Skip to main content
MCP19 min readJul 13, 2026

What Is MCP and How Does Model Context Protocol Work?

Yazan Sharawi
Yazan Sharawi

Jul 13, 2026

What Is MCP and How Does Model Context Protocol Work?

MCP is becoming one of the most important standards in AI infrastructure because it gives AI applications a consistent way to connect with tools, data, and workflows. Instead of building a separate integration for every model, app, or backend system, developers can use Model Context Protocol to expose capabilities once and make them available to compatible AI clients.

TL;DR

MCP is a standard way for AI apps to connect to external tools and data.

  • MCP stands for Model Context Protocol.
  • MCP uses hosts, clients, and servers.
  • MCP servers expose tools, resources, and prompts.
  • MCP should be secured like privileged integration software.

MCP, or Model Context Protocol, is an open protocol that lets AI applications connect to external tools, data sources, prompts, and workflows through a standard client-server interface. MCP helps an AI assistant discover capabilities, request tool calls, read approved context, and return structured results without every app needing a custom connector.

According to Anthropic's November 25, 2024 announcement, MCP launched with three major developer components: the specification and SDKs, local MCP server support in Claude Desktop, and an open-source server repository. The official MCP specification version 2025-11-25 defines MCP communication around JSON-RPC 2.0, protocol lifecycle management, capability negotiation, tools, resources, prompts, and transport rules.

MCP matters for developers, AI product teams, and security teams because it turns one-off AI integrations into reusable infrastructure. The technical value is interoperability. The operational risk is that AI systems can now reach real tools, files, databases, and business workflows.

What Is MCP in AI?

MCP is an open protocol that lets AI apps connect to external tools, data, prompts, and workflows through standard clients and servers.

MCP in AI is a standard interface for connecting large language model applications to external systems. The official MCP introduction defines MCP as an open-source standard for connecting AI applications to data sources, tools, and workflows.

MCP is useful because large language models do not automatically know current company data. A model can reason about a task, but MCP gives the AI application a structured way to retrieve context or request an action. That action might search documentation, inspect a GitHub issue, query a database, or update a ticket.

MCP definition block

ElementMeaning
Full nameModel Context Protocol
Primary purposeConnect AI apps to external context and capabilities
Core patternHost, client, and server architecture
Protocol formatJSON-RPC 2.0 messages
Best forAI agents that need tools, data, or workflows

MCP is not the model itself. MCP is also not the underlying database, SaaS API, or workflow engine. MCP is the protocol layer between the AI application and the external systems the AI application needs to use.

In short: MCP is the connector protocol for AI applications. MCP gives AI hosts a standard way to discover and use external tools, resources, and prompts. The clearest definition is simple: MCP connects model-powered software to the context and capabilities outside the model.

How Does MCP Work?

MCP works through a host, one client per server, JSON-RPC messages, capability negotiation, and tool or resource discovery.

MCP works by separating the AI application from the external capability provider. The MCP host is the app the user interacts with. The MCP client is the connector inside that host. The MCP server is the service that exposes usable capabilities.

The MCP architecture overview says an MCP host creates one MCP client for each MCP server. That client maintains a dedicated connection to the server. This design lets one AI app connect to several servers without mixing their permissions, sessions, or capabilities.

MCP connection flow

  1. Initialize the connection. The MCP client sends an initialize request.
  2. Negotiate capabilities. The MCP client and MCP server exchange supported features.
  3. Discover capabilities. The MCP client lists available tools, resources, and prompts.
  4. Use approved context. The MCP host decides what reaches the model.
  5. Call approved tools. The MCP server executes only requested and permitted operations.

The MCP lifecycle specification defines initialization, operation, and shutdown as the core phases. During initialization, the client and server establish protocol version compatibility, exchange capabilities, and share implementation details.

MCP does not tell the model how to reason. MCP tells the software around the model how to exchange structured messages with external systems. That distinction matters because the host still controls user consent, authorization, and presentation.

In short: MCP works by creating a controlled communication path between an AI host and external servers. The host manages the user experience. The client manages protocol communication. The server exposes tools, resources, and prompts through structured JSON-RPC messages.

What Is an MCP Server?

An MCP server is a local or remote service that exposes model-readable tools, resources, and prompts to compatible AI clients.

An MCP server is the program that provides context or capabilities to an MCP client. The official server concepts guide describes MCP servers as programs that expose specific capabilities through standardized protocol interfaces.

