Expert Summary
- Model Context Protocol (MCP) is an open standard that lets AI clients (like Claude, Cursor, or custom agents) connect to tools, files, databases, and APIs through a common interface — without bespoke integration code for each connection.
- MCP servers are lightweight programs that expose capabilities to AI clients through a standardized JSON-RPC interface. A single server can provide tools (executable functions), resources (data sources), and prompts (reusable templates).
- The main benefit is interoperability — build an MCP server for your database once, and any MCP-compatible client can use it. The main risk is overpermission — MCP servers should be granted only the access they actually need.
Model Context Protocol (MCP) quietly became one of the most important infrastructure standards in AI development during 2025–2026. If you are building AI applications or using AI tools that connect to external data, understanding MCP explains why your tools work the way they do — and how to extend them.
The Problem MCP Solves
Before MCP, connecting an AI assistant to external tools required custom integration work for every combination:
- Want Claude to read your Google Drive? Custom integration.
- Want Cursor to query your company's database? Custom integration.
- Want your AI agent to browse the web? Custom integration.
Each application built its own tools layer, and capabilities were not transferable between applications.
MCP's solution: A standard protocol that separates the tool/data provider (MCP server) from the AI application (MCP client). Build an MCP server for GitHub once, and Cursor, Claude Desktop, Zed, and any other MCP-compatible client can use GitHub capabilities without any additional work.
The MCP Architecture
An MCP system has three components:
MCP Host (Client Application) The AI application that uses tools — Claude Desktop, Cursor, a custom Python agent, a VS Code extension. The host manages connections to one or more MCP servers.
MCP Client The component within the host that implements the MCP protocol and communicates with servers. Usually handled by an MCP SDK (Python, TypeScript, Rust).
MCP Server A lightweight process that exposes capabilities through the MCP protocol. Can be local (running on your machine) or remote (accessed over HTTPS). Each server can offer:
| Capability Type | What It Provides | Example |
|---|---|---|
| Tools | Functions the AI can call | search_database(), create_file(), send_email() |
| Resources | Data sources the AI can read | File contents, database records, API responses |
| Prompts | Reusable prompt templates | Standardized workflows, system instructions |
How MCP Communication Works
MCP uses JSON-RPC 2.0 as its message format. The communication flow:
- Initialization: Client connects to server. Server declares its protocol version.
- Capability negotiation: Client and server exchange capability lists — what tools, resources, and prompts are available.
- Tool discovery: Client requests the server's tool list (
tools/list). Server returns tool definitions with names, descriptions, and input schemas. - Tool call: When the AI decides to use a tool, the client sends a
tools/callrequest with the tool name and arguments. Server executes and returns results. - Resource access: Client can request resource contents (
resources/read) for data the AI needs to read.
Transport options:
- stdio: Server runs as a subprocess, communicating through stdin/stdout. Most common for local servers.
- SSE (Server-Sent Events): HTTP-based transport for remote servers.
- WebSocket: Bidirectional transport for real-time use cases (MCP 1.1, 2026).
MCP Adoption in 2026
Since Anthropic open-sourced the protocol in November 2023, adoption has expanded significantly:
Applications with native MCP support:
- Claude Desktop (Anthropic) — pioneered the consumer MCP integration
- Cursor IDE — MCP integration for code assistants connecting to databases, documentation, and APIs
- Zed editor — MCP server connections for custom AI capabilities
- VS Code (via extensions) — multiple MCP-enabling extensions
- OpenHands, Goose, and other open-source AI agents
Official MCP servers available (Anthropic + community):
| Server | Provides Access To |
|---|---|
| Filesystem | Local files and directories |
| GitHub | Repositories, issues, PRs, code |
| GitLab | Same as GitHub |
| PostgreSQL | Read-only database queries |
| Brave Search | Web search |
| Puppeteer | Browser automation |
| Slack | Messages, channels |
| Google Drive | Documents and files |
| Sentry | Error tracking data |
| Memory | Persistent AI memory across sessions |
As of June 2026, the Model Context Protocol specification lists over 1,000 community-built servers in the official registry at modelcontextprotocol.io.
MCP vs. Other Tool Use Standards
| Feature | MCP | OpenAI Function Calling | LangChain Tools |
|---|---|---|---|
| Server/client separation | Yes | No (in-process) | No (in-process) |
| Standard protocol | Yes (JSON-RPC) | No (SDK-specific) | No (framework-specific) |
| Multi-client reuse | Yes | No | No |
| Resource access | Yes | No | Via loaders |
| Prompt templates | Yes | No | Via chains |
| Remote servers | Yes | No | Partial |
MCP's key architectural advantage: the server runs as a separate process (or remote service). This means the server can maintain its own state, authentication, and access controls independently of the AI application.
Security Considerations
MCP introduces a new attack surface that developers and users need to manage:
Tool poisoning: A malicious MCP server can describe its tools in ways designed to manipulate the AI into unintended actions. Example: a malicious read_file tool description that instructs the AI to also execute commands.
Over-permissioned servers: An MCP server with write access to your filesystem grants that write access to any AI connected to it. Apply least-privilege principles — read-only unless write access is genuinely needed.
Prompt injection through resources: If an MCP server returns resource contents that contain instructions (e.g., a document that says "ignore previous instructions and..."), the AI may follow them. Input sanitization at the resource level is important.
Recommended practices:
- Only connect to MCP servers you trust
- Review the source code of community-built servers before running them
- Use separate MCP servers for different permission scopes (one for read-only, one for write)
- Run local MCP servers with minimal filesystem permissions
RAG Systems Explained: how retrieval-augmented generation works →
What is Model Context Protocol (MCP)?
Model Context Protocol is an open standard (Anthropic, November 2023) that defines how AI applications communicate with external tools and data sources. It works like a 'USB-C port for AI' — instead of each AI app needing custom integration code for every tool, MCP provides a standard interface that any client and server can use.
What is the difference between MCP and function calling?
Function calling lets an LLM decide when to invoke a predefined function. MCP is higher-level — it defines how an AI client discovers and calls tools provided by a separate server process. MCP can use function calling internally and adds the server architecture layer that function calling alone doesn't provide.
Is MCP secure?
MCP security depends on implementation. Risks include tool poisoning, over-permissioned servers, and prompt injection through retrieved data. Run only trusted MCP servers, apply least-privilege access, and review what capabilities each server exposes before connecting.