Tutorials Logic, IN info@tutorialslogic.com
FAQs Support

MCP Sampling, Elicitation, and Tasks: Bidirectional and Deferred Workflows

MCP Sampling, Elicitation, and Tasks

MCP is bidirectional. Servers do not only expose tools, resources, and prompts; they can also request capabilities from the client when those capabilities were negotiated during initialization.

Sampling lets a server ask the client to perform model generation while the client retains control over model selection, permissions, and user review. Elicitation supports form mode for structured input and URL mode for sensitive interactions that must happen outside the MCP client.

The 2025-11-25 specification also introduced experimental tasks for deferred and long-running operations. Tasks wrap supported requests in durable state that can be polled, cancelled, and completed later.

These features are optional. Correct implementations advertise and check capabilities instead of assuming that every host supports them.

Mental Model

Tools, resources, and prompts flow from server to client. Sampling and elicitation flow from server through the client toward a model or user. Tasks add durable execution state around supported requests.

Capability Negotiation Rule: A server should send sampling, elicitation, or task-augmented requests only when the other party advertised the corresponding capability during initialization.

Client and Utility Capabilities

Feature Request Direction Primary Purpose
Sampling Server to client Ask the host-controlled model to generate a response
Elicitation Server to client Request additional structured user input
Roots Client to server Expose approved filesystem work boundaries
Tasks Either direction where supported Represent deferred, pollable, cancellable work

Sampling Keeps the Host in Control

A server may need model reasoning during a capability workflow. Instead of embedding its own model credentials, it can send `sampling/createMessage` through the MCP client. The client decides whether to allow the request and which model to use.

The server can provide messages, model preferences, a requested token limit, and context preferences. These are requests rather than authority: the client may modify or reject them.

  • Check the client sampling capability before requesting generation.
  • Keep requested context and token limits as small as practical.
  • Allow the host to show the request and generated result to the user.
  • Never assume the client will use the server-preferred model.

Elicitation Requests Missing User Input

Form-mode elicitation lets a server request a small structured form from the user through the client. It is useful when a tool workflow discovers that a required non-sensitive choice or field is missing.

URL-mode elicitation directs the user to an external HTTPS page for credentials, payment authorization, OAuth, or other sensitive interactions that must not pass through the MCP client. The client should show the destination and obtain consent before navigation.

  • Use a restricted flat JSON schema with primitive fields for form mode.
  • Use URL mode for secrets, credentials, payments, and OAuth.
  • Explain which server is asking and why the information is needed.
  • Let users accept, decline, or cancel form requests.
  • Rate-limit repeated elicitation requests.

Tasks Represent Deferred Work

Tasks are experimental in the 2025-11-25 specification. They let a request receiver acknowledge work immediately and return a task identifier instead of holding the original request open until expensive work completes.

The requestor can inspect status, retrieve the final result, list tasks, or cancel a task when those operations were negotiated. Typical states include working, input required, completed, failed, and cancelled.

  • Use tasks for expensive computation, batch work, or external jobs.
  • Generate task identifiers on the receiving side.
  • Return polling guidance and useful status messages.
  • Apply authorization to task listing, status, result, and cancellation.

Design for Decline, Cancellation, and Failure

Bidirectional features create more outcomes than a normal request-response call. A user can decline elicitation, a host can reject sampling, and a task can fail or be cancelled.

Treat these outcomes as normal workflow branches. Preserve partial progress, return a clear status, and avoid retrying user-facing requests in a loop.

Security and Privacy Boundaries

Sampling can expose context to a model, elicitation can collect user data, and tasks can retain state beyond the original request. Each feature therefore needs explicit consent, data minimization, retention rules, and auditability.

The host remains the user-facing trust boundary. Servers should request the least information and capability necessary to finish the current workflow, and sensitive input should travel directly to a trusted HTTPS destination through URL-mode elicitation rather than through the MCP client.

Designing Bidirectional Workflows Safely

Sampling, elicitation, and tasks are advanced because they let the server participate in a richer workflow than simple request-response capability calls. Sampling lets a server ask the client-controlled model for generation. Elicitation lets a server ask the user for missing input through the client. Tasks let supported requests become deferred, pollable work. Each feature is useful, but each increases the number of states the system must handle.

The safe design order is capability negotiation first, user trust second, and workflow recovery third. A server should not assume the client supports sampling or elicitation. A client should not hide from users when a server is asking for model work or user input. Both sides should handle decline, cancellation, timeout, and unsupported-feature paths as normal outcomes.

Use these features when they simplify a real workflow. If a server can complete work with an ordinary tool response, do that. If it needs model judgment owned by the host, use sampling. If it needs a non-sensitive missing choice, use form elicitation. If it needs credentials or payment authorization, use URL-mode elicitation. If work is long-running, use tasks where supported rather than holding a fragile request open.

