Model Context Protocol (MCP): What It Is and How It Works

Model Context Protocol (MCP) is an open standard that lets AI assistants connect to external tools, data, and services through one shared interface. Anthropic created it and open-sourced it on November 25, 2024 (Anthropic, “Introducing the Model Context Protocol”). Claude Desktop was the first application to support it.

Since December 2025, the protocol has been governed by the Agentic AI Foundation (AAIF) under the Linux Foundation, co-founded by Anthropic, Block, and OpenAI (Linux Foundation, December 9, 2025). Google, Microsoft, AWS, Cloudflare, and Bloomberg participate as members. Over 10,000 servers are published across registries. SDK downloads reached 97 million per month by March 2026.

Every MCP connection has three parts. The host is the AI application you interact with: Claude Desktop, Cursor, ChatGPT. The client is the component inside that host that speaks the protocol. The server is the program that exposes a tool or data source (GitHub, Slack, a database) to the host. You choose and configure the servers. The client comes built in.

Without a shared standard, connecting N AI apps to M tools requires N × M separate integrations. MCP collapses that to N + M. Any compliant client connects to any compliant server. No bespoke wiring on either side. This arithmetic is why developers call MCP the “USB-C port for AI.”

This guide is independent: the setup notes, token costs, and failure modes below come from real installs, not vendor documentation. It covers what MCP stands for, who governs it, how it works, what servers and clients are, how MCP compares to APIs and RAG, how to set it up, whether it is safe, and whether it is worth adopting.

What Does MCP Stand For?

MCP stands for Model Context Protocol. Anthropic created it and open-sourced it in November 2024 as a standard way for AI applications to connect to external tools and data.

The name describes the job. “Model” is the AI model: Claude, GPT, Gemini, any LLM. “Context” is the live information the model needs to act: callable tools, readable data, reusable prompt templates. “Protocol” is the shared format for exchanging that context. Every compliant application speaks the same language.

Before MCP, every team built its own private connector between model and tool. MCP turns that one-off plumbing into a public, documented standard. Any developer can implement it. Any vendor can build on it. The specification is hosted on GitHub at github.com/modelcontextprotocol.

The acronym collides with unrelated terms: the metacarpophalangeal joint in the hand, the retired Microsoft Certified Professional certification, and Monocalcium Phosphate. This guide covers the Model Context Protocol, the AI standard created by Anthropic.

Who Created MCP, and Who Governs It Now?

Anthropic created MCP and released it as an open specification in November 2024. Since December 2025, the Agentic AI Foundation under the Linux Foundation governs it.

The governance handoff is the strongest structural signal that MCP will persist. Anthropic, Block, and OpenAI co-founded the AAIF on December 9, 2025 and donated the protocol to it. Google, Microsoft, AWS, Cloudflare, and Bloomberg joined as members. Competing model vendors co-maintain the SDKs: Microsoft co-maintains C#, Google co-maintains Go, JetBrains contributes to Kotlin, the PHP Foundation co-maintains PHP. One company no longer controls the standard. The ecosystem does.

Is MCP Free?

Yes. The MCP specification, every official SDK, and all reference server implementations are free and open-source under permissive licenses. No licensing fees. No usage charges. No vendor lock-in at the protocol level. The only costs MCP introduces are the costs of the external tools the servers connect to: a GitHub API rate limit, a database hosting bill, a SaaS subscription.

What Does MCP Mean in AI?

In AI, MCP is the layer that lets a model act. An AI agent uses MCP to call tools, read data, and run actions instead of only generating text. MCP enables a model to open a ticket in your tracker, not just describe how to file one.

The distinction matters for anyone building agentic AI. An agent framework (LangChain, CrewAI, AutoGen) handles how an agent reasons, plans, and decides what to do next. MCP lets that agent reach external systems to execute what it decided. The reasoning is the brain. MCP is the hands. Production agent systems use both: an orchestration layer for planning and MCP for tool access.

