If you’ve been building with large language models in 2025 or 2026, you’ve probably hit the same wall everyone else has: getting your AI to actually do things beyond generating text. You want it to query your database, read your docs, call your APIs, manage files. Every tool vendor has its own integration pattern, every model provider has its own function-calling spec, and you end up writing bespoke glue code for each combination.
That’s the problem Model Context Protocol (MCP) was built to solve. Released by Anthropic as an open standard in late 2024, MCP defines a universal way for AI applications to connect to external tools, data sources, and services. Think of it as USB-C for AI integrations—one protocol that replaces the tangle of custom connectors.
If you’re searching “what is MCP model context protocol,” you’re likely a developer evaluating whether to adopt it, a technical lead deciding on integration architecture, or someone trying to understand why every AI coding tool suddenly lists “MCP support” in its changelog. This guide covers the protocol in depth: what it is, how it works under the hood, who supports it, and when it’s—and isn’t—the right choice.
The Integration Problem MCP Solves
Before MCP, connecting AI models to external tools meant building point-to-point integrations. If you had N models and M tools, you needed up to N × M integration implementations. Claude needs a Postgres connector? Build it. GPT-4 needs the same Postgres connector? Build a different one, because OpenAI’s function-calling format differs from Anthropic’s tool-use format.
This is the classic M × N problem in software engineering, and it’s the same problem that USB, ODBC, and LSP (Language Server Protocol) each solved in their respective domains. The solution is always the same: introduce a standard protocol so that each side only needs to implement it once. With MCP, M tools each implement one MCP server, and N model hosts each implement one MCP client. Total integrations drop from M × N to M + N.
This isn’t just a theoretical elegance. In practice, the M × N approach creates three concrete problems:
- Duplicated effort. Every team building AI features writes its own database connectors, file-system access layers, and API wrappers. The logic is nearly identical across projects, but the interface contracts differ.
- Inconsistent capabilities. When each integration is hand-rolled, some models get access to certain tools and others don’t. Users experience unpredictable feature gaps depending on which model-tool combination they’re using.
- Security fragmentation. Without a standard, each integration implements its own permission model (or none at all). There’s no common framework for sandboxing, approval flows, or audit logging.
MCP Architecture: How It Actually Works
MCP uses a client-server architecture built on JSON-RPC 2.0, the same lightweight RPC protocol used by LSP. The architecture has three layers:
The Three Layers
- MCP Host — The user-facing application. This is Claude Desktop, Cursor, VS Code, your custom chat app—whatever the user interacts with. The host manages the lifecycle of MCP clients and coordinates between the AI model and the connected servers.
- MCP Client — A protocol-level connector that lives inside the host. Each client maintains a 1:1 connection with a single MCP server. The client handles capability negotiation, message routing, and transport management.
- MCP Server — A lightweight process that exposes specific capabilities (tools, resources, prompts) to the client. Servers can be local processes communicating over stdio, or remote services communicating over HTTP with Server-Sent Events (SSE).
The data flow looks like this: the user asks the AI model a question → the model decides it needs external data or actions → the host routes the request through the appropriate MCP client → the client sends a JSON-RPC call to the MCP server → the server executes the operation and returns results → the model incorporates the results into its response.
The Three Primitives
MCP servers expose capabilities through three primitive types. This is where the protocol gets specific and opinionated:
1. Tools (Model-Controlled)
Tools are functions that the AI model can invoke. They’re the most common primitive and the one most people think of first. A tool has a name, a description (which the model reads to decide when to use it), and a JSON Schema defining its input parameters.
Examples: query_database, create_github_issue, send_email, search_files.
The key design decision: the model decides when to call tools, but the host application controls whether to actually execute them. Most MCP hosts implement a human-in-the-loop approval step before running tool calls, especially for tools that have side effects (writing data, sending messages, modifying files).
2. Resources (Application-Controlled)
Resources are data sources that the MCP server exposes for reading. Unlike tools, resources are controlled by the host application, not the model. The host decides when and how to fetch resource data and attach it to the model’s context.
Examples: file contents, database schemas, API documentation, configuration files, log streams.
Resources have URIs (like file:///path/to/doc.md or postgres://db/schema) and can be static or dynamic. Dynamic resources can notify the client when their content changes via subscriptions.
