From 82745065f4c11c42ce860a45444da9610d3eafd9 Mon Sep 17 00:00:00 2001
From: kai-agent-free <kai@kdn.agency>
Date: Fri, 13 Mar 2026 11:31:39 +0000
Subject: [PATCH] fix: return 404 instead of 400 for invalid session IDs in
 examples

The MCP spec states that servers should return HTTP 404 for invalid
session IDs so clients know to start a new session. The SDK transport
(streamableHttp.ts) already correctly returns 404, but the example
servers and conformance test server were returning 400.

Fixes #389
---
 examples/server/src/elicitationFormExample.ts             | 4 ++--
 examples/server/src/elicitationUrlExample.ts              | 4 ++--
 examples/server/src/simpleStreamableHttp.ts               | 4 ++--
 examples/server/src/simpleTaskInteractive.ts              | 4 ++--
 examples/server/src/standaloneSseWithGetStreamableHttp.ts | 2 +-
 test/conformance/src/everythingServer.ts                  | 6 +++---
 6 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/examples/server/src/elicitationFormExample.ts b/examples/server/src/elicitationFormExample.ts
index 9c13b739e..f121752f8 100644
--- a/examples/server/src/elicitationFormExample.ts
+++ b/examples/server/src/elicitationFormExample.ts
@@ -400,7 +400,7 @@ async function main() {
     const mcpGetHandler = async (req: Request, res: Response) => {
         const sessionId = req.headers['mcp-session-id'] as string | undefined;
         if (!sessionId || !transports[sessionId]) {
-            res.status(400).send('Invalid or missing session ID');
+            res.status(404).send('Invalid or missing session ID');
             return;
         }
 
@@ -415,7 +415,7 @@ async function main() {
     const mcpDeleteHandler = async (req: Request, res: Response) => {
         const sessionId = req.headers['mcp-session-id'] as string | undefined;
         if (!sessionId || !transports[sessionId]) {
-            res.status(400).send('Invalid or missing session ID');
+            res.status(404).send('Invalid or missing session ID');
             return;
         }
 
diff --git a/examples/server/src/elicitationUrlExample.ts b/examples/server/src/elicitationUrlExample.ts
index c38dd75e8..f28842c80 100644
--- a/examples/server/src/elicitationUrlExample.ts
+++ b/examples/server/src/elicitationUrlExample.ts
@@ -644,7 +644,7 @@ app.post('/mcp', authMiddleware, mcpPostHandler);
 const mcpGetHandler = async (req: Request, res: Response) => {
     const sessionId = req.headers['mcp-session-id'] as string | undefined;
     if (!sessionId || !transports[sessionId]) {
-        res.status(400).send('Invalid or missing session ID');
+        res.status(404).send('Invalid or missing session ID');
         return;
     }
 
@@ -683,7 +683,7 @@ app.get('/mcp', authMiddleware, mcpGetHandler);
 const mcpDeleteHandler = async (req: Request, res: Response) => {
     const sessionId = req.headers['mcp-session-id'] as string | undefined;
     if (!sessionId || !transports[sessionId]) {
-        res.status(400).send('Invalid or missing session ID');
+        res.status(404).send('Invalid or missing session ID');
         return;
     }
 
diff --git a/examples/server/src/simpleStreamableHttp.ts b/examples/server/src/simpleStreamableHttp.ts
index be025c04c..d3560c91e 100644
--- a/examples/server/src/simpleStreamableHttp.ts
+++ b/examples/server/src/simpleStreamableHttp.ts
@@ -726,7 +726,7 @@ if (useOAuth && authMiddleware) {
 const mcpGetHandler = async (req: Request, res: Response) => {
     const sessionId = req.headers['mcp-session-id'] as string | undefined;
     if (!sessionId || !transports[sessionId]) {
-        res.status(400).send('Invalid or missing session ID');
+        res.status(404).send('Invalid or missing session ID');
         return;
     }
 
@@ -757,7 +757,7 @@ if (useOAuth && authMiddleware) {
 const mcpDeleteHandler = async (req: Request, res: Response) => {
     const sessionId = req.headers['mcp-session-id'] as string | undefined;
     if (!sessionId || !transports[sessionId]) {
-        res.status(400).send('Invalid or missing session ID');
+        res.status(404).send('Invalid or missing session ID');
         return;
     }
 
diff --git a/examples/server/src/simpleTaskInteractive.ts b/examples/server/src/simpleTaskInteractive.ts
index 9092926d9..81023dcfa 100644
--- a/examples/server/src/simpleTaskInteractive.ts
+++ b/examples/server/src/simpleTaskInteractive.ts
@@ -696,7 +696,7 @@ app.post('/mcp', async (req: Request, res: Response) => {
 app.get('/mcp', async (req: Request, res: Response) => {
     const sessionId = req.headers['mcp-session-id'] as string | undefined;
     if (!sessionId || !transports[sessionId]) {
-        res.status(400).send('Invalid or missing session ID');
+        res.status(404).send('Invalid or missing session ID');
         return;
     }
 
@@ -708,7 +708,7 @@ app.get('/mcp', async (req: Request, res: Response) => {
 app.delete('/mcp', async (req: Request, res: Response) => {
     const sessionId = req.headers['mcp-session-id'] as string | undefined;
     if (!sessionId || !transports[sessionId]) {
-        res.status(400).send('Invalid or missing session ID');
+        res.status(404).send('Invalid or missing session ID');
         return;
     }
 
diff --git a/examples/server/src/standaloneSseWithGetStreamableHttp.ts b/examples/server/src/standaloneSseWithGetStreamableHttp.ts
index b1b2ccf51..1a4018b3a 100644
--- a/examples/server/src/standaloneSseWithGetStreamableHttp.ts
+++ b/examples/server/src/standaloneSseWithGetStreamableHttp.ts
@@ -120,7 +120,7 @@ app.post('/mcp', async (req: Request, res: Response) => {
 app.get('/mcp', async (req: Request, res: Response) => {
     const sessionId = req.headers['mcp-session-id'] as string | undefined;
     if (!sessionId || !transports[sessionId]) {
-        res.status(400).send('Invalid or missing session ID');
+        res.status(404).send('Invalid or missing session ID');
         return;
     }
 
diff --git a/test/conformance/src/everythingServer.ts b/test/conformance/src/everythingServer.ts
index bebdcf9a3..39bf64db5 100644
--- a/test/conformance/src/everythingServer.ts
+++ b/test/conformance/src/everythingServer.ts
@@ -926,7 +926,7 @@ app.post('/mcp', async (req: Request, res: Response) => {
             await transport.handleRequest(req, res, req.body);
             return;
         } else {
-            res.status(400).json({
+            res.status(404).json({
                 jsonrpc: '2.0',
                 error: {
                     code: -32_000,
@@ -958,7 +958,7 @@ app.get('/mcp', async (req: Request, res: Response) => {
     const sessionId = req.headers['mcp-session-id'] as string | undefined;
 
     if (!sessionId || !transports[sessionId]) {
-        res.status(400).send('Invalid or missing session ID');
+        res.status(404).send('Invalid or missing session ID');
         return;
     }
 
@@ -985,7 +985,7 @@ app.delete('/mcp', async (req: Request, res: Response) => {
     const sessionId = req.headers['mcp-session-id'] as string | undefined;
 
     if (!sessionId || !transports[sessionId]) {
-        res.status(400).send('Invalid or missing session ID');
+        res.status(404).send('Invalid or missing session ID');
         return;
     }