MCP Updates March 2026

Last updated: April 17, 2026

The Model Context Protocol (MCP) March 2026 release brings meaningful improvements for developers building Claude Code workflows. This article covers the key changes, what they mean in practice, and how to migrate existing configurations.

What Changed in March 2026

The update focuses on three areas: enhanced tool discovery, improved state management, and streamlined authentication for enterprise deployments.

Enhanced Tool Discovery

Previously, MCP tools had to be registered at server startup. The March 2026 update supports dynamic tool registration, meaning servers can expose additional capabilities based on runtime context without restarting.

To take advantage of this, update your MCP server packages:

npm install @modelcontextprotocol/server-core@latest

Dynamic registration is useful when skills need to expose context-specific tools, for example, surfacing different data-access tools depending on which project directory is open.

On the server side, dynamic registration uses the new registerTool method available at any point after the server initializes. Here is a minimal example in Node.js:

import { MCPServer } from "@modelcontextprotocol/server-core";
const server = new MCPServer();
// Register a base set of tools at startup
server.registerTool("list_files", listFilesHandler);
// Later, register a tool in response to a context change
async function onProjectOpen(projectType) {
 if (projectType === "python") {
 server.registerTool("run_pytest", runPytestHandler);
 } else if (projectType === "node") {
 server.registerTool("run_jest", runJestHandler);
 }
}

Claude Code picks up newly registered tools on the next tool-discovery pass without requiring a restart or a new conversation session. This is a practical improvement for skills that need to adapt to the active repository, such as a /review skill that should expose different lint tools depending on whether you are working in a TypeScript monorepo versus a Python service.

Improved State Persistence

The update introduces a standardized checkpoint format for tool state. This allows MCP servers to serialize and restore internal state across sessions, so workflows don’t lose progress when you switch between projects.

Practically, this means skills like the tdd skill can maintain test context between Claude Code sessions without requiring you to re-explain the project structure each time.

The checkpoint format is a JSON document stored by default at ~/.claude/mcp-state/<server-name>.json. Your MCP server opts in by implementing two lifecycle hooks:

server.onCheckpoint(async () => {
 // Return a serializable snapshot of your server's state
 return {
 activeProject: currentProject,
 cachedSchema: dbSchemaCache,
 sessionFlags: featureFlags,
 };
});
server.onRestore(async (checkpoint) => {
 // Rehydrate state from the checkpoint on session resume
 currentProject = checkpoint.activeProject;
 dbSchemaCache = checkpoint.cachedSchema;
 featureFlags = checkpoint.sessionFlags;
});

For teams running shared MCP servers, you can redirect the checkpoint directory to a shared network location by setting MCP_STATE_DIR in the server’s environment block. This lets multiple developers resume from a consistent state, which is particularly useful for long-running code review or migration workflows where context would otherwise be lost between sessions.

OAuth 2.1 Authentication

Enterprise teams benefit from a cleaner OAuth 2.1 integration. The new flow supports:

• Automatic token refresh without interrupting tool execution
• Scope-based access controls at the tool level
• Cross-service authentication for complex workflows

Here is an example MCP server configuration using the updated auth block:

{
 "mcpServers": {
 "internal-api": {
 "command": "node",
 "args": ["./mcp-server/index.js"],
 "env": {
 "AUTH_PROVIDER": "azure-ad",
 "AUTH_AUTO_REFRESH": "true"
 }
 }
 }
}

The env block passes auth settings to your MCP server process. The actual OAuth implementation lives in your server code; Claude Code passes through the environment variables.

On the server side, the @modelcontextprotocol/auth-oauth2 package handles the OAuth 2.1 flow and token lifecycle. A minimal setup looks like this:

import { OAuth2Provider } from "@modelcontextprotocol/auth-oauth2";
const auth = new OAuth2Provider({
 provider: process.env.AUTH_PROVIDER, // e.g. "azure-ad"
 clientId: process.env.OAUTH_CLIENT_ID,
 clientSecret: process.env.OAUTH_CLIENT_SECRET,
 scopes: ["read:data", "write:data"],
 autoRefresh: process.env.AUTH_AUTO_REFRESH === "true",
});
server.useAuth(auth);

Once useAuth is called, every tool invocation is automatically gated behind a valid access token. If the token has expired, the library refreshes it silently before the tool handler is called, no user interaction required. Scope-based controls let you restrict individual tools: a tool that writes to a production database can require write:prod while read-only tools only need read:data.

For teams already using Azure AD or Okta, this eliminates the custom token-refresh code that most teams were maintaining in their own server wrappers.

Connecting to Multiple Data Sources

The updated MCP makes multi-database configurations simpler. Here is an example ~/.claude/settings.json snippet connecting two PostgreSQL instances:

{
 "mcpServers": {
 "postgres_main": {
 "command": "npx",
 "args": ["@modelcontextprotocol/server-postgres", "postgresql://localhost/main"]
 },
 "postgres_analytics": {
 "command": "npx",
 "args": ["@modelcontextprotocol/server-postgres", "postgresql://localhost/analytics"]
 }
 }
}

With both servers active, Claude Code can query either database in the same session. This pairs well with the pdf skill when generating reports that pull from multiple sources.

