Invalid JSON RPC requests do not respond with an error

[joshcanhelp]

I noticed that this request:

{"jsonrpc": "2.0", "id": 1, "method": "tools/lit", "params": {}}

... returns an error response (code -32601) as expected but this:

{"jsonrpc": "2.0", "id": 1, "method_": "tools/list", "params": {}}

... returns nothing. I would expect that a missing method property or an unknown root property like methodX would throw and error. The JSON-RPC 2.0 spec says the server should return:

• -32600 "Invalid Request" for malformed JSON-RPC (missing required fields like method)
• -32602 "Invalid params" for bad parameters

I think the SDK should handle these but I'm not even able to write validation logic in my application code because an invalid RPC request never reaches my handler.

Claude tells me I can do something like this:

class ValidatingStdioTransport extends StdioServerTransport {
  // Override message handling to add validation
}

.. but I don't love that.

If a maintainer agrees that this validation should be in the SDK, I'd be more than happy to write a PR! Thank you for all your work on this!

[JBB0807]

I tried it on my end, and here’s what I found: in the event of a schema validation error, the SDK currently returns "Parse Error" -32700, along with a hard-to-read message in the data field.

{"jsonrpc":"2.0","error":{"code":-32700,"message":"Parse error","data":"[\n {\n \"code\": \"invalid_union\",\n \"unionErrors\": [\n {\n \"issues\": [\n {\n \"code\": \"invalid_type\",\n \"expected\": \"string\",\n \"received\": \"undefined\",\n \"path\": [\n \"method\"\n ],\n \"message\": \"Required\"\n },\n {\n \"code\":......

Can I work on this item and improve the error handling?

[mcp-claude]

two related bugs confirmed on both main and v1.x:

1. http transport returns -32700 "Parse error" for structurally invalid JSON-RPC (valid JSON, missing method). should be -32600 "Invalid Request" per the JSON-RPC 2.0 spec. line: packages/server/src/server/streamableHttp.ts:661

2. stdio transport sends no error response at all — processReadBuffer() catches the ZodError and calls onerror() but never writes a -32600 response back. packages/server/src/server/stdio.ts:73-74

fix for (1): change -32_700 → -32_600 and the message to 'Invalid Request' at streamableHttp.ts:661.

fix for (2): processReadBuffer() needs to detect schema-validation failures (distinct from SyntaxError) and, when the failed message had an id, send back a -32600 error response via this.send(). messages without an id (notifications) get no response per the spec.

both bugs present on main and v1.x — backport needed.

repro script (repro.ts — run from repo root: npx tsx repro.ts)

import {
  WebStandardStreamableHTTPServerTransport,
  ReadBuffer,
  deserializeMessage,
} from './packages/server/dist/index.mjs';

// Part 1: HTTP transport — what error code comes back?
console.log('=== Part 1: HTTP transport error code ===');

async function testHttpTransport() {
  const transport = new WebStandardStreamableHTTPServerTransport({ sessionIdGenerator: undefined });
  const errors: Error[] = [];
  transport.onerror = (e: Error) => errors.push(e);

  const body = JSON.stringify({ jsonrpc: '2.0', id: 1, method_: 'tools/list', params: {} });
  const req = new Request('http://localhost/mcp', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json', 'Accept': 'application/json, text/event-stream' },
    body,
  });

  const res = await transport.handleRequest(req);
  const json = await res.json();
  console.log('HTTP response status:', res.status);
  console.log('HTTP response body:', JSON.stringify(json, null, 2));
  const code = json?.error?.code;
  if (code === -32700) console.log('BUG: -32700 returned — should be -32600');
  else if (code === -32600) console.log('OK: -32600');
}

await testHttpTransport();

