Skip to content

Implement SEP-1036: URL mode elicitation for secure out-of-band interactions #1580

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Implement SEP-1036: URL mode elicitation for secure out-of-band interactions #1580

wants to merge 6 commits into from
+498 −12

Conversation

@cbcoutinho
Copy link
Contributor

@cbcoutinho cbcoutinho commented Nov 5, 2025
edited
Loading

Summary

This PR implements SEP-1036 (URL mode elicitation) as specified in modelcontextprotocol/specification#887, adding support for secure out-of-band interactions that bypass the MCP client.

Note

SEP 1036 is currently Pending, so this feature should be considered experimental

Key Changes

Type System (src/mcp/types.py):

  • Added ELICITATION_REQUIRED error code (-32000)
  • Updated ElicitationCapability to support both form and url modes
  • Added ElicitTrackRequest and ElicitTrackResult for progress tracking
  • Added UrlElicitationInfo and ElicitationRequiredErrorData types
  • Enhanced ElicitRequestParams with mode field and URL mode parameters

Server Implementation (src/mcp/server/):

  • Added elicit_url() helper function for URL mode elicitation
  • Added elicit_form() and elicit_url() methods to ServerSession
  • Maintained backward compatibility with existing elicit() method

Client Implementation (src/mcp/client/session.py):

  • Updated capability negotiation to declare form and URL mode support
  • Added track_elicitation() method for monitoring URL mode progress

Tests (tests/server/fastmcp/test_url_elicitation.py):

  • Comprehensive test coverage for URL mode elicitation
  • Tests for accept, decline, and cancel actions
  • Verification of backward compatibility with form mode
  • All 311 existing tests continue to pass

Use Cases Enabled

This implementation enables servers to:

  • Direct users to OAuth authorization flows with third-party services
  • Collect sensitive credentials (API keys, passwords) securely
  • Handle payment and subscription flows
  • Manage any sensitive interaction requiring out-of-band processing

Breaking Changes

  • ElicitRequestParams now requires a mode field ("form" or "url")
  • Clients must declare which elicitation modes they support during initialization

Testing

  • ✅ 6 new URL elicitation tests pass
  • ✅ 5 existing elicitation tests pass
  • ✅ All 311 server and client tests pass
  • ✅ Type checking passes (pyright)
  • ✅ Linting passes (ruff)

Related

cbcoutinho and others added 5 commits November 5, 2025 15:39
@cbcoutinho
Implement SEP-1036: URL mode elicitation for secure out-of-band inter…
87b8d21 
…actions

This commit adds support for URL mode elicitation as specified in SEP-1036,
enabling servers to direct users to external URLs for sensitive interactions
that must not pass through the MCP client.

Key changes:

Types (src/mcp/types.py):
- Add ELICITATION_REQUIRED error code (-32000)
- Update ElicitationCapability to support form and url modes
- Add ElicitTrackRequest and ElicitTrackResult for progress tracking
- Add UrlElicitationInfo and ElicitationRequiredErrorData types
- Update ElicitRequestParams with mode field and URL mode parameters

Server (src/mcp/server/):
- Add elicit_url() helper function in elicitation.py
- Add elicit_form() and elicit_url() methods to ServerSession
- Maintain backward compatibility with existing elicit() method

Client (src/mcp/client/session.py):
- Update capability negotiation for form and URL modes
- Add track_elicitation() method for progress monitoring

Tests:
- Comprehensive test coverage for URL mode elicitation
- Verify backward compatibility with form mode
- All 311 existing tests pass

Use cases enabled:
- OAuth authorization flows with third-party services
- Secure credential collection (API keys, passwords)
- Payment and subscription flows
- Any sensitive interaction requiring out-of-band handling

Breaking changes:
- ElicitRequestParams now requires mode field ("form" or "url")
- Clients must declare which elicitation modes they support

Closes: modelcontextprotocol/modelcontextprotocol#887
@cbcoutinho
fix formatting
e2a4dc3
@cbcoutinho
Fix pyright type checking errors in URL elicitation tests
19cb01c 
Remove unnecessary isinstance check for CancelledElicitation since type
narrowing makes it redundant, and remove the unused import.
@cbcoutinho
Fix pyright error in test_elicitation.py
e4dbf71 
Add None check for requestedSchema before accessing properties to fix
type narrowing error that was blocking CI.
@cbcoutinho
Merge branch 'main' into feat/sep-1036-url-elicitation
86b0356
@maxisbey maxisbey added spec Specification compliance pending SEP approval When a PR is attached as an implementation detail to a SEP, we mark it as such for triage. labels Nov 6, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

pending SEP approval When a PR is attached as an implementation detail to a SEP, we mark it as such for triage. spec Specification compliance

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@cbcoutinho @maxisbey