Add Events design sketch proposal

[pja-ant]

Initial design sketch for the MCP Events primitive — subscription model, delivery modes (poll/push/webhook), and protocol surface.

Draft for WG discussion.

[clareliguori]

What should applications do about this? What is our current guidance how to treat tool results as injection risks?

[pja-ant]

I think MCP is generally (and perhaps intentionally) a bit vague on this. In practice, it could mean things doing scanning for prompt injection attacks, perhaps audit logging, etc.

[panyam]

One clarification - are UI-originated events (user interactions) in scope of this, or is this strictly about external/backend events? Because the delivery patterns and the 'how does it reach the LLM' answer may be quite different for the two cases?

[pja-ant]

One clarification - are UI-originated events (user interactions) in scope of this, or is this strictly about external/backend events? Because the delivery patterns and the 'how does it reach the LLM' answer may be quite different for the two cases?

This is for MCP, so it is about events between an MCP client and an MCP server.

Hosts are welcome to, e.g. spin up a local MCP server and publish events for UI stuff over an MCP channel if that helps them in some way, but I don't imagine that to be a common interaction pattern. For that, it would likely make sense for the host to just have its own in-process event system that doesn't use MCP (but could hook into the same handlers if needed).

[caseychow-oai]

question: Is sending an event after TTL expiry considered non-conformance? Implicitly I think yes, but there's certainly some infrastructural considerations here that a softer TTL limit would help.

[pja-ant]

I think it's allowed, but they should expect an error back from the client that the sub is not found. There are races here, and that's fine, server should just expect it near the TTL boundary.

[caseychow-oai]

question: Certainly more philosophical in nature: we could theoretically build this on top of resource templates. What would the relationship between this shape and a resources/read response?

[pja-ant]

Not sure I follow the relationship to resource templates. Do you mean e.g. define a template that is something like event://{slack-channel-id}/messages/{cursor}?

[caseychow-oai]

nitpick: "events per subscription" is a bit ambiguous here, would be nice to make it clear it's per subscription in the poll context

[caseychow-oai]

question: This section seems to push pretty hard into MCP server implementation internals, is the goal to say that principal confusion is such a huge issue we should be making a prescription here?

[pja-ant]

I agree to an extent, but subscription identity is a protocol issue, and especially since we need to deal with the webhook receiver that doesn't have the principal, so we do need to say something. Aligned with trying not to be over-prescriptive and please push back if you feel it is.

[srikalyan]

Should we also consider UDP in push mode. This will be super helpful for voice and video scenarios.

[panyam]

Today we leverage http for the transports. Two areas that this might be considered at/by:

1. SEP 2322 - For relaxing some of the dependence specific transport types to make the transport stateless overall
2. UDP (as a transport level requirement for events) would mean decoupling events with transports. I beleive there is a Custom Transports effort that allows one to swap these in - but would also need hosts to support (and proxies/firewalls in between)

Definitely would be interesting to see this blossom - but i also suspsect our shortest path to UDP might be http 3.0?

[pja-ant]

Mentioned in the meeting, but will mention again here: I'd love for MCP to support voice and video! For this SEP and WG though (and perhaps this should be made clearer), I'm considering real-time media streaming as out of scope. My read is that the protocols and interactions needed for them are very different, e.g. media probably needs something like WebRTC or similar and I expect the signaling layer protocol to be quite different from what we're trying to do here (which is more discrete event delivery).

I'd actually be very interested in whether folks have LLM use cases for voice and video over MCP. It's not something I've explored.

[srikalyan]

The broader point I was trying to get at is whether the events model should leave room for more continuous or high-frequency event sources, not just discrete business events like “email received” or “incident
created”.

Examples:

• long-running job progress: queued → running → 30% → retrying → completed/failed
• monitoring/agent telemetry: CPU/memory/error-rate threshold changes, health state transitions, periodic stats snapshots
• media-adjacent events: “audio stream started”, “speech segment detected”, “transcript chunk ready”, “video analysis result available”

So I agree media payload transport itself can be out of scope, but I’d like to get clarity on whether event streams can represent status/progress/telemetry-style updates, and where the boundary is
between:

1. discrete MCP events,
2. progress/logging/notifications that already exist,
3. high-frequency telemetry,
4. actual real-time media streams.

