modelcontextprotocol · felixweinberger · Mar 25, 2026 · Mar 14, 2026 · Mar 14, 2026 · Mar 14, 2026
@@ -62,6 +62,19 @@ The SDK is organized into three main layers:
     - `Server` (`packages/server/src/server/server.ts`) - Server implementation extending Protocol with request handler registration
     - `McpServer` (`packages/server/src/server/mcp.ts`) - High-level server API with simplified resource/tool/prompt registration
 
+### Public API Exports
+
+The SDK has a two-layer export structure to separate internal code from the public API:
+
+- **`@modelcontextprotocol/core`** (main entry, `packages/core/src/index.ts`) — Internal barrel. Exports everything (including Zod schemas, Protocol class, stdio utils). Only consumed by sibling packages within the monorepo (`private: true`).
+- **`@modelcontextprotocol/core/public`** (`packages/core/src/exports/public/index.ts`) — Curated public API. Exports only TypeScript types, error classes, constants, and guards. Re-exported by client and server packages.
+- **`@modelcontextprotocol/client`** and **`@modelcontextprotocol/server`** (`packages/*/src/index.ts`) — Final public surface. Package-specific exports (named explicitly) plus re-exports from `core/public`.
+
+When modifying exports:
+- Use explicit named exports, not `export *`, in package `index.ts` files and `core/public`.
+- Adding a symbol to a package `index.ts` makes it public API — do so intentionally.
+- Internal helpers should stay in the core internal barrel and not be added to `core/public` or package index files.
+
 ### Transport System
 
 Transports (`packages/core/src/shared/transport.ts`) provide the communication layer:

@@ -61,18 +61,17 @@ Replace all `@modelcontextprotocol/sdk/...` imports using this table.
 
 | v1 import path                                    | v2 package                   |
 | ------------------------------------------------- | ---------------------------- |
-| `@modelcontextprotocol/sdk/types.js`              | `@modelcontextprotocol/core` |
-| `@modelcontextprotocol/sdk/shared/protocol.js`    | `@modelcontextprotocol/core` |
-| `@modelcontextprotocol/sdk/shared/transport.js`   | `@modelcontextprotocol/core` |
-| `@modelcontextprotocol/sdk/shared/stdio.js`       | `@modelcontextprotocol/core` |
-| `@modelcontextprotocol/sdk/shared/uriTemplate.js` | `@modelcontextprotocol/core` |
-| `@modelcontextprotocol/sdk/shared/auth.js`        | `@modelcontextprotocol/core` |
+| `@modelcontextprotocol/sdk/types.js`              | `@modelcontextprotocol/client` or `@modelcontextprotocol/server` |
+| `@modelcontextprotocol/sdk/shared/protocol.js`    | `@modelcontextprotocol/client` or `@modelcontextprotocol/server` |
+| `@modelcontextprotocol/sdk/shared/transport.js`   | `@modelcontextprotocol/client` or `@modelcontextprotocol/server` |
+| `@modelcontextprotocol/sdk/shared/uriTemplate.js` | `@modelcontextprotocol/client` or `@modelcontextprotocol/server` |
+| `@modelcontextprotocol/sdk/shared/auth.js`        | `@modelcontextprotocol/client` or `@modelcontextprotocol/server` |
+| `@modelcontextprotocol/sdk/shared/stdio.js`       | `@modelcontextprotocol/client` or `@modelcontextprotocol/server` |
 
 Notes:
 
-- `@modelcontextprotocol/client` and `@modelcontextprotocol/server` both re-export everything from `@modelcontextprotocol/core`, so you can import types from whichever package you already depend on.
+- `@modelcontextprotocol/client` and `@modelcontextprotocol/server` both re-export shared types from `@modelcontextprotocol/core`, so import from whichever package you already depend on. Do not import from `@modelcontextprotocol/core` directly — it is an internal package.
 - When multiple v1 imports map to the same v2 package, consolidate them into a single import statement.
-- If code imports from `sdk/client/...`, install `@modelcontextprotocol/client`. If from `sdk/server/...`, install `@modelcontextprotocol/server`. If from `sdk/types.js` or `sdk/shared/...` only, install `@modelcontextprotocol/core`.
 
