Requests with "id": null silently misclassified as notifications #2057
Description
Initial Checks
- I confirm that I'm using the latest version of MCP Python SDK
- I confirm that I searched for my issue in https://github.com/modelcontextprotocol/python-sdk/issues before opening this issue
Description
When a JSON-RPC request arrives with "id": null, the SDK should reject it. Both JSON-RPC 2.0 and the MCP spec restrict request IDs to strings or integers. Instead, the request is silently reclassified as a JSONRPCNotification and the caller gets a 202 with no response.
This happens because of how JSONRPCMessage union resolution interacts with extra='allow':
RequestIdcorrectly excludesNone(Annotated[int, Field(strict=True)] | str).JSONRPCRequestvalidation rejectsid: null, working as intended.- Pydantic falls through to
JSONRPCNotification, which absorbs"id": Noneas an extra field viaextra='allow'. - The streamable HTTP transport sees "not a request" and returns 202.
The net effect is the caller gets no error and no response, which is hard to debug. Found via authprobe scanning.
I suspect the v2 migration to TypeAdapter and dropping extra='allow' on top-level types would resolve this, but wanted to flag it for the current release line too.
Example Code
from mcp.types import JSONRPCMessage, JSONRPCRequest
msg = {"jsonrpc": "2.0", "method": "initialize", "id": None}
# JSONRPCRequest correctly rejects null id
try:
JSONRPCRequest.model_validate(msg)
except Exception:
print("JSONRPCRequest rejects null id") # Expected
# JSONRPCMessage falls through to JSONRPCNotification
parsed = JSONRPCMessage.model_validate(msg)
print(type(parsed.root).__name__) # JSONRPCNotification (unexpected)
print(parsed.root.model_extra) # {'id': None}Python & MCP Python SDK
Python 3.13
mcp 1.14.1 (also reproduced on 1.26.0, latest at time of filing)