MCP servers can run locally or remotely. A local MCP server often uses standard input and output. A remote MCP server usually uses Streamable HTTP. A filesystem MCP server might expose project files. A GitHub MCP server might expose issue search, pull request metadata, and comment tools.

Common MCP server examples

MCP server typeTypical capabilityBest for
Filesystem serverRead approved local filesCoding assistants
Database serverQuery approved tablesData analysis agents
GitHub serverInspect issues and pull requestsDeveloper workflows
Documentation serverSearch trusted docsSupport and coding agents
CRM serverRead or update account recordsSales operations

MCP server quality depends on capability design. A weak MCP server exposes too many raw actions. A strong MCP server exposes narrow, task-oriented tools with strict schemas, clear permissions, and predictable outputs.

MCP servers should be treated as privileged software. If an MCP server can read files, mutate records, send messages, or run commands, that MCP server can affect real systems. Security review should match the sensitivity of the exposed capability.

In short: An MCP server is the capability provider in the MCP architecture. MCP servers make external systems usable by AI applications. The best MCP servers expose narrow, audited, task-specific capabilities instead of dumping every backend API endpoint into the model context.

What Are MCP Tools, Resources, and Prompts?

MCP tools execute actions, MCP resources provide context, and MCP prompts package reusable workflows for users.

MCP tools, resources, and prompts are the three main server-side building blocks. The MCP server concepts guide separates these primitives by control model. Tools are model-controlled. Resources are application-controlled. Prompts are user-controlled.

Tools let the model request an action. Resources let the host include useful context. Prompts let users select repeatable workflows. This separation keeps MCP more precise than a generic API wrapper because each primitive has a different interaction pattern.

MCP primitives comparison

PrimitiveWhat it doesWho controls itExample
ToolsExecute functions or actionsModel, with host approvalSearch docs, create ticket
ResourcesProvide contextual dataApplicationFile contents, schemas
PromptsPackage reusable instructionsUserCode review, meeting summary
Best forStructured agent workflowsDepends on riskMixed AI workflows

The MCP tools specification says tools include names, descriptions, input schemas, optional output schemas, annotations, and execution metadata. The MCP resources specification says resources are identified by URIs. The MCP prompts specification says prompts expose reusable templates to clients.

MCP primitive design should avoid broad, dangerous shortcuts. A tool named run_shell creates more risk than a tool named search_project_docs. A resource named all_customer_data creates more exposure than a resource scoped to one approved account.

In short: MCP tools, resources, and prompts give AI applications three different ways to use external systems. Tools perform actions. Resources provide context. Prompts package repeatable workflows. Good MCP design uses the narrowest primitive that solves the user task.

How Does MCP Use JSON-RPC and Transports?

MCP uses JSON-RPC 2.0 for messages and supports standard stdio and Streamable HTTP transports.

MCP uses JSON-RPC 2.0 as its message format. The MCP base specification says all messages between MCP clients and servers must follow JSON-RPC 2.0. JSON-RPC gives MCP a common structure for requests, responses, and notifications.

The MCP transports specification defines two standard transport mechanisms in the 2025-11-25 protocol version: stdio and Streamable HTTP. Clients should support stdio whenever possible, and implementations may add custom transports if they preserve the JSON-RPC message format and lifecycle requirements.

MCP transport comparison

TransportHow it worksBest forMain risk
`stdio`Client launches server subprocessLocal toolsLocal code execution
Streamable HTTPServer exposes an HTTP endpointRemote servicesAuth and session risk
Custom transportImplementer-defined channelSpecialized systemsInteroperability drift
Best forDepends on deploymentLocal or remote agentsSecurity review required

In stdio, the server reads from standard input and writes protocol messages to standard output. In Streamable HTTP, every client message is sent as an HTTP POST to the MCP endpoint. The server may use Server-Sent Events for streaming.

Transport choice affects security. Local stdio servers may run with user privileges. Remote HTTP servers need authentication, session handling, and origin validation.

In short: MCP uses JSON-RPC 2.0 so clients and servers can exchange predictable structured messages. stdio fits local servers. Streamable HTTP fits remote servers. The transport does not remove the need for consent, authentication, and least-privilege design.

How Is MCP Different From an API?

MCP differs from an API because MCP is agent-facing, while APIs are usually developer-facing integration contracts.