 ## 4. Renamed Symbols
 
@@ -91,7 +90,7 @@ Notes:
 | `ResourceReference`                      | `ResourceTemplateReference`                              |
 | `ResourceReferenceSchema`                | `ResourceTemplateReferenceSchema`                        |
 | `IsomorphicHeaders`                      | REMOVED (use Web Standard `Headers`)                     |
-| `AuthInfo` (from `server/auth/types.js`) | `AuthInfo` (now in `@modelcontextprotocol/core`)         |
+| `AuthInfo` (from `server/auth/types.js`) | `AuthInfo` (now re-exported by `@modelcontextprotocol/client` and `@modelcontextprotocol/server`) |
 | `McpError`                               | `ProtocolError`                                          |
 | `ErrorCode`                              | `ProtocolErrorCode`                                      |
 | `ErrorCode.RequestTimeout`               | `SdkErrorCode.RequestTimeout`                            |
@@ -144,7 +143,7 @@ Update error handling:
 if (error instanceof McpError && error.code === ErrorCode.RequestTimeout) { ... }
 
 // v2
-import { SdkError, SdkErrorCode } from '@modelcontextprotocol/core';
+import { SdkError, SdkErrorCode } from '@modelcontextprotocol/client';
 if (error instanceof SdkError && error.code === SdkErrorCode.RequestTimeout) { ... }
 ```
 
@@ -158,7 +157,7 @@ if (error instanceof StreamableHTTPError) {
 }
 
 // v2
-import { SdkError, SdkErrorCode } from '@modelcontextprotocol/core';
+import { SdkError, SdkErrorCode } from '@modelcontextprotocol/client';
 if (error instanceof SdkError && error.code === SdkErrorCode.ClientHttpFailedToOpenStream) {
     const status = (error.data as { status?: number })?.status;
 }
@@ -195,11 +194,11 @@ Update OAuth error handling:
 
 ```typescript
 // v1
-import { InvalidClientError, InvalidGrantError } from '@modelcontextprotocol/core';
+import { InvalidClientError, InvalidGrantError } from '@modelcontextprotocol/client';
 if (error instanceof InvalidClientError) { ... }
 
 // v2
-import { OAuthError, OAuthErrorCode } from '@modelcontextprotocol/core';
+import { OAuthError, OAuthErrorCode } from '@modelcontextprotocol/client';
 if (error instanceof OAuthError && error.code === OAuthErrorCode.InvalidClient) { ... }
 ```
 
@@ -210,7 +209,7 @@ Zod schemas, all callback return types. Note: `callTool()` and `request()` signa
 
 The variadic `.tool()`, `.prompt()`, `.resource()` methods are removed. Use the `register*` methods with a config object.
 
-**IMPORTANT**: v2 requires schema objects implementing [Standard Schema](https://standardschema.dev/) — raw shapes like `{ name: z.string() }` are no longer supported. Wrap with `z.object()` (Zod v4), or use ArkType's `type({...})`, or Valibot. For raw JSON Schema, wrap with `fromJsonSchema(schema, validator)` from `@modelcontextprotocol/core`. Applies to `inputSchema`, `outputSchema`, and `argsSchema`.
+**IMPORTANT**: v2 requires schema objects implementing [Standard Schema](https://standardschema.dev/) — raw shapes like `{ name: z.string() }` are no longer supported. Wrap with `z.object()` (Zod v4), or use ArkType's `type({...})`, or Valibot. For raw JSON Schema, wrap with `fromJsonSchema(schema, validator)` from `@modelcontextprotocol/server`. Applies to `inputSchema`, `outputSchema`, and `argsSchema`.
 
 ### Tools
 

@@ -52,13 +52,12 @@ import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js'
 ```typescript
 import { Client, StreamableHTTPClientTransport, StdioClientTransport } from '@modelcontextprotocol/client';
 import { McpServer, StdioServerTransport, WebStandardStreamableHTTPServerTransport } from '@modelcontextprotocol/server';
-import { CallToolResultSchema } from '@modelcontextprotocol/core';
 
