The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for MCP Dev Summit North America to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration..
IMPORTANT NOTE: Timing of sessions and room locations are subject to change.
Sign up or log in to add sessions to your schedule and sync them to your phone or calendar.
The impulse to rewrite the auth stack for AI agents is strong, but we cannot design away the fundamental relationships standards protect. This session explores how MCP is reshaping OAuth—not abandoning it—to meet the ecosystem's unique challenges:
The "Unregistered Client" Problem: Traditional OAuth requires pre-registration. MCP breaks this. We’ll see how Client ID Metadata Documents (CIMD) allow agents to bring their own identities to arbitrary servers, how it improves on Dynamic Client Registration, and how to mitigate the risks of unregistered clients.
Separation of Concerns: Why your MCP server shouldn't be your Authorization Server. We’ll cover how Protected Resource Metadata (RFC 9728) enables dynamic auth server discovery, keeping agents lightweight and security boundaries clean.
Enterprise-Managed Authorization: To stop "click-through fatigue," we’ll introduce the Identity Assertion Authorization Grant. This moves consent to the enterprise policy layer, enabling secure, scalable adoption.
Join me to secure the agent ecosystem—from discovery to governance—not by reinventing the wheel, but by making incremental improvements to the way it turns.
Aaron Parecki is Director of Identity Standards at Okta, and active in multiple standards development organizations including IETF, OpenID Foundation, W3C, and MCP. He is an editor of OAuth 2.1 along with several other OAuth specifications, and has been influential in shaping how... Read More →
MCP is becoming stateless in one of the largest changes to the protocol since its launch.
This change simplifies the deployment of robust servers, making MCP ready for the next wave of scaled usage driven by agents and use cases like MCP Apps.
This session led by members of the Transports Working Group: - Explores the upcoming changes - and sharing real data from Google and Hugging Face on the motivation behind them. - Details the latest approaches on handling serverless Elicitation, Sampling and Sessions. - Introduces the application and infrastructure patterns that can take advantage of the stateless protocol.
We'll also update on the latest roadmap status and expected migration timelines and approach
Shaun Smith leads Open Source MCP at Hugging Face, and is an MCP Steering Committee member serving as a Community Moderator and within the Transports Working Group.
Kurtis Van Gent is a MCP Core Maintainer and leads the MCP Transports Working Group. By day, he leads AI Ecosystems + Integrations for Google Cloud Databases and helped create MCP Toolbox for Databases.
As the MCP specification evolves, so do the subtle behavioral differences between implementations that undermine the protocol's core promise: compatibility without coordination. How do you ensure a client built with the Python SDK behaves identically to one built with TypeScript, C#, or Go?
This talk introduces MCP's conformance testing infrastructure. Real SDK implementations run against scenarios that analyze their behavior and assess conformance. Each scenario exercises a specific protocol interaction from OAuth flows and Client ID Metadata Documents to resource metadata discovery, verifying that every SDK handles it correctly.
I'll cover how we built this, what we found when we ran it across SDKs, and how it's changed the way we develop and ship spec changes. You'll learn how conformance testing prevents entire categories of bugs, accelerates code generation of new implementations, increases security guarantees by simulating attacks, and enables evidence-based SDK tiering. I'll also cover how you can get involved: writing new scenarios, running tests against implementations, and helping close the gap between spec and reality.
Paul Carleton is a Core Maintainer of the Model Context Protocol and Auth Nerd at Anthropic, where he leads auth implementations across Anthropic's clients and the TypeScript and Python SDKs. He drives MCP conformance testing efforts to ensure consistent behavior across the ecosy... Read More →
In November 2025 the Model Context Protocol introduced Tasks, which deliver first-class async semantics, something that is both excellent, and hard. Tasks define long-running operations with explicit client/server coordination, TTLs, and lifecycle states. They require durable state beyond ephemeral connections and require developers address distributed-systems concerns like stable task identity, rediscovery via tasks/list, mismatched sync/async expectations, and failures across retries and restarts.
This talk digs into all of those concerns through real implementations. We’ll examine what the spec requires, and what it intentionally leaves open (i.e. how durability is achieved), as well as what happens when clients or servers restart mid-task. We’ll talk about how to do idempotency right, and how those choices shape polling, backpressure, and error handling. We’ll also cover how to best do human-in-the-loop when the Task has input_required, all while avoiding any tight coupling between the client and server.
