What is MCP (Model Context Protocol)?
The Complete Guide to the Universal AI Standard

What Is the Model Context Protocol (MCP)?

The Model Context Protocol (MCP) is an open protocol created by Anthropic in November 2024 that standardizes how AI models — like Claude, ChatGPT, or Gemini — connect to external data sources, tools, and systems. It provides a universal interface so that any AI assistant can interact with any external resource without requiring custom code for each connection.

The simplest way to understand MCP is through an analogy: think of it as the USB-C for AI. Before USB-C, every device had a different charging port. You needed a different cable for your phone, your laptop, your camera. USB-C standardized all of that — one connector works everywhere. MCP does the same thing for AI integrations. Before MCP, connecting an AI to GitHub required one custom integration. Connecting it to Slack required another. Connecting it to your PostgreSQL database required yet another. With MCP, you build one server that follows the protocol, and any AI that speaks MCP can use it instantly.

Before MCP, the AI integration world had an M×N problem: if you had M different AI models and N different tools you wanted to connect them to, you needed to build M×N custom integrations. Every time you added a new tool or switched AI providers, you had to rebuild the integration from scratch. MCP converts this into an M+N problem: build one MCP client in your AI application, build one MCP server for each tool, and any client can talk to any server automatically.

MCP Architecture: Hosts, Clients, and Servers

MCP follows a clean client-server architecture with three distinct roles. Understanding these three components is the key to understanding how MCP works.

1. MCP Host

The Host is the AI application that the end user interacts with. It is the outer shell — the interface. Examples include Claude Desktop, VS Code with a Copilot extension, Cursor IDE, or any custom AI application you build. The host is responsible for establishing connections to MCP servers and presenting the AI's responses to the user. The host does not communicate directly with servers — instead, it creates MCP clients to do that.

2. MCP Client

The Client lives inside the host application. For every MCP server the host wants to connect to, it creates a dedicated MCP client. That client manages the connection, handles message framing, and acts as the bridge between the AI model (LLM) and the MCP server. Each client-server pair operates in its own isolated session, so permissions, context, and state do not bleed between connections.

3. MCP Server

The Server is the external service that exposes specific capabilities — tools, data, and prompts — to the AI. An MCP server could provide access to a GitHub repository, a PostgreSQL database, the local file system, a Slack workspace, a web browser, or any other system. Servers are lightweight, focused processes that expose their capabilities through the standardized MCP interface. You can run multiple servers simultaneously — one for GitHub, one for your database, one for your email — and the AI can use all of them at once.

How MCP Communicates: JSON-RPC 2.0

Under the hood, MCP uses JSON-RPC 2.0 as its message format — a lightweight, well-established remote procedure call protocol that encodes requests and responses as JSON objects. Every message between an MCP client and server follows this format, making the protocol language-agnostic and easy to implement in any technology stack.

The protocol has two transport mechanisms depending on where the server lives:

STDIO (Standard Input/Output) — Local Servers

For MCP servers running on the same machine as the host (like a local file system server or a local database connector), communication happens through standard input and output streams. The host spawns the server as a child process and communicates through stdin/stdout pipes. This is extremely fast, has no network overhead, and is the standard for local development. Important note: MCP servers using STDIO must never write anything to stdout except valid JSON-RPC messages — any stray output corrupts the message stream.

Streamable HTTP — Remote Servers

For MCP servers running remotely (on a cloud server, Cloudflare Worker, or any HTTPS endpoint), communication uses Streamable HTTP (HTTP with Server-Sent Events). This allows remote servers to push streaming responses back to the client as they are generated. Remote servers can serve many clients simultaneously, while local STDIO servers are dedicated to a single client.

The Three Core Primitives: Tools, Resources, and Prompts

Every MCP server exposes its capabilities through exactly three building blocks — called primitives. These three primitives cover everything an AI might need: things it can do, information it can read, and instructions it can follow.