 // Node.js HTTP server transport is in the @modelcontextprotocol/node package
 import { NodeStreamableHTTPServerTransport } from '@modelcontextprotocol/node';
 ```
 
-Note: `@modelcontextprotocol/client` and `@modelcontextprotocol/server` both re-export everything from `@modelcontextprotocol/core`, so you can import types from whichever package you already depend on.
+Note: `@modelcontextprotocol/client` and `@modelcontextprotocol/server` both re-export shared types from `@modelcontextprotocol/core`, so you can import types and error classes from whichever package you already depend on. Do not import from `@modelcontextprotocol/core` directly — it is an internal package.
 
 ### Dropped Node.js 18 and CommonJS
 
@@ -117,7 +116,7 @@ Server-side OAuth/auth has been removed entirely from the SDK. This includes `mc
 
 Use a dedicated auth library (e.g., `better-auth`) or a full Authorization Server instead. See the [examples](../examples/server/src/) for a working demo with `better-auth`.
 
-Note: `AuthInfo` has moved from `server/auth/types.ts` to `@modelcontextprotocol/core` (it's now a core type).
+Note: `AuthInfo` has moved from `server/auth/types.ts` to the core types and is now re-exported by `@modelcontextprotocol/client` and `@modelcontextprotocol/server`.
 
 ### `Headers` object instead of plain objects
 
@@ -252,7 +251,7 @@ server.registerTool('greet', {
 }, async ({ name }) => { ... });
 
 // Raw JSON Schema via fromJsonSchema
-import { fromJsonSchema, AjvJsonSchemaValidator } from '@modelcontextprotocol/core';
+import { fromJsonSchema, AjvJsonSchemaValidator } from '@modelcontextprotocol/server';
 server.registerTool('greet', {
   inputSchema: fromJsonSchema({ type: 'object', properties: { name: { type: 'string' } } }, new AjvJsonSchemaValidator())
 }, handler);
@@ -434,6 +433,22 @@ const client = new Client(
 );
 ```
 
+### `InMemoryTransport` removed from public API
+
+`InMemoryTransport` has been removed from the public API surface. It was previously used for in-process client-server connections and testing.
+
+For **testing**, import it directly from the internal core package:
+
+```typescript
+// v1
+import { InMemoryTransport } from '@modelcontextprotocol/sdk/inMemory.js';
+
+// v2 (testing only — @modelcontextprotocol/core is internal, not for production use)
+import { InMemoryTransport } from '@modelcontextprotocol/core';
+```
+
+For **production in-process connections**, use `StreamableHTTPClientTransport` with a local server URL, or connect client and server via paired streams.
+
 ### Removed type aliases and deprecated exports
 
 The following deprecated type aliases have been removed from `@modelcontextprotocol/core`:
@@ -447,9 +462,9 @@ The following deprecated type aliases have been removed from `@modelcontextproto
 | `ResourceReferenceSchema`                | `ResourceTemplateReferenceSchema`                |
 | `ResourceReference`                      | `ResourceTemplateReference`                      |
 | `IsomorphicHeaders`                      | Use Web Standard `Headers`                       |
-| `AuthInfo` (from `server/auth/types.js`) | `AuthInfo` (now in `@modelcontextprotocol/core`) |
+| `AuthInfo` (from `server/auth/types.js`) | `AuthInfo` (now re-exported by `@modelcontextprotocol/client` and `@modelcontextprotocol/server`) |
 
-All other types and schemas exported from `@modelcontextprotocol/sdk/types.js` retain their original names in `@modelcontextprotocol/core`.
+All other types and schemas exported from `@modelcontextprotocol/sdk/types.js` retain their original names — import them from `@modelcontextprotocol/client` or `@modelcontextprotocol/server`.
 
 **Before (v1):**
 
@@ -460,7 +475,7 @@ import { JSONRPCError, ResourceReference, isJSONRPCError } from '@modelcontextpr
 **After (v2):**
 
 ```typescript
-import { JSONRPCErrorResponse, ResourceTemplateReference, isJSONRPCErrorResponse } from '@modelcontextprotocol/core';
+import { JSONRPCErrorResponse, ResourceTemplateReference, isJSONRPCErrorResponse } from '@modelcontextprotocol/server';
 ```
 
 ### Request handler context types
@@ -576,7 +591,7 @@ try {
 **After (v2):**
 
 ```typescript
-import { ProtocolError, ProtocolErrorCode, SdkError, SdkErrorCode } from '@modelcontextprotocol/core';
+import { ProtocolError, ProtocolErrorCode, SdkError, SdkErrorCode } from '@modelcontextprotocol/client';
 
 try {
     await client.callTool({ name: 'test', arguments: {} });
@@ -633,7 +648,7 @@ try {
 **After (v2):**
 