A concrete example: you ask your AI assistant “what changed in the repo today?” The assistant’s MCP client calls a GitHub MCP server. The server queries the GitHub API and retrieves the day’s commits. The model summarises the changes and responds. The model supplied the reasoning. MCP supplied the reach.

Google’s Agent-to-Agent (A2A) protocol, announced in April 2025, addresses a different problem. MCP connects a model to tools. A2A connects an agent to other agents. The two protocols are complementary, not competing. The full comparison is at MCP vs A2A.

How Does MCP Work?

MCP follows a client-server architecture. The AI application’s client connects to one or more servers. The servers expose tools, data, and prompts the model can call. Messages travel as JSON-RPC over a transport layer.

A single MCP exchange runs through four steps:

Discovery. The client connects to a server and asks what capabilities it offers: which tools, which resources, which prompts.
Reasoning. The model receives the user’s request, sees the available tools, and decides which one fits.
Execution. The client sends a structured call to the server. The server runs it against the underlying system: the GitHub API, a database, a browser.
Response. The result returns to the model through the client. The model turns it into a human-readable answer.

Here is the exchange when a user asks Claude Desktop “what issues are open in my repo?” and a GitHub MCP server handles it:

User → Claude Desktop:  "What issues are open in my repo?"

Claude Desktop (client) → GitHub MCP server:
  { "method": "tools/call",
    "params": { "name": "list_issues", "arguments": { "repo": "user/repo", "state": "open" } } }

GitHub MCP server → GitHub API:
  GET /repos/user/repo/issues?state=open

GitHub API → GitHub MCP server:
  [ { "number": 42, "title": "Fix login timeout" }, { "number": 38, "title": "Update docs" } ]

GitHub MCP server → Claude Desktop (client):
  { "result": [ { "number": 42, "title": "Fix login timeout" }, { "number": 38, "title": "Update docs" } ] }

Claude Desktop → User:
  "You have 2 open issues: #42 'Fix login timeout' and #38 'Update docs'."

That trace is the whole protocol in practice. The JSON-RPC format, the tool name, the structured arguments, and the result are all defined by the MCP specification. The server translates between the protocol and the underlying API. The client translates between the protocol and the model. Neither side needs to know how the other works internally.

Here is a second example in a different domain, a natural-language database query through a Postgres MCP server:

User → Cursor:  "Show me revenue by region for last quarter."

Cursor (client) → Postgres MCP server:
  { "method": "tools/call",
    "params": { "name": "run_query", "arguments": { "sql": "SELECT region, SUM(revenue) FROM orders WHERE order_date >= '2026-01-01' GROUP BY region" } } }

Postgres MCP server → Database:
  Executes the SQL query against the connected database.

Database → Postgres MCP server:
  [ { "region": "North America", "revenue": 1420000 }, { "region": "Europe", "revenue": 980000 } ]

Postgres MCP server → Cursor (client):
  { "result": [ { "region": "North America", "revenue": 1420000 }, { "region": "Europe", "revenue": 980000 } ] }

Cursor → User:
  "Last quarter's revenue by region: North America $1.42M, Europe $980K."

The pattern is identical. The client formats the call. The server executes it. The result returns to the model. The tool, the transport, and the external system change. The protocol stays the same. For the wire-level message format and connection lifecycle, see MCP architecture in detail.

What Are Tools, Resources, and Prompts in MCP?

MCP servers expose three kinds of capability. Tools are actions the model can run. Resources are data the model can read. Prompts are reusable templates the server provides.

Primitive	What it provides	Real example
Tools	Actions the model can execute: write operations, queries, anything that changes state	A GitHub server creating an issue. A Postgres server running a SQL query. A Slack server posting a message.
Resources	Read-only access to files, tables, or live state	A filesystem server returning a document. A database server listing table schemas. A Figma server exposing design tokens.
Prompts	Structured templates for invoking common tasks	A “summarise this PR” template. A “review this diff for security issues” template.

