On December 9, 2025, Anthropic gave away its most successful product of the agent era. The Model Context Protocol, released barely a year earlier, was donated to the Linux Foundation's new Agentic AI Foundation, two weeks after the 2025-11-25 specification shipped.
By then OpenAI, Google DeepMind, Microsoft, and GitHub had all adopted it. If you build with AI agents in 2026, MCP is the integration layer you're standing on whether you chose it or not.
So, what is MCP? The Model Context Protocol is an open, vendor-neutral standard that defines how AI models and agents connect to external data sources, tools, and prompts over JSON-RPC 2.0.
The official docs call it "a universal adapter for AI integrations," and the USB-C comparison has stuck: one server, many hosts, no bespoke glue code per model vendor.
TL;DR: MCP standardizes the connection between AI hosts (Claude Code, Cursor, VS Code, ChatGPT) and capability servers (GitHub, Figma, your database). Servers expose tools, resources, and prompts; hosts consume them over stdio or Streamable HTTP. You can ship a working server in about ten lines of Python. The protocol is now Linux Foundation governed, and the newest extension, MCP Apps, lets servers render interactive UI inside the host.
Key takeaways
- MCP went from Anthropic side project (November 25, 2024) to industry standard (Linux Foundation, December 9, 2025) in just over a year.
- The current spec is 2025-11-25; MCP Apps stabilized as an extension on January 26, 2026.
- Write one MCP server and it works in Claude Code, Cursor, VS Code, Copilot, and ChatGPT. That one-to-many reuse is the entire economic argument.
- Security is the sharp edge: tool poisoning attacks hit success rates up to 72.8% in academic testing, and the mitigations are on you, the integrator.
What is the Model Context Protocol, exactly?
MCP is a client-server protocol with three roles. A host is the application the user touches: Claude Code, Cursor, VS Code, Windsurf, or your own agent. The host embeds one or more clients, and each client holds a dedicated one-to-one connection to a server, the process that actually exposes capabilities, per the official architecture docs.
| Role | What it does | Examples |
|---|---|---|
| Host | Owns the UX, manages model access and user consent | Claude Code, Cursor, VS Code, ChatGPT desktop |
| Client | Embedded connector, speaks MCP to exactly one server | The MCP client object inside each host |
| Server | Exposes tools, resources, and prompts | GitHub MCP, Figma MCP, filesystem server |
The design borrows directly from the Language Server Protocol. LSP separated "what an editor can do" from "how editors talk to language tooling," and one server suddenly worked everywhere. MCP applies the same move to AI tooling.
Anthropic's launch post shipped with reference servers for filesystem, GitHub, Google Drive, Slack, and Postgres. The endorsements came fast: OpenAI's Sam Altman publicly backed MCP on March 26, 2025, and Google DeepMind committed Gemini to it fourteen days later.
Within a 21-day window in spring 2025, every frontier lab had aligned on the same protocol.
How does MCP work under the hood?
Everything in MCP is JSON-RPC 2.0 messages flowing over one of two transports. Servers expose three primitives, and clients expose three back.
On the server side:
- Tools: functions the model can call (
create_issue,query_database). Think OpenAI function calling, but standardized across every vendor. - Resources: named, URI-addressed data the client can read (files, schemas, recent activity).
- Prompts: reusable, parameterized templates the host surfaces as slash commands or quick actions.
On the client side: sampling (a server asks the host to run an LLM completion), roots (the host declares which filesystem paths are authorized), and elicitation (a server requests structured user input, like a confirmation dialog). The 2025-11-25 changelog also added an experimental Tasks primitive for async, durable operations and consolidated OAuth 2.1 as the authorization story.
Transports come in two flavors. stdio runs the server as a child process of the host, lowest latency and the default for local servers. Streamable HTTP is for remote servers: the client POSTs JSON-RPC and receives streamed responses on a single connection. GitHub'sapi.githubcopilot.com/mcpendpoint, which reached general availability on September 4, 2025, speaks Streamable HTTP, as does every other production remote server.
MCP vs API: when do you actually need a server?
The honest trade-off: an MCP call is one extra serialization hop compared to an in-process function call. For a tool that lives inside a single application and serves a single model, plain function calling is faster and simpler.
MCP pays for itself the moment you have more than one consumer. A function-calling integration is one-to-one. An MCP server is one-to-many: the same Postgres server works from your IDE, your CI agent, and your chat product without a line of new integration code. Cloudflare's agents documentation frames it as a transport decision: in-process tools stay in-process, and anything crossing a trust or process boundary goes through MCP.
| Plain function calling | Framework tools (LangChain, Vercel AI SDK) | MCP server | |
|---|---|---|---|
| Consumers | One app, one model API | One app, one framework | Any MCP host |
| Latency | Lowest | Low | One extra hop |
| Discovery | None | None | Registry,tools/list |
| Best for | Internal app logic | Single-codebase agents | Shared, cross-surface tools |
Even OpenAI converged here. Its Apps SDK now tells developers building ChatGPT apps to write an MCP server as the build target, while function calling remains the in-model primitive. The common 2026 pattern is to write the tool once as an MCP server and bridge it into framework-native tool objects where needed.