 ```typescript
-import { SdkError, SdkErrorCode } from '@modelcontextprotocol/core';
+import { SdkError, SdkErrorCode } from '@modelcontextprotocol/client';
 
 try {
     await transport.send(message);
@@ -703,7 +718,7 @@ The `OAUTH_ERRORS` constant has also been removed.
 **Before (v1):**
 
 ```typescript
-import { InvalidClientError, InvalidGrantError, ServerError } from '@modelcontextprotocol/core';
+import { InvalidClientError, InvalidGrantError, ServerError } from '@modelcontextprotocol/client';
 
 try {
     await refreshToken();
@@ -721,7 +736,7 @@ try {
 **After (v2):**
 
 ```typescript
-import { OAuthError, OAuthErrorCode } from '@modelcontextprotocol/core';
+import { OAuthError, OAuthErrorCode } from '@modelcontextprotocol/client';
 
 try {
     await refreshToken();

@@ -15,6 +15,9 @@
             "@modelcontextprotocol/client/_shims": ["./node_modules/@modelcontextprotocol/client/src/shimsNode.ts"],
             "@modelcontextprotocol/core": [
                 "./node_modules/@modelcontextprotocol/client/node_modules/@modelcontextprotocol/core/src/index.ts"
+            ],
+            "@modelcontextprotocol/core/public": [
+                "./node_modules/@modelcontextprotocol/client/node_modules/@modelcontextprotocol/core/src/exports/public/index.ts"
             ]
         }
     },

@@ -10,6 +10,9 @@
             "@modelcontextprotocol/core": [
                 "./node_modules/@modelcontextprotocol/client/node_modules/@modelcontextprotocol/core/src/index.ts"
             ],
+            "@modelcontextprotocol/core/public": [
+                "./node_modules/@modelcontextprotocol/client/node_modules/@modelcontextprotocol/core/src/exports/public/index.ts"
+            ],
             "@modelcontextprotocol/eslint-config": ["./node_modules/@modelcontextprotocol/eslint-config/tsconfig.json"],
             "@modelcontextprotocol/vitest-config": ["./node_modules/@modelcontextprotocol/vitest-config/tsconfig.json"],
             "@modelcontextprotocol/examples-shared": ["./node_modules/@modelcontextprotocol/examples-shared/src/index.ts"]

@@ -14,6 +14,9 @@
             "@modelcontextprotocol/server/_shims": ["./node_modules/@modelcontextprotocol/server/src/shimsNode.ts"],
             "@modelcontextprotocol/core": [
                 "./node_modules/@modelcontextprotocol/server/node_modules/@modelcontextprotocol/core/src/index.ts"
+            ],
+            "@modelcontextprotocol/core/public": [
+                "./node_modules/@modelcontextprotocol/server/node_modules/@modelcontextprotocol/core/src/exports/public/index.ts"
             ]
         }
     },

@@ -13,6 +13,9 @@
             "@modelcontextprotocol/core": [
                 "./node_modules/@modelcontextprotocol/server/node_modules/@modelcontextprotocol/core/src/index.ts"
             ],
+            "@modelcontextprotocol/core/public": [
+                "./node_modules/@modelcontextprotocol/server/node_modules/@modelcontextprotocol/core/src/exports/public/index.ts"
+            ],
             "@modelcontextprotocol/examples-shared": ["./node_modules/@modelcontextprotocol/examples-shared/src/index.ts"],
             "@modelcontextprotocol/eslint-config": ["./node_modules/@modelcontextprotocol/eslint-config/tsconfig.json"],
             "@modelcontextprotocol/vitest-config": ["./node_modules/@modelcontextprotocol/vitest-config/tsconfig.json"]

@@ -12,6 +12,9 @@
             "@modelcontextprotocol/core": [
                 "./node_modules/@modelcontextprotocol/server/node_modules/@modelcontextprotocol/core/src/index.ts"
             ],
+            "@modelcontextprotocol/core/public": [
+                "./node_modules/@modelcontextprotocol/server/node_modules/@modelcontextprotocol/core/src/exports/public/index.ts"
+            ],
             "@modelcontextprotocol/eslint-config": ["./node_modules/@modelcontextprotocol/eslint-config/tsconfig.json"],
             "@modelcontextprotocol/vitest-config": ["./node_modules/@modelcontextprotocol/vitest-config/tsconfig.json"],
             "@modelcontextprotocol/test-helpers": ["./node_modules/@modelcontextprotocol/test-helpers/src/index.ts"],