You’ll come away with concrete practices for building robust async MCP clients and servers, and a clearer mental model of the distributed systems issues the spec encodes.
Cornelia has spent a career at the forefront of technological innovation, starting with image processing algorithm development, moving to web-centric computing in the late 1990s, and then more than a decade working in cloud-native software and DevOps platforms. As a Developer Advocate... Read More →
Since its inception, we've talked about MCP from the perspective of Clients and Servers. This session focuses on an interesting paradigm taking advantage of the intentional asymmetry of the MCP spec - what if a Client was also a Server? What happens when we break out of a singular client-server pair and into multiple? What can this idea tell us about the future of MCP?
This session will cover the concept of an "MCP Agent" - a Client that is also a Server. We'll construct a system design for this MCP Agent to other servers and MCP agents and touch on several key considerations including auth and scalability.
Participants are expected to have an introductory knowledge of MCP, the mechanics of how Clients and Servers interact with each other, and a general interest in agent-to-agent communication!
Rohit is an AI Product Manager at Descope, where he leads the MCP Auth and Agentic Identity efforts. Previously, he worked in Microsoft's Developer Division across products like the Azure SDKs and VS Code before launching the Azure MCP Server.
You approve one sudo command (Ubuntu's default timeout is 15 minutes), so now your agent can `rm -rf /` your entire machine without asking again. You could run in a sandbox, but even there, `gh` can add a public SSH key to your account, or leak a token into the context window.
These aren't hypotheticals. Agents have deleted production databases and wiped drives using interfaces designed for humans, not autonomous AI. CLIs optimize for human ergonomics; APIs optimize for programmatic flexibility. Neither provides what agents need: structural safety boundaries, workflow context, graceful error recovery and auditable actions.
MCP can solve virtually all of these. This talk explores what breaks when agents use CLIs and APIs, and how MCP addresses these failures through protocol-level security, structured tool definitions, workflow guidance, consent flows, and registries.
We'll see why MCP offers the only sane path forward for safe agentic AI, and how it enables enterprise governance that unlocks mass corporate adoption. We'll also discuss gaps that still need addressing. You'll leave knowing exactly why "just use CLIs" is dangerous advice—and what to do instead.
Sam is a Senior Software Engineer at GitHub, where he leads development of the GitHub MCP server. He works on AI developer tools and helps shape agentic workflows at GitHub. In a past life he was also a professional drummer.
What if your workflow engine wasn't just a consumer of MCP servers, but was itself built entirely on the MCP protocol? This talk explores a novel architecture that uses MCP's newest primitives to create a production-ready workflow orchestration system. We'll demonstrate how MCP's task framework provides natural workflow step management, while sampling enables intelligent decision-making at each stage. You'll see how dynamic tool definition works at both workflow and step levels, allowing workflows to adapt their capabilities on the fly. We'll also cover practical challenges like handling OAuth authentication flows mid-execution and coordinating multiple MCP servers within a single workflow. Through a real-world case study you'll see how MCP's composability transforms workflow design. Rather than building yet another workflow engine that happens to use MCP tools, we'll show how treating MCP as the foundation protocol unlocks new patterns for distributed, intelligent automation. Attendees will leave with a deeper understanding of the MCP specification and how the capabilities can be composed to create production-ready workflow applications.
Donnie Adams is a Software Architect at Obot AI, where he builds enterprise MCP infrastructure including the Obot MCP Gateway and agent orchestration systems. His work focuses on MCP gateway architecture, OAuth integration, and distributed AI systems. He specializes in building production-grade... Read More →
The Nov 2025 release of MCP introduced a new client capability: URL Elicitation. This capability is game-changing for MCP servers that interact with external systems. But don't just take our word for it... Hear it straight from the author of the spec!
In this talk, Nate (lead author of URL Elicitation) will break down the "what" and "why" of this new addition to the protocol. You'll learn about: - Why it's a mistake to reuse or "pass through" OAuth tokens from one server to another - The confused deputy problem and other common pitfalls to watch out for - How URL Elicitation unlocks a secure way for MCP servers to call external services that use OAuth or API keys, require payments, or gather sensitive information - The correct security patterns for any remote MCP server project today
No need to be a security expert to attend! Nate will break down the problems and solutions in clear, relatable language, and provide crucial guidance for anyone building MCP servers in 2026 and beyond.
