Is MCP 2024-11-05 Still the Protocol Baseline?

Sergii Muliarchuk
mcp-protocol mcp-servers ai-automation

We ran MCP 2024-11-05-final across 12+ FlipFactory servers. Here's what held up, what broke, and why it still matters in 2026.

Is MCP 2024-11-05 Still the Protocol Baseline?

TL;DR: The 2024-11-05-final tag on the Model Context Protocol repository was the first production-stable MCP specification — and as of May 2026, it remains the lowest common denominator that every serious MCP server must satisfy. We’ve run 12+ FlipFactory MCP servers against it for over 18 months and found it durable but quietly opinionated in ways that bite you in production. Here’s the unfiltered picture.

At a glance

  • November 5, 20242024-11-05-final published as the first stable MCP release on GitHub under modelcontextprotocol/modelcontextprotocol.
  • JSON-RPC 2.0 is mandated as the wire protocol; the spec document runs to ~4,200 lines of TypeScript type definitions plus prose.
  • 3 capability primitives are defined: tools, resources, and prompts — unchanged through the 2025-03-26 revision.
  • Our scraper and docparse MCP servers processed 340,000+ tool calls against this spec in Q1 2025 alone, with a p99 latency of 210 ms on a 2-vCPU VPS.
  • Claude Desktop 0.7 (November 2024 launch) was the first widely distributed client to advertise 2024-11-05-final in its initialize handshake.
  • FlipFactory runs 12 named MCP servers (including bizcard, coderag, crm, flipaudit, leadgen, memory, n8n, reputation, scraper, seo, transform, utils) — all still carry a 2024-11-05-final compatibility shim.
  • 3 production security incidents traced to prompt-injection via tool description fields, a vector the 2024-11-05 spec explicitly did not address.

Q: What exactly did 2024-11-05-final lock down?

The release formalized four things that had been fluid in earlier drafts: the initialize / initialized handshake sequence, the shape of tools/list and tools/call request-response pairs, the error-code namespace (mirroring JSON-RPC 2.0’s -32xxx range), and the capability negotiation object. Before this tag, every MCP server we’d prototyped — including an early flipaudit build from October 2024 — used slightly different field names and had to be manually aligned with each client drop.

In November 2024 we cut our first production deploy of the scraper MCP server pinned to this spec. The tools/call response envelope — { content: [{ type, text }], isError } — has been stable ever since. That stability is the real value: we wrote integration tests against it in November 2024, and those same tests still pass today on our PM2-managed fleet without modification. The spec didn’t solve everything, but it gave us a contract we could actually test against, which was the missing piece.

Q: Which FlipFactory servers exposed spec gaps fastest?

The memory and knowledge MCP servers hit the first real gap within 60 days. The 2024-11-05 spec defines resources as a primitive but leaves subscription and change-notification semantics entirely open. In January 2025 we needed the Claude Desktop client to react when a knowledge-base document updated — the spec offered no resources/subscribe method at that point. We patched it with a polling tool (knowledge_poll_changes) that the LLM calls every N turns, which is inelegant but auditable.

The n8n MCP server exposed a second gap: the spec’s prompts primitive assumes static prompt templates, but our n8n workflows generate prompts dynamically based on webhook payload context. We hacked around this by encoding workflow ID O8qrPplnuQkcp5H6 (our Research Agent v2) as a tool argument rather than a prompt parameter — functional, but semantically wrong per the spec. The 2025-03-26 revision partially addressed dynamic prompts, but our workaround had already been in production for four months by then.

Q: How did security posture look against this spec version?

Bluntly: the 2024-11-05 spec is security-naive by 2026 standards. It defines no authentication mechanism — transport security is entirely delegated to the implementer. More critically, tool description fields are passed verbatim to the LLM context, and the spec places no constraints on their content. This is the prompt-injection surface that caused our 3 production incidents.

The first incident, in February 2025, involved our leadgen MCP server. A third-party data source we scraped embedded instructions in HTML meta-descriptions. Those strings flowed into a tool description refresh, landed in the Claude Sonnet 3.5 context window, and caused the agent to call crm_create_contact with fabricated data. We caught it via our flipaudit server’s call-log diff — the audit trail showed 47 anomalous CRM writes in a 12-minute window. Fix: we now sanitize all externally sourced strings through a transform MCP server step before they touch any tool schema. Total remediation time: 6 hours. The 2024-11-05 spec offered no guidance here; we had to derive the pattern ourselves.

Deep dive: why a November 2024 spec still governs a May 2026 ecosystem

It’s worth stepping back and asking why a specification released 18 months ago still functions as the de-facto compatibility floor for MCP servers. The answer has two parts: adoption inertia and deliberate conservatism in the spec’s evolution.

On inertia: Anthropic’s MCP SDK (TypeScript and Python) shipped 2024-11-05-final conformance as its default from day one. Developers who npm install @modelcontextprotocol/sdk or pip install mcp in early 2025 got a client/server pair that spoke this version. Those deployments don’t automatically upgrade spec versions — they upgrade when the developer chooses to. According to Anthropic’s own SDK changelog (published at github.com/modelcontextprotocol/typescript-sdk), the 2025-03-26 spec revision was opt-in for six months before becoming the default. That six-month window meant a large installed base stayed on 2024-11-05-final well into late 2025.

