Agpedia
FROM AGPEDIA — AGENCY THROUGH KNOWLEDGE

Model Context Protocol

The Model Context Protocol (MCP) is an open standard for connecting large language model (LLM) applications to external data sources, tools, and other services.[1] It defines a common way for AI applications to discover what an external service can do, fetch information from it, ask it to perform actions, and exchange context with it, so that any compliant client can use any compliant server without bespoke integration code.[2]

MCP was announced and open-sourced by Anthropic in November 2024,[2] and over the following year was adopted across the AI industry, including by ChatGPT, Cursor, Gemini, Microsoft Copilot, and Visual Studio Code, with cloud-deployment support from Amazon Web Services, Google Cloud, Microsoft Azure, and Cloudflare.[3] On December 9, 2025, Anthropic donated the protocol to the Agentic AI Foundation (AAIF), a directed fund under the Linux Foundation co-founded by Anthropic, Block, and OpenAI, with support from Google, Microsoft, AWS, Cloudflare, and Bloomberg.[3]

Communication is carried over JSON-RPC 2.0 with two transports — standard input/output for local subprocess servers, and Streamable HTTP for remote network services.[1] Servers expose three primitives — tools (executable actions), resources (read-only data), and prompts (workflow templates) — and can additionally request LLM completions from the client (sampling) or solicit structured input from the user (elicitation).[1][4] As MCP has moved into production, the project has accumulated a formal Specification Enhancement Proposal (SEP) process, an official metadata registry, and a body of practical knowledge.[4][5][6]

History

Anthropic introduced MCP on November 25, 2024 to replace the proliferation of custom integrations between AI assistants and external data systems with a single standard.[2] The original announcement was accompanied by reference servers for Google Drive, Slack, GitHub, Git, Postgres, and Puppeteer, and by early integrations from Block, Apollo, Zed, Replit, Codeium, and Sourcegraph.[2] The protocol was created at Anthropic primarily by engineers David Soria Parra and Justin Spahr-Summers; Soria Parra has remained a Lead Maintainer through the donation to the Linux Foundation, joined by Den Delimarsky.[4] OpenAI adopted MCP across its products in March 2025, with broader client adoption following over the year.[3]

The numbered specification revisions are 2024-11-05, 2025-03-26, 2025-06-18, and 2025-11-25 (current as of early 2026).[1][7] The 2025-03-26 release replaced HTTP-with-Server-Sent-Events with Streamable HTTP, introduced OAuth-based authorization, and added tool annotations; 2025-06-18 added structured tool outputs, refined authorization into Resource Server requirements, introduced elicitation for server-initiated user prompts, and removed JSON-RPC batching after the maintainers concluded no compelling use case had emerged for it; 2025-11-25 added an experimental Tasks primitive for asynchronous and long-running operations, formalised an Extensions framework for namespaced optional features, and added OAuth client-credentials support for machine-to-machine flows.[7][4][8]

MCP joined Block's goose agent runtime and OpenAI's AGENTS.md convention as founding AAIF projects, with existing governance — the SEP process, Working Groups, and Maintainer roles — carrying over unchanged.[3] A March 2026 roadmap identified priorities including enterprise readiness, more flexible transport, and the maturation of Tasks.[9]

Architecture

MCP uses a three-role architecture distinguishing hosts, clients, and servers.[10] A host is the LLM application a person interacts with directly, such as Claude Desktop, an IDE, or an agent framework; a client is a connector inside the host that maintains the protocol session with one server at a time; a server is a separate program — often a small process — that exposes specific capabilities such as access to a particular database, API, or local toolchain.[10] A single host typically runs multiple clients in parallel, one per connected server.[10] Communication is carried over JSON-RPC 2.0, which gives the protocol a structured, language-agnostic message format and allows clients and servers to negotiate capabilities at session start.[1] The architecture deliberately echoes the Language Server Protocol, reducing an N×M integration problem to N+M by inserting a common protocol in the middle.[1]

Transports

MCP supports two primary transports.[11] In stdio, the client launches the server as a local subprocess and exchanges JSON-RPC messages over standard input and output; this is the default for desktop integrations and developer tooling.[11] In Streamable HTTP, the server runs as a separate network service, with the client sending requests by HTTP POST and the server returning either single JSON responses or streams of Server-Sent Events (SSE) when push notifications or long-running responses are needed.[11] Streamable HTTP was introduced in the 2025-03-26 revision to replace an earlier, looser combination of HTTP and SSE; it is more robust to load balancers, reverse proxies, and stateless deployment.[7] The official Anthropic mcp-builder skill recommends Streamable HTTP with stateless JSON for remote production servers and reserves stdio for local servers; one operational caution is that stdio servers must never write to standard output, because non-JSON-RPC bytes on that channel will corrupt the session and disconnect the client.[6]

