verification updates

Craig Shoemaker · Craig Shoemaker · commit 6145eebed9cb · 2026-02-19T14:29:02.000-07:00
diff --git a/articles/container-apps/mcp-authentication.md b/articles/container-apps/mcp-authentication.md
@@ -5,7 +5,7 @@ description: Learn how to authenticate and authorize MCP servers on Azure Contai
 ms.topic: how-to
 ms.service: azure-container-apps
 ms.collection: ce-skilling-ai-copilot
-ms.date: 02/18/2026
+ms.date: 02/19/2026
 author: craigshoemaker
 ms.author: cshoe
 ms.reviewer: cshoe
@@ -21,7 +21,7 @@ This article explains how to authenticate and secure MCP servers running on Azur
 - [Azure CLI](/cli/azure/install-azure-cli) version 2.62.0 or later.
 - An existing container app or session pool. If you don't have one, see the [MCP server tutorials](mcp-overview.md).
 
-## Authentication models at a glance
+## Authentication models overview
 
 Azure Container Apps supports two authentication models for MCP servers. The following table summarizes the key differences.
 
@@ -30,7 +30,7 @@ Azure Container Apps supports two authentication models for MCP servers. The fol
 | Auth mechanism | Container Apps built-in authentication with Microsoft Entra ID | API key via `x-ms-apikey` header |
 | Token type | OAuth 2.0 Bearer token | Opaque API key string |
 | Identity provider | Microsoft Entra ID | Azure Resource Manager |
-| Key/token rotation | Managed by Microsoft Entra ID | Regenerate the Azure Resource Manager API |
+| Key/token rotation | Managed by Microsoft Entra ID | Regenerate via Azure Resource Manager API |
 | Authorization scope | Configurable per application | Session pool level |
 | Transport encryption | TLS (Container Apps ingress) | TLS (Container Apps sessions endpoint) |
 
@@ -95,7 +95,7 @@ When your MCP server requires a bearer token, configure token retrieval in your
     "servers": {
         "my-mcp-server": {
             "type": "http",
-            "url": "https://<APP_NAME>.<REGION>.azurecontainerapps.io/mcp",
+            "url": "https://<CONTAINER_APP_NAME>.<REGION>.azurecontainerapps.io/mcp",
             "headers": {
                 "Authorization": "Bearer ${input:mcpBearerToken}"
             }
@@ -129,7 +129,7 @@ az containerapp ingress cors update \
     --max-age 3600
 ```
 
-Key headers to allow:
+The following headers are key to allow:
 
 - `Content-Type`: required for JSON-RPC requests
 - `Authorization`: required for bearer token auth
@@ -138,7 +138,7 @@ Key headers to allow:
 > [!NOTE]
 > GitHub Copilot connects to remote MCP servers from the VS Code desktop app, not from a browser. CORS is only needed if you intend to support browser-based MCP clients or VS Code for the Web. The standalone tutorials use wildcard CORS origins for simplicity; for production, restrict to specific trusted origins as shown here.
 
-### Security recommendations
+### Security recommendations for standalone MCP servers
 
 Apply the following best practices to harden your standalone MCP server.
 
@@ -150,15 +150,18 @@ Apply the following best practices to harden your standalone MCP server.
 
 ## Dynamic sessions with API key authentication
 
+> [!IMPORTANT]
+> The platform-managed MCP server for dynamic sessions is in **preview**. The API version `2025-02-02-preview` and `mcpServerSettings` properties are subject to change.
+
 The platform-managed MCP server in dynamic sessions uses API key authentication. The key is scoped to the session pool and grants access to all tools and sessions in the pool.
 
-### Authentication flow
+### API key authentication flow
 
 The following steps describe how API key authentication works for dynamic sessions.
 
 1. The client sends a JSON-RPC request with the `x-ms-apikey` header.
 1. The session pool proxy validates the key against the Azure control plane.
-1. If the key is valid, the request is forwarded to the session. If not, a `401 Unauthorized` response is returned.
+1. If the key is valid, the request is forwarded to the session. If not, an authentication error is returned.
 
 ### Retrieve the API key
 
@@ -171,9 +174,9 @@ API_KEY=$(az rest --method POST \
     --query "apiKey" -o tsv)
 ```
 
-### Key rotation and caching
+### Rotate and cache the API key
 
-You can regenerate the API key at any time. The platform caches validation results, so previously valid keys might continue to work for several minutes after regeneration while the cache expires.
+You can regenerate the API key at any time. The platform caches validation results for up to five minutes, so previously valid keys might continue to work after regeneration until the cache expires.
 