3. Prompts (User-Controlled)
Prompts are reusable prompt templates that the server exposes. They’re user-controlled—typically surfaced as slash commands or menu items in the host application. A user explicitly selects a prompt template and optionally fills in arguments.
Examples: /review-code, /explain-error, /generate-tests.
Prompts are the least discussed primitive but arguably the most important for user experience. They let MCP server authors package domain expertise into reusable interaction patterns, rather than requiring users to write effective prompts from scratch every time.
Transport Mechanisms
MCP supports two transport layers, each suited to different deployment scenarios:
- stdio (Standard I/O) — The host spawns the MCP server as a local child process and communicates via stdin/stdout. This is the simplest transport: no network configuration, no authentication overhead. It’s the default for local tools like file-system access, local database queries, and CLI wrappers. The tradeoff is that the server must run on the same machine as the host.
- Streamable HTTP — The server runs as an HTTP endpoint. The client sends JSON-RPC requests as HTTP POST requests and can receive streaming responses via Server-Sent Events. This enables remote MCP servers—SaaS tools, cloud databases, team-shared services—and supports authentication, load balancing, and all the standard HTTP infrastructure. The original SSE-based transport is being superseded by this streamable HTTP approach in newer SDK versions.
Who Supports MCP Today
MCP adoption has been rapid. Within a year of its release, most major AI development tools added MCP client support. Here’s the current landscape:
| Application | MCP Support | Transport | Notes |
|---|---|---|---|
| Claude Desktop | Full (Host + Client) | stdio, HTTP | First-party support from Anthropic; ships with built-in MCP server management |
| Claude Code (CLI) | Full (Host + Client) | stdio, HTTP | Native MCP integration with tool approval workflows |
| Cursor | Full (Host + Client) | stdio, HTTP | MCP servers configurable per-project via settings |
| VS Code (Copilot) | Full (Host + Client) | stdio, HTTP | MCP support in GitHub Copilot Chat; configure via settings.json |
| Windsurf | Full (Host + Client) | stdio | MCP server support integrated into Cascade AI flows |
| Zed | Full (Host + Client) | stdio | Extension-based MCP server management |
| Cline | Full (Host + Client) | stdio, HTTP | VS Code extension with deep MCP integration and approval UI |
| Continue | Full (Host + Client) | stdio | Open-source coding assistant with MCP support |
| OpenAI Agents SDK | Client support | stdio, HTTP | Added MCP client support for agent tool use |
The Server Ecosystem
The supply side of MCP has grown even faster than the client side. As of mid-2026, the MCP server ecosystem includes thousands of community-built servers with over 97 million total installs across package registries. Servers exist for databases (Postgres, MySQL, SQLite, MongoDB), cloud platforms (AWS, GCP, Cloudflare), developer tools (GitHub, GitLab, Jira, Linear), communication platforms (Slack, Discord, email), file systems, web scraping, and dozens of other categories.
Anthropic maintains a curated registry and a set of reference servers, but most of the ecosystem is community-driven. This is by design—the protocol is open (Apache 2.0 license), and anyone can publish a server to npm or PyPI.
Building an MCP Server
If you’re considering building your own MCP server, the official SDKs make it straightforward. Here’s what’s involved:
TypeScript SDK
The @modelcontextprotocol/sdk npm package provides a high-level API for building servers. You define tools with names, descriptions, and input schemas, then implement handler functions. The SDK handles JSON-RPC framing, capability negotiation, and transport setup. A minimal server that exposes a single tool is roughly 30–40 lines of code.
Python SDK
The mcp Python package provides the same functionality with a decorator-based API. You annotate functions with @server.tool() and the SDK generates the JSON Schema from type hints. The Python SDK also supports async handlers out of the box, which matters for servers that call external APIs.
What a Server Needs to Handle
Beyond the core tool/resource/prompt implementations, a production MCP server needs to address:
- Input validation. The SDK validates inputs against your JSON Schema, but you still need application-level validation (checking that a file path exists, that a database query is safe, etc.).
- Error handling. MCP defines standard error codes (inspired by JSON-RPC). Your server should return meaningful error messages that help the model recover or ask the user for clarification.
- Timeouts. Long-running operations need progress reporting or timeout handling. The protocol supports progress notifications for this.