// Part 2: Stdio — no response sent at all
console.log('\n=== Part 2: Stdio transport behavior ===');

const badMsg = JSON.stringify({ jsonrpc: '2.0', id: 1, method_: 'tools/list', params: {} });
try {
  deserializeMessage(badMsg);
  console.log('UNEXPECTED: accepted invalid message');
} catch (e: any) {
  console.log(`deserializeMessage throws: ${e.constructor.name}`);
  console.log('onerror() called — no JSON-RPC error response sent to client');
}

const buf = new ReadBuffer();
buf.append(Buffer.from(badMsg + '\n'));
try {
  buf.readMessage();
} catch (e: any) {
  console.log(`ReadBuffer.readMessage() throws: ${e.constructor.name} — same code path`);
}

actual output

=== Part 1: HTTP transport error code ===
HTTP response status: 400
HTTP response body: {
  "jsonrpc": "2.0",
  "error": {
    "code": -32700,
    "message": "Parse error: Invalid JSON-RPC message"
  },
  "id": null
}
BUG CONFIRMED: returned -32700 (Parse error) — should be -32600 (Invalid Request) per JSON-RPC spec

=== Part 2: Stdio transport behavior (ReadBuffer / deserializeMessage) ===
deserializeMessage throws for missing 'method': ZodError
  First Zod issue: {"code":"invalid_union",...,"path":[],"message":"Invalid input"}
In StdioServerTransport.processReadBuffer(), this error goes to onerror() only.
No JSON-RPC error response is sent back to the client.
BUG CONFIRMED: stdio client receives NO error response for invalid JSON-RPC message.

--- Via ReadBuffer.readMessage() ---
ReadBuffer.readMessage() throws: ZodError
Confirms same code path — onerror called, no response sent.

code path analysis

HTTP transport bug (streamableHttp.ts):

POST /mcp with {"jsonrpc":"2.0","id":1,"method_":"tools/list","params":{}}
  → JSON.parse() succeeds (valid JSON)
  → JSONRPCMessageSchema.parse(rawMessage) throws ZodError  [line 658]
  → catch block at line 659:
      this.onerror?.(error)
      return this.createJsonErrorResponse(400, -32_700, 'Parse error: Invalid JSON-RPC message')  ← WRONG code

Stdio transport bug (stdio.ts):

stdin receives {"jsonrpc":"2.0","id":1,"method_":"tools/list","params":{}}\n
  → ReadBuffer.readMessage() → deserializeMessage()
  → JSONRPCMessageSchema.parse() throws ZodError  [core/src/shared/stdio.ts:45]
  → ReadBuffer.readMessage() propagates ZodError
  → processReadBuffer() catch at line 73:
      this.onerror?.(error)  ← logs error only, no response
      ← client never receives anything

The JSONRPCMessageSchema is a z.union over request/notification/result/error shapes; missing method fails all branches.

suggested fix

// packages/core/src/shared/stdio.ts
 export function deserializeMessage(line: string): JSONRPCMessage {
-    return JSONRPCMessageSchema.parse(JSON.parse(line));
+    const rawMessage = JSON.parse(line);
+    try {
+        return JSONRPCMessageSchema.parse(rawMessage);
+    } catch (error) {
+        // Attach the raw parsed object so callers can extract the id for error responses
+        (error as Record<string, unknown>).rawMessage = rawMessage;
+        throw error;
+    }
 }

// packages/server/src/server/streamableHttp.ts
-                return this.createJsonErrorResponse(400, -32_700, 'Parse error: Invalid JSON-RPC message');
+                return this.createJsonErrorResponse(400, -32_600, 'Invalid Request: Invalid JSON-RPC message');

// packages/server/src/server/stdio.ts  (processReadBuffer catch block)
             } catch (error) {
                 this.onerror?.(error as Error);
+                const rawMessage = (error as Record<string, unknown>)?.rawMessage as Record<string, unknown> | undefined;
+                if (rawMessage != null && rawMessage.id != null) {
+                    this.send({
+                        jsonrpc: '2.0',
+                        id: rawMessage.id as string | number,
+                        error: { code: -32_600, message: 'Invalid Request' }
+                    }).catch(() => {});
+                }
             }

tests to verify:

• http: POST a valid-JSON-but-invalid-schema body (e.g. {"jsonrpc":"2.0","id":1,"method_":"tools/list"}), assert response error.code === -32600
• stdio: push the same message to stdin, assert the response written to stdout is a -32600 error with the correct id