The updated connection pooling in this release means both servers can hold persistent connections without each request incurring a fresh TCP handshake. For databases on the same host, this is a minor convenience. For remote databases or those behind a VPN, the latency savings are noticeable, queries that previously took 200–400ms due to connection setup now return results in closer to 20–30ms.

You can also mix data source types. Here is an example that connects a PostgreSQL instance alongside a Filesystem server:

{
 "mcpServers": {
 "postgres_main": {
 "command": "npx",
 "args": ["@modelcontextprotocol/server-postgres", "postgresql://localhost/main"]
 },
 "local_docs": {
 "command": "npx",
 "args": ["@modelcontextprotocol/server-filesystem", "/Users/you/projects/docs"]
 }
 }
}

With this configuration, Claude Code can cross-reference database records against local documentation files in a single response, a pattern that works well for generating release notes or compliance reports.

Migration Path

Existing MCP configurations continue to work without changes. The March 2026 release is fully backward-compatible: old-style static tool registration, pre-checkpoint state management, and existing auth approaches all continue to function. You only need to take action if you want to adopt new capabilities.

To use the new features:

1. Update server packages: npm install @modelcontextprotocol/server-core@latest
2. Test dynamic tool registration with your specific server implementation
3. Implement onCheckpoint and onRestore hooks if you want persistent state across sessions
4. Review OAuth configuration if you are on an enterprise deployment, the new @modelcontextprotocol/auth-oauth2 package replaces any custom token-management code
5. Verify your settings.json is valid JSON before restarting: a single syntax error silently prevents all MCP servers from loading

If you are on a team, coordinate the package update so all developers move to server-core@latest together. Mixed versions can cause checkpoint format mismatches if one server writes a checkpoint that an older server version cannot parse.

Performance Improvements

The March release includes internal optimizations:

• Tool invocation overhead reduced by approximately 40% for cached tools
• Connection pooling for frequently accessed resources
• Lazy loading of tool definitions on first use

These gains compound when running multiple MCP servers in parallel.

Security Updates

This release adds sandboxing defaults and audit logging for enterprise compliance. Sensitive data in tool responses can be automatically redacted using response filters configured in your MCP server.

Audit logging is opt-in and writes a structured JSON log to ~/.claude/mcp-audit.log by default. Each entry records the tool name, calling session ID, timestamp, and the sanitized input parameters. You can redirect this log to a centralized SIEM by setting MCP_AUDIT_LOG to a file path or a syslog:// URI in your server environment.

Response filters let you declare patterns that should never appear in tool output. A common use case is redacting credentials or PII that might appear in database query results:

server.addResponseFilter({
 pattern: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z]{2,}\b/i,
 replacement: "[REDACTED_EMAIL]",
});
server.addResponseFilter({
 pattern: /password\s*[:=]\s*\S+/i,
 replacement: "password: [REDACTED]",
});

Filters run on all tool responses before Claude Code receives them, so there is no path by which filtered content reaches the model or appears in conversation history. This is important for teams subject to SOC 2 or HIPAA requirements, where sensitive data must not transit through third-party AI services.

What’s Coming

The March 2026 update lays groundwork for:

• Native streaming tool responses for real-time feedback
• Cross-session memory sharing between Claude instances
• Enhanced debugging tools for tool chain development

Summary

The March 2026 MCP update improves tool discovery, state persistence, and authentication. The migration is straightforward for existing deployments, and the performance gains are noticeable in workflows that use multiple skills like /tdd, /pdf, and /supermemory together. Update your server packages to take advantage of these changes.

---

---

I'm a solo developer in Vietnam. 50K Chrome extension users. $500K+ on Upwork. 5 Claude Max subscriptions running agent fleets in parallel. These are my actual CLAUDE.md templates, orchestration configs, and prompts. Not a course. Not theory. The files I copy into every project before I write a line of code. **[See what's inside →](https://zovo.one/lifetime?utm_source=ccg&utm_medium=cta-default&utm_campaign=anthropic-model-context-protocol-updates-march-2026)** $99 once. Free forever. 47/500 founding spots left.

Related Reading

• Best Claude Skills for Developers in 2026. Where MCP fits in the developer stack
• Claude Skills Auto Invocation: How It Works. How Claude decides when to load skills
• Claude Skills Token Optimization: Reduce API Costs. Keep API costs down as you scale
• Claude Code for Seldon Core Model Serving Guide
• Claude Code Announcements 2026: Complete Developer Overview
• Claude Code March 2026 Update: What Is New
• Claude Code Model Compression and Quantization Guide
• Claude Code + Supabase MCP setup — connect Supabase through MCP
• Claude Code hooks — hooks complement MCP servers

Built by theluckystrike. More at zovo.one

Configure it → Build your MCP config with our MCP Config Generator.

See Also

Configure permissions → Build your settings with our Permission Configurator.

Try it: Paste your error into our Error Diagnostic for an instant fix.

• MCP Protocol Version Mismatch in Claude — Fix (2026)