MCP does not replace APIs. Most MCP servers call APIs behind the scenes. The difference is that MCP exposes model-readable capabilities, while a traditional API exposes developer-readable endpoints.

The Auth0 MCP vs API article from August 2025 argues that traditional APIs are often too low-level for AI agents. Enterprise APIs may expose dozens of endpoints. An MCP server can wrap those endpoints into fewer task-oriented capabilities that are easier for an AI system to choose correctly.

MCP vs API comparison

DimensionTraditional APIMCP
Primary userDeveloperAI host and agent
DiscoveryDocumentation or OpenAPIProtocol capability listing
Capability shapeLow-level endpointsTask-oriented tools
Context modelExternal to APIBuilt into resources and prompts
Best forDeterministic app integrationAgent workflows

An API might expose GET /users, PATCH /users, and POST /users/reset-password. An MCP server might expose one narrower tool called manage_customer_profile. That tool can validate inputs, enforce user permissions, call several APIs, and return output shaped for the AI host.

MCP should not be used as a lazy OpenAPI converter. A strong MCP server curates a small set of safe, purposeful tools. A weak MCP server passes API complexity directly to the model.

In short: MCP is not an API replacement. MCP is an AI-facing abstraction over APIs, data, and workflows. APIs remain the implementation layer. MCP becomes the interaction layer that lets AI clients discover, request, and use capabilities safely.

How Is MCP Different From RAG and Function Calling?

MCP differs from RAG and function calling because MCP standardizes external capability access across clients and servers.

MCP, Retrieval-Augmented Generation, and function calling solve related but different problems. Retrieval-Augmented Generation (RAG) improves answers by adding retrieved information to the model context. Function calling lets a model call functions defined inside an application. MCP standardizes how AI clients connect to external systems that expose tools, resources, and prompts.

The Google Cloud MCP guide describes MCP as broader than Retrieval-Augmented Generation because MCP supports both information retrieval and action. That distinction matters for workflows that need to read data and then change something.

MCP vs RAG vs function calling

ApproachPrimary goalTypical outputBest for
RAGRetrieve knowledgeGrounded answerSearch and Q&A
Function callingInvoke app-defined functionsTool resultSingle-app tools
MCPStandardize external capability accessTools, resources, promptsMulti-tool agents
Best forDepends on taskContext or actionAgent interoperability

RAG can answer, "What does the refund policy say?" MCP can help an AI read the refund policy, check the order record, create a return label, and update the support ticket. Function calling may still happen inside the host, but MCP standardizes the server connection.

MCP and RAG often work together. A documentation MCP server may expose a search tool that performs retrieval. The difference is that MCP also defines discovery, transport, lifecycle, and tool metadata.

In short: RAG retrieves knowledge. Function calling invokes functions. MCP standardizes how AI clients discover and use external capabilities. MCP can include retrieval and function execution, but its main value is interoperability across AI applications and external systems.

What Are the Main MCP Use Cases?

MCP use cases include coding assistants, enterprise search, data analysis, support workflows, CRM actions, and internal automation.

MCP use cases are strongest when an AI assistant needs live context or controlled actions. Anthropic's 2024 MCP announcement named Google Drive, Slack, GitHub, Git, Postgres, and Puppeteer as examples of pre-built server targets. Those examples show the main pattern: expose existing systems to AI through a shared protocol.

Developers use MCP for coding workflows. An AI coding host can connect to a filesystem server, GitHub server, documentation server, and observability server. The model receives enough context to reason about code without receiving unlimited system access.

MCP use case selector

Use caseMCP capabilityBest for
Coding assistantFiles, issues, pull requestsEngineering teams
Enterprise searchDocs and knowledge basesInternal assistants
Data analysisApproved database queriesAnalysts
Support workflowsTickets and customer contextSupport teams
Sales operationsCRM records and updatesRevenue teams

MCP is also useful for internal workflow automation. A company can expose a narrow workflow, such as "summarize account health" or "draft renewal email." The MCP server handles system calls and permission checks. The AI host handles the user interaction.

MCP is less useful when an application only needs one fixed function. Direct function calling or a normal API integration may be simpler for narrow, single-system tasks.

In short: MCP is most useful when AI applications need multiple external capabilities. Coding, documentation search, support, sales, data, and internal workflow use cases fit MCP well. Simple single-function integrations may not need MCP.

What Are the Security Risks of MCP?

