fix: use correct HTTP status codes for session errors per MCP spec

its-mash · alexhancock · commit d4801bd266e2 · 2026-02-24T13:24:08.000-05:00
MCP spec (2025-11-25) section "Session Management" requires:
- Missing session ID header → 400 Bad Request (not 401)
- Unknown/terminated session → 404 Not Found (not 401)

Using 401 Unauthorized caused MCP clients (e.g. VS Code) to
trigger full OAuth re-authentication on server restart, instead
of simply re-initializing the session.

Signed-off-by: Mohammod Al Amin Ashik &lt;maa.ashik00@gmail.com&gt;
diff --git a/crates/rmcp/src/transport/streamable_http_server/tower.rs b/crates/rmcp/src/transport/streamable_http_server/tower.rs
@@ -299,10 +299,10 @@ where
             .and_then(|v| v.to_str().ok())
             .map(|s| s.to_owned().into());
         let Some(session_id) = session_id else {
-            // unauthorized
+            // MCP spec: servers that require a session ID SHOULD respond with 400 Bad Request
             return Ok(Response::builder()
-                .status(http::StatusCode::UNAUTHORIZED)
-                .body(Full::new(Bytes::from("Unauthorized: Session ID is required")).boxed())
+                .status(http::StatusCode::BAD_REQUEST)
+                .body(Full::new(Bytes::from("Bad Request: Session ID is required")).boxed())
                 .expect("valid response"));
         };
         // check if session exists
@@ -312,10 +312,10 @@ where
             .await
             .map_err(internal_error_response("check session"))?;
         if !has_session {
-            // unauthorized
+            // MCP spec: server MUST respond with 404 Not Found for terminated/unknown sessions
             return Ok(Response::builder()
-                .status(http::StatusCode::UNAUTHORIZED)
-                .body(Full::new(Bytes::from("Unauthorized: Session not found")).boxed())
+                .status(http::StatusCode::NOT_FOUND)
+                .body(Full::new(Bytes::from("Not Found: Session not found")).boxed())
                 .expect("valid response"));
         }
         // Validate MCP-Protocol-Version header (per 2025-06-18 spec)
@@ -444,10 +444,10 @@ where
                     .await
                     .map_err(internal_error_response("check session"))?;
                 if !has_session {
-                    // unauthorized
+                    // MCP spec: server MUST respond with 404 Not Found for terminated/unknown sessions
                     return Ok(Response::builder()
-                        .status(http::StatusCode::UNAUTHORIZED)
-                        .body(Full::new(Bytes::from("Unauthorized: Session not found")).boxed())
+                        .status(http::StatusCode::NOT_FOUND)
+                        .body(Full::new(Bytes::from("Not Found: Session not found")).boxed())
                         .expect("valid response"));
                 }
 
@@ -647,10 +647,10 @@ where
             .and_then(|v| v.to_str().ok())
             .map(|s| s.to_owned().into());
         let Some(session_id) = session_id else {
-            // unauthorized
+            // MCP spec: servers that require a session ID SHOULD respond with 400 Bad Request
             return Ok(Response::builder()
-                .status(http::StatusCode::UNAUTHORIZED)
-                .body(Full::new(Bytes::from("Unauthorized: Session ID is required")).boxed())
+                .status(http::StatusCode::BAD_REQUEST)
+                .body(Full::new(Bytes::from("Bad Request: Session ID is required")).boxed())
                 .expect("valid response"));
         };
         // Validate MCP-Protocol-Version header (per 2025-06-18 spec)
diff --git a/crates/rmcp/tests/test_sse_channel_replacement_bug.rs b/crates/rmcp/tests/test_sse_channel_replacement_bug.rs
@@ -577,9 +577,10 @@ async fn reconnect_after_stream_timeout() {
 
 // ─── Tests: Edge cases ──────────────────────────────────────────────────────
 
-/// GET without a valid session ID should return 401 Unauthorized.
+/// GET with an unknown session ID should return 404 Not Found per MCP spec.
+/// This signals the client to re-initialize (not re-authenticate).
 #[tokio::test]
-async fn get_without_valid_session_returns_401() {
+async fn get_without_valid_session_returns_404() {
     let ct = CancellationToken::new();
     let trigger = Arc::new(Notify::new());
     let url = start_test_server(ct.clone(), trigger).await;
@@ -595,16 +596,16 @@ async fn get_without_valid_session_returns_401() {
 
     assert_eq!(
         resp.status().as_u16(),
-        401,
-        "GET with invalid session ID should return 401"
+        404,
+        "GET with unknown session ID should return 404 Not Found per MCP spec"
     );
 
     ct.cancel();
 }
 
-/// GET without session ID header should return an error (400 or similar).
+/// GET without session ID header should return 400 Bad Request per MCP spec.
 #[tokio::test]
-async fn get_without_session_id_header_returns_error() {
+async fn get_without_session_id_header_returns_400() {
     let ct = CancellationToken::new();
     let trigger = Arc::new(Notify::new());
     let url = start_test_server(ct.clone(), trigger).await;
@@ -617,11 +618,10 @@ async fn get_without_session_id_header_returns_error() {
         .await
         .expect("GET without session ID");
 
-    // Should fail (400 Bad Request or similar)
-    assert!(
-        !resp.status().is_success(),
-        "GET without session ID should fail, got {}",
-        resp.status()
+    assert_eq!(
+        resp.status().as_u16(),
+        400,
+        "GET without session ID should return 400 Bad Request per MCP spec"
     );
 
     ct.cancel();