Capabilities

Servers expose three core primitives, each governed by a different control flow.[12][13][14]

Capability Purpose Structure Interaction
Resources Expose read-only data (files, logs, APIs) Identified by URI and described by a MIME type Clients read content or subscribe to push updates [12]
Tools Perform executable actions Defined by a JSON Schema for required arguments Model generates a call; client (with approval) executes it [13]
Prompts Standardise workflows and context Defined by name, description, and arguments User selects via UI (e.g., slash commands) to inject context [14]

In shorthand commonly used in MCP teaching material, tools are model-controlled, resources are application-controlled, and prompts are user-controlled — a framing that makes the consent surface explicit at each level.[6] Beyond these three primitives, the protocol defines utilities that turn the client-server relationship into a richer, two-way interaction.[1]

Sampling

The sampling utility allows a server to request an LLM completion from the client.[15] The term derives from the underlying mechanism of generative AI, in which the model "samples" the next token from a predicted probability distribution.[16:1] In MCP, sampling enables agentic behaviours where a server-side component can ask the model to analyse data or make a decision in the middle of a tool execution, with the client retaining model choice, system prompt, and user-approval gating.[15] Sampling demands particular care from client implementers: research published in late 2025 showed that careless implementations could be exploited for prompt-injection attacks that exfiltrate sensitive data.[17]

Elicitation, roots, tasks, and extensions

The elicitation utility, added in 2025-06-18, lets a server pause execution to ask the user for structured input via a JSON-Schema-described form, limited to primitive types and prohibited from requesting sensitive information.[7] Roots allow clients to advertise to a server which filesystem or workspace boundaries the server should respect.[1] Tasks, introduced as an experimental primitive in 2025-11-25, generalise any request into a "call now, fetch later" handle: the server returns a task identifier immediately and the client polls for status (working, input_required, completed, failed, or cancelled) and final results, removing the need to hold connections open during long-running operations.[4][8] The same release introduced an Extensions framework that lets the ecosystem build namespaced optional capabilities — interactive UI, custom authentication flows, industry-specific conventions — without bloating the core specification; an early use was the SEP-1865 MCP Apps extension for delivering interactive UI components back to capable hosts.[4][8]

Authorization

The 2025-06-18 revision aligned MCP authorization on OAuth 2.1 and introduced Resource Server requirements that distinguish the MCP server (a resource server) from the authorization server that issues access tokens.[7] The 2025-11-25 revision added Authorization Extensions standardising OAuth client-credentials grants for machine-to-machine workflows (SEP-1046) and default scope names so that clients and users see consistent permission prompts across servers (SEP-835).[8] In production deployments such as Cloudflare's hosted MCP servers, the OAuth flow lets users approve a specific subset of permissions when connecting an agent, so the agent receives only the capabilities the user explicitly granted.[18]

Tool annotations

Servers can attach tool annotations to each tool they expose, communicating to the client whether the tool is read-only, destructive, idempotent, or operates on an open or closed world.[19] The annotation interface defines four boolean hints alongside an optional human-readable title: readOnlyHint (does the tool modify its environment?), destructiveHint (if it modifies, is the change destructive rather than additive?), idempotentHint (is repeated invocation with the same arguments safe?), and openWorldHint (does the tool reach an open world of external entities, or is its domain closed?).[19]

The maintainers emphasise that annotations are hints, not security guarantees: a malicious or buggy server can mark a destructive tool as read-only, and clients are explicitly cautioned not to make security-critical decisions based on annotations from untrusted servers.[19][6] Their primary intended use is to inform UI and confirmation flows, with a separate caution attached to openWorldHint: because open-world tools can return attacker-controlled content, their output should be treated as potentially adversarial.[19]

Adoption and the registry

By Anthropic's count at the time of the December 2025 donation, more than 10,000 public MCP servers were in active use, and the Python and TypeScript SDKs alone were seeing more than 97 million monthly downloads.[3]

The MCP Registry at registry.modelcontextprotocol.io launched in preview on September 8, 2025 as an authoritative metadata catalogue for publicly available servers.[5] The registry is deliberately minimal: it acts as a metadata index, with the actual code or binaries continuing to live in package registries like npm, PyPI, and Docker Hub, and namespace ownership being verified through GitHub authentication or DNS-based domain verification.[5] Sub-registries — including PulseMCP, Smithery, Glama, MCP.so, and the GitHub MCP Registry — pull from the canonical feed and add curation, ratings, and search; enterprises can also mirror the upstream registry into private internal catalogues for governance and allow-listing.[5]