MCP security risks include malicious servers, tool poisoning, prompt injection, token misuse, session hijacking, and local server compromise.

MCP security matters because MCP can connect AI systems to real tools, files, credentials, and business data. The official MCP security best practices identify risks including confused deputy attacks, token passthrough, Server-Side Request Forgery (SSRF), session hijacking, local server compromise, OAuth URL validation issues, and scope minimization failures.

MCP tools and metadata must be treated as untrusted unless the server is trusted. The MCP tools specification states that clients must consider tool annotations untrusted unless they come from trusted servers. That warning is important because malicious descriptions can influence model behavior.

MCP security risk table

RiskWhat can happenControl
Tool poisoningHidden instructions steer model behaviorValidate trusted servers
Token passthroughWrong token reaches wrong audienceValidate token audience
Session hijackingAttacker reuses session IDSecure random sessions
Local compromiseServer runs harmful commandsSandbox local servers
SSRFClient fetches internal URLsBlock private IP ranges

Security controls should be built into both host and server. Hosts should show consent prompts for sensitive actions. Servers should enforce authentication, scope minimization, audit logs, and strict input validation.

MCP is safest when every tool has a narrow purpose. Broad tools create broad blast radius. A tool that can query any database or run any shell command should require exceptional review.

In short: MCP security is integration security plus AI-specific risk. MCP servers can expose powerful operations, so MCP deployments need trusted servers, least-privilege scopes, token validation, sandboxing, audit logs, and explicit user approval for sensitive or destructive actions.

How Do You Build an MCP Server?

MCP server development starts by choosing a narrow domain, defining safe tools, adding schemas, and testing with an MCP client.

MCP server development should begin with capability design, not code. The best first question is not "Which API can I expose?" The best first question is "Which user task should this AI host safely complete?"

The official MCP documentation points developers toward building servers that expose data and tools. The MCP specification provides protocol requirements. SDKs then reduce implementation work for specific languages.

MCP server build process

  1. Choose the domain. Pick one bounded area, such as docs search or ticket lookup.
  2. Define tools. Use narrow verbs with strict inputs and predictable outputs.
  3. Define resources. Expose context through scoped URIs.
  4. Add prompts. Package repeatable workflows users intentionally select.
  5. Choose transport. Use stdio for local servers or Streamable HTTP for remote servers.
  6. Add security. Implement auth, scope checks, consent, logging, and validation.
  7. Test behavior. Use an MCP-compatible client or inspector before production.

MCP server design checklist

Design choiceStrong patternWeak pattern
Tool scope`search_docs``run_any_command`
PermissionsLeast privilegeGlobal admin token
OutputStructured resultRaw unbounded text
TestingTool-level evalsManual chat only

MCP server quality improves when tools are evaluated like product features. Each tool needs a clear name, strict schema, safe default behavior, and observable logs.

In short: Build an MCP server by starting with one safe user task. Define narrow tools, scoped resources, and optional prompts. Choose the right transport. Add authentication, least privilege, validation, and logs before allowing an AI host to use the server.

When Should You Not Use MCP?

MCP should not be used when a direct API call, simple function call, or static retrieval pipeline solves the problem with less risk.

MCP is powerful, but MCP is not always the simplest architecture. A direct API integration is often better when one application needs one deterministic operation. Retrieval-Augmented Generation is often better when the task is only knowledge lookup. Native function calling may be enough when all tools live inside one host application.

MCP adds protocol, discovery, transport, authentication, and server lifecycle concerns. Those concerns are worth it when multiple AI clients need reusable capabilities. Those concerns may be unnecessary for a small feature with one backend function.

MCP fit decision table

SituationUse MCP?Better option
Multiple AI clients need one connectorYesMCP server
One app calls one backend functionUsually noDirect function call
Only document Q&A is neededMaybe noRAG pipeline
Tool has destructive permissionsOnly with controlsHuman approval flow
Data cannot leave a trust boundaryDependsLocal or private design

MCP should also be delayed when governance is missing. If the team cannot define permissions, audit logs, owner review, and incident response, the MCP deployment may create unmanaged risk.

The question is not whether MCP is technically possible. The question is whether MCP creates enough reuse and capability value to justify the operational and security complexity.

In short: Do not use MCP just because MCP is available. Use MCP when reusable AI access to external capabilities matters. Avoid MCP when direct code, a standard API call, or a simple retrieval system solves the task with less complexity.