Tools are the most common primitive because the dominant use cases involve taking actions. Resources are second: they give the model read access to live information instead of stale training data. Prompts are the least common and most underused. A well-designed prompt template encodes domain expertise the model lacks.

A server that exposes only tools is less capable than one that also surfaces resources and provides prompts. Check what a server exposes before installing it. The richer the primitive set, the more the model can do with it.

How Does MCP Connect? Local vs Remote Transports

MCP supports three transports. Stdio runs the server as a local process. Streamable HTTP connects to remote hosted servers. SSE is the legacy remote transport, replaced by streamable HTTP.

Transport	Setup	Latency	Security model	Use for
stdio	Low: add to config, runs locally	Lowest: no network	Inherits machine permissions	Desktop setups, local development
Streamable HTTP	Medium: URL + auth + TLS	Network round-trips	TLS plus OAuth or API key	Production remote and hosted servers
SSE	Medium: URL + auth	Network round-trips	Explicit auth tokens	Legacy remote servers only

The decision is practical. Use stdio for servers running on your laptop. Use streamable HTTP for servers hosted remotely. Stdio needs a local runtime (Node.js or Python). HTTP needs a URL and authentication. Local servers inherit your machine’s permissions. Remote servers need explicit auth. First-time setups start with stdio because it is simpler: add a server to the config file and the client launches it at startup. For the full transport specification, see MCP transports in detail.

The transports define how clients and servers connect. The next two sections define what those servers and clients are.

What Is an MCP Server?

An MCP server is a program that exposes one tool or data source to any MCP-compatible AI application. The server translates between structured JSON-RPC calls from the client and the underlying system’s API.

Every MCP server is a bridge between the AI world and the tool world. The GitHub server translates protocol calls into GitHub API requests. The Postgres server translates them into SQL. The Playwright server translates them into browser actions.

MCP servers fall into three tiers. Reference servers are maintained by the MCP project under the Linux Foundation. Seven are active: Everything, Fetch, Filesystem, Git, Memory, Sequential Thinking, and Time. Vendor-maintained servers are built by the tool’s own company: GitHub, Stripe, Figma, Supabase, Linear, and Slack each maintain their own. At least 50 vendor-maintained servers exist as of mid-2026. Community servers are built by independent developers, and quality ranges from production-grade to abandoned.

Thirteen former reference servers were archived across 2025: GitHub, GitLab, Slack, Google Drive, Postgres, Puppeteer, Brave Search, Sentry, SQLite, Redis, Google Maps, EverArt, and AWS Knowledge Base. Vendor-maintained replacements exist for each. Tutorials written in early 2025 still link to the archived versions. Install the current vendor version, not the archived reference. The full categorised directory is at MCP servers.

Where Do You Find MCP Servers?

MCP servers are listed on the official MCP Registry, PulseMCP, Smithery, and the modelcontextprotocol GitHub repository.

The official MCP Registry lists over 9,600 server records as of mid-2026. PulseMCP indexes over 15,900. Smithery catalogs over 7,300 with install commands. No single registry indexes everything, and none verifies maintainer activity. A server with 500 GitHub stars and no commits in six months is less reliable than one with 50 stars and weekly updates. Check the source repository’s commit history before trusting any listing. The independent server directory applies one evaluation rubric to every server it lists.

Do You Download MCP?

No. You do not download or install MCP itself. MCP is a protocol, not an application. Your AI app already contains the MCP client when it supports the standard: Claude Desktop, Cursor, VS Code, ChatGPT, Windsurf. What you install are individual MCP servers, the programs that connect your AI app to specific tools. When someone says “install MCP,” they mean “install an MCP server and add it to your client’s config file.” The protocol is already there. The servers are what you add.

What Are MCP Clients, and Which Apps Support MCP?

An MCP client is the component inside an AI application that speaks the protocol to servers. The client discovers what servers offer, formats tool calls as JSON-RPC, and carries messages over stdio or HTTP. You do not install a client. It is part of the host application.

