Mature

Stateful MCP Sessions

📄 Model Context ProtocolEU AI ActISO/IEC 42001

[EAAPL-MCP005] Stateful MCP Sessions

Category: MCP Sub-category: Session Management Version: 1.0 Maturity: Emerging Tags: mcp, sessions, stateful, context-persistence, session-lifecycle, resumption, long-running, streaming Regulatory Relevance: EU AI Act Art. 9/15, APRA CPS 234, ISO/IEC 42001 §8.4, NIST AI RMF (MANAGE 2.2, MANAGE 4.1), Privacy Act 1988 (Cth)

1. Executive Summary

The Stateful MCP Sessions Pattern defines how to design, manage, and secure MCP sessions that persist state across multiple tool invocations, survive connection interruptions, and maintain consistent context for the duration of a long-running AI workflow. While the MCP protocol is built on stateless JSON-RPC 2.0 messages, meaningful enterprise AI workflows are inherently stateful — they accumulate context, produce intermediate results, hold open connections to backend systems, and may span minutes or hours of elapsed time. This pattern covers session creation and identity binding, state persistence and retrieval, session resumption after transport interruption, session expiry and clean termination, and the governance controls required to prevent session state from becoming a security or compliance liability.

For CIO/CTO audiences: the difference between a stateless MCP interaction (each tool call is independent, no memory between calls) and a stateful MCP session (the session accumulates context, holds open backend connections, and can be resumed) is the difference between a calculator and a workflow. Stateful sessions are what enable AI workflows to execute multi-step processes — like a customer onboarding flow or a contract analysis workflow — without losing context between steps. But persistent session state introduces risks that stateless interactions avoid: session hijacking, stale authorisation, data leakage between sessions, and resource exhaustion from abandoned sessions. This pattern provides the architecture to capture the value of stateful sessions while controlling these risks.

2. Problem Statement

Business Problem

Enterprise AI workflows routinely span multiple interactions and require accumulated context to function correctly — a compliance review workflow needs to remember which documents have already been checked, a customer advisory workflow needs to maintain the context of the customer's stated goals across multiple turns. Without a structured session management pattern, this context either lives entirely in the model's context window (expensive, lossy, vulnerable to overflow), is re-fetched on every turn (high latency, high backend load), or is stored ad hoc in client-side state with no governance.

Technical Problem

MCP sessions are established over transports (HTTP+SSE, WebSocket, stdio) that have different durability characteristics. HTTP+SSE connections drop on network interruptions; WebSocket connections time out; stdio sessions end with the process. Without a session layer that abstracts over the transport, any network interruption terminates the workflow — the client must restart from scratch, losing accumulated context and any in-progress backend operations. Additionally, long-running sessions that hold open backend connections (database cursors, API sessions, file locks) can exhaust backend resources if abandoned sessions are not detected and cleaned up.

Symptoms of Absence

Long-running AI workflows restart from the beginning when a network interruption occurs
Model context windows grow unboundedly as each session turn appends to the context, degrading reasoning quality on long workflows
Abandoned MCP sessions hold open backend database connections, causing connection pool exhaustion under load
Two concurrent sessions for the same user can observe inconsistent state because session isolation is not enforced
After session termination, sensitive intermediate data persists in server-side state indefinitely with no TTL or cleanup

Cost of Inaction

Security: Persistent session state without TTL enforcement is an attack surface; stolen session tokens provide indefinite access; cross-session data leakage exposes sensitive workflow data
Compliance: Sensitive data in session state may persist beyond its permitted retention period, violating Privacy Act data minimisation requirements
Operational: Resource exhaustion from abandoned sessions causes cascading backend failures; no visibility into live session count or resource consumption per session
User Experience: Workflow restarts from the beginning on any interruption; large enterprise workflows (30+ minutes) cannot be reliably completed

3. Context

When to Apply

AI workflows span multiple tool invocations over a period longer than a single HTTP request-response cycle
Workflow context must survive transport interruptions (network drops, client reconnections)
Multiple turns of model reasoning need access to a consistent, accumulated context without re-fetching all state from backend systems on every turn
Backend resources (database cursors, file handles, API sessions) must be shared across multiple tool invocations within the same logical workflow
Session isolation is required — concurrent sessions for the same or different users must not observe each other's state

When NOT to Apply

Single-turn tool invocations where each call is fully independent — stateless MCP server is simpler and has no session management overhead
Workflows that complete in under 5 seconds — the overhead of session creation and state persistence exceeds the benefit for very short interactions
Deployments where all session state can live in the model's context window without overflow risk and where no workflow resumption is needed

