fix(examples): return 404 for unknown session IDs, 400 for missing

[felixweinberger]

Splits the session ID check in example servers so unknown session IDs return 404 (signaling clients to start a new session) while missing session IDs return 400.

Motivation and Context

Per spec, clients interpret 404 on a request with Mcp-Session-Id as "start a new session." The examples were returning 400 for both cases, breaking client recovery logic. Issue was reported by the VS Code team.

Fixes #389

How Has This Been Tested?

pnpm check:all passes. Covers all example servers plus conformance test servers.

Breaking Changes

None — examples only.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update

Checklist

• I have read the MCP Documentation
• My code follows the repository's style guidelines
• New and existing tests pass locally
• I have added appropriate error handling
• I have added or updated documentation as needed

Additional context

Supersedes #1331, #1560, #1678, #1707 — thanks @lraveri and @owendevereaux for the earlier work. This consolidates on a tighter diff and covers authTestServer.ts and jsonResponseStreamableHttp.ts which the previous PRs missed.

[changeset-bot]

🦋 Changeset detected

Latest commit: 15e5b36

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 0 packages

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[pkg-pr-new]

Open in StackBlitz

@modelcontextprotocol/client

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/client@1770

@modelcontextprotocol/server

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/server@1770

@modelcontextprotocol/express

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/express@1770

@modelcontextprotocol/hono

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/hono@1770

@modelcontextprotocol/node

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/node@1770

commit: 15e5b36

[claude]

LGTM, straightforward mechanical split of session ID checks across example and conformance test servers.

Extended reasoning...

Overview

This PR modifies 7 example server files and 2 conformance test server files to split the combined session ID check into two separate branches: 400 for missing session ID, 404 for unknown session ID.

Security risks

None. Changes are in example and test servers only.

Level of scrutiny

Low. Mechanical, repetitive change to example and test code, not library code.

Other factors

Consolidates 4 previous PRs. Pattern is consistent across all files. No bugs found.