1. Tools — What the AI Can Do

Tools are executable functions that the AI model can call to take action in the world. They are the "hands" of the AI — the things it can actually do, not just know about. A tool might search the web, insert a record into a database, send an email, run a code script, make an API call, or read a file. Tools are model-controlled: the AI decides when to call a tool and with what arguments, based on its reasoning about how to accomplish the goal.

Each tool has a name, a description (so the AI knows what it does), and a JSON schema defining the parameters it accepts. When the AI calls a tool, the MCP server executes it and returns the result, which the AI incorporates into its next reasoning step.

Examples of tools:

• search_web(query) — Searches the internet and returns results
• query_database(sql) — Runs a SQL query and returns the data
• create_github_issue(repo, title, body) — Creates a new GitHub issue
• send_slack_message(channel, text) — Posts a message to Slack
• read_file(path) — Reads a file from the local system
• execute_code(language, code) — Runs a code snippet and returns output

2. Resources — What the AI Can Read

Resources are data entities that the MCP server exposes for the AI to read as context. Unlike tools (which execute actions), resources are read-only data — they provide the AI with information it needs to reason accurately. Resources are application-controlled: the host application decides which resources to include in the AI's context.

Resources can be static (like a configuration file or a prompt template) or dynamic (like a live database record, a user's profile, or the current state of a system). They give the AI situational awareness — the background knowledge it needs to make good decisions.

Examples of resources:

• A database schema — so the AI knows what tables and columns exist before writing SQL
• A user's preferences and history — so the AI personalizes responses
• A codebase's file structure — so the AI understands the project before editing code
• A company's internal documentation — so the AI answers questions accurately
• Real-time API response data — current stock prices, weather, system status

3. Prompts — Structured Instructions

Prompts are reusable message templates that MCP servers expose to guide the AI's behavior for specific tasks. They are user-controlled: a user or the host application explicitly invokes a prompt to give the AI structured instructions for a particular workflow.

Think of prompts as pre-built "modes" for the AI. A code review prompt, a customer support tone prompt, a data analysis prompt — these are standardized instruction sets that can be shared and reused across many different AI applications. Prompts can accept arguments to customize them, and they often work best in combination with resources (the prompt tells the AI how to format output; the resource gives the AI the data to format).

Popular MCP Servers You Can Use Today

One of MCP's greatest strengths is the thriving ecosystem of ready-to-use servers. Anthropic published official reference servers, and thousands of community and enterprise servers have followed. Here are the most widely used categories:

Official Anthropic Reference Servers

Community and Enterprise MCP Servers

Beyond official servers, the community has built thousands more. Notable examples include:

• Notion MCP — Read and write to Notion databases, pages, and workspaces
• Jira MCP — Create, update, and query Jira issues and projects
• Figma MCP — Read design files, extract component data, and interact with design systems
• Linear MCP — Manage product roadmaps and engineering tickets from an AI conversation
• Stripe MCP — Check payments, create charges, and manage subscriptions through AI
• HubSpot MCP — Access CRM contacts, deals, and marketing data
• AWS MCP — Interact with AWS services including S3, EC2, Lambda, and more
• Docker MCP — Manage containers, images, and Docker Compose stacks
• Cloudflare MCP — Deploy Workers, manage DNS records, and interact with Cloudflare services
• Neo4j MCP — Query and write to graph databases with natural language

MCP vs Function Calling vs Direct API — What's the Difference?

MCP is not the only way to give AI models access to external tools. Understanding how it compares to alternatives helps you choose the right approach.