Maybe the SEP should explicitly say real-time media transport is out of scope, while control-plane events and derived events from media or monitoring systems are in scope if they fit the cursor/dedup/delivery
model.

[panyam]

The tradoff id see with adding voice/video - is it couples the intent of events (as triggers of changes?) with specific app payloads. Today we dont have guarantees on latencies of events (or even notifications/pushes etc). And lack of these guarantees means we are looking at best efforts scenarios for now? Realtime to me feels like starting to have clearer guarantees there - so not being in scope makes sense.

[panyam]

@srikalyan Good point. One thing - For long running job progress - tasks (SEP 2663) may be a better option (which already posts notifications on progress etc). Events to me looks like sources of progress where the work did NOT orginate from a (mcp) host.

But the monitoring/telemetry is a good use case and may actually fit here - "start monitoring for cpu usage on X" and this would be a windowed listing (last N events or X seconds).

[pja-ant]

@srikalyan I'd be interested in the use cases you have in mind for the high frequency events? I think this proposal doesn't explicitly disallow that, though if we're thinking about events that e.g can fire consistently multiple per second then we probably need to think more about things like flow control, aggregation operations, rx-style stream handling.

[srikalyan]

Let me clarify my question: I’m not specifically asking for voice/video support. Those were examples where TCP-based push may not be the right fit.

The broader question is whether this SEP expects to support raw high-frequency event streams at all.

For example:

• per-request events from a high-QPS service
• raw observability / telemetry samples
• agent monitoring signals at high frequency
• market-data-like event feeds
• realtime experiment exposure or metric events

If the answer is “no, Events are intended for lower-volume discrete state changes only,” then I agree UDP/WebRTC/QUIC-style concerns are probably out of scope and the doc should maybe say that explicitly.

But if raw high-frequency events are in scope, then I wonder whether tying push delivery primarily to TCP-style transports creates the wrong assumptions around latency, backpressure, ordering, retransmission, and head-of-line blocking. In those cases, UDP or QUIC-like transports may be more appropriate, depending on whether the application prefers freshness over reliable delivery of every event.

So maybe the scope question is:

Should MCP Events support only reliable discrete event delivery, or should it also support best-effor event streams where dropping stale events is acceptable?

If it is the former, that helps clarify the boundary. If it is the latter, I think transport choices like UDP/QUIC become more relevant, possibly in coordination with the Transports WG rather than directly in this SEP.

For example, imagine an MCP server (datadog or sentry) exposing live request telemetry for a high-QPS service during an incident:

{
  "name": "service.request_sample",
  "params": {
    "service": "checkout",
    "sampleRate": 0.01,
    "fields": ["status", "latencyMs", "region", "variant"],
    "maxEventsPerSecond": 1000
  }
}

The server might emit sampled request events like:

{
  "eventId": "sample_789",
  "name": "service.request_sample",
  "timestamp": "2026-04-30T12:10:00Z",
  "data": {
    "status": 500,
    "latencyMs": 842,
    "region": "us-west",
    "variant": "B"
  }
}

In this kind of use case, the client may prefer fresh samples over reliable delivery of every sample. If the agent is already behind, old samples may be less useful than the latest view of the system. TCP-style ordered reliable delivery can create head-of-line blocking and backlog behavior that is actively undesirable.

[pja-ant]

Thanks for clarifying, understood that you're not asking specifically for voice/video.

My question then is around the specific use cases you have in mind, e.g.

For example, imagine an MCP server (datadog or sentry) exposing live request telemetry for a high-QPS service during an incident:

I understand this use case in abstract, but I'm wondering what the user journey that you have in mind looks like when an AI agent is involved. e.g. for this one, I guess I'm asking my agent to help debug some live incident. It then subscribes to this high-frequency event stream, and then what?