 To rotate the API key, call the `regenerateCredentials` action on the session pool:
 
@@ -185,7 +188,7 @@ az rest --method POST \
 
 After regeneration, retrieve the new key by using `fetchMCPServerCredentials` as shown earlier.
 
-### Security recommendations
+### Security recommendations for dynamic sessions
 
 Apply the following best practices to secure your dynamic sessions MCP deployment.
 
@@ -195,7 +198,7 @@ Apply the following best practices to secure your dynamic sessions MCP deploymen
 - **Session lifetime**: Configure `coolDownPeriodInSeconds` to automatically destroy idle sessions. This setting limits the window of exposure if a session is compromised.
 - **Secret storage**: Store the API key in [Azure Key Vault](/azure/key-vault/general/overview) or [Container Apps secrets](/azure/container-apps/manage-secrets) rather than in code or configuration files.
 
-## Authentication model comparison
+## Common authentication mismatches
 
 A common mistake is using the API key header (`x-ms-apikey`) with a standalone container app, or using a bearer token with the sessions MCP endpoint. The following table shows what happens when you mix them up.
 
diff --git a/articles/container-apps/mcp-choosing-azure-service.md b/articles/container-apps/mcp-choosing-azure-service.md
@@ -6,7 +6,7 @@ ms.topic: conceptual
 ms.service: azure-container-apps
 ms.collection: ce-skilling-ai-copilot
 ms.custom: cross-service
-ms.date: 02/18/2026
+ms.date: 02/19/2026
 author: craigshoemaker
 ms.author: cshoe
 ms.reviewer: cshoe
@@ -37,7 +37,7 @@ Add an MCP endpoint to an existing or new web app. App Service supports code-bas
 
 ### Azure Functions
 
-Map function triggers to MCP tools using the [Azure Functions MCP extension](/azure/azure-functions/scenario-custom-remote-mcp-server). Azure Functions is optimized for stateless, event-driven tool execution with per-invocation pricing.
+Map function triggers to MCP tools by using the [Azure Functions MCP extension](/azure/azure-functions/scenario-custom-remote-mcp-server). Azure Functions is optimized for stateless, event-driven tool execution with per-invocation pricing.
 
 ## Compare hosting options
 
@@ -60,7 +60,7 @@ The following table summarizes the key differences between hosting options.
 
 Use the following guidance to narrow your decision based on common workload patterns.
 
-### Build a custom MCP server
+### Build a custom MCP server with Azure
 
 **Recommended: Azure Container Apps (standalone) or Azure App Service**
 
@@ -82,10 +82,11 @@ Tutorials:
 
 Session pools with MCP enabled provide Hyper-V-isolated environments for running untrusted or LLM-generated code. The platform manages the MCP server, so you don't write or deploy server code. The built-in tools cover code execution scenarios without custom development:
 
-- **Shell pools**: `launchShell`, `runShellCommandInRemoteEnvironment`
-- **Python pools**: `launchPythonEnvironment`, `runPythonCodeInRemoteEnvironment`
+- `launchShell`: Creates a new environment
+- `runShellCommandInRemoteEnvironment`: Executes shell commands
+- `runPythonCodeInRemoteEnvironment`: Executes Python code
 
-Dynamic sessions maintain prewarmed instances, so there's no cold-start latency.
+Dynamic sessions maintain prewarmed instances, so you don't experience cold-start latency.
 
