Mar 2026 · Engineering · 9 min
MCP: The Protocol That Gave AI Agents a Nervous System
Every computing paradigm eventually produces a standard interface. USB-C unified hardware peripherals. REST unified web services. In the agentic AI era, that standard is the Model Context Protocol, and by early 2026, it has already won.
The problem MCP solved
Before MCP, every AI application that needed to talk to an external tool (a database, a code editor, an API) required a bespoke integration. If you wanted Claude to query Postgres and Slack and GitHub, you wrote three separate connectors, each with its own authentication flow, data formatting, and error handling. Multiply that by every model provider, and you get an M×N integration nightmare that does not scale.
graph LR
subgraph "Before MCP: M×N integrations"
direction LR
C1[Claude] --- T1[Postgres]
C1 --- T2[Slack]
C1 --- T3[GitHub]
G1[GPT] --- T4[Postgres]
G1 --- T5[Slack]
G1 --- T6[GitHub]
Ge[Gemini] --- T7[Postgres]
Ge --- T8[Slack]
Ge --- T9[GitHub]
end
style C1 fill:#0a0a0a,color:#ededed,stroke:#555
style G1 fill:#0a0a0a,color:#ededed,stroke:#555
style Ge fill:#0a0a0a,color:#ededed,stroke:#555
graph LR
subgraph "After MCP: M+N integrations"
direction LR
C2[Claude] --- MCP{MCP}
G2[GPT] --- MCP
Gm[Gemini] --- MCP
MCP --- S1[Postgres Server]
MCP --- S2[Slack Server]
MCP --- S3[GitHub Server]
end
style MCP fill:#0a0a0a,color:#ededed,stroke:#555
Anthropic released MCP as an open-source specification in November 2024 to collapse that matrix into a single protocol. The core insight: separate the what (tools, data, prompts) from the who (model providers, clients). Any MCP-compliant client can talk to any MCP-compliant server. Write the connector once, use it everywhere.
Architecture in sixty seconds
MCP follows a client-server model with three roles. Hosts are the user-facing applications (Claude Desktop, VS Code, an IDE plugin). Clients live inside hosts and maintain 1:1 connections with servers. Servers expose capabilities: tools agents can invoke, resources they can read, and prompts that provide templated workflows. Communication happens over JSON-RPC 2.0, and the protocol is bidirectional. Servers can request LLM completions back from the client through a feature called sampling.
graph LR
User((User)) --> Host
subgraph Host["Host (Claude Desktop / VS Code)"]
direction TB
LLM[LLM Engine]
ClientA["Client A"]
ClientB["Client B"]
ClientC["Client C"]
LLM --- ClientA
LLM --- ClientB
LLM --- ClientC
end
ClientA <-->|"JSON-RPC 2.0
stdio"| ServerA["MCP Server
Filesystem"]
ClientB <-->|"JSON-RPC 2.0
HTTP"| ServerB["MCP Server
Postgres"]
ClientC <-->|"JSON-RPC 2.0
HTTP"| ServerC["MCP Server
GitHub"]
ServerA -.-|"sampling"| ClientA
style Host fill:none,stroke:#555
style LLM fill:#0a0a0a,color:#ededed,stroke:#555
The June 2025 specification revision introduced Streamable HTTP as the canonical transport layer, replacing the earlier SSE approach. A single HTTP endpoint handles both POST requests and optional Server-Sent Events streaming, enabling everything from simple stateless tool calls to long-running bidirectional sessions. Each session gets a cryptographically secure ID, and servers can scale horizontally behind standard load balancers.