PulseMCP counts over 592 MCP clients as of mid-2026. These are the ones that matter:

Claude Desktop: Anthropic’s desktop app and the canonical first MCP experience. Configured through claude_desktop_config.json. MCP access requires a Claude Pro subscription as of March 2026. Setup walkthrough at set up MCP in Claude Desktop.
Claude Code: Anthropic’s terminal coding agent. Configured with the claude mcp add command. Lazy-loads tool definitions on demand through Tool Search, cutting tool-definition overhead by 47% in independent testing (Joe Njenga, 2026).
Cursor: AI code editor with config in .cursor/mcp.json at the project root. The config travels with the repository.
VS Code: MCP through GitHub Copilot Chat. The JSON root key is "servers", not "mcpServers". Copying a Claude Desktop config without changing that key is the first error developers hit.
Windsurf: AI IDE with built-in MCP support and enterprise compliance certifications.
ChatGPT: OpenAI added MCP support in April 2025, extending its connector system to the open standard.
Cline, Zed, Gemini CLI, Codex CLI, GitHub Copilot: coding agents and terminal tools with MCP support across free and per-token pricing models.

Clients differ in transport support, primitive support, tool-loading strategy, and pricing. The side-by-side matrix is at MCP clients compared.

Can ChatGPT and Other Models Use MCP?

Yes. MCP is an open standard, and any AI application that implements it can use MCP servers, not just Claude. OpenAI added MCP support to ChatGPT in April 2025. Google’s Gemini CLI supports it. Microsoft’s VS Code supports it through Copilot. That cross-model adoption is the point of standardising the protocol: a server you set up once is reachable from any compliant client, regardless of which model powers it.

The clients consume what the servers expose. The next question is how this whole layer relates to the tools you already use.

How Does MCP Compare to APIs, RAG, and Function Calling?

MCP is not a replacement for APIs, function calling, or RAG. It is a standard layer that sits on top of them. Each row below is a complement, not a competitor:

Approach	What it provides	Use it when
MCP	A standard protocol for AI apps to discover and call tools through one interface	Any AI client needs to reach multiple tools without custom wiring
Traditional API	A direct connection between two specific systems	Two systems need to talk and no AI model is in the loop
Function calling	A model’s ability to emit a structured call to a defined function	You wire one model to one function yourself; MCP standardises this across applications
RAG	Document retrieval that grounds a model’s answer in existing text	The model needs to read knowledge, not act on live systems
Orchestration (LangChain, CrewAI)	Frameworks that manage agent reasoning, planning, and multi-step workflows	An agent needs to plan; MCP carries the tool calls underneath

An MCP server frequently wraps an existing API. Function calling is how the model emits the structured call that MCP carries. RAG supplies knowledge. MCP supplies actions. An orchestration framework plans what to do. MCP executes the calls. The layers stack. For the full breakdown with a worked example built both ways, see MCP vs API.

Is MCP Just an API?

No. An API is one connection between two specific systems. MCP is a standard that lets any AI application reach multiple APIs and tools through one uniform interface. An MCP server often wraps an existing API: the GitHub MCP server calls the GitHub API underneath. MCP adds three layers on top. The discovery layer lets the client ask the server what it can do. The model-facing abstraction shows the model tools, not endpoints. The standard format lets any client speak to any server. Those three layers separate a protocol from an endpoint.

How Does MCP Relate to Orchestration Frameworks?

MCP is the tool-access layer. Orchestration frameworks are the reasoning layer. MCP carries “call this tool on this server and return the result.” LangChain, CrewAI, or AutoGen decides which tool to call, in what order, and what to do with the results.

Production agent systems use both. LangChain provides an MCP adapter that lets its agents consume MCP servers as native tools: the agent plans the workflow, and MCP executes the calls. You do not choose between MCP and orchestration. You choose an orchestration framework and wire it to MCP for tool access. The detailed comparison is at MCP vs LangChain tools.

Where Does MCP Fit in the AI Infrastructure Stack?