• Putting all events into context feels like a non-starter since it will quickly explode at 100s of events per second, and gives the agent no time to actually process things.
• Perhaps the agent is doing some code-mode things where it writes a script to subscribe, collect, and aggregate? I could imagine this!
• Or is the agent just subscribing to a small window of events, e.g. get the last 100 events, stick those in context and then go from there?
• Or are you imaging that we also introduce some stream-processing primitives into MCP, e.g. "subscribe to this event stream, but then transform this into an events-per-second stream, and filter by X, etc."

I think these are all potentially valid, but really need to understand the CUJ so that we can design appropriately. You are right that if we go down this path then we need to think more about other transports, backpressure, etc.

Right now the proposal does allow of out of order delivery and best effort (using cursor: null) but we've punted on things like flow control for now. I think the design does allow for alternative transports via the different delivery modes, though we'd need to consider that carefully: MCP generally tries to avoid introducing new transport where possible to avoid a large compatibility matrix. I think it could be justified if this use case is important and we have no other reasonable choice.

In summary: I think this is very interesting, but it would be useful to understand who is asking for this and to understand their specific use case and desired integration with AI applications.

[srikalyan]

Totally agree that putting all events directly into context is a non-starter. At 100s/sec the agent would never get time to reason, and the context would explode immediately.

The CUJ I have in mind is closer to your “code-mode script that subscribes, collects, and aggregates” example.

Concrete example: an agent is asked to monitor an A/B test on a high-QPS platform, backed by Statsig / Datadog / Sentry / internal experimentation infra:

“Watch experiment checkout-redesign for the next 30 minutes. If variant B causes error rate or p95 latency to exceed the guardrail, pause B / roll back to A.”

The agent would not put every exposure/request/error event into context. It might write or run a small collector that subscribes to a high-frequency stream, keeps a bounded rolling window, aggregates locally,
and only surfaces summaries or threshold crossings back to the agent.

For example:

• subscribe to sampled request/error events for experiment checkout-redesign
• maintain a rolling 1m / 5m window
• compute error rate, p95 latency, sample size by variant
• only wake the agent when a guardrail is breached or confidence is high enough
• then the agent calls existing tools to inspect details and possibly pause/rollback the experiment, depending on permissions/policy

So the agent-facing context might be something like:

{
  "experiment": "checkout-redesign",
  "variant": "B",
  "windowSeconds": 300,
  "sampleSize": 250000,
  "errorRate": 0.043,
  "baselineErrorRate": 0.009,
  "p95LatencyMs": 420,
  "guardrail": "error_rate",
  "recommendation": "pause_variant"
}

The “small window” model also makes sense to me, but I’d think of it as bounded by both count and time, e.g. “latest 100 events within the last 5 minutes,” rather than an unbounded stream being pushed into
context.

I agree the current proposal covers the MVP use case well: reliable-ish discrete event delivery with ordering/replay where the upstream supports it. My question is mostly whether we should explicitly call high-
frequency best-effort streams out of scope, or leave room for them through patterns like bounded windows, sampling, aggregation, and possibly future transport/flow-control work.

[srikalyan]

how server operators audit active webhook subscriptions, investigate abuse, or perform emergency shutdowns without relying only on client SDK state

[panyam]

Are you thinking if (and how much) say clients should have in this. Today server has full authority to do this - I am suspecting this is about how much should this be notified to the client?

[srikalyan]

So you are saying that server owner should keep track of all the subscriptions?

[srikalyan]

How event payloads evolve compatibly, whether event names need namespaces/versioning, and whether MCP reserves an mcp.* prefix?

[pja-ant]

It's a good question. So far, MCP hasn't decided on tool name namespacing and versioning, so my inclination is to not try to define it here and rather wait for broader guidance for MCP.

You did make me realise that we need a _meta for the event payload and event type definition (similar to tools). Will add that. _meta does reserve a prefix for MCP.

[srikalyan]

Should authorization must be checked on every poll, every push delivery, every webhook delivery, or only on a configured interval, and what happens to queued events after revocation

[panyam]

This is a good one - one thing coming out of the auth (and fine-grained-auth) wg is also looking at this - I am thinking deferring to that would keep it simpler here (i am sure the integration wont be as zero effort)

[srikalyan]

@panyam can you expand more on the keeping it simpler part? Auth once, timely or every push?