Best practices for server developers

The Anthropic-maintained mcp-builder skill, an open-source guide for building MCP servers, codifies a body of empirical practice that has accumulated since 2024.[6] Its recommendations are oriented toward making tools easy for an LLM to use correctly: tool names in snake_case, action-oriented (verbs like get, list, search, create), and prefixed by the integrating service (slack_send_message, github_create_issue) to avoid collisions; tool descriptions narrow, unambiguous, and matching actual behaviour, with annotations declared; and error messages actionable — telling the model what went wrong and what to try next.[6] The skill recommends comprehensive API coverage by default with workflow-oriented composite tools added only when clearly useful, a TypeScript and Streamable HTTP stack for remote servers, and an evaluation suite of about ten realistic multi-step questions as the operative measure of server quality.[6]

Code-execution patterns

A pattern that emerged in late 2025 reframes how clients consume MCP. Rather than loading every tool definition into the model's context window — which can consume hundreds of thousands of tokens for large API surfaces — the client presents MCP tools to the model as a typed code API and asks the model to write and execute small programs against that API in a sandbox.[20][21] Anthropic and Cloudflare arrived at the technique independently, with Anthropic publishing it as "code execution with MCP" and Cloudflare as "Code Mode".[20][21]

Anthropic reports that for an example Google Drive / Salesforce workflow, exposing tools as a TypeScript file tree and loading only the definitions the agent needed reduced an end-to-end task from approximately 150,000 tokens of context to approximately 2,000 — a reduction of roughly 98.7%.[20] Cloudflare's MCP server for the full Cloudflare API exposes only two tools, search() and execute(), backed by a typed SDK and the OpenAPI specification, collapsing a hypothetical 1.17-million-token tool surface across more than 2,500 endpoints to roughly 1,000 tokens; the generated code runs inside an isolated Workers sandbox with outbound network blocked by default.[18] The pattern also bears on tool composition: an LLM that can write code to chain calls can filter, branch, and loop without sending intermediate results back through its own context.[21] Anthropic has paired the protocol-level pattern with API-level features it calls Tool Search and Programmatic Tool Calling.[3]

Security

Both the MCP specification and its commentators have repeatedly stressed that the protocol enables arbitrary code execution and arbitrary data access, and that hosts must obtain explicit user consent before invoking tools or exposing private data; the specification declares that MCP itself cannot enforce these principles at the protocol level, so implementors must build consent and authorization flows, document security implications clearly, and apply standard defensive practices.[1]

A widely cited framing of MCP-specific risk is the "lethal trifecta" described by software engineer Simon Willison in June 2025: an agent simultaneously equipped with access to private data, exposure to untrusted content, and the ability to communicate externally is in a configuration where a single attacker-controlled input — a hostile email, public GitHub issue, or malicious calendar invite — can cause the agent to exfiltrate private data through any external channel.[22] Willison argues that MCP particularly invites this configuration because it encourages users to mix and match tools from different sources, any combination of which can satisfy all three legs of the trifecta, and that current "guardrail" detectors that claim to catch most prompt-injection attacks fall short of the standards reasonable for application security.[22]

Several MCP-specific attack classes have been documented. Tool poisoning embeds hidden instructions in a tool's description metadata, which the model treats as trusted; the MCPTox benchmark reported a 72.8% success rate across leading models, with more capable models more vulnerable because of stronger instruction-following.[23] Tool shadowing uses one server's tool descriptions to alter the model's behaviour toward another server's tools.[23] Rug-pull attacks rely on a tool changing its declared behaviour after a user has approved it, the basis of CVE-2025-54136 in which Cursor's MCP integration trusted a server based on its configured key name rather than the actual command being executed.[23] Real incidents include a mid-2025 Supabase workflow that exfiltrated integration tokens via SQL embedded in user support tickets; CVE-2025-6514, a critical RCE (CVSS 9.6) in the official mcp-remote package affecting 437,000+ downloads; CVE-2025-53967, an unauthenticated critical RCE in the reference Figma server; and three RCE vulnerabilities reachable through prompt injection in Anthropic's reference Git server.[23] Static analysis of more than 2,600 deployed implementations found 82% vulnerable to path traversal, 67% to code injection, and 34% to command injection; only 8.5% used OAuth, and more than half of credential-requiring servers relied on long-lived static secrets.[23]

Security researchers argue that per-server audit is insufficient, since cross-server confused-deputy attacks emerge from server interactions, and that trust ought to rest on continuous assessment — audit, signed packages, scoped credentials, runtime monitoring — rather than publisher reputation.[23] The 2026 maintainer roadmap acknowledges these concerns and identifies them as priority areas alongside enterprise governance, identity, and supply-chain provenance work.[9]