MCP occupies the third layer in a four-layer AI agent architecture: the model on top, orchestration below it, tool access (MCP) below that, and external systems at the bottom. Reasoning, planning, and deciding belong to the layers above it. MCP connects and carries.

The four layers, top to bottom:

Model (LLM): reasons over input and generates output. Claude, GPT, Gemini.
Orchestration framework: plans and sequences agent actions. LangChain, CrewAI, AutoGen.
Tool-access protocol (MCP): carries tool calls between the agent and external systems.
External systems: APIs, databases, browsers, SaaS tools. The systems MCP servers expose.

The pattern repeats across computing history. HTTP standardised how browsers talk to web servers. REST standardised how applications talk to APIs. GraphQL standardised how clients query data. Each replaced a landscape of custom integrations with a shared protocol, and each accelerated its ecosystem. MCP gives AI tool access the same shared layer.

The protocol, its components, and its position in the stack are established. The practical questions follow: which servers to connect first, and how to run them.

Which MCP Servers Can You Use First?

Start with three servers: Filesystem for local files, GitHub for code workflows, and Playwright for browser automation. Each one teaches a different part of the protocol, and each has a full guide on this site with the real install steps, token costs, and failure modes.

Filesystem MCP server reads and writes local files and directories. One of the seven active reference servers. The simplest to install and the easiest to verify. The common mistake: configuring it with your home directory. Scope it to a single project folder. An agent pointed at your entire home directory can read SSH keys and credential files anywhere in the tree. Token cost: 500 to 2,000 per call.
GitHub MCP server exposes issues, pull requests, repo files, branches, and commits. GitHub maintains it; the archived Anthropic reference is no longer updated. The gotcha is token scope: a token scoped to repo can push code and merge pull requests. Scope it to the minimum your workflow needs. Token cost: 1,500 to 3,000 per call, plus 17,600 to 55,000 for tool definitions depending on enabled toolsets.
Playwright MCP server drives a real browser: navigate, click, fill forms, extract content. Microsoft maintains it. The catch is token cost: a full-page snapshot consumes 15,000 to 30,000 tokens. Target specific elements, not whole pages. Run npx playwright install first; the browser binaries are a separate download.

The full directory, organised into 14 categories with editorial picks for each, is at MCP servers.

How Do You Choose an MCP Server?

Evaluate every server on five criteria: maintenance recency, client compatibility, authentication model, transport support, and token cost per call.

Maintenance recency. Check commit history, not star count. A server last updated eight months ago has missed the November 2025 specification changes. Look for commits in the last 60 days and issues answered within a week.
Client compatibility. Confirm the server runs in the client you use. A server tested only on Claude Desktop fails in Cursor when it uses a transport Cursor does not support.
Authentication model. Prefer OAuth 2.1 tokens: scoped, time-limited, revocable. API keys sit in the config file in plain text until manually revoked. Set the narrowest permissions the server needs.
Transport. Stdio for local servers. Streamable HTTP for remote and hosted servers.
Token cost. Tool definitions consume 500 to 2,000 tokens per server before any calls happen. Three to five simultaneous servers is the practical ceiling.

Apply those five and you rarely need a ranking. The full rubric with worked examples is in the server evaluation guide. For ranked editorial picks with stated criteria, see the best MCP servers shortlist.

How Do You Set Up MCP?

Set up MCP by adding a server entry to your client’s config file, then fully quitting and reopening the client. The config file tells the client which servers to launch, what command runs each one, and which environment variables (API keys, tokens, paths) to pass.

Setup follows the same three steps in any client:

Install the server. Node.js servers run through npx. Python servers run through uvx. The package manager downloads the server on first run.
Add it to the config file. Server name, launch command, and any tokens or paths it needs.
Restart the client and verify. The server’s tools appear in the client’s tool list, and a test call returns a real result.