 Tutorials:
 
diff --git a/articles/container-apps/mcp-overview.md b/articles/container-apps/mcp-overview.md
@@ -1,17 +1,17 @@
 ---
-title: MCP servers on Azure Container Apps
-description: Learn how to host Model Context Protocol (MCP) servers on Azure Container Apps as standalone container apps or with platform-managed dynamic sessions.
+title: Host MCP servers on Azure Container Apps
+description: Learn how to host MCP servers on Azure Container Apps as standalone container apps or with dynamic sessions.
 #customer intent: As a developer, I want to deploy an MCP server as a standalone container app so that I can expose custom tools and connect to backend services.
 ms.topic: conceptual
 ms.service: azure-container-apps
 ms.collection: ce-skilling-ai-copilot
-ms.date: 02/18/2026
+ms.date: 02/19/2026
 author: craigshoemaker
 ms.author: cshoe
 ms.reviewer: cshoe
 ---
 
-# MCP servers on Azure Container Apps
+# Host MCP servers on Azure Container Apps
 
 [Model Context Protocol (MCP)](https://modelcontextprotocol.io/) is an open standard that connects AI applications to external data sources and tools. By using MCP, AI clients like GitHub Copilot can discover and invoke capabilities you expose, turning your APIs, databases, and business logic into tools an AI agent can use through natural language.
 
@@ -80,13 +80,12 @@ In this model, the platform manages the MCP server. You don't write or deploy MC
 
 | Tool | Description |
 |---|---|
-| `launchShell` | Creates a new shell environment and returns an `environmentId` |
-| `launchPythonEnvironment` | Creates a new Python environment and returns an `environmentId` |
+| `launchShell` | Creates a new environment and returns an `environmentId` |
 | `runShellCommandInRemoteEnvironment` | Executes a shell command in an existing environment |
 | `runPythonCodeInRemoteEnvironment` | Executes Python code in an existing environment |
 
 > [!NOTE]
-> The available tools depend on the session pool's `containerType`. Shell pools expose `launchShell` and `runShellCommandInRemoteEnvironment`. Python pools expose `launchPythonEnvironment` and `runPythonCodeInRemoteEnvironment`.
+> The platform-managed MCP server exposes all three tools regardless of the session pool's `containerType`. Use `launchShell` to create an environment for both shell and Python pools.
 
 ### Request flow
 
diff --git a/articles/container-apps/mcp-troubleshooting.md b/articles/container-apps/mcp-troubleshooting.md
@@ -5,7 +5,7 @@ description: Diagnose and fix common issues with MCP servers on Azure Container
 ms.topic: troubleshooting
 ms.service: azure-container-apps
 ms.collection: ce-skilling-ai-copilot
-ms.date: 02/18/2026
+ms.date: 02/19/2026
 author: craigshoemaker
 ms.author: cshoe
 ms.reviewer: cshoe
@@ -111,7 +111,7 @@ The `id` must be a string or number. The `jsonrpc` field must be exactly `"2.0"`
 
 ### Transport mismatch
 
-**Symptoms**: SSE client gets 404 or 405 errors; HTTP client gets unexpected `text/event-stream` content type.
+**Symptoms**: SSE client gets 404 or 405 errors. HTTP client gets unexpected `text/event-stream` content type.
 
 MCP supports multiple transports. Ensure your client and server use the same transport.
 
@@ -123,6 +123,9 @@ MCP supports multiple transports. Ensure your client and server use the same tra
 
 Most modern MCP SDKs default to streamable HTTP. If you're connecting to a server that uses SSE (common with older examples), switch your client to SSE mode.
 
+> [!NOTE]
+> The [Java tutorial](tutorial-mcp-server-java.md) uses the SSE transport (`WebMvcSseServerTransportProvider`) because the MCP Java SDK doesn't yet offer a stable streamable HTTP transport. When connecting from VS Code, select SSE and use `"type": "sse"` in `.vscode/mcp.json`.
+
 ## Deployment and scaling
 
 Deployment issues prevent your container from starting or responding correctly. These problems typically relate to health probes, port configuration, or scaling settings.
@@ -221,15 +224,15 @@ Authentication problems typically happen when you use the wrong credential type
 1. Check that the Microsoft Entra app registration's `audience` matches the resource you requested.
 1. Verify the `--unauthenticated-client-action` setting. `Return401` blocks unauthenticated requests; `AllowAnonymous` lets them through.
 