Prerequisites

A durable session state store (not in-process memory) that survives server restarts
A session token issuance and validation mechanism (independent of the MCP bearer token — session tokens are a separate identity layer)
Backend connection pooling infrastructure that can associate open connections with session identifiers
A session lifecycle management job that detects and terminates abandoned sessions
Clear data classification for all data that may be stored in session state

Industry Applicability

Industry	Requirement	Key Concern	Adoption Level
Financial Services	High — multi-step advisory, credit assessment, and transaction workflows require persistent context across turns	Session isolation between customer accounts, authorisation token refresh within sessions, audit completeness for session-spanning workflows	Pilot
Healthcare	High — clinical AI workflows (patient assessment, treatment planning) span multiple interactions and require accumulated clinical context	Patient session isolation, PHI in session state (retention, encryption), workflow resumption for interrupted clinical interactions	Pilot
Government	Medium — complex case assessment workflows span multiple AI-assisted interactions over days or weeks	Session data sovereignty, long-retention session audit records, citizen consent to session state persistence	Early Evaluation
Technology/SaaS	High — AI coding assistants, document editors, and interactive agents require persistent session context for product quality	Session durability for developer workflows, cost efficiency (avoid re-fetching context), multi-device session continuity	Early Adopter
Retail	Medium — multi-step customer advisory and configuration workflows benefit from persistent session context	Customer consent for session state, session expiry after purchase completion, cross-channel session continuity	Pilot

4. Architecture Overview

A stateful MCP session is composed of three distinct layers: the transport layer (the physical connection — HTTP+SSE, WebSocket, or stdio), the session layer (a server-side logical session identified by a unique session ID, persisted in durable storage, independent of the transport connection), and the state layer (the data accumulated within the session — capability negotiation results, workflow progress, references to open backend resources).

Session creation occurs as part of the MCP initialize handshake. Upon successful capability negotiation and authentication, the server creates a session record in the durable state store and returns a session token to the client in the initialize response. This session token is distinct from the authentication bearer token — it identifies the session, not the user. The session record stores the session ID, the authenticated identity, the negotiated capabilities, the session creation timestamp, the last activity timestamp, and a reference to any backend resources opened during the session.

Transport resumption is the mechanism by which a client reconnects to an interrupted session without restarting the workflow. When the client reconnects, it presents the session token in the initialize request. The server validates the token, retrieves the session record from the state store, re-establishes backend resource connections, and returns the current session state to the client — enabling the workflow to continue from its last durable checkpoint rather than restarting from the beginning. The server must verify that the reconnecting client presents the same authenticated identity as the original session creator; session tokens must not be transferable to a different identity.

Session lifecycle management is a critical operational concern. Every session has a configurable inactivity timeout (time since last tool invocation) and an absolute maximum duration. Sessions that exceed these limits are terminated by a lifecycle management job that runs on a regular schedule. Session termination must close all open backend resource connections, flush any pending audit log entries, encrypt and archive the session state record per the data classification policy, and then delete the live session state. The termination record — session ID, identity, duration, termination reason, resource cleanup confirmation — is written to the session audit log.

Wire Protocol Detail

The MCP protocol supports session resumption through the initialize handshake extended with a session token carried in the _meta field. The following examples show the exact wire format for session creation, resumption, and expiry handling.

Session creation — the server issues a session token in the initialize response _meta field after successful capability negotiation:

// Client → Server: initialize (no session token — new session)
{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{"tools":{}},"clientInfo":{"name":"contract-review-agent","version":"1.0"}}}

// Server → Client: initialize response with session token in _meta
{"jsonrpc":"2.0","id":1,"result":{"protocolVersion":"2024-11-05","capabilities":{"tools":{"listChanged":true},"resources":{"subscribe":true,"listChanged":true}},"serverInfo":{"name":"document-server","version":"1.0"},"_meta":{"sessionToken":"sess_7f3d2a1b4c8e9f0a2b3c4d5e6f708192.v1","sessionExpiresAt":"2024-06-14T16:30:00Z","sessionId":"sess-550e8400-e29b-41d4-a716-446655440002"}}}

The sessionToken is an opaque, server-signed token. The client stores it and presents it on reconnection. The sessionId (a UUID) is the stable identifier used in audit logs — it is safe to log; the sessionToken is secret and must never be logged.