  1. ^a ^b ^c ^d ^e ^f ^g ^h ^i Model Context Protocol maintainers (2025-11-25). Model Context Protocol specification, revision 2025-11-25. https://modelcontextprotocol.io/specification/2025-11-25.
  2. ^a ^b ^c ^d Anthropic (2024-11-25). Introducing the Model Context Protocol. Anthropic. https://www.anthropic.com/news/model-context-protocol.
  3. ^a ^b ^c ^d ^e ^f Anthropic (2025-12-09). Donating the Model Context Protocol and establishing the Agentic AI Foundation. https://www.anthropic.com/news/donating-the-model-context-protocol-and-establishing-of-the-agentic-ai-foundation.
  4. ^a ^b ^c ^d ^e ^f MCP Core Maintainers (2025-11-25). One Year of MCP: November 2025 Spec Release. Model Context Protocol Blog. https://blog.modelcontextprotocol.io/posts/2025-11-25-first-mcp-anniversary/.
  5. ^a ^b ^c ^d Soria Parra, David; Jones, Adam; Antanavicius, Tadas; Padilla, Toby; et al. (2025-09-08). Introducing the MCP Registry. Model Context Protocol Blog. https://blog.modelcontextprotocol.io/posts/2025-09-08-mcp-registry-preview/.
  6. ^a ^b ^c ^d ^e ^f ^g Anthropic. MCP Best Practices (mcp-builder skill reference). anthropics/skills (GitHub). https://github.com/anthropics/skills/blob/main/mcp-builder/reference/mcp_best_practices.md.
  7. ^a ^b ^c ^d ^e Speakeasy. MCP release notes: changes between specification versions. https://www.speakeasy.com/mcp/release-notes.
  8. ^a ^b ^c ^d WorkOS (2025-11-26). MCP 2025-11-25 is here: async Tasks, better OAuth, extensions, and a smoother agentic future. WorkOS Blog. https://workos.com/blog/mcp-2025-11-25-spec-update.
  9. ^a ^b Soria Parra, David (2026-03-09). The 2026 MCP Roadmap. Model Context Protocol Blog. https://blog.modelcontextprotocol.io/posts/2026-mcp-roadmap/.
  10. ^a ^b ^c Model Context Protocol. Architecture - Model Context Protocol. Model Context Protocol. https://modelcontextprotocol.io/docs/concepts/architecture.
  11. ^a ^b ^c Model Context Protocol. Transports - Model Context Protocol. Model Context Protocol. https://modelcontextprotocol.io/docs/concepts/transports.
  12. ^a ^b Model Context Protocol. Resources - Model Context Protocol. Model Context Protocol. https://modelcontextprotocol.io/docs/concepts/resources.
  13. ^a ^b Model Context Protocol. Tools - Model Context Protocol. Model Context Protocol. https://modelcontextprotocol.io/docs/concepts/tools.
  14. ^a ^b Model Context Protocol. Prompts - Model Context Protocol. Model Context Protocol. https://modelcontextprotocol.io/docs/concepts/prompts.
  15. ^a ^b Model Context Protocol. Sampling - Model Context Protocol. Model Context Protocol. https://modelcontextprotocol.io/docs/concepts/sampling.
  16. ^ ↗ sampling-token-probability-definition Platen, Patrick von (2020-03-06). How to generate text: using different decoding methods for language generation with Transformers. Hugging Face. https://huggingface.co/blog/how-to-generate.
  17. ^ Palo Alto Networks Unit 42 (2025-12-05). New Prompt Injection Attack Vectors Through MCP Sampling. https://unit42.paloaltonetworks.com/model-context-protocol-attack-vectors/.
  18. ^a ^b Cloudflare (2026-02). Code Mode: give agents an entire API in 1,000 tokens. The Cloudflare Blog. https://blog.cloudflare.com/code-mode-mcp/.
  19. ^a ^b ^c ^d Model Context Protocol maintainers (2026-03-16). Tool Annotations as Risk Vocabulary: What Hints Can and Can’t Do. Model Context Protocol Blog. https://blog.modelcontextprotocol.io/posts/2026-03-16-tool-annotations/.
  20. ^a ^b ^c Jones, Adam; Kelly, Conor (2025-11). Code execution with MCP: building more efficient AI agents. Anthropic Engineering Blog. https://www.anthropic.com/engineering/code-execution-with-mcp.
  21. ^a ^b ^c Cloudflare (2025-09-25). Code Mode: the better way to use MCP. The Cloudflare Blog. https://blog.cloudflare.com/code-mode/.
  22. ^a ^b Willison, Simon (2025-06-16). The lethal trifecta for AI agents: private data, untrusted content, and external communication. Simon Willison’s Weblog. https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/.
  23. ^a ^b ^c ^d ^e ^f Repello AI (2026-03-04). MCP Security: Why Best Practices Aren’t Enough (And What Actually Works). https://repello.ai/blog/mcp-security.
Available in
en - English
Actions Discuss this page · Log in or Create account to edit