[calclavia]

Posting here as well as Discord for more feedback/visibility:

I had an orthogonal proposal from some time ago on a way to avoid webhooks on the protocol layer completely by putting the responsibility on the transport layer.

The premise is that if MCP is already bidirectional when stateful, push should just work, and we don't need to invent anything new for triggers/events, and webhooks exist primarily because the bidirectional connection isn't durable (the network might drop). So it becomes more of a question of: how do we ensure durable SSE?

The idea is to patch the problem for Streamable HTTP: when a notification (server -> client) fails to get pulled by SSE, hit a webhook backup to deliver the events.

In this setting, the current event proposal will focus solely on event semantics, and not on how it gets delivered. That separated concern goes into the transport layer. It feels more elegant because stdio servers, for example, don't seem to make a ton of sense supporting a webhook.

Would love to hear if this idea has value!

[caseychow-oai]

thoughts on doing a yield-style setup?

[pja-ant]

Open to it! All the SDK stuff here is non-normative. I'd be interested in seeing prototypes of that to see how well it works.

[panyam]

This is interesting @caseychow-oai - Will share a demo of this. It was interesting because I am thinking (and this is obviously an impl detail) the Yield source and an actual Event source could have different expectations on whether the listing is by a tool call or for justing getting events.

[caseychow-oai]

+1 to this, very hard to add after

[srikalyan]

events/list accepts a pagination cursor, but the response example does not include nextCursor / hasMore. Should this follow existing MCP list pagination semantics?

[pja-ant]

Yep, will update to include nextCursor in the example. hasMore doesn't seem to be used by MCP.

[vaishnavparth]

One quick question/comment here and curious about the trade-offs: The current shape collapses subscribe and stream-open into a single events/stream request. For monolithic servers that's clean, but for tiered deployments it forces auth, ACL, and event-registry state to live wherever the SSE connection terminates. In our architecture (and I'd guess this generalizes to anyone whose connection tier is separate from their app/auth tier - i.e. gateways fronting an upstream API, edge layers handling long-lived connections, etc.), that means the connection-termination tier has to either re-implement the auth/registry surface or make synchronous cross-tier RPCs at every checkpoint: subscribe-time validation, scope check, ACL evaluation, per-event re-check, termination signaling.

Webhook mode sidesteps this elegantly because subscribe and delivery are decoupled — events/subscribe lives in the auth/registry tier, delivery can fan out from anywhere, and the client-supplied secret means no out-of-band coordination. Poll mode is similar: each events/poll is a self-contained request that can be served by whichever tier holds the registry.

Would the WG be open to letting events/stream optionally accept a server-issued subscription handle from a prior events/subscribe call? Concretely:

• Push-mode servers that want today's behavior keep working - events/stream with {name, params, Optional:cursor} does subscribe-and-stream in one shot.
• Servers that want to split the tiers can advertise events/subscribe for push (the spec currently scopes it to webhook) and accept events/stream with {subscription_id, Optional:cursor} against a previously-minted handle. The connection-termination tier validates the handle, opens the stream, and stays out of the auth path.

This feels additive - no wire-format break, opt-in per server, and clients that don't care can ignore the new path, but would love to hear your thoughts.

Regarding the security shape, the handle could follow the same pattern Slack's Socket Mode already uses for apps.connections.open: the auth/registry tier mints a single-use, short-TTL ticket, embeds it in the URL it returns, and the connection-termination tier consumes the ticket exactly once at stream-open by calling back to the auth tier to validate. That gives single-use semantics, bounded replay window, principal binding (via the ticket), and a clean revocation seam. It's also orthogonal to the bearer token: the ticket authorizes opening this specific subscription, not arbitrary API access, so leaking it gets you one stream, not a session. Worth noting the spec wouldn't need to prescribe the format (subscription_id can stay opaque) - only that it's server-issued and consumed once at events/stream time.

Has this come up already? Would love some thoughts and feedback 🙇 !

[pja-ant]

@vaishnavparth thanks for raising this.

I'm curious if you see this as any different from e.g. tools/call?

Would the WG be open to letting events/stream optionally accept a server-issued subscription handle from a prior events/subscribe call?