How do I build an MCP server? A ten-minute tutorial
The official SDKs cover Python, TypeScript, Go, Java, Kotlin, C# (co-maintained with Microsoft), Rust, and Swift. Python and TypeScript are the most used and best documented.
Here is a complete, working Python server:
# pip install "mcp[cli]"
from mcp.server.fastmcp import FastMCP
mcp = FastMCP("hello-mcp")
@mcp.tool()
def add(a: int, b: int) -> int:
"""Add two integers and return the result."""
return a + b
if __name__ == "__main__":
mcp.run(transport="stdio")
That's the whole thing. Test it withmcp dev hello.py, which launches the MCP Inspector, the project's official visual debugging tool. TypeScript developers get the same shape withnpm i @modelcontextprotocol/sdk, aMcpServerinstance, and aStdioServerTransport.
Then connect a host:
- Claude Code:
claude mcp add hello -- python hello.py(see the quickstart). - Cursor: Settings → MCP, add the command.
- VS Code: drop a
.vscode/mcp.jsonin your project (docs). - Copilot: register the remote URL in the MCP settings UI.
For discovery beyond your own machine, the Official MCP Registry launched September 8, 2025 with Anthropic, GitHub, Microsoft, and PulseMCP as partners, and the GitHub MCP Registry followed eight days later as the fast path inside Copilot and VS Code.
What are MCP Apps, and why do they matter?
MCP Apps is the newest surface, and the most interesting one for product builders. Formalized in SEP-1865 and stabilized on January 26, 2026, it lets a server return fully interactive HTML that the host renders inside a sandboxed iframe, with apostMessagechannel speaking JSON-RPC 2.0 back to the host.
Cursor 2.6 became the first major editor to render these natively on March 3, 2026. The shipped examples show the pattern clearly: Amplitude's server returns a live analytics chart whose hover-to-filter state flows back into the model's context.
Figma's server generates design layers directly from VS Code as of March 6, 2026. Tldraw returns an interactive whiteboard, and Postman renders a "Try It" view over an API collection.
The practical upshot: your MCP server can now ship a product surface, since the host renders your UI inside its own chrome. If you've been waiting for a reason to build one beyond tool calls, this is it.
Is MCP secure? The risks you have to own
The protocol layer ships no authentication by default. The authorization tutorial is explicit that auth is an optional, HTTP-only layer: stdio servers inherit the host's credentials, and remote servers should implement OAuth 2.1 with PKCE and RFC 8707 resource indicators.
The documented attack classes are nastier than missing auth. Invariant Labs' tool poisoning disclosure showed that a malicious server's tool descriptions can instruct a model to exfiltrate data, even when the user is interacting with a separate, trusted server. The MCPTox paper measured attack success rates up to 72.8% against o1-mini under poisoned descriptions, and the "Breaking the Protocol" study found a 23 to 41 percent amplification of unsafe behavior when tool results carry indirect prompt-injection payloads.
Vendor guidance from Anthropic, OpenAI, and Microsoft converges on one playbook. Treat all retrieved content as untrusted input. Scope each tool to least privilege. Require human confirmation for high-impact actions. And run MCP-Scan against any third-party server before allowlisting it; it statically inspects tool definitions for known poisoning patterns.
What this means for you
If you maintain a product with an API, write an MCP server for it now. The distribution math changed when the registries launched: one server gets you into Claude Code, Cursor, VS Code, Copilot, and ChatGPT simultaneously, and the Official Registry is becoming the enterprise allowlist of record.
If you build internal agents, keep in-process tools in-process and reserve MCP for anything that crosses a team, model, or trust boundary. Pin your servers to a date-versioned spec; the versioning policy guarantees support across the next two revisions, so 2025-11-25 is a safe target through 2026.
And budget security work as a first-class line item. The 72.8% attack success number is from a controlled study against one model, but the lesson generalizes: every server you allowlist is code you're letting whisper to your model. Scan it, scope it, and gate the dangerous actions behind a human.
Sources
- Introducing the Model Context Protocol (Anthropic)
- MCP Specification 2025-11-25
- Architecture overview (modelcontextprotocol.io)
- Donating MCP to the Agentic AI Foundation (Anthropic)
- Linux Foundation announces the Agentic AI Foundation
- Google embraces Anthropic's MCP standard (TechCrunch)
- MCP Apps spec repo, SEP-1865 (GitHub)
- Cursor 2.6 changelog: MCP Apps
- Remote GitHub MCP Server GA (GitHub Changelog)
- Official MCP SDKs
- MCP Inspector (GitHub)
- Tool Poisoning Attacks (Invariant Labs)
- Protecting against indirect prompt injection in MCP (Microsoft)
- Build your MCP server, Apps SDK (OpenAI)