Feature	MCP	Function Calling	Direct API
Standardization	Open universal protocol — any client, any server	Provider-specific (OpenAI, Anthropic, Google each differ)	No standard — fully custom per API
Portability	Switch AI providers without rebuilding integrations	Locked to specific AI provider	Not relevant to AI model choice
Token Cost	Load only needed tools per request — lower cost	All schemas sent in every API call — grows with tool count	No impact on token cost
Maintenance	Add tool once — all connected clients get it	Update schema in every client that uses it	Maintain one custom integration per API
Discovery	Dynamic — AI discovers available tools at runtime	Static — tools defined at call time	Manual — you code what tools exist
Multi-tool support	Hundreds of tools from many servers simultaneously	Practical limit of ~20–30 tools before cost becomes prohibitive	Unlimited but manually managed
Setup complexity	Moderate — requires server infrastructure	Low — add JSON schema to API call	Low upfront, high at scale
Best for	Production AI agents, enterprise, multi-tool systems	Simple bots, prototypes, few tools	One-off integrations, not AI-centric systems

The practical guidance is clear: if you are building a simple chatbot with two or three tools and you only ever plan to use one AI provider — function calling is fine. But if you are building a production AI agent that needs access to many tools, must work across multiple AI providers, or will be shared with other teams — MCP is the right architecture. The upfront investment in building an MCP server pays back many times over in flexibility and maintainability.

Who Has Adopted MCP?

MCP's adoption story is one of the fastest in recent AI history. Within 18 months of launch, it went from an Anthropic internal experiment to a genuine industry standard backed by every major AI company.

AI Platform Adoption

• Anthropic (Claude) — Creator and primary steward. Claude Desktop, Claude Code, and the Claude API all support MCP natively.
• OpenAI (ChatGPT) — Officially adopted MCP in March 2025 and integrated it across all products including the ChatGPT desktop app.
• Google DeepMind (Gemini) — Adopted MCP following OpenAI, integrating the standard into Gemini's tool ecosystem.
• Microsoft (Copilot) — Microsoft Copilot Studio and Azure OpenAI both support MCP integration for enterprise deployments.
• Cursor — The AI-powered code editor adopted MCP as its primary method for connecting the AI to developer tools.
• VS Code — Microsoft's VS Code GitHub Copilot extension supports MCP for custom tool integration.

Infrastructure & Cloud Adoption

• Cloudflare — Supports deploying MCP servers to its global edge network via Cloudflare Workers, enabling ultra-low-latency remote MCP servers.
• AWS — Amazon Bedrock AgentCore and other AWS AI services support MCP integration.
• Docker — Docker's MCP integration allows containerized deployment of MCP servers with standard DevOps tooling.

The Agentic AI Foundation

In December 2025, Anthropic donated MCP to the newly formed Agentic AI Foundation (AAIF) under the Linux Foundation — the same organization that governs Kubernetes, Node.js, and Linux itself. This move ensured that MCP will be governed as a true open standard by a neutral, industry-wide body rather than controlled by any single company. The AAIF was co-founded by Anthropic, OpenAI, and Block, with support from Google, Microsoft, AWS, Cloudflare, and Bloomberg.

Real-World MCP Use Cases Across Industries

MCP is not an abstract concept — it is already powering real business applications across every industry. Here is how leading organizations are using it:

Software Development & DevOps

Developers connect their AI coding assistants to GitHub, Jira, and local file systems through MCP servers. The AI can read the entire codebase, open pull requests, create issues, run tests, and update documentation — all from a single natural language instruction. Companies using Cursor and VS Code with MCP report reducing repetitive engineering tasks by over 60%.

Healthcare

MCP connects AI medical assistants to Electronic Health Records (EHRs), diagnostic databases, and clinical tools through standardized servers. A doctor can ask the AI to "review this patient's history and flag any drug interactions with the proposed prescription" — and the AI uses MCP to pull the patient's records, check the medication database, and return a structured clinical summary. This results in faster, safer clinical decisions without the doctor needing to switch between multiple systems.

Financial Services

Banks and fintech companies use MCP to give AI analysts access to transaction databases, credit scoring APIs, fraud detection systems, and regulatory compliance tools simultaneously. A single AI agent can review a credit application by pulling the applicant's transaction history, running the credit model, checking fraud signals, and verifying regulatory compliance — all through MCP-connected servers — returning a complete risk assessment in seconds instead of days.