The problem with this is that it makes the protocol stateful again which is exactly what we're trying to avoid with the next MCP spec release. See SEP-2575. We just removed the GET stream and resources/subscribe for this very purpose, so I'd be quite strongly against bringing it back.

It would be fair to argue that Webhook mode is bringing this back in some form, but the hope was to limit it to webhooks (which are inherently stateful) rather than bringing statefulness back to the core protocol, especially for something analogous to resource subscriptions, which were made stateless.

Even if we did what was suggested, do you not need the x-tier call for per-event re-checks?

[vaishnavparth]

Thanks @pja-ant, this is really helpful, and the SEP-2575 pointer was the part I was missing. Reading that thread, I take your point: the whole direction of travel is moving server-side state out of the protocol, and what I was suggesting would re-introduce it for push in the same shape that just got removed for resources. Sounds like Webhook's TTL'd subscription as a contained exception (because the server has to remember where to deliver) makes sense as the design line, and I shouldn't try to extend it.

On your question: "do you not need the x-tier call for per-event re-checks?" - In our case the per-event re-check would happen in our auth/registry tier as part of the emit path, before fanning out to whatever holds the connection, so the handle wasn't really about avoiding cross-tier traffic at delivery time. It was about letting the connection-termination tier stay auth-naive at stream-open.

The tools/call analogy is also fair. The thing that actually differs in our case is connection lifetime rather than auth shape, but that's a transport problem. In our architecture, tools/call is short-lived and served by a web application (which also handles auth and ACLs) whereas events/stream is long-lived and the server to hold the long lived SSE connection lies outside of the web application.

The tools/call vs. events/stream framing is the part I'd love to get your thoughts on, even if just to think out loud: short-lived auth-bearing requests and long-lived ones land in pretty different deployment shapes for a non-monolithic server, and I suspect this won't be the last time it comes up as more upstreams adopt events. Happy to be a sounding board if it's useful, or to drop it if you'd rather keep the WG focused. Either way - thanks again 🙇

[saurabhsahni]

Hey! 👋 Saurabh here. I work on the Slack platform and have spent a lot of time deep in the internals of Slack’s Events API and delivery infrastructure: webhooks, retries, rate limiting, and related systems.

Really excited to see this proposal. The three-mode design (poll, push, webhook) maps closely to patterns we’ve converged on at Slack over years of operating large-scale event systems in production.

I’ve left a few comments throughout, mostly based on lessons learned from running event delivery at Slack scale. The hardest problems in these systems tend to be around failure modes, degradation behavior, retries, and protecting servers and clients from each other rather than the happy path.

Overall, I think there are some really strong design choices here, especially the Standard Webhooks adoption and endpoint verification approach. Looking forward to seeing this evolve. 🎉

[saurabhsahni]

Have you considered additionally supporting a static callback URL per client rather than per subscription?

The model that has worked well for Slack is that each app registers a single Request URL, verifies domain ownership once, and all event subscriptions are delivered there. This keeps verification overhead low, makes callback URL rotation simpler for clients, and allows the server to manage health tracking at the client/app level rather than per subscription URL.

One possible approach here would be to support a mode where the client registers and verifies a single callback URL up front. Subsequent subscriptions could then omit delivery.url and inherit the established endpoint.

[pja-ant]

Hey @saurabhsahni - I think this is a good suggestion. I need to spend a bit more time thinking through this, but I like the idea and I'm wondering if there is something we can learn from the CIMD work from our auth friends, i.e. something like the client exposes a myclient.com/.well-known/mcp/webhook-receiver.json as a DNS-backed proof of authenticity for the client that exposes the same-origin delivery URL to avoid the one-time verification step.

[saurabhsahni]

Yeah, something along those lines could be compelling.

That said, I'd love to see this remain optional so platforms that already have developer-configured callback URLs can reuse their existing infrastructure. At Slack, for example, developers register a single Request URL in their app configuration, and we deliver all event subscriptions to that endpoint. We'd want to be able to use that existing URL for MCP subscriptions rather than requiring apps to also host and maintain a separate .well-known document.

[vaishnavparth]

+1 to Saurabh's point about keeping this optional and reuse-friendly.

