In 2025-2026, MCP evolved beyond STDIO with the Streamable HTTP transport — replacing the deprecated SSE-only approach. Streamable HTTP is a single HTTP endpoint that supports both request-response and streaming patterns, making it ideal for remote MCP servers deployed to the cloud.
Remote MCP servers now support OAuth 2.1 with PKCE for secure authentication. This enables enterprise-grade access control — users authenticate via their identity provider, and the MCP server validates tokens before granting tool access. This is critical for production deployments connecting to sensitive systems like Salesforce, Jira, or internal databases.
Organizations deploy MCP Gateways as central control planes that sit between clients and servers. These gateways enforce rate limits, audit trails, and policy-based access control across all MCP connections. The Linux Foundation now governs the MCP specification, ensuring vendor-neutral evolution.