Session resumption — the client presents the session token in a new initialize request after a transport interruption:

// Client → Server: initialize with session token (resumption attempt)
{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{"tools":{}},"clientInfo":{"name":"contract-review-agent","version":"1.0"},"_meta":{"sessionToken":"sess_7f3d2a1b4c8e9f0a2b3c4d5e6f708192.v1"}}}

// Server → Client: resumption response (session found and valid)
{"jsonrpc":"2.0","id":1,"result":{"protocolVersion":"2024-11-05","capabilities":{"tools":{"listChanged":true}},"serverInfo":{"name":"document-server","version":"1.0"},"_meta":{"sessionResumed":true,"sessionId":"sess-550e8400-e29b-41d4-a716-446655440002","lastActivityAt":"2024-06-14T14:47:22Z","workflowStep":3,"workflowStepStatus":"awaiting_resume","sessionToken":"sess_NEW_ROTATED_TOKEN.v1","sessionExpiresAt":"2024-06-14T17:00:00Z"}}}

Note that the server issues a new rotated session token on every successful resumption — the previous token is immediately invalidated. This prevents replay attacks using an intercepted session token.

Session expiry — when the client presents an expired or invalid session token, the server returns a structured application error and the client must start a fresh session:

// Client → Server: initialize with expired session token
{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{"tools":{}},"clientInfo":{"name":"contract-review-agent","version":"1.0"},"_meta":{"sessionToken":"sess_EXPIRED_TOKEN.v1"}}}

// Server → Client: session expired — client must reinitialise
{"jsonrpc":"2.0","id":1,"error":{"code":-32000,"message":"Session expired","data":{"sessionId":"sess-550e8400-e29b-41d4-a716-446655440002","expiredAt":"2024-06-14T15:30:00Z","reason":"inactivity_timeout","action":"reinitialize"}}}

Session activity update — the server refreshes the session's last_activity_at timestamp and optionally rotates the session token on every successful tools/call response. This is done transparently in the response _meta field without requiring a separate protocol round-trip:

// Server → Client: tools/call response with refreshed session token in _meta
{"jsonrpc":"2.0","id":5,"result":{"content":[{"type":"text","text":"Document locked for review"}],"isError":false},"_meta":{"sessionToken":"sess_REFRESHED_TOKEN.v2","sessionExpiresAt":"2024-06-14T17:15:00Z"}}

5. Architecture Diagram

ARCHITECTURE DIAGRAM

6. Components

Component	Responsibility	Technology Examples
Session Registry	Creates, retrieves, and invalidates session records; validates session tokens on every request; enforces session-to-identity binding	Custom session service backed by Redis or PostgreSQL; JWT-based session tokens with server-side revocation list
Durable Session State Store	Persists session state (workflow progress, accumulated context references, backend resource handles) with TTL enforcement	Redis with persistence (AOF), DynamoDB with TTL attribute, PostgreSQL with row-level TTL via pg_cron
Session Token Issuer	Issues signed, opaque session tokens at session creation; validates tokens on resumption	JWT with short expiry (refreshed on activity) or opaque token with HMAC-SHA256 server-side validation
Backend Resource Pool	Manages per-session open connections (database cursors, API sessions, file handles) with session-scoped lifecycle	Connection pool keyed by session ID; resource released on session termination
Session Lifecycle Manager	Runs scheduled job to detect and terminate sessions exceeding inactivity or absolute timeout; triggers resource cleanup	AWS Lambda cron, Kubernetes CronJob, Temporal scheduled workflow
Session Audit Logger	Records session lifecycle events: creation, activity, resumption, expiry, termination; written to immutable audit log	Integrated with main MCP audit logger; session events written as structured audit records

7. Implementation Steps

Step 1: Design the Session State Schema

Define what data will be stored in session state and what will be derived or re-fetched. Session state should store only references and checksums, not copies of large data objects — a reference to a document ID and its last-modified checksum, not the document content. Classify every field in the session state schema: PII fields must be encrypted at rest and excluded from logs; sensitive fields must have a retention policy. The session state schema is a governance artefact — it is reviewed by security and privacy teams before implementation.

Step 2: Implement Session Creation in the Initialise Handler

Modify the initialize handler to create a session record after successful capability negotiation and authentication. Generate a cryptographically random session ID (128 bits minimum), create the session record in the durable state store with the authenticated identity, negotiated capabilities, and TTL metadata, and include the signed session token in the initialize response in the _meta extension field. The session token must be signed with a server-managed key (not the auth bearer token signing key) and must have a short expiry that is refreshed on each successful tool invocation.