- Capability negotiation. During initialization, the client and server exchange capability declarations. Your server should only advertise capabilities it actually implements.
Security Considerations
MCP takes a deliberate approach to security, but the model is still evolving. Key considerations:
Tool Permissions and Approval
The protocol itself doesn’t enforce permissions—that’s the host’s responsibility. Most MCP hosts implement approval flows where the user must explicitly authorize tool calls, especially for write operations. Claude Code, for example, categorizes tools into read-only (auto-approved after initial grant) and write (requires per-call approval) tiers.
Sandboxing
Local MCP servers (stdio transport) run as child processes with the same permissions as the host application. This means a file-system MCP server can access any file the user can access. The security boundary is the host’s approval mechanism, not OS-level sandboxing. For production deployments, consider running MCP servers in containers or with restricted OS permissions.
Supply Chain Risks
The open ecosystem is a double-edged sword. Anyone can publish an MCP server, and there’s no mandatory security review. Before installing a community MCP server, you should audit the source code—particularly what system calls it makes, what network requests it sends, and what data it accesses. This is no different from the due diligence you’d apply to any npm or PyPI package, but the stakes are higher because MCP servers operate with the user’s ambient authority.
Prompt Injection
MCP servers that fetch content from external sources (web pages, emails, documents) can introduce prompt injection vectors. The model may receive malicious instructions embedded in fetched content. The standard mitigation is to treat all MCP-sourced data as untrusted input and rely on the host’s instruction hierarchy to prevent the model from following injected commands.
When MCP Isn’t the Answer
MCP is powerful, but it’s not always the right tool. There are scenarios where a simpler approach makes more sense:
Simple, Single-Model Deployments
If your application uses exactly one AI model and calls a handful of well-defined functions, native function calling (tool use) might be all you need. OpenAI’s function calling, Anthropic’s tool use, and Google’s function declarations all work fine for direct model-to-function integration. MCP adds value when you need interoperability across models or want to reuse tool implementations across projects—if neither applies, it’s added complexity without added benefit.
High-Performance, Latency-Sensitive Paths
MCP adds a layer of indirection: JSON-RPC serialization, process-to-process (or HTTP) communication, and protocol negotiation. For hot paths where microseconds matter—like real-time trading systems or latency-critical inference pipelines—direct function calls within the same process will always be faster. MCP’s overhead is negligible for most applications, but it’s worth measuring if you’re operating at the margins.
Internal-Only, Tightly Coupled Systems
If you’re building an internal tool where the AI model, tools, and data all live in the same monolith and will never need to be separated, the abstraction layer MCP provides may not justify itself. Protocols shine at boundaries—between teams, between organizations, between products. Inside a single, cohesive system, they can feel like bureaucracy.
When You Need Fine-Grained Streaming
MCP supports progress notifications but doesn’t currently provide fine-grained streaming of tool results. If your use case requires streaming partial results back to the model mid-execution (for example, processing a large dataset row by row), you may need to implement that outside the MCP framework or wait for protocol extensions.
The Bottom Line: Should You Adopt MCP?
Here’s the honest assessment:
Adopt MCP if you’re building AI applications that need to connect to multiple external tools or data sources, especially if you want those integrations to work across different AI models or development environments. The protocol is well-designed, the ecosystem is large and growing, and the major development tools already support it. If you’re building tools that other developers will use with AI, publishing an MCP server is increasingly the expected integration path.
Wait on MCP if you have a simple, single-model application with a small number of direct API integrations that work fine today. Adopting MCP in that scenario adds architectural complexity without solving a problem you actually have. You can always add MCP later when your integration needs grow.
The trajectory is clear. MCP is becoming the standard interface between AI models and external capabilities, much as LSP became the standard for editor-language integration. The ecosystem is past the early-adopter phase—with support in Claude, Cursor, VS Code, and the major AI SDKs, it’s mainstream infrastructure. The question for most developers isn’t whether MCP will matter, but when it becomes relevant to their specific work.
For developers building AI-powered tools and services, understanding MCP is no longer optional. It’s the protocol layer that connects models to the real world, and it’s being adopted faster than almost any developer standard in recent memory.
Disclosure: Some links in this article are affiliate links. If you sign up through them, we may earn a commission at no extra cost to you. We only recommend tools we’ve used in production and genuinely believe are worth adopting.