Model Context Protocol

From the TaranCodes Wiki

This article covers the Model Context Protocol (MCP), the open standard for AI tool connectivity. Not to be confused with general API frameworks or LangChain.

Contents
  1. Origin and Coining of the Term
  2. History and Development
  3. Architecture and Core Components
  4. How It Works
  5. Transport Mechanisms and Classification
  6. Applications and Use Cases
  7. Advantages and Benefits
  8. Limitations, Criticism, and Security Risks
  9. Comparison with LangChain
  10. Adoption and Statistics
  11. Expert Opinions and Reception
  12. Controversies and Debates
  13. Legal and Ethical Considerations
  14. Future Outlook
  15. Common Misconceptions and FAQs
  16. Key Takeaways

Open protocol connecting AI language models to external tools, data, and enterprise systems.

The Model Context Protocol (MCP) is an open-source, application-level standard in artificial intelligence (AI) that connects large language models (LLMs)—AI systems trained to understand and generate human language—to external data sources, software tools, and enterprise systems. Introduced by the AI company Anthropic in November 2024, MCP provides a single, standardized way for an AI model to read files, run functions, and gather contextual information from outside systems. In doing so, it bridges the gap between an AI model's internal reasoning and the live, real-world data it needs to act usefully.

Before MCP, connecting AI models to external tools was highly fragmented. Developers had to build custom, one-to-one connectors for every pairing of an AI model and a data source. This produced what engineers call the "N×M" problem, in which linking M tools to N models required an unsustainable number of separate custom integrations. MCP solves this by offering one shared standard, which analysts often compare to the Universal Serial Bus (USB-C) connector for hardware or the Language Server Protocol (LSP) used in software development tools. By separating the AI model, known as the host, from the external capabilities, delivered through a server, MCP lets any compliant AI client work with any compliant data source without custom bridging code.

The protocol uses a messaging format called JSON-RPC 2.0, a lightweight, standardized way for programs to exchange requests and responses. As of mid-2026, MCP has grown from a local tool for coding assistants into a central control system for enterprise AI automation. It runs over several transport methods, ranging from local Standard Input/Output (STDIO) on a single computer to remote Streamable HTTP across large cloud systems. This article covers the protocol's history, architecture, mechanisms, applications, benefits, limitations, and future direction.

Origin and Coining of the Term

The Model Context Protocol began inside the engineering teams at Anthropic as an internal answer to a growing problem: connecting their LLM, named Claude, to many separate corporate data systems. The protocol was led by engineers David Soria Parra and Justin Spahr-Summers, and it was formally released to the public as an open standard on November 25, 2024. The name reflects its core function—supplying external context to AI models through a standardized protocol.

History and Development

The development of MCP can be traced through a clear sequence of milestones. In its early period, MCP was used mainly by individual developers. Early adopters used it to give AI coding assistants secure access to local resources such as filesystems, Git code repositories, and development environments. During this phase, the protocol depended heavily on STDIO transport, which offered strong security through operating-system-level process isolation but was poorly suited to distributed cloud environments.

A major turning point came in March 2025, when competing AI firms, including OpenAI and Google DeepMind, adopted the standard in their own products. This cross-company agreement established MCP as the leading integration standard and moved the industry away from closed, proprietary plugin systems. By the summer of 2025, developers were rapidly building remote MCP servers to connect with enterprise Software-as-a-Service (SaaS) platforms, shifting the protocol from a local tool into a foundation for cloud-based agentic workflows.

In a significant governance step, Anthropic donated the MCP specification to the Agentic AI Foundation (AAIF) in December 2025. The AAIF is a directed fund established under the Linux Foundation to neutrally manage open-source agentic AI infrastructure. It was co-founded by Anthropic, OpenAI, Block, and other industry leaders, and its founding contributions also included Block's "goose" agent framework and OpenAI's AGENTS.md specification. This transfer helped ensure that MCP would remain community-driven rather than controlled by a single company.