Step 3: Implement Session Resumption in the Transport Layer

Modify the transport handler to check for a session token in incoming initialize requests before performing a new capability negotiation. If a valid, non-expired session token is present, retrieve the session record from the state store, verify the authenticated identity matches the session's bound identity, restore the backend resource pool associations, and return a resumption response that includes the current session state (workflow progress, last activity timestamp, available capabilities). If the session token is invalid or expired, perform a fresh initialisation and issue a new session token.

Step 4: Implement Session Lifecycle Management and Termination

Deploy a lifecycle management job (cron or event-driven) that queries the session state store for sessions whose last_activity_at timestamp is older than the configured inactivity timeout or whose created_at timestamp exceeds the absolute session duration limit. For each expired session, the job must: close all backend resource connections associated with the session, flush and archive the session state per the data classification policy, write a session termination audit record, and delete the live session state. Test the lifecycle job against adversarial conditions: what happens if the job crashes mid-cleanup? Implement idempotent cleanup with a termination_in_progress flag to prevent incomplete cleanup from leaving orphaned resources.

AU Compliance Note — APRA CPS 234 Attachment C, APS 330 & Privacy Act APP 11.1: Session state introduces two distinct compliance obligations that stateless MCP interactions do not. First, under APRA CPS 234 Attachment C, session audit records (creation, activity count, resumption events, termination, and resource cleanup confirmation) must be retained for at least 7 years per APS 330 — these records are the evidence that session-held access to information assets was time-bounded and cleaned up. Second, under Privacy Act 1988 (Cth) Schedule 1 APP 11.1, personal information held in session state must not be retained beyond the purpose of collection — the session lifecycle management job is the technical mechanism that enforces this. Session state containing customer data that persists for weeks after the workflow completed is a material Privacy Act obligation failure. Document the inactivity timeout and absolute session duration in the Session Lifecycle Policy artefact, map them to the data classification of session contents, and include the lifecycle job's execution history in your CPS 234 Attachment C control testing evidence.

8. Security Considerations

OWASP LLM Top 10 Mapping

OWASP ID	Threat	Mitigation
LLM06	Excessive Agency — long-lived session tokens grant extended, un-revoked access to capabilities	Short-TTL session tokens refreshed on activity; absolute session duration limit regardless of activity
LLM01	Prompt Injection via session state — malicious content written to session state in an earlier turn influences a later turn	Session state stores only structured data (references, checksums, typed fields), not free-text model outputs
LLM08	Excessive Data Exposure — session state containing PII or sensitive data accessible after the session's legitimate purpose ends	Mandatory session expiry with state archival and deletion; per-field retention policies; PII encryption at rest in session state
LLM04	Model Denial of Service — unbounded session creation exhausts state store capacity	Per-identity maximum concurrent session limit; total session count alerting; state store capacity monitoring
LLM07	Insecure Plugin Design — session token leakage allows session hijacking	Session tokens bound to authenticated identity; re-authentication required for high-privilege operations within session; session token rotation on privilege escalation

Additional Controls

Implement session token rotation: issue a new session token on every session resumption and invalidate the previous token, preventing replay attacks using intercepted tokens
Bind session tokens to the client's TLS session or IP address for high-assurance deployments — allows detection of token theft even before TTL expiry
Encrypt all session state at rest using keys managed in the secrets manager; rotate session state encryption keys annually
Implement per-identity maximum concurrent session limits to prevent resource exhaustion from session flooding
Never include raw tool invocation results in session state — store only structured references; prevent sensitive intermediate data from accumulating in long-lived session records

9. Governance Artefacts

Session State Schema — definition of all fields stored in session state, their data classification, encryption requirements, and retention policy; reviewed by security and privacy teams
Session Audit Log — immutable record of session lifecycle events: creation, activity (tool call count and timestamps), resumption, expiry, termination, and resource cleanup confirmation
Active Session Inventory — real-time view of live sessions: session ID (anonymised), authenticated identity tier, creation time, last activity, resource count; used for capacity management and incident response
Session Lifecycle Policy — documented inactivity timeout, absolute duration limit, and state retention/deletion policy per session type and data classification
Session Termination Record — per-session termination log entry confirming that backend resources were closed and session state was archived or deleted per policy