Here is a working Claude Desktop config connecting the Filesystem reference server and the vendor-maintained GitHub server:

{
  "mcpServers": {
    "filesystem": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-filesystem", "/Users/you/projects"]
    },
    "github": {
      "command": "docker",
      "args": [
        "run", "-i", "--rm",
        "-e", "GITHUB_PERSONAL_ACCESS_TOKEN",
        "ghcr.io/github/github-mcp-server"
      ],
      "env": {
        "GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_your_token_here"
      }
    }
  }
}

Each key under "mcpServers" is a server name you choose. The command field is the executable the client runs. The args array passes arguments to it. The env object sets environment variables, typically tokens. The Filesystem entry’s final argument is the directory the server can access. The GitHub entry runs the vendor’s Docker image; Docker must be running before the client starts.

The step that silently fails first is restart-and-verify. Claude Desktop and Cursor read the config at launch only. A window close does not reload it. Fully quit the application and relaunch. MCP access in Claude Desktop requires a Claude Pro subscription as of March 2026; the free tier does not include it. Per-client walkthroughs with exact paths and error messages are in the step-by-step setup guides, starting with Claude Desktop.

Why Isn’t My MCP Server Working?

The three most common failures are a config file that was not reloaded, a missing runtime, and an expired or unset token.

Config not reloaded. You edited the config but closed the window instead of quitting. A full application quit and relaunch is required. This is the single most common MCP setup failure.
Missing runtime. The server needs Node.js (for npx) or Python (for uvx) installed and in your PATH. Without it, the client fails with “command not found” and the server never appears.
Token not set or expired. A missing, mistyped, or expired token means the server connects but every call fails with a 401 error.

The cross-client troubleshooting guide with exact error strings and fixes is at fix MCP connection errors.

Does MCP Work on Windows, Mac, and Linux?

Yes. MCP works on all three platforms. Config paths and runtime availability differ. On macOS, the Claude Desktop config is at ~/Library/Application Support/Claude/claude_desktop_config.json. On Windows, it is at %APPDATA%\Claude\claude_desktop_config.json. On Linux, it is at ~/.config/Claude/claude_desktop_config.json.

The platform-specific trap is Windows Subsystem for Linux. A client running in native Windows cannot see Node.js installed inside WSL. The npx command in the config runs in Windows, not in WSL. Install the runtime natively on the same OS the client runs on, or run the entire client inside WSL.

Does MCP Work Without Coding?

Setup requires editing a JSON file or clicking through an install flow, not writing code. Adding a server takes 2 to 5 minutes for anyone comfortable with a text editor. Using MCP after setup requires no technical skill at all: the user types natural language, and the model decides which tools to call.

The no-JSON path is growing. Desktop Extensions (.mcpb files), introduced in early 2026, install a server into Claude Desktop with one click and no config editing. Smithery provides copy-paste install commands for its listed servers. The config-file approach remains the most flexible path, and every guide on this site shows it.

What Is MCP Inspector?

MCP Inspector is the official debugging tool for MCP servers. Inspector connects to any server and shows the tools, resources, and prompts it exposes, then lets you test individual calls without touching a client config. Use it to evaluate a new server before installing it and to isolate whether a failure sits in the server, the config, or the client. The full guide is at MCP Inspector.

A connected, verified server is the starting point. Here is what people build on top of it.

What Can You Do with MCP?

The dominant MCP workflows combine one client with two or three servers to remove tool-switching from a daily task. Five workflows people run in production:

Code review. Claude Desktop + GitHub + Slack. The model reads a pull request, summarises the changes, flags issues, and posts the summary to a channel. Cost per review: 5,000 to 8,000 tokens depending on PR size.
Natural-language data analysis. Cursor + Postgres. The developer asks a question in English. The model writes the SQL, the server runs it, and the results return into the conversation.
Design-to-code. Cursor + Figma. The model reads design tokens and frame hierarchy from a Figma file and generates matching frontend code. It reads structure, not pixels, so clean layer naming matters.
Documentation-aware coding. Claude Code + Context7. The model pulls current library documentation into context before generating code, so it uses current API signatures instead of stale training data.
Meeting preparation. ChatGPT + Notion + Slack. The model pulls relevant notes and recent messages, then produces a one-page brief with key points and open questions.