The specification itself has been refined continuously using a date-based versioning system in the YYYY-MM-DD format. The 2025-03-26 specification introduced Streamable HTTP, replacing the more fragile HTTP with Server-Sent Events (SSE) transport and enabling large-scale cloud deployment. In early 2026, the protocol added "MCP Apps," which standardized interactive user interfaces inside AI chat environments. Building on this, the 2026-07-28 specification release candidate shifted the protocol to a fully stateless core, removing connection-time handshakes and session pinning to improve enterprise scalability.

Architecture and Core Components

At its core, MCP uses a strict client-server structure that separates the AI's reasoning engine from the data and execution systems it works with. The architecture has three main parts: the MCP Host, the MCP Client, and the MCP Server. The MCP Host is the main application containing the LLM, such as a chat interface, an AI-powered integrated development environment (IDE), or an autonomous agent. Inside the host sits the MCP Client, a software connector that manages connections, translates the model's intent into standardized JSON-RPC messages, and handles communication with external services. The MCP Server is a separate, lightweight program that exposes specific capabilities and acts as a secure bridge to external systems, converting MCP requests into database queries, API calls, or file operations.

An isometric process diagram showing the software architecture of the Model Context Protocol. It features a futuristic tech mood with a central host and client connecting to a server, which bridges to a database. The 3D design uses corporate blue tones, illustrating the flow of JSON-RPC messages and listing the three core primitives: Tools, Resources, and Prompts.
An isometric diagram displaying the MCP Host, Client, Server, and three core primitives.

The capabilities a server offers fall into three categories called primitives, each defined by its "control plane"—the entity that decides when the capability is used. The first primitive, Tools, is model-controlled and performs real-world actions such as querying a database or sending an email; because tools can change external data, they require strong security and user consent. The second, Resources, is application-controlled and supplies read-only context, such as database schemas or log files, to enrich the model's knowledge without allowing it to alter that data. The third, Prompts, is user-controlled and provides predefined, repeatable workflow templates, often triggered by a human user through a slash command. Together, these three primitives define how an MCP server exposes its functionality.

How It Works

The operation of MCP is driven entirely by structured JSON-RPC 2.0 messages sent over a chosen transport layer. The specification defines strict schemas for requests, responses, and notifications, ensuring consistent behavior across different programming languages. The interaction follows a standardized sequence.

First, the MCP client performs a discovery phase, asking connected servers to list their available capabilities through endpoints such as tools/list and resources/list. When the LLM determines that an external action is needed, it produces a structured request naming the target tool and its parameters. The client converts this into a precise JSON-RPC request and sends it to the server. The server then validates the parameters against its defined schemas, which must follow the JSON Schema 2020-12 specification, and executes the underlying action, such as running a database query or calling an external service. Finally, the server formats the results into an MCP-compliant response and returns them to the client, which feeds the new information back into the model's reasoning process.

A major change to these mechanics arrived with the 2026-07-28 specification, which made MCP a stateless protocol. Earlier versions used a stateful connection that required an initialization handshake and a persistent session identifier. While workable for local use, this design made horizontal scaling difficult in cloud environments, forcing teams to rely on complex techniques like sticky sessions and shared session stores. The stateless model removes handshakes and session pinning, making every request self-contained. Information such as protocol version and client identity now travels inside a metadata payload attached to each request. When a server must track state across multiple calls, it uses an "explicit-handle pattern," issuing an opaque identifier that the model passes back as an ordinary argument. As a result, any request can be routed to any available server replica, greatly simplifying large-scale deployment.

Transport Mechanisms and Classification

MCP implementations are primarily classified by their transport mechanism—the channel used to carry JSON-RPC messages between client and server. The protocol officially defines two standard transports, with a third now deprecated.

Transport Type Architectural Model Optimal Use Cases Key Characteristics
STDIO (Standard Input/Output) Local, process-per-user Local IDE integrations, command-line tools, secure local file access Host spawns the server as a local child process; communication via newline-delimited JSON; very low latency (~10ms) and strong isolation, but no centralized auditing
Streamable HTTP Remote, stateless HTTP Enterprise gateways, cloud deployments, SaaS integrations Operates over HTTP/HTTPS to a single endpoint; supports optional Server-Sent Events; highly scalable; enables centralized OAuth 2.1 identity and Role-Based Access Control
HTTP+SSE (Legacy) Remote, stateful HTTP Deprecated implementations Used a fragmented dual-endpoint design; suffered unidirectional limits and heavy resource use; formally deprecated via Specification Enhancement Proposal (SEP) 2596

In practice, the move from local experimentation to enterprise production strongly favors Streamable HTTP. While STDIO suits a single developer's laptop, it lacks centralized points for security teams to audit usage, verify identity, or revoke access. Streamable HTTP routes all agent tool traffic through standard API gateways, bringing MCP under established enterprise IT governance.