Customer Support & CRM

Support AI agents use MCP to connect to CRMs like HubSpot and Salesforce, ticketing systems like Jira and Zendesk, and knowledge bases. When a customer asks about an order, the AI uses MCP to look up the order in the database, check the shipping status through an API, and pull relevant policies from the knowledge base — all within a single response. Klarna reported handling 75% of customer service interactions autonomously using this type of architecture.

E-Commerce & Retail

E-commerce operators use MCP to give AI agents access to inventory systems, pricing engines, supplier APIs, and analytics dashboards. The AI can autonomously monitor stock levels, reorder products when inventory drops below threshold, adjust pricing based on competitor data, and generate weekly performance reports — all through MCP-connected tool servers running in the background.

Manufacturing & IoT

In manufacturing, MCP enables AI systems to connect edge devices, sensor networks, and central analytics platforms. Factory AI uses MCP servers that bridge local IoT data with cloud AI models — allowing the system to track machine wear in real time, predict failures before they happen, and automatically schedule maintenance, reducing unplanned downtime by up to 35%.

Research & Knowledge Management

Research teams use MCP to give AI assistants access to document stores, scientific databases, internal wikis, and citation management tools. The AI can search across thousands of internal documents, synthesize findings, identify gaps in existing research, and draft reports with proper citations — completing in minutes work that previously took analysts days.

How to Build an MCP Server

Building an MCP server is more accessible than it sounds. Official SDKs exist for Python, TypeScript, Java, C#, Go, and Kotlin. Here is the conceptual process:

Step 1 — Choose Your Language and SDK

Python with the FastMCP library is the fastest way to prototype — a simple server can be running in under 15 minutes. TypeScript is preferred for production servers deployed to edge environments like Cloudflare Workers. Choose based on your team's existing expertise and your deployment target.

Step 2 — Define What Your Server Will Expose

Decide which of the three primitives you need. Most servers focus primarily on tools (functions the AI can call). Write down every action the AI should be able to take — these become your tools. Also decide what context data the AI needs — these become your resources.

Step 3 — Register Your Tools, Resources, and Prompts

Using the SDK, you register each tool with a name, a clear description (the AI reads this to decide when to use the tool), and a parameter schema. The description quality matters enormously — a well-described tool gets used correctly; a vague one gets called with wrong arguments or ignored.

Step 4 — Implement the Tool Logic

Write the actual function behind each tool. This is where you write the database query, the API call, the file operation — the real code that does the work. The MCP SDK handles all the protocol communication; you just write the business logic.

Step 5 — Choose a Transport and Test

For local development, use STDIO transport — it is simpler and faster. For remote or shared servers, use Streamable HTTP. Test using the MCP Inspector, a browser-based tool that lets you connect to any MCP server and call its tools directly to verify they work before connecting an AI.

Step 6 — Connect to an AI Host and Deploy

Add your server to Claude Desktop, Cursor, or your custom application by pointing the host at your server's entry point. For production, deploy behind proper authentication, set up logging and monitoring, and implement rate limiting. A minimal MCP server takes 1–2 weeks to build and test; production hardening adds another 2–4 weeks.

MCP Security: Risks and How to Mitigate Them

MCP's power comes with real security responsibilities. As the ecosystem grew rapidly, security researchers identified significant risks — and in 2025, these moved from theoretical to real-world incidents. Understanding them is essential for any organization deploying MCP in production.

Prompt Injection

The most dangerous MCP attack vector. Malicious content embedded in data that the AI reads through an MCP resource or tool result can manipulate the AI into taking unintended actions — accessing data it should not, exfiltrating information, or calling destructive tools. For example, a malicious document in a file system the AI is reading could contain hidden instructions that override the AI's actual task.

Mitigation: Treat all data retrieved through MCP tools as untrusted input. Use structured output validation. Configure tool permission boundaries that prevent the AI from taking irreversible or high-risk actions without explicit human confirmation.