Nate Barbettini is a leading voice in security and AI. At Arcade.dev, he's building the MCP runtime that helps enterprises deploy multi-user AI agents that take actions across any system. As an active MCP contributor, Nate is focused on security-critical work, authoring URL Elicitation... Read More →
Goose serves as a real-world proving ground for new MCP capabilities before they're widely adopted. In this talk, you'll learn how to use advanced and early versions of MCP features that go beyond basic tool calling—with practical examples from production.
You'll see:
* Code mode MCP: handling massive tool catalogs without overwhelming context windows * MCP Apps: rich user experiences for MCP servers that go beyond chat * How ACP (Agent Client Protocol) can complement and interoperate with an MCP-aware agent, and how we use it in goose
The audience will learn from our experience building goose how they can use and contribute to emerging MCP features.
Alex is a core maintainer of goose, and maintainer of the Rust SDK for the Model Context Protocol. Alongside teammates at Block he built and contributed goose as a founding project of the Agentic AI Foundation. He lives in Connecticut in the US with his wonderful family.
Software Engineer from New Zealand, previously worked at Rocket Lab designing and maintaining telemetry and command systems for rockets and satellites. Now relocated to London and working at Anthropic primarily focused on maintaining the MCP Python SDK.
Most technical talks feel like a one-way street: I talk, you listen, and maybe you ask a question at the end if we have time. But the Model Context Protocol (MCP) isn't about one-way communication; it's about creating a living connection between a "brain" (the LLM) and the "world" (your data and tools).
To prove this, we aren't going to look at static slides. Instead, we are going to use a Live Audience Agent.
At the start of the talk, a QR code will go up on the screen. Anyone in the room can scan it and access a simple web interface. You can send in "Live Vibe Checks"—short text snippets, emoji reactions, or "Heckles"—that feed directly into a database. My MCP server is the bridge. It connects my LLM assistant to that live database of your thoughts.
This is a high-stakes demo. If the protocol works, the AI will be my co-speaker, responding to the room's energy in real-time. If I break the protocol, which I plan to do, repeatedly, the AI will lose its connection to you. We're going to perform "Selective Sabotage" to see exactly which parts of the MCP spec keep the lights on.
Joey Stout is a Solutions Architect at Spacelift.io, CKA-certified, and creator of manifests.io. He specializes in Kubernetes, OpenTofu, and GitOps—and goes by The Outdoor Programmer.
The best MCP server is the one you didn't have to build.
At Cloudflare we have a lot of products. Our REST OpenAPI spec is over 2.3 million tokens. When teams started building MCP servers, they did what everyone does: cherry-picked important endpoints for their product, wrote some tool definitions and shipped a separate service that covered a small fraction of their API.
This was driven by a fundamental context limit of the end users' agent. And tools use a bunch of context just to describe themselves. MCP felt like a Mega Context Problem (and a separate service to maintain).
I think we got it all wrong.
The context limit is not an MCP problem. It's an agent problem. Tools should probably be discovered on demand and clients are coming around to this. But maybe we can also do it on the server?
CLIs get this for free, self-discoverable and documented by design. APIs just need a little help.
This talk will cover some of the techniques we've been exploring at Cloudflare, such as codemode and tool search, to make complete APIs accessible to agents through MCP.
I'll also cover some of the work we are doing with the MCP Typescript SDK to make stateless servers the default.
MCP standardized how agents connect to tools and context, but enterprise deployments need control between the model and the data. Today, MCP lacks a standard way to apply these controls, leading to a fragmented landscape of bespoke sidecars and proxies that shifts the M×N integration problem from the data layer to the middleware layer. This session is a Protocol-in-Depth walkthrough of SEP-1763 (Interceptors), which proposes a protocol-native framework to intercept, validate, and transform messages across the MCP lifecycle, elevating middleware to a first-class capability alongside core MCP concepts. We will cover the concrete protocol semantics implementers need to align on: capability negotiation, hook points and invocation models, deterministic ordering/composition, enforcement semantics, error handling and observability. We motivate the proposal with Bloomberg’s production experience in adopting interceptors to build agents in a regulated financial environment, sharing lessons on what must be standardized for interoperability. To ground the design, we map the proposed semantics to AWS Bedrock AgentCore Gateway Interceptors and OpenAI Guardrails’ staged validation guidance.
