their website hosting platform (which could prioritize platform specific features versus the range of saas products that the small business might be using to enable their tools). I might be misunderstanding how the Just wanted to raise this scenario and consideration to small services businesses building MCP capabilities and looking to evolve with new standards for discoverability. |
|
Excited to see this specification moving forward! On our end, we have a strong need to support localized Would it make sense to extend the current schema to accommodate localized fields? For example, we could modify the description field (and similarly for title) to support either:
To ensure consistency, we should also apply this localization pattern to tool metadata (title and description). This would allow MCP hosts to display tool information in the user’s language, aligning with the broader goal of a localized UX. Happy to discuss about it and see if others feel the need of localization. |
Hi @HenriChabert I think a minor update to the streamable HTTP spec that simply proposes servers CAN respond dynamically to the Accept-Language header (most MCP clients support setting custom headers and actually host applications could send system languages here), and server cards could of course also be served based on standard HTTP content negotiation using the same process. STDIO servers I think can handle it via direct configuration or language packs. GitHub MCP for example enables ability to export and override descriptions for STDIO. I have written a PR #2355 that simply adds a reference to using existing http i18n standards to produce locale friendly MCP content. It's one of the features that is both implicit in the spec as it just extends HTTP, but is also under-utilized so I think an explicit mention is a good idea. |
WebMCP Support in Server CardsWebMCP tools are registered client-side after navigation, acting as an MCP server. We should support WebMCP in Server Cards. ProposalAdd
iframe isolation
Discovery
Note: While WebMCP lists discoverability as a non-goal, Server Cards fill could fill gap from the MCP side. Example{
"name": "com.example.site",
"version": "1.0.0",
"title": "Example Site",
"description": "WebMCP page tools at example.com.",
"websiteUrl": "https://example.com",
"remotes": [
{
"type": "webmcp",
"url": "https://example.com/mail",
"name": "com.example.mail",
"title": "Example Mail",
"description": "Email client. Tools for composing, searching, and managing messages.",
"supportedProtocolVersions": ["2025-06-15"]
},
{
"type": "webmcp",
"url": "https://example.com/sheets",
"name": "com.example.sheets",
"title": "Example Sheets",
"description": "Spreadsheet editor. Tools for creating and analyzing spreadsheet data.",
"supportedProtocolVersions": ["2025-06-15"]
}
]
}Happy to iterate on the details. |
Follow-on SEP: Payment Awareness ExtensionFollowing the discussion here about keeping Server Cards minimal and deferring specialized concerns to follow-on SEPs, we've been prototyping a payment awareness extension at neul-labs/mcp-pay. The GapAgent-to-service payments are fragmenting across incompatible discovery layers:
There's no rail-agnostic way for agents to discover pricing before connecting. Proposal:
|
|
I opened a PR with a few cleanups from our WG discussion last week and an attempt to fully align server.json with Server Card: #2443 From the PR:
Besides the PR, list of open threads I think we need to resolve to get this SEP into Core Maintainer review-ready state:
And the TODO items we enumerated in our last call:
|
…2152) * First pass * Fix Prettier formatting Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * Refactor cardinality * Remove note about Initialization * Tweak intro to reflect discovery as one use case * Update seps/2127-mcp-server-cards.md Co-authored-by: David Soria Parra <14013+dsp@users.noreply.github.com> * Update seps/2127-mcp-server-cards.md Co-authored-by: David Soria Parra <14013+dsp@users.noreply.github.com> * Move AI Card .well-known consideration into a Discovery section * Re-add * Reframe mirror section --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> Co-authored-by: David Soria Parra <14013+dsp@users.noreply.github.com>
Server cards should focus on identity, transport, and capability discovery. Primitive definitions (tools, resources, prompts) are removed because MCP servers are inherently dynamic — primitives vary by auth scope, feature flags, configuration, deployment state, session state, and more. A static manifest cannot reliably represent this dynamic surface. The 'dynamic' escape hatch acknowledged the problem but did not solve it. Until the protocol provides a mechanism for clients to understand which primitive surface applies to their context (e.g. server variants), server cards should not include information that cannot be reliably interpreted. Primitives remain discoverable through the protocol's standard list operations after connection establishment. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Clarify that including primitives in server cards risks creating a structural bias toward static servers, penalising servers that are dynamic for legitimate reasons. Call for a follow-on SEP to address prerequisites (variant enumeration, auth-scope signalling, partial listing contracts) before primitives are added. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Add three further arguments for excluding primitives: - Deployment is not atomic: rolling deploys make server cards transiently wrong even for nominally static servers. - No substitute for runtime listing: only the protocol's list operations reflect the actual surface for the authenticated user. - Cache-invalidation analogy: a server card with primitives is an incoherent cache with no invalidation signal, and introducing caches without invalidation strategies is a well-known source of subtle distributed-systems bugs. - If primitives are ever reintroduced they must be treated as documentation-only, never for caching or signatures. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Server cards without primitives already enable the core use cases: autoconfiguration, domain-level discovery, reduced-latency metadata, and registry integration. Primitives can follow in a future revision once the ecosystem has the right mechanisms. Shipping discovery now and correctly is more important than shipping a larger surface that risks being wrong. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The detailed arguments belong in the PR discussion, not the spec itself. The SEP now states the position concisely and defers the full reasoning to the PR body. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Remove 'full server surface' phrasing from design philosophy - Soften MUST to SHOULD for primitive discovery after connection Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Make description required to match server.json schema - Make capabilities optional to avoid breaking existing server.json files - Remove MCP Resource endpoint (mcp://server-card.json) — discovery should happen pre-connection via .well-known, not post-connection - Remove registry endpoint section — registry already serves server.json - Clarify that local/stdio servers use server.json + Registry path Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Switch from .well-known/mcp/server-card to .well-known/mcp-server-card to
register a single, precise IANA suffix rather than claiming the broader
mcp/ namespace. Also spec the {server-name} sub-path for hosts that serve
multiple MCP servers from one origin.
63c7f5a to
6bb3fb9
Compare
This SEP proposes adding a standardized discovery mechanism for HTTP-based MCP servers using a
.well-known/mcp.jsonendpoint.Moved from: #1649
Summary
This enables clients to automatically discover:
...all before establishing a connection.
Key Features
.well-known/mcp/server-card.json: HTTP endpoint for pre-connection discoverymcp://server-card.json: MCP resource for post-connection discoverySee the full specification in
seps/2127-mcp-server-cards.md.