10. SLOs

SLO	Target	Measurement
Session creation latency (p99)	< 100 ms from `initialize` receipt to session token issued	Session creation span in distributed trace
Session resumption success rate	> 99% for valid, non-expired session tokens	Count of successful vs failed resumption attempts per period
Session resumption latency (p99)	< 500 ms from reconnection to first tool invocation available	Resumption span in distributed trace
Session state write durability	100% — no session state lost on server restart	State store persistence verification; test via controlled server restart
Abandoned session cleanup timeliness	All expired sessions cleaned up within 5 minutes of expiry threshold	Lifecycle manager execution time; alert on sessions older than TTL + 10 minutes still active

11. Cost Model

Cost Driver	Estimate	Notes
Session state store — Redis (ElastiCache t3.small, ap-southeast-2)	~AU$55/month	Single-node; suitable for < 1000 concurrent sessions at 10 KB avg state size. cache.t3.medium (~AU$110/month) with Multi-AZ for production HA
Session state store — DynamoDB on-demand (ap-southeast-2)	~AU$1.40 per million read/write units	Better for sparse, long-TTL sessions; TTL deletion is free; at 10,000 sessions × 20 operations/session/day ≈ AU$2.80/month
Lifecycle manager compute (Lambda cron, ap-southeast-2)	~AU$0.10–0.50/month	Lambda cron every 2 minutes; < 1s execution; well within free tier at low session volumes
Session audit log storage — 7yr APRA CPS 234 tier (ap-southeast-2)	~AU$0.033/GB/month	Session lifecycle events at 0.5 KB each; 100,000 sessions/month = 0.05 GB/month → < AU$0.01/month in Glacier Deep Archive
Session token signing key (AWS Secrets Manager, ap-southeast-2)	~AU$1.10/month	2 keys (current + previous for rotation grace period) × AU$0.55/key/month
Session state field-level encryption (AWS KMS, ap-southeast-2)	~AU$1.40/month + AU$0.0035 per 10,000 API calls	1 KMS key per data classification tier; at 10,000 sessions/month × 10 encrypt/decrypt ops ≈ AU$0.0035/month in API calls
Engineering (session layer implementation)	2–4 weeks	Session creation, resumption, lifecycle management, and tests; reusable as shared library across MCP servers
Total TCO at 10M tool calls/month (across 10,000 concurrent sessions)	~AU$380–650/month	Session management component is typically AU$60–170/month of the total; dominated by state store (Redis vs DynamoDB choice) and audit log retention tier

12. Trade-off Analysis

Dimension	Benefit	Trade-off
Durable external state store vs in-process session state	Survives server restarts; supports horizontal scaling	External state store becomes a critical dependency; adds 5–20 ms latency per session operation
Short session token TTL with refresh	Limits exposure window of stolen tokens	Requires session token refresh logic in every client; slightly higher auth overhead per tool call
Storing only references vs full data in session state	Limits sensitive data accumulation; smaller state store footprint	Requires re-fetching referenced data on resumption; adds latency to workflow resumption
Per-session backend resource pool	Avoids re-establishing backend connections on every tool call within a session	Resources held open for session duration; abandoned sessions hold resources until lifecycle cleanup fires
Absolute session duration limit	Bounds worst-case resource holding time; forces re-authentication for very long workflows	Interrupts legitimately long workflows that exceed the limit; requires workflow checkpoint/resume design

13. Failure Modes

Failure	Trigger	Recovery
Session state store unavailable	Redis or database cluster failure	New sessions cannot be created; in-flight sessions lose state on next server operation; alert fires; client falls back to stateless mode with degraded context
Session resumption with expired token	Client presents session token after TTL expiry	Server returns structured `SESSION_EXPIRED` error; client performs fresh initialisation; workflow restarts from last application-level checkpoint
Lifecycle manager crash mid-cleanup	Termination job exits before completing resource cleanup	Idempotent cleanup flag prevents double-cleanup; next lifecycle job run detects `termination_in_progress` sessions and resumes cleanup
Backend resource leak from crashed server	Server process crashes mid-session without executing cleanup	Lifecycle manager detects sessions with `last_heartbeat_at` > threshold and force-terminates them, including resource cleanup via separate cleanup path
Session state store full	State store approaches capacity limit	Alert fires at 70% capacity; at 90%, new session creation is blocked; lifecycle manager increase frequency to recover capacity

