What Is MCP? Model Context Protocol Explained

The open standard connecting AI models to tools, files, and services — think USB-C for AI integrations

Updated: April 2026

🔌 What Is MCP?

The Model Context Protocol (MCP) is an open standard published by Anthropic in December 2024 that defines a universal interface for connecting AI models to external tools, data sources, and services. Before MCP, every AI integration was a custom, one-off implementation. MCP standardizes how AI clients communicate with external capabilities — so one integration works with any compatible AI system.

MCP is a client-server protocol: MCP clients are AI systems (like Claude, Cursor, VS Code with Copilot) that want to use external capabilities. MCP servers are services that expose those capabilities (GitHub, a database, a file system, a web browser) through a standardized API that any MCP client can consume.

💡 Key insight: MCP doesn't make AI smarter — it makes AI better connected. The intelligence stays in the model; MCP provides the plumbing that lets that intelligence act on real-world data and services.

🔋 The USB-C Metaphor

Before USB-C, every device had its own proprietary connector — a phone charger didn't work with a laptop, a display cable didn't work with storage devices. USB-C solved this with one universal standard: one port, one cable, infinite devices.

AI integrations before MCP were the same chaos. Connecting Claude to GitHub required custom code. Connecting GPT-4 to the same GitHub API required different custom code. Adding a new tool meant rebuilding integrations from scratch for each AI platform.

MCP is USB-C for AI. One standard:

  • Build an MCP server once — any MCP client can use it
  • Adopt a new AI model — your existing MCP servers work immediately
  • The ecosystem of MCP servers grows independently of AI model development

⚙️ How MCP Works

MCP uses a JSON-RPC 2.0 protocol over a transport layer (stdio for local servers, HTTP/SSE for remote servers). The communication follows a lifecycle of initialization, capability discovery, and request handling.

Three core primitives

Primitive | What it exposes | Example
Tools | Functions the AI can call (model-controlled) | search_github_issues, run_sql_query, send_email
Resources | Data the AI can read (application-controlled) | file:///workspace/src, db://customers/schema
Prompts | Reusable prompt templates (user-controlled) | code-review, summarize-pr, explain-error

The communication flow

  1. Initialize: Client connects to server, exchanges protocol version and capabilities
  2. Discover: Client requests list of available tools, resources, and prompts
  3. Invoke: AI model decides to call a tool; client sends the request to the server
  4. Return: Server executes the action and returns structured results to the client
  5. Continue: AI model incorporates results and continues reasoning
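
The five steps above as wire messages, in an added example that is not from the original page or the MCP SDK: a toy in-memory server answers the JSON-RPC 2.0 messages a client would send, including a notification and a call to a tool that was never advertised. It is plain JavaScript so it runs without the SDK; the tool, client name and protocol version string are sample values.

```javascript
// Added example: toy in-memory MCP-style server, no SDK and no transport.
// Tool, server info and version string are constructed sample values.
const TOOLS = [{
  name: "get_weather",
  description: "Get current weather for a city",
  inputSchema: { type: "object", properties: { city: { type: "string" } }, required: ["city"] },
}];
const ok = (id, result) => ({ jsonrpc: "2.0", id, result });
const fail = (id, code, message) => ({ jsonrpc: "2.0", id, error: { code, message } });

// Handle one JSON-RPC 2.0 message; notifications (no id) get no response.
function handle(msg) {
  if (!msg || msg.jsonrpc !== "2.0" || typeof msg.method !== "string") {
    return fail(null, -32600, "Invalid Request");
  }
  if (msg.id === undefined) return null;
  switch (msg.method) {
    case "initialize": // step 1: version and capability exchange
      return ok(msg.id, {
        protocolVersion: "2024-11-05",
        capabilities: { tools: {} },
        serverInfo: { name: "my-server", version: "1.0.0" },
      });
    case "tools/list": // step 2: discovery
      return ok(msg.id, { tools: TOOLS });
    case "tools/call": { // steps 3 and 4: invoke, then return a structured result
      const { name, arguments: args } = msg.params ?? {};
      if (name !== "get_weather") return fail(msg.id, -32602, `Unknown tool: ${name}`);
      if (typeof args?.city !== "string") return fail(msg.id, -32602, "city must be a string");
      return ok(msg.id, { content: [{ type: "text", text: `Weather in ${args.city}: sunny` }] });
    }
    default:
      return fail(msg.id, -32601, "Method not found");
  }
}

// The client's side of the lifecycle, as the messages it would put on the wire.
function runSession() {
  const init = { protocolVersion: "2024-11-05", capabilities: {}, clientInfo: { name: "demo", version: "0.1" } };
  const sent = [
    { jsonrpc: "2.0", id: 1, method: "initialize", params: init },
    { jsonrpc: "2.0", method: "notifications/initialized" },
    { jsonrpc: "2.0", id: 2, method: "tools/list" },
    { jsonrpc: "2.0", id: 3, method: "tools/call", params: { name: "get_weather", arguments: { city: "Oslo" } } },
    { jsonrpc: "2.0", id: 4, method: "tools/call", params: { name: "delete_files", arguments: {} } },
  ];
  return sent.map((msg) => ({ sent: msg, received: handle(msg) }));
}
console.log(JSON.stringify(runSession(), null, 2));
```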

Transport options

Transport | Best for | Notes
stdio | Local tools, CLI integrations | Client launches server as subprocess; simplest setup
HTTP + SSE | Remote/cloud services, shared teams | Server runs independently; supports auth headers
WebSocket | Real-time bidirectional (draft) | Proposed for streaming use cases

🔄 MCP vs Function Calling

Function calling (tool use) is a feature built into specific AI APIs — OpenAI, Anthropic, Google — that lets you define custom functions the model can invoke. MCP is a layer on top of or alongside function calling that standardizes how those functions are discovered and connected.

Aspect | Function Calling | MCP
Scope | API-specific, per-request | Cross-platform, standardized
Discovery | Hardcoded in your API call | Dynamic — server advertises capabilities
Portability | Tied to one AI provider | Works with any MCP-compatible client
Resources | Not standardized | First-class primitive (files, DBs, URIs)
Best for | Simple, single-provider use cases | Multi-tool, multi-model production systems

In practice, MCP servers often use function calling internally — MCP provides the discovery and connection layer, while function calling handles the actual LLM-to-tool invocation.

🏢 Who Supports MCP

MCP adoption has grown rapidly since its December 2024 launch. As of April 2026, the ecosystem includes:

AI clients with MCP support

  • Claude (Anthropic) — native MCP support in Claude.ai and Claude Code
  • Cursor — MCP servers for code-aware AI assistance
  • VS Code (GitHub Copilot) — MCP integration in agent mode
  • Windsurf (Codeium) — MCP server support
  • Continue.dev — open-source IDE assistant with MCP

Popular MCP servers

  • Filesystem — read/write local files (official Anthropic)
  • GitHub — repos, PRs, issues, code search
  • PostgreSQL / SQLite — database query and schema exploration
  • Brave Search / Exa — web search without API keys
  • Puppeteer / Playwright — browser automation
  • Slack / Linear / Notion — productivity tool integrations

📦 Finding MCP servers: The official MCP servers repository and community registries like mcp.so list hundreds of available servers.

🚀 Getting Started with MCP

Option 1: Use existing MCP servers (5 minutes)

The fastest way to experience MCP is using Claude Desktop with pre-built servers. Edit your Claude Desktop config at ~/Library/Application Support/Claude/claude_desktop_config.json:

{
  "mcpServers": {
    "filesystem": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-filesystem", "/Users/yourname/Documents"]
    },
    "github": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-github"],
      "env": { "GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_..." }
    }
  }
}

Option 2: Build an MCP server (30 minutes)

Official SDKs are available for TypeScript, Python, and Kotlin:

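// TypeScript MCP server example
import { Server } from "@modelcontextprotocol/sdk/server/index.js";
import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
import { CallToolRequestSchema, ListToolsRequestSchema } from "@modelcontextprotocol/sdk/types.js";

// Declare the tools capability so the server may register tool handlers
const server = new Server(
  { name: "my-server", version: "1.0.0" },
  { capabilities: { tools: {} } }
);

// Handlers are registered by request schema, not by method-name string
server.setRequestHandler(ListToolsRequestSchema, async () => ({
  tools: [{
    name: "get_weather",
    description: "Get current weather for a city",
    inputSchema: {
      type: "object",
      properties: { city: { type: "string" } },
      required: ["city"]
    }
  }]
}));

server.setRequestHandler(CallToolRequestSchema, async (request) => {
  const { name, arguments: args } = request.params;
  // Reject tools this server never advertised and arguments of the wrong type
  if (name !== "get_weather") throw new Error(`Unknown tool: ${name}`);
  const city = args?.city;
  if (typeof city !== "string") throw new Error("city must be a string");
  // ... fetch weather data
  return { content: [{ type: "text", text: `Weather in ${city}: sunny, 22°C` }] };
});

const transport = new StdioServerTransport();
await server.connect(transport);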

🔐 MCP Security Considerations

MCP's power — giving AI models access to tools, files, and services — also introduces security risks that developers must design against.

Risk | Description | Mitigation
Prompt injection via MCP | Malicious content in tool results manipulates the AI | Sanitize tool output; use separate reasoning and action models
Overprivileged servers | MCP server has more permissions than needed | Principle of least privilege; read-only where possible
Confused deputy | AI acts on behalf of attacker without user awareness | Human-in-the-loop (HITL) confirmation for destructive/irreversible actions
Server supply chain | Malicious third-party MCP server exfiltrates data | Use only trusted, audited servers; review server code

⚠️ Never give MCP servers access you wouldn't give a developer intern. If you wouldn't let a new hire run arbitrary database queries, don't give your MCP server unrestricted database access. Design your MCP server's permissions as carefully as you design any API.
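
One way to apply the least-privilege and confirmation mitigations from the table on the client side, as an added example (not code from the original page or any MCP SDK): each tools/call is checked against a per-server allowlist, the tool's advertised inputSchema, and a user prompt for state-changing tools. The POLICY shape, server names, sample tool and askUser callback are assumptions.

```javascript
// Added example: client-side gate checked before a tools/call request is sent.
// Server names, the POLICY shape and the sample tool are hypothetical.
const POLICY = {
  github: { search_github_issues: { confirm: false } },
  db: { run_sql_query: { confirm: true } }, // may change data: ask the user
  mail: { send_email: { confirm: true } },  // irreversible: ask the user
};
const PRIMITIVES = ["string", "number", "boolean"];

// Minimal inputSchema check: arguments object, required keys, primitive types,
// and no properties the schema does not declare.
function schemaErrors(schema, args) {
  if (args === null || typeof args !== "object" || Array.isArray(args)) {
    return ["arguments must be an object"];
  }
  const props = schema?.properties ?? {};
  const errors = [];
  for (const key of schema?.required ?? []) {
    if (!Object.hasOwn(args, key)) errors.push(`missing ${key}`);
  }
  for (const [key, value] of Object.entries(args)) {
    const type = Object.hasOwn(props, key) ? props[key].type : null;
    if (type === null) errors.push(`unexpected ${key}`);
    else if (PRIMITIVES.includes(type) && typeof value !== type) errors.push(`${key} must be ${type}`);
  }
  return errors;
}

// Returns { allow, reason }. askUser is the human-in-the-loop prompt; anything
// other than an explicit true counts as a refusal.
function authorize(server, advertised, call, askUser) {
  const rule = Object.hasOwn(POLICY, server) && Object.hasOwn(POLICY[server], call.name)
    ? POLICY[server][call.name] : null;
  if (!rule) return { allow: false, reason: "not in allowlist" };
  const tool = advertised.find((t) => t.name === call.name);
  if (!tool) return { allow: false, reason: "not advertised by server" };
  const errors = schemaErrors(tool.inputSchema, call.arguments);
  if (errors.length) return { allow: false, reason: errors.join("; ") };
  if (rule.confirm && askUser(server, call) !== true) {
    return { allow: false, reason: "user did not confirm" };
  }
  return { allow: true, reason: "ok" };
}

// Constructed sample: what a db server might advertise via tools/list.
const SQL_TOOL = { name: "run_sql_query", inputSchema: { type: "object", properties: { sql: { type: "string" } }, required: ["sql"] } };
const demo = (answer) => authorize("db", [SQL_TOOL], { name: "run_sql_query", arguments: { sql: "DELETE FROM t" } }, () => answer);
console.log(demo(false), demo(true));
```

A tool that a server advertises but the policy does not list is denied before the user is ever prompted, so a newly added or renamed server tool cannot reach the model's action path by default.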

For a deeper dive into AI security vulnerabilities — including how prompt injection can be weaponized through MCP tool results — see our guide: Prompt Injection Explained.