Applications and Use Cases

The standardization MCP provides has enabled sophisticated, multi-step applications well beyond simple data retrieval. One major application is code execution for token optimization. Normally, the host must load the schemas of every available tool into the model's context window, which becomes costly and degrades performance as tools scale into the hundreds. To address this, advanced systems present MCP servers as code interfaces, letting the agent write executable code in a secure sandbox to interact with servers dynamically. This supports "progressive disclosure," in which the model reads only the tool definitions it needs at runtime. Benchmarking showed this approach can cut total token usage by up to 77.4%, producing an estimated 70% cost reduction while maintaining task success.

A second application is interactive user interfaces through MCP Apps, ratified by the AAIF in January 2026 as the first official extension to the core protocol. Earlier, MCP tools could return only text, images, or structured data. MCP Apps let servers deliver interactive interface bundles built with HTML and JavaScript, which the host renders inside a secure, sandboxed iframe within the chat window. This lets users manipulate dashboards, edit designs, or complete multi-step wizards without leaving the conversation, while the host retains auditable control over data access.

A third application is Agentic Resource Discovery (ARD), a specification led by a coalition including Google, Microsoft, and Hugging Face. As the number of MCP servers grew, finding the right tool became difficult. ARD acts as a kind of "DNS for AI," letting organizations publish a verifiable manifest file (ai-catalog.json) describing their AI capabilities. Federated registries crawl these manifests, allowing agents to discover, verify, and connect to servers using natural language at runtime, removing the need for hardcoded toolsets.

Advantages and Benefits

MCP's rapid adoption stems from several clear benefits. Its most immediate advantage is solving the N×M integration problem: a vendor writes one MCP server, and its platform becomes instantly accessible to Claude, ChatGPT, Cursor, and any other compliant client. This shifts integration effort away from AI providers and onto the broader software ecosystem.

The protocol also supports pluggable composability. A central infrastructure team can deploy a single secure MCP server—for example, one connected to a human resources database—that many different agentic workflows reuse, ensuring consistency and reducing duplicated work. In addition, by grounding models in specific, real-time enterprise data through resources, MCP reduces AI "hallucinations," meaning fabricated or inaccurate outputs. Finally, MCP enforces a separation of concerns, isolating the reasoning layer from the execution layer so that backend systems can change without rewriting the agent's core logic.

Limitations, Criticism, and Security Risks

Despite its strengths, MCP has drawn substantial criticism, mainly over security. Its rapid spread outpaced the maturation of its security frameworks, prompting some in the cybersecurity community to joke that "the S in MCP stands for security," highlighting its absence. In the first half of 2026, authorities including the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Five Eyes intelligence alliance issued guidance on systemic MCP vulnerabilities.

Documented risks include several distinct categories. Arbitrary Code Execution (ACE) can occur when untrusted, model-generated input reaches sensitive execution environments without proper checks. Tool poisoning and indirect prompt injection allow a malicious server to hide harmful instructions in tool descriptions or returned data, potentially hijacking an agent's behavior. Supply chain compromise arises from reliance on community-built servers, where typo-squatting or compromised repositories can lead teams to deploy malicious code. A lack of protocol-level identity in early versions meant servers often used shared static credentials, making detailed auditing and selective access revocation impossible.

A separate limitation concerns the fragility of natural-language tool descriptions. A 2026 academic study of 856 tools across 103 prominent servers found that 97.1% of tool descriptions contained structural defects, termed "smells," with 56% failing to clearly state their purpose. Because models depend on these descriptions to choose and use tools, poorly written ones cause errors and failures. Improving them raised task success by 5.85 percentage points but increased execution steps by 67.46% and inflated token use, revealing a trade-off between reliability and cost.

