From 4aaf4ad9335633317a11cd4c5a52e55feaeb45fd Mon Sep 17 00:00:00 2001
From: max-rousseau <maxime@secured.org>
Date: Fri, 19 Dec 2025 16:54:56 -0800
Subject: [PATCH] fix: return HTTP 404 for unknown session IDs instead of 400

Per the MCP Streamable HTTP transport spec, servers MUST respond with
HTTP 404 when the session ID is not found. This aligns behavior with
the TypeScript SDK implementation.

Github-Issue: #1727
---
 src/mcp/server/streamable_http_manager.py | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/src/mcp/server/streamable_http_manager.py b/src/mcp/server/streamable_http_manager.py
index 50d2aefa2..b2ac15237 100644
--- a/src/mcp/server/streamable_http_manager.py
+++ b/src/mcp/server/streamable_http_manager.py
@@ -3,6 +3,7 @@
 from __future__ import annotations
 
 import contextlib
+import json
 import logging
 from collections.abc import AsyncIterator
 from http import HTTPStatus
@@ -277,9 +278,21 @@ async def run_server(*, task_status: TaskStatus[None] = anyio.TASK_STATUS_IGNORE
                 # Handle the HTTP request and return the response
                 await http_transport.handle_request(scope, receive, send)
         else:  # pragma: no cover
-            # Invalid session ID
+            # Unknown or expired session ID - return 404 per MCP spec
+            # Match TypeScript SDK exactly: jsonrpc, error, id order
+            error_body = json.dumps(
+                {
+                    "jsonrpc": "2.0",
+                    "error": {
+                        "code": -32001,
+                        "message": "Session not found",
+                    },
+                    "id": None,
+                }
+            )
             response = Response(
-                "Bad Request: No valid session ID provided",
-                status_code=HTTPStatus.BAD_REQUEST,
+                content=error_body,
+                status_code=HTTPStatus.NOT_FOUND,
+                media_type="application/json",
             )
             await response(scope, receive, send)