Eight months of MCP spelunking yields tricks, traps, and oddities
u/Icy_Finding9828 shares a collection of non-obvious MCP protocol behaviors discovered while building an observability system and proxy, covering OAuth quirks, session handling, tool errors, and more.
Score breakdown
These findings expose a set of silent failure modes in MCP — particularly the `isError` flag trap and deceptive OAuth flows — that can cause observability gaps and hard-to-debug authentication failures in production MCP integrations.
u/Icy_Finding9828 spent eight months building an MCP observability system and a proxy for a client, and used the experience to compile a detailed list of protocol oddities, tricks, and subtleties. On the authentication front, some servers, such as Figma's, enforce OAuth client ID allowlisting, so a spoofed client ID simply redirects the user to the spoofed client's own website. Other servers present a deceptively successful OAuth flow and then fail with unauthenticated errors on actual requests; the post recommends always attempting a tool listing after auth to confirm that it worked. Interestingly, some OAuth-gated servers still permit unauthenticated tool listing, and the post notes that weaker models fairly often produce tool calls and resource reads that violate the required schema.
On the tricks side, tool and resource lists can be dynamic, with clients expected to re-query when they receive a list-changed notification. Stateless servers can accept an `mcp-session-id` header but silently ignore all notifications, which the post flags as useful for observability or user tracking. Session IDs are not required to be UUIDs — the protocol only mandates visible ASCII characters. Servers can also send logs to clients within a session via the `notifications/message` notification, with verbosity controlled by a `logging/setLevel` request. The post also recommends implementing transparent transport failover — trying Streamable HTTP first and falling back to SSE — since the SDKs do not handle this automatically.
Among the subtleties, the post highlights that tool errors are reported as successes at both the HTTP and JSON-RPC layers, requiring callers to explicitly check the `isError` flag in the tool call result. Stdio servers are stateful, with the session lasting as long as the pipe stays open. Finally, adding an MCP server mid-conversation with an agent does not necessarily inject it into the current chat context, and a new chat session may need to be started for the server to be available.
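To make the session-ID, notification and `isError` points above concrete, here is a small client-side helper written for this summary (it is not code from the original post or from any MCP SDK). It validates an `mcp-session-id` against the visible-ASCII rule, classifies a `tools/call` response so that an HTTP 200 with a JSON-RPC `result` carrying `isError: true` is surfaced as a failure rather than a success, and dispatches server notifications so a `list_changed` notification marks the cached tool or resource list as stale and a `notifications/message` log record is captured. The exact notification method names (`notifications/tools/list_changed`, `notifications/resources/list_changed`) are taken from the MCP specification as the author of this example understands it; the sample JSON-RPC messages are constructed for illustration.

```python
import json
from dataclasses import dataclass, field
from typing import List, Optional

# Streamable HTTP session IDs only need to be visible ASCII (0x21-0x7E);
# a UUID is allowed but not required.
VISIBLE_ASCII = {chr(c) for c in range(0x21, 0x7F)}


def is_valid_session_id(session_id: str) -> bool:
    """True if the ID is non-empty and every character is visible ASCII."""
    return bool(session_id) and all(ch in VISIBLE_ASCII for ch in session_id)


@dataclass
class ToolOutcome:
    ok: bool
    kind: str                    # "result", "tool_error" or "rpc_error"
    text: str = ""
    code: Optional[int] = None


def classify_tool_call_response(http_status: int, body: str) -> ToolOutcome:
    """Classify a tools/call response.

    An HTTP 200 with a JSON-RPC 'result' does not mean the tool succeeded:
    a failing tool still returns a result, with isError set to true.
    """
    if http_status != 200:
        return ToolOutcome(False, "rpc_error", f"HTTP {http_status}", http_status)
    msg = json.loads(body)
    if "error" in msg:                      # genuine JSON-RPC protocol error
        err = msg["error"]
        return ToolOutcome(False, "rpc_error", err.get("message", ""), err.get("code"))
    result = msg.get("result", {})
    text = " ".join(c.get("text", "") for c in result.get("content", [])
                    if c.get("type") == "text")
    if result.get("isError"):               # the trap: success at both lower layers
        return ToolOutcome(False, "tool_error", text)
    return ToolOutcome(True, "result", text)


@dataclass
class ClientState:
    tools_stale: bool = False                 # re-run tools/list before next use
    resources_stale: bool = False             # re-run resources/list before next use
    server_logs: List[tuple] = field(default_factory=list)
    unknown: List[str] = field(default_factory=list)


def handle_notification(state: ClientState, body: str) -> ClientState:
    """Dispatch a server-initiated notification (a JSON-RPC message with no id)."""
    msg = json.loads(body)
    method = msg.get("method")
    params = msg.get("params", {})
    if method == "notifications/tools/list_changed":
        state.tools_stale = True
    elif method == "notifications/resources/list_changed":
        state.resources_stale = True
    elif method == "notifications/message":   # server log line within the session
        state.server_logs.append((params.get("level"), params.get("logger"),
                                  params.get("data")))
    else:
        state.unknown.append(str(method))
    return state


# Constructed sample messages (not captured from any real server).
SAMPLE_TOOL_ERROR = json.dumps({"jsonrpc": "2.0", "id": 1, "result": {
    "isError": True, "content": [{"type": "text", "text": "file not found"}]}})
SAMPLE_TOOL_OK = json.dumps({"jsonrpc": "2.0", "id": 2, "result": {
    "content": [{"type": "text", "text": "3 rows"}]}})
SAMPLE_RPC_ERROR = json.dumps({"jsonrpc": "2.0", "id": 3,
                               "error": {"code": -32601, "message": "Method not found"}})
SAMPLE_LIST_CHANGED = json.dumps({"jsonrpc": "2.0",
                                  "method": "notifications/tools/list_changed"})
SAMPLE_LOG = json.dumps({"jsonrpc": "2.0", "method": "notifications/message",
                         "params": {"level": "warning", "logger": "db", "data": "slow query"}})


def demo() -> ClientState:
    """Run the samples through the helpers and return the resulting client state."""
    for status, body in [(200, SAMPLE_TOOL_ERROR), (200, SAMPLE_TOOL_OK), (200, SAMPLE_RPC_ERROR)]:
        print(classify_tool_call_response(status, body))
    state = ClientState()
    handle_notification(state, SAMPLE_LIST_CHANGED)
    handle_notification(state, SAMPLE_LOG)
    return state


if __name__ == "__main__":
    print(demo())
```

The useful property for observability is that `classify_tool_call_response` returns a distinct `kind` for the three cases, so a proxy can count tool-level failures separately from transport and protocol errors instead of recording every HTTP 200 as a success.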
Key facts
1. Some MCP servers like Figma enforce OAuth client ID allowlisting, blocking unregistered clients.
2. A deceptively successful OAuth flow can still result in unauthenticated errors — a post-auth tool listing is the recommended verification step.
3. Some OAuth-gated servers still allow unauthenticated tool listing.
4. Tool and resource lists can be dynamic; clients should re-query on list-changed notifications.
5. Stateless MCP servers accept an `mcp-session-id` but silently drop all notifications.
6. Session IDs only need to be visible ASCII strings, not UUIDs.
7. Tool errors return HTTP and JSON-RPC success — callers must check the `isError` flag in the result to detect them.
8. Stdio servers are stateful: the session lives as long as the pipe remains open.
9. Adding an MCP server mid-chat may not inject it into the current context; a new chat session may be required.
Summary and scoring are generated automatically from the original article. We always link back to the publisher and never republish images or paywalled content. Last processed Jun 12, 2026 · 10:05 UTC.