The capability surface
MCP servers expose three primitives. Tools are executable functions: run a SQL query, create a GitHub issue, send a Slack message. The 2025-06-18 spec added structured output schemas, so tools return typed, predictable data instead of free-form text, dramatically reducing context window waste. Resources are readable data: files, database records, screenshots. Resource linking borrows HATEOAS from REST: every response includes _links that let clients discover related resources. Prompts are dynamic, context-aware workflow templates that servers tailor to the current project state.
| Primitive | Controlled by | Purpose | Example |
|---|---|---|---|
| Tools | Model | Executable actions | Run SQL query, send Slack message |
| Resources | Application | Readable data sources | File contents, DB schemas, screenshots |
| Prompts | User | Workflow templates | Code review checklist, deploy pipeline |
| Sampling | Server | Request LLM completions | Server asks client model to summarize |
| Elicitation | Server | Structured user input | Ask user to confirm before delete |
Then there is sampling, arguably the most powerful capability. It lets MCP servers request LLM completions from the client, meaning a server can reason about its own data without needing its own model access. The client retains full control over cost, model selection, and security. And with elicitation, servers can ask the user structured questions mid-workflow, turning one-shot tool calls into interactive conversations.
Security: OAuth 2.1 and the trust model
Remote MCP servers authenticate using OAuth 2.1 with PKCE. The server acts as an OAuth Resource Server: it validates tokens but does not issue them. An external authorization server handles authentication, consent, and token issuance. This means enterprise identity providers like Okta, Auth0, and WorkOS plug in natively. The principle of least privilege is enforced at the protocol level: servers declare the minimum scopes they need, and clients can enforce human-in-the-loop approval for sensitive operations.
sequenceDiagram
participant U as User
participant C as MCP Client
participant A as Auth Server
(Okta / Auth0)
participant S as MCP Server
C->>A: Authorization request + PKCE
A->>U: Consent prompt
U->>A: Approve scopes
A->>C: Access token (scoped)
C->>S: Tool call + Bearer token
S->>S: Validate token + check scopes
S->>C: Tool result
Note over C,S: Human-in-the-loop approval
for sensitive operations
Early deployments exposed real risks. Research by Equixly found command injection vulnerabilities in 43% of tested MCP implementations, and many servers launched without any authentication at all. The June 2025 spec tightened this with mandatory Resource Indicators that prevent malicious servers from obtaining overly broad access tokens. Security is no longer optional. It is structural.
Adoption: the numbers that matter
MCP crossed 97 million monthly SDK downloads by early 2026. The ecosystem grew from roughly 100,000 server downloads in November 2024 to over 8 million by April 2025. OpenAI, Google DeepMind, Microsoft, and Hugging Face all adopted the protocol. VS Code shipped full MCP specification support. Atlassian built a remote MCP server for Jira and Confluence with Anthropic as launch partner, hosted on Cloudflare infrastructure.
Adoption timeline
In December 2025, Anthropic donated MCP to the newly formed Agentic AI Foundation under the Linux Foundation, ensuring vendor-neutral governance. This was not a symbolic gesture. With Anthropic, Google, Microsoft, OpenAI, and AWS as founding members, MCP became the first agentic protocol with genuine multi-vendor stewardship. The specification is now a community standard, not a company product.
Why MCP won
Three factors compounded. First, the protocol solved a real, immediate pain point (tool integration) that every developer building on LLMs had already hit. It was not speculative; it was practical from day one. Second, the architecture was simple enough to implement in a weekend but expressive enough for production use. Third, Anthropic played the adoption game correctly: open-source the spec early, get competitors to adopt it, then donate governance to a neutral foundation before anyone could fork.
| Dimension | Function Calling | MCP |
|---|---|---|
| Architecture | Tools inside the app process | External servers via protocol |
| Vendor lock-in | Each provider has own schema | Provider-agnostic, universal |
| Discovery | Hardcoded at request time | Dynamic via tools/list |
| State | Stateless per call | Stateful sessions |
| Reusability | Coupled to one app | Build once, every client uses it |
| Scalability | M × N integrations | M + N integrations |
The result is that MCP is now table stakes. If your agent framework does not support MCP, it does not ship. The protocol did for AI tool integration what HTTP did for document transfer: it made the connection boring, so the applications on top could be interesting.
What comes next
The roadmap points toward server discovery via .well-known URLs, an established web standard that lets clients find and interrogate MCP servers without prior configuration. Think DNS for agent capabilities. Combine that with the registry and marketplace initiatives already in development, and MCP is evolving from a protocol into an ecosystem, one where agents can discover, evaluate, and connect to tools they have never seen before, at runtime, without human intervention.
That is not tool integration. That is an immune system.
← Notes