modelcontextprotocol · pantanurag555 · May 28, 2025 · May 28, 2025 · May 28, 2025 · Jun 11, 2025
@@ -92,7 +92,8 @@ The server **MUST** respond with its own capabilities and information:
         "listChanged": true
       },
       "tools": {
-        "listChanged": true
+        "listChanged": true,
+        "webhooksSupported": true
       }
     },
     "serverInfo": {

@@ -21,6 +21,11 @@ However, implementations are free to expose tools through any interface pattern
 suits their needs&mdash;the protocol itself does not mandate any specific user
 interaction model.
 
+Servers typically receive tool call requests and respond to the client with the result.
+However, servers may offer webhook support for tool calls. This allows clients to specify
+webhooks in tool call requests and enables servers to transmit tool call responses to the
+webhooks instead of the client.
+
 <Warning>
 
 For trust & safety and security, there **SHOULD** always
@@ -43,7 +48,8 @@ Servers that support tools **MUST** declare the `tools` capability:
 {
   "capabilities": {
     "tools": {
-      "listChanged": true
+      "listChanged": true,
+      "webhooksSupported": true
     }
   }
 }
@@ -52,6 +58,9 @@ Servers that support tools **MUST** declare the `tools` capability:
 `listChanged` indicates whether the server will emit notifications when the list of
 available tools changes.
 
+`webhooksSupported` indicates whether the server offers support to transmit results to
+the webhooks provided by the client in the tool call request.
+
 ## Protocol Messages
 
 ### Listing Tools
@@ -138,6 +147,68 @@ To invoke a tool, clients send a `tools/call` request:
 }
 ```
 
+#### Calling Tools with Webhooks
+
+To invoke a tool with webhooks, when interacting with a webhook support enabled server,
+clients send a `tools/call` request with a list of webhooks:
+
+**Request:**
+
+```json
+{
+  "jsonrpc": "2.0",
+  "id": 2,
+  "method": "tools/call",
+  "params": {
+    "name": "get_weather",
+    "arguments": {
+      "location": "New York"
+    },
+    "webhooks": [
+      {
+        "url": "http://localhost:8000"
+      }
+    ]
+  }
+}
+```
+
+**Acknowledgement to Client:**
+
+```json
+{
+  "jsonrpc": "2.0",
+  "id": 2,
+  "result": {
+    "content": [
+      {
+        "type": "text",
+        "text": "Response will be forwarded to the webhook."
+      }
+    ],
+    "isError": false
+  }
+}
+```
+
+**Response to Webhook:**
+
+```json
+{
+  "jsonrpc": "2.0",
+  "id": 2,
+  "result": {
+    "content": [
+      {
+        "type": "text",
+        "text": "Current weather in New York:\nTemperature: 72°F\nConditions: Partly cloudy"
+      }
+    ],
+    "isError": false
+  }
+}
+```
+
 ### List Changed Notification
 
 When the list of available tools changes, servers that declared the `listChanged`
@@ -401,11 +472,20 @@ Example tool execution error:
    - Implement proper access controls
    - Rate limit tool invocations
    - Sanitize tool outputs
+   - Verify veracity of webhook URLs to prevent Server-Side Request Forgery or
+     Distributed Denial of Service attacks against internal or 3rd party systems
 
 2. Clients **SHOULD**:
+
    - Prompt for user confirmation on sensitive operations
    - Show tool inputs to the user before calling the server, to avoid malicious or
      accidental data exfiltration
    - Validate tool results before passing to LLM
    - Implement timeouts for tool calls
    - Log tool usage for audit purposes
+   - Exercise caution when providing secrets in webhook credentials since they might be
+     susceptible to Man-in-the-Middle attacks
+
+3. Webhook servers **SHOULD**:
+
+    - Authenticate the received messages
@@ -260,6 +260,10 @@ export interface ServerCapabilities {
      * Whether this server supports notifications for changes to the tool list.
      */
     listChanged?: boolean;
+    /**
+     * Whether this server supports sending tool responses to webhooks
+     */
+    webhooksSupported?: boolean;
   };
 }
 
@@ -722,6 +726,7 @@ export interface CallToolRequest extends Request {
   params: {
     name: string;
     arguments?: { [key: string]: unknown };
+    webhooks?: Webhook[];
   };
 }
 
@@ -732,6 +737,42 @@ export interface ToolListChangedNotification extends Notification {
   method: "notifications/tools/list_changed";
 }
 
+/**
+ * Specifies a webhook that can receive messages from the server.
+ * 
+ * It includes the URL where the webhook is hosted and an optional authentication method that should be used by the server when transmitting to the webhook.
+ */
+export interface Webhook {
+  /**
+   * The URL where the webhook is hosted and to which the message will be transmitted.
+   */
+  url: string;
+
+  /**
+   * Authentication required to communicate with the webhook.
+   */
+  authentication?: AuthenticationInfo;
+}
+
+/**
+ * Specifies the authentication details that are required for communication with an endpoint.
+ */
+export interface AuthenticationInfo {
+  /**
+   * The authentication strategy enforced by the endpoint.
+   */
+  strategy: "bearer" | "apiKey" | "basic" | "customHeader";
+
+  /**
+   * Optional credentials that can be used to communicate with the endpoint.
+   * 
+   * In case of bearer and apiKey, credentials consist of static string credentials that can be supplied in the header.
+   * In case of basic, credentials can consist of static string credentials that can be supplied in the header or a parsable JSON that consists of username and password keys along with their corresponding values.
+   * In case of customHeader, credentials consist of a parsable JSON that contains the relevant authentication headers and corresponding values.
+   */
+  credentials?: string;
+}
+
 /**
  * Additional properties describing a Tool to clients.
  *