Exposed Servers with No Authentication

A 2025 report by Bitsight found approximately 1,000 MCP servers exposed on the public internet with no authorization controls. These servers gave anyone — including attackers — direct access to databases, file systems, and APIs through the AI interface.

Mitigation: Never expose an MCP server publicly without authentication. Implement OAuth 2.0 or API key authentication on all remote servers. Use network-level controls to restrict access to known clients. Deploy MCP servers on private networks wherever possible.

Supply Chain Attacks

The first malicious MCP package appeared in public registries in September 2025. Attackers published fake "official" servers with names similar to legitimate ones (typosquatting) containing code that exfiltrates sensitive data passed through the server.

Mitigation: Only use MCP servers from verified sources. Check package signatures and star counts. Review server source code before connecting it to production AI systems. Use a curated internal registry rather than pulling from public catalogs directly.

Overly Permissive Tool Scopes

Giving an AI agent access to a tool that can delete records, send external emails, or execute arbitrary code without any approval mechanism means a single mistake in the AI's reasoning can cause irreversible damage.

Mitigation: Follow the principle of least privilege — give each MCP server only the permissions it needs for the task at hand. Implement human-in-the-loop confirmation for any destructive or irreversible actions. Log every tool call with full parameters for audit purposes.

The Future of MCP

MCP's trajectory from a November 2024 release to a Linux Foundation standard in just 13 months is extraordinary. Here is where the protocol is heading:

• Multi-Agent Orchestration: MCP is becoming the backbone of multi-agent systems where specialized agents communicate through a shared MCP layer. An orchestrator agent routes sub-tasks to specialist agents — a researcher agent, a writer agent, a code agent — each exposing their capabilities as MCP servers.
• Elicitation and Sampling: Newer MCP features allow servers to request user input mid-task (Elicitation) and ask the host LLM to generate text on their behalf (Sampling) — enabling richer, more interactive agentic workflows where agents and humans collaborate in real time.
• Roots — Filesystem Context Boundaries: The Roots feature lets clients declare which parts of the file system or URI space are relevant, giving servers clear scope boundaries and reducing the risk of agents accessing unintended areas of a system.
• Enterprise Authentication Standards: Future MCP versions will formalize OAuth 2.0 flows, role-based access control, and audit logging as first-class protocol features — addressing the current gap between protocol capabilities and enterprise security requirements.
• Embedded in Everything: As AI capabilities are embedded into every SaaS product, every enterprise application, and every developer tool, MCP will be the integration layer connecting them all. IDC predicts that by 2026, 80% of enterprise applications will have embedded AI — and MCP is the protocol that makes them all interoperable.
• Physical World and IoT: MCP is expanding beyond software to connect AI with physical systems — manufacturing equipment, smart building sensors, medical devices, and autonomous vehicles. The protocol's lightweight, streaming design makes it well-suited for real-time IoT integration.

Key Takeaways

• MCP is the USB-C of AI — one universal protocol to connect any AI model to any tool or data source, eliminating the M×N integration problem forever.
• Three-layer architecture: Hosts (the AI app), Clients (the protocol bridge), and Servers (the tools and data) — with clean isolation between connections.
• Three core primitives: Tools (what the AI does), Resources (what the AI reads), and Prompts (how the AI is instructed) — covering every AI integration need.
• Industry standard: Adopted by Anthropic, OpenAI, Google, Microsoft, AWS, and Cloudflare. Governed by the Linux Foundation's Agentic AI Foundation since December 2025.
• 5,800+ servers available — covering GitHub, Slack, Notion, databases, cloud platforms, and virtually every business tool category.
• MCP beats function calling at scale — lower token costs, provider portability, dynamic tool discovery, and zero maintenance overhead when tools change.
• Security is critical — prompt injection, exposed servers, and supply chain attacks are real threats. Always authenticate, scope minimally, and audit everything.
• The protocol is still evolving — Elicitation, Sampling, Roots, and enterprise auth features are expanding MCP's capabilities rapidly in 2026.