Include requestInit options in GET SSE stream request

[bhosmer-ant]

The GET request in _startOrAuthSse() did not spread this._requestInit into the fetch options, unlike POST (send()) and DELETE (terminateSession()). While _commonHeaders() does extract headers from requestInit.headers, non-header fetch options like credentials, mode, cache, and referrerPolicy were dropped.

This meant users configuring requestInit: { credentials: 'include' } for cookie-based auth would have POST/DELETE send cookies but the GET SSE notification stream would not — causing auth failures on server-initiated messages.

Resolves #895
Supersedes #896 — same fix, but that PR targets the pre-monorepo file layout and hasn't been rebased.

Motivation and Context

Users connecting to servers that use cookie-based authentication configure requestInit: { credentials: 'include', mode: 'cors' }. This worked for all POST/DELETE requests but silently failed for the GET SSE stream, since non-header RequestInit properties were never applied there.

How Has This Been Tested?

Added a unit test that configures requestInit: { credentials: 'include', mode: 'cors' }, calls _startOrAuthSse(), and verifies the fetch was called with credentials: 'include' and mode: 'cors'.

Breaking Changes

None. This brings the GET request into consistency with the existing POST/DELETE behavior.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update

Checklist

• I have read the MCP Documentation
• My code follows the repository's style guidelines
• New and existing tests pass locally
• I have added appropriate error handling
• I have added or updated documentation as needed

Additional context

Credit to @DW8Reaper for the original fix in #896.

[changeset-bot]

⚠️ No Changeset found

Latest commit: b9c99dd

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[pkg-pr-new]

Open in StackBlitz

@modelcontextprotocol/client

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/client@1592

@modelcontextprotocol/server

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/server@1592

@modelcontextprotocol/express

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/express@1592

@modelcontextprotocol/hono

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/hono@1592

@modelcontextprotocol/node

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/node@1592

commit: b9c99dd