Kurt Degiorgio is a Senior Engineer at Bloomberg, working on building platforms for Generative AI. With 14 years of experience, his background includes Monzo, Diffblue and GFI Software (of TeamViewer fame), covering a wide technical spectrum—from developing network drivers to building... Read More →
Cannis Chan is a Technical Product Manager in the Office of the CTO at Bloomberg, building infrastructure platforms for AI products. With 10 years in B2B and Enterprise (AutogenAI, Deutsche Bank, Ondat/Akamai), she specializes in navigating complex products through pre- and post-product... Read More →
You give an agent a complex task. It says "Absolutely!" Then it deletes your production database.
As engineers adopt AI agents, a common frustration is emerging: agents confidently make the wrong move. The response has been "skill issue," "write better prompts," "add more context," "make a plan first." But not everyone wants to master prompt engineering or maintain context files just to get an agent to understand them.
The missing layer is Intent. Unlike context, intent is ambiguous, implicit, and dynamic. Users don’t always know what they want upfront, and they change their minds once they see options. Forcing that complexity into a one-way text prompt is brittle by design and leads to "context rot."
This talk introduces intent engineering: designing agent workflows that don’t require perfect prompts or perfect context, but instead discover, confirm, and align user intent over time.
Using goose, Rizel will show how MCP Elicitation, MCP Sampling, and MCP Apps let agents ask what you mean, reason about what you might mean, and show you what they think you mean before acting.
Together, these patterns move us beyond mono-directional prompts and toward genuine collaboration.
Tech Lead, Open Source Developer Relations, Block, Inc.
Rizel Scarlett is driven by a singular mission: ensuring powerful technology feels human, joyful, and real. As the Tech Lead for Open Source DevRel at Block, she drives technical storytelling for goose, an open source AI agent. Previously at GitHub, she helped devs adopt GitHub Copilot... Read More →
Picture your MCP server exposing your database to an overeager LLM that tries to "optimize" your schemas at 3 AM. Sinful? Absolutely. As MCP becomes the standard for connecting LLMs to real systems, teams are speedrunning mistakes like this—causing memory leaks, runaway polling, and permission scopes so wide they make the sudo commands executed in production look cautious.
This session breaks down the seven deadly sins developers must be aware about MCP: gluttony (resource abuse), sloth (lazy errors), wrath (aggressive polling), greed (permission overreach), pride (overengineering), envy (tool sprawl), and lust (unsafe exposure). Each of these sins can turn a powerful protocol like MCP into a recipe for disaster.
By examining each sin, its patterns, and its symptoms, you'll learn how to spot and avoid them, along with the technical practices that make MCP deployments reliable. Come learn how to ship with absolution. Instead of yet another pager alert.
Ricardo leads the developer relations team at Redis. He built a successful career in DevRel working for companies such as AWS, Elastic, and Confluent. He spent two decades working as a software engineer, instructor, and solution architect before diving into the world of developer... Read More →
MCP made agents portable. But it also made them fragile—every tool call lives or dies by its network connection, and long-running work has been a liability we've all been working around in different (incompatible) ways.
SEP 1686 introduces native task orchestration to the protocol. This talk covers what's changing, why it matters, and what it unlocks for anyone building serious MCP infrastructure.
I'll walk through the design decisions, demonstrate the new primitives in FastMCP, and share what we've learned from helping teams scale MCP Tasks.
If you've ever wished MCP would just let you run real workloads without holding your breath, this one's for you.
Adam Azzam, Ph.D. is VP of Product at Prefect, where he leads product development for their open source automation and context platform. He is a maintainer of FastMCP.
Before joining Prefect, Adam co-founded Openrole AI, where he served as CTO building an AI career co-pilot. He was previously Director of Product at Insight Data Science (YC S11). Adam holds a PhD in Mathematics from UCLA... Read More →
As AI agents become more autonomous through the Model Context Protocol (MCP), one question becomes unavoidable => why, when, and how should humans be asked to intervene to provide feedback or approval?
In this talk, we explore MCP elicitation as a core design pattern for agentic systems, not just as a UX or AX (Agent Experience) feature, but as a security, authorization, and trust mechanism.
We will
-Trace how human interaction models evolved across web, APIs, and OAuth, and why MCP requires a new balance
-Break down elicitation patterns in agent workflows
-Show how elicitation integrates with fine-grained authorization, consent, and delegation
-Explore step-up authentication and human-in-the-loop approvals for accountability
-Discuss how proper elicitation improves trust, explainability, and compliance, without harming DX, UX, or AX
The goal is simple but critical: delivering agentic AI that users can trust, by design, not by trade-off.