Comparison with LangChain

A common point of confusion is the relationship between MCP and orchestration frameworks such as LangChain. The two are often wrongly framed as competitors, when in fact they address different layers of the AI stack and are complementary.

Feature LangChain Model Context Protocol (MCP)
Primary Role Agent orchestration framework Standardized tool-connectivity protocol
Core Capabilities Memory management, reasoning loops, routing logic, workflow planning Standardized discovery, secure execution, and communication of external tools
Portability Tools are locked into the LangChain ecosystem Servers run across any compliant client
Execution Focus Decides which tool to call and why Handles how the tool is called securely over a network

In short, LangChain handles cognitive decision-making, while MCP handles standardized execution. For simple internal functions, building native LangChain tools can be faster and cheaper than running a remote MCP server. As deployments scale, however, developers increasingly bridge the two using libraries such as langchain-mcp-adapters, combining LangChain's orchestration with MCP's portable tooling.

Adoption and Statistics

By mid-2026, MCP showed exceptional adoption for an open engineering standard. Monthly downloads of core MCP Software Development Kits (SDKs), mainly for Python and TypeScript, rose from roughly 2 million at launch to over 97 million by March 2026, a 4,750% increase in 16 months. Public data showed more than 15,900 repositories tagged "mcp-server," with the main reference repository exceeding 86,000 stars, and over 10,000 actively maintained public servers. According to the Stacklok "State of MCP in Software 2026" report, 50% of surveyed organizations were experimenting with MCP while 41% had deployed it in production. On security, the firm Snyk reported that 36.82% of analyzed packages and servers contained at least one critical issue. The analyst firm Gartner projected that 65% of enterprises would adopt MCP or a similar protocol by the end of 2026.

Expert Opinions and Reception

Industry leaders broadly view MCP as a structural shift in software architecture. Mike Krieger, Chief Product Officer at Anthropic, noted that what began as a fix for internal friction had within a year become the industry standard for connecting AI systems to data and tools, describing it as critical infrastructure. Jim Zemlin, Executive Director of the Linux Foundation, stressed that neutral, open governance gives such infrastructure the transparency and stability it needs to grow.

Security experts express more caution. A May 2026 Cybersecurity Information Sheet from the NSA warned that traditional cyber-defense strategies do not fully address the novel risks of agentic AI protocols, advising that securing MCP requires treating the agentic environment as a continuum in which small misalignments can compound into serious vulnerabilities.

Controversies and Debates

The central debate around MCP is the tension between fast ecosystem growth and accumulating security debt. The original 2024-11-05 specification was deliberately permissive, lacking native rules for token lifecycle management, session revocation, or payload verification. This lowered the barrier to entry but encouraged insecure practices such as storing plaintext credentials. A second debate concerns token efficiency, as injecting verbose schemas into the context window becomes costly at scale, prompting discussion of "tokenmaxxing" versus efficiency. A third debate involves discovery: efforts like ARD favor an open, decentralized model, while major vendors have incentives to build closed, curated catalogs they control.

MCP raises notable compliance and ethical concerns, chiefly around data privacy and access control. Because remote servers often connect to sensitive data such as electronic health records, financial systems, or proprietary source code, they expand the surface for automated data exfiltration. The autonomous nature of agents also complicates informed consent: an agent granted access to a corporate Google Drive might process documents well beyond a user's original intent. Regulations such as the European Union's General Data Protection Regulation (GDPR) require strict auditing of automated processing, which in turn requires centralized gateways that enforce per-user identity and generate reliable audit logs.

Future Outlook

The protocol's future is focused on enterprise maturation, security hardening, and multi-agent coordination. The stateless core in the 2026-07-28 specification enables large-scale, Kubernetes-native horizontal scaling. The roadmap also indicates stricter alignment with OAuth 2.1 and OpenID Connect for delegated identity, while several early features—Roots, Sampling, and Logging—have been deprecated through SEP-2577 due to low adoption. Looking further ahead, wider use of ARD may shift the field from static, pre-installed toolsets to dynamic discovery, and the AAIF roadmap points toward Agent-to-Agent (A2A) networking, in which MCP could serve as the secure communication layer between autonomous agents.