  • Negotiate support before using bidirectional features.
  • Keep sampling context minimal and host-controlled.
  • Use form elicitation only for bounded non-sensitive input.
  • Use URL-mode elicitation for sensitive out-of-band flows.
  • Model task states explicitly: working, input required, completed, failed, and cancelled.

Advanced Workflow State Review

Bidirectional MCP workflows need explicit state tracking. A sampling request may be approved, modified, rejected, or produce output that the server must validate. An elicitation request may be accepted, declined, cancelled, or abandoned. A task may be working, waiting for input, completed, failed, or cancelled. Treat each result as a normal branch.

For sampling, log why the server requested model help, what context was requested, whether the client allowed it, and how the generated result was used. For elicitation, log the prompt, mode, user decision, and safe correlation identifier. For tasks, log creation time, owner, status transitions, cancellation, and result retrieval.

The expert rule is to avoid hidden waiting. If the workflow is waiting for a user, model, or background task, the client and user should be able to see that status. Hidden pending states create support tickets and make recovery difficult.

  • Model every approval, decline, cancellation, timeout, and failure branch.
  • Log state transitions without storing sensitive elicitation data.
  • Expose clear status for pending and deferred work.
  • Design cancellation and cleanup before production use.

Sampling Request

The server asks the client for a bounded model response. The client remains free to approve, modify, or reject it.

Sampling Request 
{
  "jsonrpc": "2.0",
  "id": 41,
  "method": "sampling/createMessage",
  "params": {
    "messages": [
      {
        "role": "user",
        "content": {
          "type": "text",
          "text": "Summarize the validated incident timeline."
        }
      }
    ],
    "maxTokens": 300
  }
}
  • The request is valid only when the client advertised sampling support.
  • The client controls the actual model and may limit context further.
  • The token limit bounds generation cost and response size.

Elicitation Request

A server requests a non-sensitive user choice using a restricted JSON schema.

Elicitation Request 
{
  "jsonrpc": "2.0",
  "id": 42,
  "method": "elicitation/create",
  "params": {
    "message": "Choose the environment for this deployment plan.",
    "requestedSchema": {
      "type": "object",
      "properties": {
        "environment": {
          "type": "string",
          "enum": ["development", "staging", "production"]
        }
      },
      "required": ["environment"]
    }
  }
}
  • The form contains one bounded non-sensitive choice.
  • The server must handle accept, decline, and cancel responses.
  • Both client and server should validate accepted content.

URL-Mode Elicitation for a Sensitive Flow

For OAuth, credentials, payments, or other sensitive input, the server asks the client to open a trusted external page instead of collecting the data in an MCP form.

URL-Mode Elicitation for a Sensitive Flow 
{
  "jsonrpc": "2.0",
  "id": 43,
  "method": "elicitation/create",
  "params": {
    "mode": "url",
    "message": "Connect your incident-management account.",
    "url": "https://accounts.example.com/oauth/authorize",
    "elicitationId": "connect-incident-account-7f31"
  }
}
  • The client should display the destination and ask for user consent before opening it.
  • Sensitive values are entered on the external HTTPS page and do not pass through the MCP client.
  • The elicitation identifier correlates completion without exposing the sensitive data.

Task-Augmented Tool Call

Experimental tasks let a receiver return durable work state for a long-running tool call.

Task-Augmented Tool Call 
{
  "jsonrpc": "2.0",
  "id": 44,
  "method": "tools/call",
  "params": {
    "name": "generate_compliance_report",
    "arguments": {
      "quarter": "2026-Q2"
    },
    "task": {
      "ttl": 3600000
    }
  }
}
  • The receiver must advertise task support for tool calls.
  • The immediate response contains task state rather than the final report.
  • Result retrieval and cancellation require their own authorization checks.
Key Takeaways
  • Check negotiated capabilities before sending bidirectional requests.
  • Keep sampling context and token requests bounded.
  • Never collect secrets through form-mode elicitation; use URL mode.
  • Handle accept, decline, cancel, failure, and timeout explicitly.
  • Treat tasks as experimental and version-sensitive.
Common Mistakes to Avoid
Assuming every MCP host supports sampling or elicitation.
Using form-mode elicitation as a secret or credential form.
Keeping long-running work inside an open request when task support exists.
Allowing users to inspect or cancel tasks belonging to another tenant.

Practice Tasks

  • Design an elicitation schema for a safe non-sensitive deployment choice.
  • Write the capability check required before a sampling request.
  • Model task states for a long-running report generator.
  • Define audit events for sampling approval, elicitation response, and task cancellation.
See Also
Roots & Context Authorization

Frequently Asked Questions

No. The server can express preferences, but the client controls model selection and may modify or reject the request.

Not through form mode. Sensitive interactions must use URL mode so the data does not pass through the MCP client.

Tasks were introduced as experimental in the 2025-11-25 specification, so implementations should pin protocol expectations and prepare for evolution.

Previous Next

Ready to Level Up Your Skills?

Explore 500+ free tutorials across 20+ languages and frameworks.

Browse Tutorials Contact Us