14. Regulatory Mapping

Regulation	Clause	Requirement	How Pattern Addresses It
Privacy Act 1988 (Cth)	Schedule 1 APP 11.1	"reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure"	Session expiry with mandatory state archival and deletion enforces data minimisation; per-field retention policy maps session state fields to their collection purpose and permitted retention period; PII fields in session state are encrypted at rest with KMS-managed keys
APRA CPS 234	§21	"An APRA-regulated entity must maintain an information security capability commensurate with the size and extent of threats to its information assets"	Session token validation, identity binding on every resumption, and absolute TTL enforcement protect session-held access to information assets throughout the session lifecycle; the session audit log is the evidence of this protection
APRA CPS 234	§24	Notification of material information security incidents within 72 hours	Per-identity session kill-switch enables immediate termination of all sessions for a compromised identity; the session audit log provides the timeline of all session activity for the incident notification evidence package
EU AI Act	Art. 9(5)	"appropriate data governance and management practices covering the data used by the AI system"	Session state schema (governance artefact) documents the data classification and retention policy for every field stored in session state; lifecycle manager enforces those policies at runtime
EU AI Act	Art. 15	AI systems must be resilient to errors, faults, and inconsistencies	Session resumption pattern ensures workflow resilience against transport faults; idempotent lifecycle cleanup prevents resource exhaustion from abandoned sessions, protecting against consistency faults
NIST AI RMF	MANAGE 4.1	Mechanisms to respond to AI risks in real time	Emergency session termination capability and per-identity session kill-switch, accessible via the administrative API, satisfy the real-time response requirement

15. Reference Implementations

AWS

Use Amazon ElastiCache for Redis (cluster mode, Multi-AZ) as the session state store with AOF persistence enabled. Store session records with a DynamoDB TTL attribute as a secondary store for post-expiry archival (DynamoDB Streams trigger an archival Lambda on TTL deletion). Implement the lifecycle manager as an EventBridge-scheduled Lambda running every 2 minutes. Use AWS KMS for session state encryption at rest — one KMS key per session data classification tier. Session audit events are forwarded via Kinesis Firehose to S3 with Object Lock (WORM) for compliance retention.

Azure

Deploy Redis using Azure Cache for Redis (Premium tier for persistence and geo-replication). Store session expiry metadata in Azure Table Storage with TTL-based lifecycle rules. Implement the lifecycle manager as an Azure Functions timer trigger (every 2 minutes). Use Azure Key Vault with a dedicated key for session state field-level encryption. Route session audit events to Azure Monitor Log Analytics with an immutable storage policy. Use Azure Managed Identity for the lifecycle manager's access to Redis and Key Vault — no stored credentials.

On-Premises / Self-Hosted

Deploy Redis Cluster (3 primary + 3 replica nodes) with AOF and RDB persistence for session state. Implement the lifecycle manager as a Temporal scheduled workflow — Temporal's durable execution guarantees that the lifecycle job completes even if the worker crashes mid-execution. Use HashiCorp Vault Transit secrets engine for session state encryption — Vault manages key rotation transparently without re-encrypting existing data. Archive session state to Elasticsearch on expiry with an ILM policy enforcing the data classification retention period. Deploy the full stack on Kubernetes with Istio for mTLS between all components.

EAAPL-MCP001: MCP Server Design — stateful session management is an extension of the base server architecture
EAAPL-MCP002: MCP Gateway — the gateway layer manages session token validation across the fleet
EAAPL-MCP003: Multi-Server Orchestration — orchestrated multi-server workflows depend on stateful sessions to maintain workflow progress across server boundaries
EAAPL-MCP004: MCP Authentication & Authorisation — session tokens complement (not replace) the auth bearer token; both must be valid for a session to be active
EAAPL-AGT007: Agent Checkpoint and Recovery — workflow-level checkpoint pattern that stateful MCP sessions support

17. Maturity Assessment

Dimension	Level	Notes
Tooling	2	No dedicated MCP session management library exists; pattern is implemented by combining MCP SDK, Redis, and custom lifecycle management
Community Adoption	2	Session resumption is supported at the protocol level in MCP spec; production implementations are limited to sophisticated adopters
AU Enterprise Readiness	2	Pattern is architecturally sound; Privacy Act data minimisation requirements for session state are well-understood; reference implementations are practitioner-built
Regulatory Clarity	2	Session state data retention maps clearly to Privacy Act and APRA CPS 234 requirements; no MCP-specific regulatory guidance exists yet

18. Revision History

Version	Date	Change
1.0	2026-06-14	Initial release

← Back to Library More Model Context Protocol →