Common Misconceptions and FAQs

Is MCP a replacement for REST APIs? No. MCP does not make traditional APIs obsolete; it acts as an overlay, with servers typically wrapping or proxying existing REST calls. Does MCP manage an AI agent's logic and memory? No. MCP is only a communication and transport protocol, with reasoning and memory handled by the host LLM and its framework. Why was the session identifier removed in 2026? It was removed to make the protocol stateless, so any request can be routed to any server replica without shared session state. What happens to deprecated features like Roots and Sampling? Under the 2026 lifecycle policy, they remain functional for at least twelve months, giving developers time to migrate.

Key Takeaways

The Model Context Protocol has reshaped the infrastructure of modern AI by solving the N×M integration problem and enabling agentic systems that connect deeply to real-world data. It evolved quickly from a local developer tool into a stateless, enterprise-ready standard governed neutrally by the Linux Foundation. Its power, however, is balanced by significant security vulnerabilities, integration complexity, and reliance on natural-language schemas. As the ecosystem matures through dynamic discovery via ARD and interactive interfaces via MCP Apps, MCP is positioned to remain a foundational standard for the next generation of autonomous AI systems.

References

  1. Transports – Model Context Protocol (MCP)
  2. modelcontextprotocol/schema/2024-11-05/schema.ts – GitHub
  3. Transports – Model Context Protocol (2025-11-25)
  4. What changed in the 2026-07 MCP specification – Stacktree
  5. MCP Server Transports: STDIO, Streamable HTTP & SSE – Godspeed Systems
  6. Deprecated Features – Model Context Protocol
  7. The Enterprise IT Security Guide to Claude + MCP – Stacklok
  8. Code Execution with MCP: Building More Efficient AI Agents – DEV Community
  9. SING: Synthetic Intention Graph for Scalable Active Tool Discovery in LLM Agents – arXiv
  10. Code Execution with MCP: A New Approach to AI Agent Efficiency – AIMultiple
  11. MCP Apps – Model Context Protocol
  12. MCP Apps are here: Rendering interactive UIs in AI clients – WorkOS
  13. Solving an ARD problem in AI: Agentic Resource Discovery – CIO
  14. AI agents don't need more hype. They need a map – PCWorld
  15. Agentic Resource Discovery: Let agents search – Hugging Face
  16. Introducing the Agentic Resource Discovery specification – Microsoft Command Line
  17. MCP vs LangChain Tools: When to Use Each – Knit
  18. Systemic Flaw in MCP Protocol Could Expose 150 Million Downloads – Reddit
  19. claude-code-ultimate-guide threat-db.yaml – GitHub
  20. NSA Releases Security Design Considerations for AI-Driven Automation Leveraging MCP
  21. MCP: Security Design Considerations for AI-Driven Automation (PDF) – NSA
  22. MCP: Security Design Considerations for AI-Driven Automation – Department of War
  23. MCP Tool Descriptions Are Smelly! (HTML) – arXiv
  24. MCP Tool Descriptions Are Smelly! (Abstract) – arXiv
  25. MCP Tool Descriptions Are Smelly! – ResearchGate
  26. LangChain vs MCP: When to Use Each (2026 Guide) – Apigene Blog
  27. MCP vs. LangChain: Choosing the Right AI Framework – Deep Learning Partnership
  28. Model Context Protocol (MCP) – Docs by LangChain
  29. MCP Adoption Statistics 2026 – Digital Applied
  30. modelcontextprotocol/servers – GitHub
  31. SEP-2577: Deprecate Roots, Sampling, and Logging – Model Context Protocol

See also

  • Context EngineeringContext Engineering is an AI discipline for curating LLM inputs, emerging in mid-2025.
  • Large Language ModelAI system built on the Transformer that predicts text tokens to generate human language.
  • Retrieval-Augmented GenerationAI technique that grounds LLM outputs in documents retrieved from external sources at query time.

Last updated on June 22, 2026.