@@ -1,15 +1,73 @@
-export * from './client/auth.js';
-export * from './client/authExtensions.js';
-export * from './client/client.js';
-export * from './client/crossAppAccess.js';
-export * from './client/middleware.js';
-export * from './client/sse.js';
-export * from './client/stdio.js';
-export * from './client/streamableHttp.js';
-export * from './client/websocket.js';
+// Public API for @modelcontextprotocol/client.
+//
+// This file defines the complete public surface. It consists of:
+//   - Package-specific exports: listed explicitly below (named imports)
+//   - Protocol-level types: re-exported from @modelcontextprotocol/core/public
+//
+// Any new export added here becomes public API. Use named exports, not wildcards.
+
+export type {
+    AddClientAuthentication,
+    AuthProvider,
+    AuthResult,
+    ClientAuthMethod,
+    OAuthClientProvider,
+    OAuthDiscoveryState,
+    OAuthServerInfo
+} from './client/auth.js';
+export {
+    auth,
+    buildDiscoveryUrls,
+    discoverAuthorizationServerMetadata,
+    discoverOAuthMetadata,
+    discoverOAuthProtectedResourceMetadata,
+    discoverOAuthServerInfo,
+    exchangeAuthorization,
+    extractResourceMetadataUrl,
+    extractWWWAuthenticateParams,
+    fetchToken,
+    isHttpsUrl,
+    parseErrorResponse,
+    prepareAuthorizationCodeRequest,
+    refreshAuthorization,
+    registerClient,
+    selectClientAuthMethod,
+    selectResourceURL,
+    startAuthorization,
+    UnauthorizedError
+} from './client/auth.js';
+export type {
+    AssertionCallback,
+    ClientCredentialsProviderOptions,
+    CrossAppAccessContext,
+    CrossAppAccessProviderOptions,
+    PrivateKeyJwtProviderOptions,
+    StaticPrivateKeyJwtProviderOptions
+} from './client/authExtensions.js';
+export {
+    ClientCredentialsProvider,
+    createPrivateKeyJwtAuth,
+    CrossAppAccessProvider,
+    PrivateKeyJwtProvider,
+    StaticPrivateKeyJwtProvider
+} from './client/authExtensions.js';
+export type { ClientOptions } from './client/client.js';
+export { Client } from './client/client.js';
+export { getSupportedElicitationModes } from './client/client.js';
+export type { DiscoverAndRequestJwtAuthGrantOptions, JwtAuthGrantResult, RequestJwtAuthGrantOptions } from './client/crossAppAccess.js';
+export { discoverAndRequestJwtAuthGrant, exchangeJwtAuthGrant, requestJwtAuthorizationGrant } from './client/crossAppAccess.js';
+export type { LoggingOptions, Middleware, RequestLogger } from './client/middleware.js';
+export { applyMiddlewares, createMiddleware, withLogging, withOAuth } from './client/middleware.js';
+export type { SSEClientTransportOptions } from './client/sse.js';
+export { SSEClientTransport, SseError } from './client/sse.js';
+export type { StdioServerParameters } from './client/stdio.js';
+export { DEFAULT_INHERITED_ENV_VARS, getDefaultEnvironment, StdioClientTransport } from './client/stdio.js';
+export type { StartSSEOptions, StreamableHTTPClientTransportOptions, StreamableHTTPReconnectionOptions } from './client/streamableHttp.js';
+export { StreamableHTTPClientTransport } from './client/streamableHttp.js';
+export { WebSocketClientTransport } from './client/websocket.js';
 
 // experimental exports
-export * from './experimental/index.js';
+export { ExperimentalClientTasks } from './experimental/tasks/client.js';
 
-// re-export shared types
-export * from '@modelcontextprotocol/core';
+// re-export curated public API from core
+export * from '@modelcontextprotocol/core/public';
@@ -6,6 +6,7 @@
         "paths": {
             "*": ["./*"],
             "@modelcontextprotocol/core": ["./node_modules/@modelcontextprotocol/core/src/index.ts"],
+            "@modelcontextprotocol/core/public": ["./node_modules/@modelcontextprotocol/core/src/exports/public/index.ts"],
             "@modelcontextprotocol/test-helpers": ["./node_modules/@modelcontextprotocol/test-helpers/src/index.ts"],
             "@modelcontextprotocol/client/_shims": ["./src/shimsNode.ts"]
         }