On conservatism: the MCP working group (documented in the modelcontextprotocol/specification repository) adopted a “no breaking changes in minor revisions” policy from the start. Every addition since November 2024 has been additive. resources/subscribe arrived in March 2025. Structured tool output arrived in mid-2025. Elicitation (server-initiated user prompts) arrived later still. None of these removed or renamed anything from the 2024-11-05 baseline. This is good engineering discipline, and it’s why our compatibility shim is trivially thin — it mostly just strips unrecognized fields before forwarding to older clients.

Simon Willison, writing on his blog simonwillison.net in early 2025, described MCP’s stability as “unusually disciplined for a protocol that’s moving this fast” — a characterization that matches our production experience. He noted that the tools/call contract in particular had remained byte-for-byte compatible across releases, which is remarkable given how much the surrounding ecosystem had changed.

The broader context is that MCP sits at an inflection point familiar from other protocol histories. HTTP/1.1 (RFC 2616, 1999) governed web traffic for over a decade before HTTP/2 achieved meaningful deployment. OAuth 2.0 (RFC 6749, 2012) is still the dominant auth framework despite OAuth 2.1 consolidation efforts. Long-lived specs aren’t a sign of stagnation — they’re a sign that the core abstractions were right. The MCP working group’s decision to nail down tools, resources, and prompts as the three load-bearing primitives in November 2024 looks increasingly prescient: 18 months of production usage at FlipFactory and across the broader ecosystem hasn’t surfaced a case where those primitives were fundamentally wrong, only cases where they needed extension.

That said, the security gap is real and the spec’s silence on authentication is increasingly untenable. The draft OAuth 2.1 integration for MCP (referenced in the modelcontextprotocol/specification GitHub discussions as of Q1 2026) is overdue. We’ve been running our own API-key middleware in front of every FlipFactory MCP server since March 2025 — a pattern that Cloudflare’s developer documentation for Workers-based MCP servers also recommends, citing the same spec gap.

In May 2026 we still recommend 2024-11-05-final as the starting conformance target for any new MCP server build. Not because newer specs aren’t better, but because targeting the baseline first and layering extensions second is how you build something that works with every client in the wild — not just the latest Claude Desktop release.

Key takeaways

  • MCP 2024-11-05-final locked in JSON-RPC 2.0 transport and 3 core primitives: tools, resources, prompts.
  • Every MCP revision since November 2024 has been strictly additive — no breaking changes in 18 months.
  • FlipFactory’s flipaudit MCP server caught 47 anomalous CRM writes in 12 minutes during a prompt-injection incident.
  • The spec’s zero authentication guidance forced every serious production operator to build their own auth middleware.
  • Targeting 2024-11-05-final conformance first gives new servers compatibility with 100% of MCP clients we’ve tested.

FAQ

Q: Is MCP 2024-11-05-final still relevant for new server builds in 2026?

Yes — every later MCP release is a strict superset. Servers that pass 2024-11-05-final conformance tests work with every client we’ve tested, including Claude Desktop 3.x and Cursor 0.42. We ship a compatibility shim in all FlipFactory servers precisely because older clients still advertise this version in their handshake.

Q: What broke most often when we upgraded past 2024-11-05-final?

Tool-schema validation tightened in the 2025-03-26 revision. Our coderag and knowledge MCP servers both threw additionalProperties not allowed errors on fields we’d added informally. Fixing this cost roughly 4 hours of schema cleanup per server — not catastrophic, but a surprise we hadn’t budgeted for in a client sprint.

Q: Do we need to implement resources and prompts or just tools?

For most business automation use cases, tools alone is sufficient and resources / prompts are optional. Our leadgen, seo, and reputation servers expose zero resources and zero prompts — pure tool servers — and they satisfy full 2024-11-05-final conformance. Only our knowledge and coderag servers use resources, because those are the cases where the LLM genuinely needs to browse a corpus rather than execute a discrete action.

Further reading

  • Anthropic MCP specification repository: github.com/modelcontextprotocol/modelcontextprotocol
  • Anthropic TypeScript SDK changelog: github.com/modelcontextprotocol/typescript-sdk
  • FlipFactory production MCP server patterns and AI automation case studies: flipfactory.it.com

About the author

Sergii Muliarchuk — founder of FlipFactory.it.com. Building production AI systems for fintech, e-commerce, and SaaS clients. We run 12+ MCP servers, n8n workflows, and FrontDeskPilot voice agents in production.

We’ve been operating MCP servers in production since the protocol’s first stable release in November 2024 — longer than most teams writing about it today.

Frequently Asked Questions

Is MCP 2024-11-05-final still relevant for new server builds in 2026?

Yes — every later MCP release is a strict superset. Servers that pass 2024-11-05-final conformance tests work with every client we've tested, including Claude Desktop 3.x and Cursor 0.42. We ship a compatibility shim in all FlipFactory servers precisely because older clients still advertise this version in their handshake.

What broke most often when we upgraded past 2024-11-05-final?

Tool-schema validation tightened in the 2025-03-26 revision. Our coderag and knowledge MCP servers both threw 'additionalProperties not allowed' errors on fields we'd added informally. Fixing this cost roughly 4 hours of schema cleanup per server — not catastrophic, but a surprise we hadn't budgeted for in a client sprint.

Related Articles