The full pattern library is at MCP use cases.

What Happens Without a Standard Like MCP?

Without MCP, every AI application builds its own connector to every tool, and the integration count multiplies. Three clients reaching 3 tools require 9 custom integrations. Adding a fourth tool means 3 more. Adding a fourth client means 4 more.

Each custom connector carries its own authentication logic, its own data format, and its own error handling. When a tool’s API ships a breaking change, every connector for that tool needs a separate update. A team maintaining 9 connectors spends engineering time on every API version bump across all 9.

MCP collapses the multiplication into addition. Each tool needs one server. Each client needs one protocol implementation. Three clients and 3 tools require 6 components, not 9. Ten clients and 10 tools require 20 components, not 100. The savings compound as the ecosystem grows, which is why the tool vendors themselves (GitHub, Stripe, Figma, Supabase) ship their own servers: one server gives them distribution across every MCP client at once.

Is MCP Safe to Use?

MCP is safe when you use trusted servers. A server can execute actions and read data, so an untrusted server is a real risk, and the risk is documented in peer-reviewed research.

The threat class to understand is tool poisoning. A malicious server embeds hidden instructions in its tool descriptions, the metadata the model reads during discovery. The model treats those descriptions as context and may follow them without the user seeing anything. Documented consequences include data exfiltration, unintended actions, and privilege escalation (Hou et al., “Model Context Protocol: Landscape, Security Threats, and Future Research Directions,” arXiv:2503.23278, 2025).

Three rules cover the bulk of the risk surface:

Install servers only from sources you trust with the underlying access. A GitHub token given to an untrusted MCP server is a GitHub token given to an untrusted developer.
Scope every token to the minimum the server needs. A read-only token for a server that only lists issues. A read-only database role for a server that only runs SELECT queries.
Prefer OAuth 2.1 over long-lived API keys. OAuth tokens expire and carry scopes. API keys pasted into a config file last until you revoke them by hand.

The full threat model, the server vetting checklist, and the mitigations are at MCP security.

What Is Tool Poisoning?

Tool poisoning is an attack where a malicious MCP server hides instructions inside its tool descriptions, and the model follows them without the user seeing them. A poisoned description for a “list_files” tool can instruct the model to also read .env files and send their contents to the server. The user sees “listing files” in the interface. The defense: install servers from trusted sources, and review tool descriptions in MCP Inspector before connecting an unfamiliar server. Inspector shows the raw descriptions exactly as the model reads them.

Does MCP Support OAuth?

Yes. The specification introduced an OAuth-based authorization framework in March 2025 and finalized OAuth 2.1 in the November 2025 release. Before that, authentication meant pasting API keys into the config file in plain text. OAuth 2.1 tokens are scoped to specific permissions, time-limited, and revocable without rotating a key. Prefer OAuth where a server supports it. Fall back to narrowly scoped keys where it does not. Per-server auth patterns are at MCP authentication.

What Are MCP’s Limitations?

MCP is useful infrastructure, not magic. Five limitations affect what you can build on it.

Encryption lives in the transport, not the protocol. Stdio is local, so no network is involved. Remote servers need TLS configured by the implementer. A remote server over plain HTTP sends tool calls in clear text.
Synchronous by default. The base protocol is request-response. Long-running operations lack native support in the core spec. The November 2025 release added experimental task support, and adoption across servers is still early.
No protocol-level rate limiting. A model that calls a tool 50 times in succession is not stopped by the protocol. The server has to implement its own throttling, and community servers rarely do.
Token overhead. Each connected server’s tool definitions consume 500 to 2,000 tokens before any calls happen, and heavyweight servers cost more: the GitHub server registers 17,600 to 55,000 tokens of definitions depending on enabled toolsets. Three to five simultaneous servers is the practical ceiling. The mitigations (toolset pruning, lazy loading, CLI substitution for single operations) are in the token optimization guide.
Quality variance across 10,000+ servers. Seven reference servers and 50+ vendor servers are reliably maintained. The rest vary, and 13 archived reference servers still circulate in old tutorials. Maintenance recency is the filter that catches both problems.