One thing I wasn't sure about and wanted to ask: does the .well-known/mcp/webhook-receiver.json approach assume the client can serve same-origin static content from the delivery domain? I ask because in tiered setups (gateways, edge tiers, managed integration platforms) the delivery endpoint often isn't the same origin as anything the client can publish a well-known doc on, so I wanted to make sure that case stays supported.

If I'm reading Saurabh's suggestion right, the verify-once-then-inherit model also seems like it could lean on the endpoint-verification challenge this proposal already has, without needing DNS or same-origin hosting. Would it make sense to treat .well-known as one optional authenticity mechanism for clients that can serve it, while keeping the verified-once callback URL as a baseline that doesn't constrain receiver topology? Curious whether that squares with what you both had in mind.

[saurabhsahni]

A few retry semantics that have worked well for Slack webhooks and Events API integrations:

• Retry at most 3 times with bounded backoff (roughly immediate, 1 minute, 5 minutes)

• Include retry metadata headers on every attempt:

  • X-Slack-Retry-Num: retry attempt number
  • X-Slack-Retry-Reason: categorized failure reason (http_timeout, connection_failed, http_error, etc.)

• Allow the receiver to explicitly suppress retries for a specific delivery (Slack uses X-Slack-No-Retry: 1), which is useful when the endpoint intentionally rejects stale or already-processed events

Might be worth considering something similar in the Standard Webhooks profile here:

• Define recommended retry limits and a bounded retry window (for example, max 3 attempts within 10 minutes total)
• Standardize retry metadata headers so receivers can reason about retry behavior consistently
• Allow receivers to explicitly signal “do not retry this delivery” to avoid unnecessary retries and queue growth for intentionally rejected events

[pja-ant]

These are good suggestions, will weave them in.

[saurabhsahni]

It will be useful to include some recommended suspension thresholds here as implementation guidance. For example: “95% delivery failure rate over a rolling 60-minute window, with a minimum of 100 delivery attempts.”

[saurabhsahni]

Thoughts on specifying a webhook acknowledgment timeout?

[pja-ant]

Makes sense. Any suggestions? Something fixed, or should the client say "give me this much time"? Thinking about clients that maybe do some DB checkpoint every X-seconds or something and don't want to ack until durable. Maybe overkill though, and probably clients shouldn't have too much control over timeouts since it is the server that pays for it.

[saurabhsahni]

At Slack, a fixed, server-defined timeout (3 seconds), combined with clear documentation, has worked well in practice. Clients are expected to acknowledge requests quickly and perform any longer-running work asynchronously. If a client doesn't respond within the timeout window, we treat the delivery as failed and retry the request.

[vaishnavparth]

From the meeting today - leaving towards making this a choice a server can make on its own without wrapping this into the protocol.

[saurabhsahni]

At Slack, we also enforce outbound event delivery rate limits. There is an upper bound on how many events we will dispatch to an app within a given window, and when that limit is exceeded we emit an app_rate_limited event so the app is aware that deliveries are being throttled.

It may be worth defining a standard “rate limited” or “delivery suspended” control event/notification in the spec that servers can emit when throttling or protective suppression kicks in. That gives clients explicit visibility into dropped, delayed, or suppressed deliveries instead of requiring them to infer it indirectly from gaps or reduced traffic.

[pja-ant]

Is this to protect the server?

If you are dropping events, I think we have the"gap" message for that. For delayed events, we don't have anything. Agree a control event could be useful, just being mindful of feature creep here. How valuable do you think this is for clients? Is just a deliveryStatus sufficient?

[saurabhsahni]

It's really about protecting both sides. The server avoids fan-out storms, and the client avoids getting overwhelmed by a sudden burst of deliveries. The rate limit acts as a circuit breaker.

I see the gap message as related but slightly different. gap is a generic, backward-looking signal that some events were skipped, but it doesn't explain why. The signal I'm describing is more specific: "the server is actively throttling outbound deliveries for your app." At Slack, we emit an app_rate_limited event when that happens, and it's been useful because otherwise developers often assume events are being silently lost.

That said, I agree this may not be worth adding to the initial spec. Just wanted to flag it as something that's proven valuable in practice.