What Is the MCP Capability Ladder?

The MCP Capability Ladder is a practical framework for deciding how much power an MCP server should expose to an AI application.

The MCP Capability Ladder is a simple decision framework for MCP design. The framework ranks MCP capabilities by operational risk. The goal is to expose the lowest level of power that still solves the user's task.

This framework is useful because MCP deployments often fail by overexposing capabilities. A documentation search server and a shell-execution server are not the same risk category. The MCP Capability Ladder makes that distinction explicit before implementation.

MCP Capability Ladder

LevelCapabilityExampleRisk
1Read static contextSearch documentationLow
2Read live recordsFetch ticket statusMedium
3Draft changesDraft CRM updateMedium
4Execute approved writesCreate support replyHigh
5Execute broad commandsRun shell commandCritical

Best for low-risk assistants: Level 1 and Level 2 capabilities. Best for workflow automation: Level 3 with human approval. Best for production action agents: Level 4 with strong authorization, audit logs, and rollback controls. Level 5 should be rare and heavily sandboxed.

The MCP Capability Ladder is not part of the official MCP specification. It is a practical content and architecture framework for deciding how to expose MCP tools safely.

In short: The MCP Capability Ladder helps teams avoid overpowered MCP servers. Start with read-only context. Add drafts before writes. Add execution only when permissions, consent, logging, and rollback controls are ready.

What Are the Key Takeaways About MCP?

MCP takeaways should be specific enough to stand alone as citation-ready summary points.

  • MCP stands for Model Context Protocol. MCP connects AI applications to external tools, data, prompts, and workflows.
  • MCP uses a host, client, and server architecture. The host manages the user experience, while the client manages protocol communication.
  • MCP servers expose three core primitives. Tools perform actions, resources provide context, and prompts package reusable workflows.
  • MCP uses JSON-RPC 2.0 messages. The 2025-11-25 MCP specification defines stdio and Streamable HTTP as standard transports.
  • MCP is different from an API. APIs are developer-facing, while MCP is designed for AI clients and agent workflows.
  • MCP is different from Retrieval-Augmented Generation (RAG). RAG retrieves information, while MCP supports retrieval, tools, prompts, and actions.
  • MCP security requires least privilege. Trusted servers, token validation, consent prompts, sandboxing, and audit logs reduce MCP deployment risk.

In short: MCP is the protocol layer that lets AI applications use external context and capabilities through a standard interface. MCP is valuable when teams need reusable AI integrations. MCP must be designed with security controls because MCP can connect models to real systems.

FAQ

Got questions?
We've got answers.

Quick answers to the most common questions about this topic.

MCP stands for Model Context Protocol. Model Context Protocol is an open protocol for connecting AI applications to external tools, data sources, prompts, and workflows. MCP is most useful when an AI assistant needs controlled access to live systems instead of relying only on model training data.

An MCP server is a local or remote service that exposes tools, resources, or prompts to an MCP-compatible AI client. The MCP server is the capability provider. The MCP host and client decide how those capabilities are discovered, approved, and used inside the AI application.

MCP is not the same as an API. APIs are usually developer-facing contracts for software integration. MCP is an AI-facing protocol for discovering and using capabilities. Many MCP servers call APIs behind the scenes, but MCP reshapes those APIs into model-readable tools and resources.

MCP is not simply better than Retrieval-Augmented Generation (RAG). MCP and RAG solve different problems. RAG retrieves information to improve answers. MCP standardizes access to tools, resources, and prompts. MCP can include retrieval, but MCP also supports actions and workflow execution.

MCP can be secure when implementations use trusted servers, least-privilege scopes, explicit user approval, token validation, sandboxing, and audit logs. MCP is not automatically secure. MCP increases risk when servers expose broad tools, accept passthrough tokens, or run local commands without restrictions.

Anthropic introduced MCP on November 25, 2024 as an open standard for connecting AI assistants to external systems. The MCP ecosystem later expanded across AI applications, developer tools, SDKs, and server implementations. The official documentation now tracks the protocol, architecture, examples, and security guidance.

Developers should learn MCP if they build AI agents, coding assistants, internal copilots, or workflow tools. MCP is especially relevant when the same external system must connect to several AI clients. Developers building one narrow app feature may still prefer direct APIs or native function calls.

Ready to launch?

Proxies built for real operations.

For teams that depend on stability, not luck.