Can You Build Your Own MCP Server?

Yes. Official SDKs cover TypeScript, Python, C#, Java, Go, Kotlin, Swift, PHP, and Ruby, with co-maintainers including Microsoft, Google, JetBrains, Shopify, and the PHP Foundation. FastMCP, the most popular Python framework for the job, handles boilerplate, transport setup, and tool registration in a few lines.

Build a custom server when no existing server covers your tool: an internal database, a proprietary API, a legacy system. For common tools (GitHub, Slack, Postgres, Figma), a maintained existing server is faster and more reliable than building from scratch. The build guides, with a quickstart per SDK, are at how to build an MCP server, starting with FastMCP.

Is MCP Worth Using?

Yes. MCP has moved past the hype cycle, and the adoption evidence is structural, not promotional. Anthropic launched the protocol in November 2024. OpenAI added MCP support to ChatGPT in April 2025. Anthropic, Block, and OpenAI co-founded the Agentic AI Foundation in December 2025 and donated the protocol to it, with Google, Microsoft, AWS, Cloudflare, and Bloomberg as members. Competing vendors co-maintain the SDKs. A standard that rivals co-govern through a neutral foundation is a standard built to last.

The ecosystem numbers point the same way: over 10,000 published servers, over 592 clients, and 97 million monthly SDK downloads as of March 2026 (AAIF project data).

MCP gives a model reach, not new intelligence. The value question is whether your work involves tools the model cannot currently touch. MCP removes tool-switching for anyone working between an AI assistant and GitHub, Slack, a database, a design tool, or a documentation site. For text-in, text-out workflows with no external tools, MCP adds nothing. The workflows it pays for are at MCP use cases.

How Has the MCP Specification Evolved?

The specification has shipped four revisions since launch, with a fifth published as a release candidate.

November 2024: initial release. JSON-RPC message format, stdio and SSE transports, the three primitives, basic discovery and lifecycle.
March 2025: streamable HTTP transport replaced SSE for remote servers, and the first OAuth-based authorization framework arrived.
June 2025: structured tool output, elicitation, and security clarifications for remote deployments.
November 2025: OAuth 2.1 finalized, experimental task support for long-running operations, and the extensions mechanism.
July 2026 (release candidate): a candidate dated 2026-07-28 is published for review, covering MCP Apps, the extensions track, and trace context.

Each revision stays backward-compatible with the core protocol. A server built against the November 2024 spec still connects; it lacks OAuth 2.1 and task support. This is why maintenance recency leads the evaluation criteria: a maintained server tracks the spec, and an abandoned one silently falls behind it.

MCP Key Terms

Key MCP terms, defined:

Host: the AI application the user interacts with, such as Claude Desktop or Cursor.
Client: the component inside the host that speaks the MCP protocol to servers.
Server: a program that exposes a tool, data source, or prompt library to the host.
Tool: an action the model can run through a server, such as creating an issue.
Resource: data a server makes readable to the model, such as a file or table schema.
Prompt: a reusable template a server provides, such as “summarise this PR.”
Transport: the channel for client-server messages: stdio locally, streamable HTTP remotely.
stdio: standard input/output, the transport for servers running on your machine.
Streamable HTTP: the current transport for remote and hosted servers.
SSE: Server-Sent Events, the legacy remote transport replaced by streamable HTTP.
JSON-RPC: the message format MCP uses to carry requests and responses.
OAuth 2.1: the authentication standard MCP finalized in November 2025 for scoped, expiring tokens.
Registry: a public index of published servers; the official registry lists over 9,600 records.
Discovery: the first step in every MCP exchange, where the client asks a server what it offers.

Discovery is where each connection begins, and it is where this guide began: a model, a client, a server, and a shared protocol that lets them work as one system.

What Is Model Context Protocol (MCP) and How Does It Work?