[vaishnavparth]

Deferring to Saurabh here since this is his area, just wanted to add one small data point on Peter's deliveryStatus question. The case that seems hardest to detect today is throttled vs. delayed — gap tells a client it missed something after the fact, but not that it's actively being throttled and a retry/poll right now won't help.

Would a lightweight deliveryStatus hint (e.g. { deliveryStatus: "throttled", retryAfterMs }) be enough to cover that without a full control event? The thing that seems valuable is just giving the client something actionable to back off on, so it doesn't read reduced traffic as "nothing happening". I agree that the broader control-event is probably post-v1; mostly wondering whether a small retryAfterMs - style field now would be cheap insurance against clients baking in the wrong assumption early.

[pja-ant]

yeah I'm open to a lightweight deliveryStatus

[saurabhsahni]

Thoughts on renaming the inner params field to something like filter or criteria?

params.params is likely to create confusion in docs and code:

subscription.params.params.severity

filter also better communicates intent here: this field narrows which events are delivered rather than parameterizing a function call.

For example:

{
  "name": "incident.created",
  "filter": {
    "severity": "P1"
  }
}

[pja-ant]

The intent was to match tools/call -- which I now realised I have failed at because tools/call uses arguments for the inner set...

Regarding filter, that may not be entirely accurate. While I do imagine filtering is the common use case, the arguments may not always be filters, e.g. a temperature event stream might have a parameter for farenheit or celsius, which is not really a filter but a transformation.

I do agree the params.param is confusing and hopefully params.arguments resolves that and has precedence in tool calling.

[saurabhsahni]

arguments works great. The precedent from tools/call makes it consistent, and params.arguments reads much more naturally than params.params.

[vaishnavparth]

Would it be worth saying, in one sentence, that cursor is optional and nullable on both the request and the response, and that an absent cursor is treated identically to cursor: null (nothing to persist; start from / replay from now)? Concretely, it would help to have this spelled out symmetrically for both SDKs:

• Server SDK: when sending (subscribe/refresh response and delivered payloads), MAY omit cursor entirely instead of writing an explicit null; when receiving (the subscribe/poll request), MUST treat an absent cursor the same as null and MUST NOT fail on omission.
• Client SDK: when sending (the subscribe/poll request), MAY omit cursor instead of sending null; when receiving (responses and delivered payloads), MUST treat an absent cursor the same as null and MUST NOT fail on omission.

The motivation is emit-only upstreams like Slack, where there's no replay history and cursor is always null. If both SDKs know that "absent" and "null" are interchangeable, neither side has to special-case the field just to always write null, and an emit-only server that simply never emits it stays conformant.

Entirely possible this is already obvious from Required: no and I'm over reading it - deferring to you on whether it's worth a line.

[pja-ant]

What you've suggested is the intention. It can be clearer. Thanks!

[vaishnavparth]

I've been prototyping webhook delivery on a multi-tenant server, and two questions came up that I couldn't fully answer from the text. I may well be missing something you've already considered, so please read these as questions rather than gaps.

If I'm reading it right, the TTL value is server-defined while the existence of a TTL is mandated: refreshBefore is required in the subscribe response, the client re-calls events/subscribe before it, and the server resets the TTL on each refresh, with the duration surfacing as server SDK config (webhook_ttl, 30 minutes as an illustrative value). That split seems very sensible. Two smaller things I wasn't sure about:

1. Is a recommended TTL range worth considering?

Would it be worth the spec suggesting a TTL floor and a default order of magnitude (say, a floor of "at least 1 hour" and a default somewhere in the hours-to-~7-days range)? My thinking is that a generous TTL seems safe here because the server SHOULD re-check authorization at delivery time and emits a terminated envelope on access loss, so a long TTL doesn't obviously widen a stale-access window once events are flowing. The main cost seems to be slower reclamation of idle subscriptions, and an idle subscription isn't delivering anything anyway. The one thing I wasn't sure about: delivery-time re-auth is a SHOULD, and a fully idle subscription wouldn't get re-checked at all (nothing is delivered), so maybe leaning on re-auth as the safety argument is too strong. Curious whether you'd already weighed this.