-### 401 Unauthorized: dynamic sessions MCP
+### Authentication error: dynamic sessions MCP
 
-**Symptoms**: `401 Unauthorized` when calling the platform-managed MCP endpoint.
+**Symptoms**: Authentication error when calling the platform-managed MCP endpoint. The error might appear as an HTTP `401` response or as a JSON-RPC error message in the response body. The type of error depends on where in the request pipeline the failure occurs.
 
 **Checklist**:
 
 1. Verify the API key is sent via the `x-ms-apikey` header (not `Authorization`).
 1. Verify the key is from `fetchMCPServerCredentials`, not from a different API.
-1. If you recently regenerated the key, wait several minutes for the old key's cache to expire.
+1. If you recently regenerated the key, wait up to five minutes for the old key's cache to expire.
 1. Check that `mcpServerSettings.isMCPServerEnabled` is `true` on the session pool.
 
 For more information, see the [authentication guide](mcp-authentication.md).
@@ -245,10 +248,10 @@ Issues in this section apply only to the platform-managed MCP server in [dynamic
 **Causes**:
 
 - The session expired (exceeded `coolDownPeriodInSeconds`).
-- The `environmentId` wasn't extracted correctly from the `launchShell` or `launchPythonEnvironment` response.
+- The `environmentId` wasn't extracted correctly from the `launchShell` response.
 - You're using an environment ID from a different session pool.
 
-**Solution**: Call `launchShell` or `launchPythonEnvironment` again to create a new environment.
+**Solution**: Call `launchShell` again to create a new environment.
 
 ### MCP not enabled on session pool
 
diff --git a/articles/container-apps/sessions-tutorial-python-mcp.md b/articles/container-apps/sessions-tutorial-python-mcp.md
@@ -5,7 +5,7 @@ description: Learn how to create a Python session pool with the platform-managed
 ms.topic: tutorial
 ms.service: azure-container-apps
 ms.collection: ce-skilling-ai-copilot
-ms.date: 02/18/2026
+ms.date: 02/19/2026
 author: craigshoemaker
 ms.author: cshoe
 ms.reviewer: cshoe
@@ -22,7 +22,7 @@ Unlike the [standalone MCP server tutorials](mcp-overview.md#standalone-containe
 
 | Tool | Description |
 |------|-------------|
-| `launchPythonEnvironment` | Creates a new Python environment and returns an `environmentId` |
+| `launchShell` | Creates a new environment and returns an `environmentId` |
 | `runPythonCodeInRemoteEnvironment` | Executes Python code in an existing environment |
 | `runShellCommandInRemoteEnvironment` | Executes a shell command in an existing environment |
 
@@ -184,7 +184,7 @@ Create a new Python environment:
 ENVIRONMENT_RESPONSE=$(curl -sS -X POST "$MCP_ENDPOINT" \
     -H "Content-Type: application/json" \
     -H "x-ms-apikey: $API_KEY" \
-    -d '{ "jsonrpc": "2.0", "id": "2", "method": "tools/call", "params": { "name": "launchPythonEnvironment", "arguments": {} } }')
+    -d '{ "jsonrpc": "2.0", "id": "2", "method": "tools/call", "params": { "name": "launchShell", "arguments": {} } }')
 
 echo $ENVIRONMENT_RESPONSE
 ```
@@ -197,7 +197,7 @@ echo $ENVIRONMENT_ID
 ```
 
 > [!NOTE]
-> The `launchPythonEnvironment` tool generates a unique environment identifier. The actual session is allocated "lazily". When you execute your first command, the session pool assigns a Hyper-V-isolated container to handle it.
+> The `launchShell` tool generates a unique environment identifier. The actual session is allocated "lazily". When you execute your first command, the session pool assigns a Hyper-V-isolated container to handle it.
 
 ## Execute Python commands
 
diff --git a/articles/container-apps/tutorial-mcp-server-java.md b/articles/container-apps/tutorial-mcp-server-java.md
diff --git a/articles/container-apps/tutorial-mcp-server-python.md b/articles/container-apps/tutorial-mcp-server-python.md