2. The refresh model seems to assume a long-lived component for the timer

Re-calling events/subscribe on a schedule needs something in the deployment that can run a timer, and I think the spec already handles most of the cases. I want to make sure I'm reading it correctly:

• Agentic / long-lived clients look covered: the Client SDK section says the SDK "manages … webhook refresh cycles" and "runs a background refresh loop." So this population seems to get refresh for free.
• Forward-proxy deployments also look mostly covered, since the proxy is a long-lived service and a natural home for the refresh loop, and the callback endpoint "does not need to be the client itself."

The case I wasn't sure about is a deployment with no long-lived component at all ie. a pure serverless receiver with no SDK host and no proxy, just an endpoint that wakes when a request arrives. There doesn't seem to be a natural place there to run a refresh loop, and I'd worry that asking that integrator to stand up a cron purely to keep a subscription alive might be a bit of an adoption tax. But this may be a narrower case than I'm imagining, and "front it with a proxy" may simply be the intended answer.

If it's useful, a few directions I've been thinking about (very tentatively):

• Sliding-window refresh on delivery. Treating a successful delivery ack as an implicit TTL reset, so an actively-receiving subscription stays alive with no timer and only idle ones need explicit refresh. It seemed to compose well with the rest of the design, since active deliveries already carry the safe-to-persist cursor in each payload. I'd totally defer to you on whether it was considered and set aside for a reason.
• Optional long-lived / persistent subscriptions. For an endpoint whose intent is already verified (the challenge handshake or an allowlist), a subscription that doesn't require periodic refresh and ends only on events/unsubscribe or access revocation i.e. roughly the Slack Events API model. If there's already a thread on static/persistent callback URLs, this probably belongs there; I looked through the Open Questions and couldn't spot it, so a pointer would help if it exists.
• Documented pattern for non-agentic receivers. Since the SDK refresh loop is already specced, maybe the missing piece is just guidance rather than mechanism i.e. a recommended pattern for a receiver with no long-lived host (pair with a minimal scheduled refresh, front with a refreshing proxy, or the persistent mode above).

[pja-ant]

Is a recommended TTL range worth considering?

Yes we should provide guidance around TTL.

I think the 1-7 days range feels too long though, but it depends on the server. Some servers will only have short-lived subscriptions, e.g. a coding agent subscribing to github just to keep track of CI. Others will be more long-running.

The cost of short TTL is having to send refreshes too frequently. Cost is O(1/TTL).
The cost of long TTL is subscription storage. Cost is O(TTL).

1/TTL is close to 0 for any reasonable TTL whereas subscription storage grows linearly. I'm thinking a bound like min 5 minutes to max 1 day feels more realistic, but depends on the expected rate of incoming subscriptions, which is server dependent. I don't see much value of a 7 day vs 1 day TTL. Sending a refresh once a day doesn't feel like much of a burden.

generous TTL seems safe here because the server SHOULD re-check authorization at delivery time and emits a terminated envelope on access loss

I agree, and I see TTL and access as an independent thing. I feel a server with long TTL probably should either treat this closer to a MUST, OR just make sure that events are pure notifications and have nothing sensitive.

The case I wasn't sure about is a deployment with no long-lived component at all ie. a pure serverless receiver with no SDK host and no proxy, just an endpoint that wakes when a request arrives. There doesn't seem to be a natural place there to run a refresh loop, and I'd worry that asking that integrator to stand up a cron purely to keep a subscription alive might be a bit of an adoption tax.

If the server sent a heartbeat on the webhook, would this be a sufficient hint to wake-up and refresh the subscription? That way you don't need to maintain the cron -- the server does it for you. Similar to your sliding window idea in a way.

I don't think we can rely purely on unsubscribe since the server doesn't know if it will ever come. MCP sessions had this issue.

[vaishnavparth]

From the weekly meeting - it likely makes sense (for Slack's use cases especially) for Server-Server communication where Slack allows for a permanent subscription (i.e. infinite TTL). Maybe something we can enforce by making the refreshBefore field as optional, which, when missing, indicates that the subscription need not be refreshed.