What is an MCP Server? The Complete Guide to Model Context Protocol Servers

What is an MCP Server? The Complete Guide
Your AI agents can reason, plan, and generate — but they can't do anything useful if they can't reach your systems. Without access to databases, APIs, file systems, and enterprise tools, even the most capable large language model is stuck inside its training data.
MCP servers solve this. They give AI applications a standardized way to connect to the outside world — and they're quickly becoming the default integration layer for enterprise AI.
This guide covers what MCP servers are, how they work under the hood, where they fit in your architecture, and how to build one yourself.
What is an MCP Server?
An MCP server is a program that exposes specific capabilities — tools, data, and interaction templates — to AI applications through the Model Context Protocol, an open standard originally developed by Anthropic.
Think of MCP as a USB-C port for AI. USB-C standardized how devices connect to peripherals. MCP standardizes how AI models connect to external systems. Before MCP, every integration between an AI application and an external tool required custom code — unique to both the model and the service. MCP replaces that fragmentation with a single protocol that any AI client and any server can speak.
In practical terms, an MCP server is a lightweight service that wraps an existing system — a database, a SaaS API, a local file system, a CI/CD pipeline — and makes its functionality available to AI assistants. The AI model doesn't call the underlying system directly. Instead, it communicates with the MCP server through a well-defined interface of tools (actions the model can execute), resources (data the model can read for context), and prompts (reusable templates that guide the model through workflows).
For example, a GitHub MCP server might expose tools like create_pull_request and list_issues, resources like repository_readme, and prompts like code_review_workflow. An AI assistant connected to that server can then manage repositories, review code, and triage issues — all through natural language.
MCP servers can run locally on a developer's machine (using standard input/output for communication) or remotely as hosted services (using HTTP with server-sent events for streaming). This flexibility means MCP works across everything from single-developer IDE setups to enterprise-scale multi-agent architectures.
Why MCP Servers Matter for AI Development
Before MCP, integrating an AI assistant with external tools meant writing custom code for every combination of model and service. OpenAI had GPT Actions. Google had Gemini Extensions. Anthropic had tool use. Each ecosystem required its own integration work. None of them were interoperable.
This created what the developer community calls the N × M problem. If you have N AI models and M external tools, you need N × M custom integrations. Add a new tool, and you need N new integrations. Add a new model, and you need M new integrations. The complexity scales quadratically, and maintenance becomes unsustainable.
MCP collapses that matrix into a single layer. Tool developers build one MCP server, and it works across every MCP-compatible client — Claude, ChatGPT, VS Code, Cursor, Windsurf, and dozens more. AI platforms implement one MCP client, and they can connect to every MCP server in the ecosystem. The integration burden drops from N × M to N + M.
The impact on the ecosystem has been fast and measurable. Within months of MCP's public launch, major platforms adopted it:
Claude Desktop and Claude Code were among the first native MCP hosts
OpenAI added MCP support to ChatGPT through Developer Mode
VS Code and Cursor integrated MCP for connecting coding assistants to external tools
AWS, Cloudflare, Supabase, and Figma all shipped official MCP servers
Community directories like mcpservers.org now catalog hundreds of available servers
For developers, this means build once, integrate everywhere. For enterprises, it means AI agents can access internal tools without locking into a single model vendor — and with the right MCP gateway, they can do so with full governance. And for the broader AI ecosystem, it means a shared infrastructure layer that accelerates how quickly new capabilities reach production.
How MCP Servers Work — Architecture Explained
MCP follows a client-server architecture built on JSON-RPC 2.0, the same lightweight messaging format used in many developer tools. Understanding the architecture starts with three participants and the layers that connect them.
Core Components: Host, Client, Server
Every MCP interaction involves three roles:
MCP Host — The AI application the user interacts with. This could be Claude Desktop, VS Code with Copilot, Cursor, or any application that supports the protocol. The host coordinates user requests and manages connections to one or more servers.
MCP Client — A connector that lives inside the host application. Each client maintains a dedicated, stateful connection to a single MCP server. When a host connects to three servers, it creates three separate client instances.
MCP Server — The program that exposes capabilities from an external system. It translates protocol requests into actions on the underlying service — querying a database, calling an API, reading a file — and returns structured responses.
This separation means the AI model never touches the external system directly. The MCP client acts as an intermediary, routing requests from the host to the correct server and returning results.
What MCP Servers Expose (Tools, Resources, Prompts)
MCP servers provide three types of primitives to AI applications:
Tools are executable functions the AI model can invoke. A weather MCP server might expose a get_forecast tool. A database server might expose run_query. Tools accept typed inputs (defined by JSON Schema), perform an action, and return structured results. Importantly, tool execution typically requires user approval — the model proposes a tool call, but the human confirms it.
Resources are read-only data sources that provide context. They're identified by URIs (like file:///path/to/document.md or database://schema/users) and include MIME types for proper handling. Resources support both direct URIs pointing to specific data and dynamic templates with parameters for flexible queries.
Prompts are reusable interaction templates authored by the server developer. They define structured workflows with typed parameters — for example, a plan-vacation prompt that accepts destination, duration, and budget. Prompts help the model use tools and resources effectively without the user needing to craft complex instructions manually.
The combination of these three primitives gives MCP servers a layered capability model: tools for actions, resources for context, and prompts for guided workflows.
Transport Mechanisms (STDIO and Streamable HTTP)
MCP supports two transport mechanisms that determine how clients and servers communicate:
STDIO (Standard Input/Output) is used for local MCP servers running on the same machine as the host. The host launches the server as a subprocess and communicates through stdin/stdout pipes. There's no network overhead, making STDIO the fastest option for local development. This is how most developers first interact with MCP — configuring a server in Claude Desktop or Cursor that runs on their own machine.
Streamable HTTP is used for remote MCP servers hosted on external infrastructure. Clients send requests via HTTP POST, and servers can stream responses back using Server-Sent Events (SSE). This transport supports standard HTTP authentication methods — bearer tokens, API keys, OAuth — and enables remote servers to serve multiple clients simultaneously. AWS MCP Server, Figma's MCP server, and Sentry's MCP server all use this transport.
The protocol layer is transport-agnostic: the same JSON-RPC 2.0 messages work identically over both STDIO and Streamable HTTP.
Security and Human-in-the-Loop Controls
MCP is designed with a human-in-the-loop model. When an AI assistant wants to execute a tool — say, sending an email or modifying a database record — the host application presents the action for user approval before it's executed. This prevents unintended side effects and keeps the human in control of consequential actions.
Beyond user approval, MCP servers can implement authentication and authorization at the transport layer. Remote servers typically use OAuth or bearer tokens to verify client identity. Servers can enforce role-based access control (RBAC), restricting which tools or resources are available based on the authenticated user's permissions. For organizations deploying multiple MCP servers, an MCP gateway can centralize these security controls across all connections.
Step-by-Step Request Flow
Here's what happens when a user asks an AI assistant a question that requires external data:
User sends a message — The user types a question or instruction in the host application.
Model analyzes intent — The LLM reviews the available tools (discovered via tools/list during initialization) and decides which tools are needed.
Client routes the request — The MCP client sends a tools/call request to the appropriate server with typed arguments.
Server executes the action — The MCP server processes the request against the underlying system (queries the database, calls the API, reads the file).
Server returns results — Structured response data flows back through the client to the host.
Model formulates a response — The LLM uses the tool results as context to generate a natural language answer.
User sees the response — The final answer is displayed, often with the option to view the underlying tool calls for transparency.
This entire flow is stateful — the MCP connection maintains session context across multiple exchanges, enabling multi-step workflows where later requests build on earlier results.
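The tools/list and tools/call exchange from the flow above, as an added example (not code from the MCP SDK or from this guide's author): a standard-library dispatcher plus the client messages it answers. The get_forecast handler and the registry are constructed for illustration, and the initialize handshake that precedes discovery is omitted.

```python
import json

# Constructed tool registry: one tool with its JSON Schema and handler.
def get_forecast(args):
    return f"Forecast for {args['city']}: sunny"  # stand-in for a real backend call

TOOLS = {
    "get_forecast": {
        "description": "Get the weather forecast for a city.",
        "inputSchema": {
            "type": "object",
            "properties": {"city": {"type": "string"}},
            "required": ["city"],
        },
        "handler": get_forecast,
    }
}

def rpc_result(req_id, result):
    return {"jsonrpc": "2.0", "id": req_id, "result": result}

def rpc_error(req_id, code, message):
    return {"jsonrpc": "2.0", "id": req_id,
            "error": {"code": code, "message": message}}

def handle_message(raw):
    """Server side: turn one JSON-RPC request string into a response dict."""
    try:
        msg = json.loads(raw)
    except json.JSONDecodeError:
        return rpc_error(None, -32700, "Parse error")
    if not isinstance(msg, dict) or msg.get("jsonrpc") != "2.0" or "method" not in msg:
        return rpc_error(None, -32600, "Invalid Request")
    req_id, method = msg.get("id"), msg["method"]
    params = msg.get("params") if isinstance(msg.get("params"), dict) else {}

    if method == "tools/list":
        # Discovery: the model only ever sees name, description and schema.
        tools = [{"name": name, "description": t["description"],
                  "inputSchema": t["inputSchema"]} for name, t in TOOLS.items()]
        return rpc_result(req_id, {"tools": tools})

    if method == "tools/call":
        name = params.get("name")
        tool = TOOLS.get(name) if isinstance(name, str) else None
        if tool is None:
            # Protocol-level error: the request itself is invalid.
            return rpc_error(req_id, -32602, f"Unknown tool: {name}")
        try:
            text = tool["handler"](params.get("arguments") or {})
            is_error = False
        except Exception as exc:
            # Execution failure: returned inside the result so the model can
            # see it, without leaking internals such as a stack trace.
            text, is_error = f"Tool failed: {type(exc).__name__}", True
        return rpc_result(req_id, {"content": [{"type": "text", "text": text}],
                                   "isError": is_error})

    return rpc_error(req_id, -32601, f"Method not found: {method}")

def demo_exchange():
    """Client side: the requests a host would send, in order (constructed)."""
    requests = [
        {"jsonrpc": "2.0", "id": 1, "method": "tools/list"},
        {"jsonrpc": "2.0", "id": 2, "method": "tools/call",
         "params": {"name": "get_forecast", "arguments": {"city": "Oslo"}}},
        {"jsonrpc": "2.0", "id": 3, "method": "tools/call",
         "params": {"name": "get_forecast", "arguments": {}}},
        {"jsonrpc": "2.0", "id": 4, "method": "tools/call",
         "params": {"name": "not_registered", "arguments": {}}},
    ]
    return [handle_message(json.dumps(r)) for r in requests]

if __name__ == "__main__":
    for response in demo_exchange():
        print(json.dumps(response))
```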
MCP Server vs. API — What's the Difference?
APIs have been the backbone of software integration for decades. They define structured endpoints, require explicit calls with specific parameters, and return predictable responses. MCP servers build on top of APIs rather than replacing them — but they serve a fundamentally different purpose.
The core distinction: APIs are designed for software-to-software communication. MCP servers are designed for AI-to-system communication.
A traditional REST API requires the calling application to know exactly which endpoint to hit, what parameters to pass, and how to interpret the response. The developer writes code that handles each integration explicitly.
An MCP server, by contrast, exposes capabilities in a way that AI models can discover and reason about dynamically. The model reads tool descriptions, understands input schemas, and decides when and how to use them based on user intent — not hardcoded logic.
| | Traditional API | MCP Server |
|---|---|---|
| Designed for | Application-to-application | AI agent-to-system |
| Discovery | Static documentation (OpenAPI specs) | Dynamic runtime discovery ( |
| Invocation | Hardcoded endpoint calls | Model-driven, intent-based tool selection |
| Context | Stateless request/response | Stateful session with shared context |
| Integration effort | Custom code per API per consumer | One MCP server serves all MCP clients |
| User interaction | None (backend process) | Human-in-the-loop approval for actions |
MCP servers don't eliminate APIs — they wrap them. Under the hood, an MCP server for Slack still calls the Slack API. An MCP server for a PostgreSQL database still executes SQL queries. MCP provides the standardized layer that lets AI agents orchestrate those API calls intelligently, choosing the right endpoints, composing multi-step workflows, and adapting to user intent in real time.
In short: APIs remain the plumbing. MCP servers are the AI-native interface layer on top.
MCP Server vs. RAG, Function Calling, and LangChain
MCP is often compared to other AI integration approaches. The key difference is scope: MCP is a protocol that governs how AI clients and servers communicate, while RAG, function calling, and frameworks like LangChain are techniques or tools used within specific implementations.
Retrieval-Augmented Generation (RAG) enhances LLM responses by retrieving relevant documents from a knowledge base before generating an answer. RAG focuses on feeding context into the model. An MCP server can serve as the retrieval layer in a RAG pipeline — exposing a search_documents resource that the model queries for context — but MCP itself is broader than retrieval alone.
Function calling (as implemented by OpenAI, Anthropic, and others) allows models to invoke predefined functions during a conversation. MCP standardizes how those functions are discovered, described, and invoked across different models and applications. Function calling is a capability; MCP is the protocol that makes it interoperable.
LangChain and similar frameworks provide developer tooling for building AI applications — chaining prompts, managing memory, orchestrating tool calls. These frameworks can use MCP servers as tool providers. In fact, MCP is designed to be framework-agnostic: a LangChain agent, a CrewAI workflow, or a custom Python script can all act as MCP clients.
The relationship is complementary, not competitive. MCP aims to be the equivalent of HTTP for AI agents — a shared communication standard that any tool, framework, or model can implement.
Top MCP Server Use Cases
MCP servers are being deployed across industries wherever AI agents need to interact with real systems. Here are the most impactful patterns emerging in production.
Connecting AI Agents to Enterprise Data (CRM, ERP, HCM)
Enterprise data lives in systems like Salesforce, SAP, Workday, and dozens of internal databases. Traditionally, giving an AI assistant access to this data requires building custom integrations for each source — and maintaining them as schemas change.
An MCP server can sit in front of these systems and expose structured access. An AI agent can query customer records from a CRM, pull order history from an ERP, or look up employee data from an HCM system — all through the same protocol. The MCP server handles authentication, data formatting, and access control, so the AI model never touches the underlying system directly.
This pattern is particularly valuable for enterprise chatbots and internal copilots that need to answer questions spanning multiple business systems. Organizations deploying agents across SaaS products can use this approach to safely expose product capabilities to AI-driven usage.
Federating Access Across Data Silos
Most enterprises don't have a single source of truth. Customer data is fragmented across CRM, support tickets, billing systems, and product analytics. An MCP server can act as a semantic layer that federates access to these silos through a unified interface.
Instead of the AI agent needing to know which system holds which data, it queries the MCP server, which orchestrates retrieval from the appropriate backends. This abstraction simplifies agent development and makes it possible to build AI workflows that span organizational boundaries without requiring a massive data warehouse migration.
Integrating with APIs and External Services
MCP servers can wrap external APIs — exchange rate providers, geocoding services, stock market feeds, weather data — and present them as tools. The server handles API keys, rate limiting, response formatting, and error handling. The AI agent simply calls a tool like get_exchange_rate and receives clean, structured data.
This is especially useful when an agent needs to incorporate real-time external data into its responses without the complexity of managing dozens of API integrations at the application layer.
DevOps and Infrastructure Management
One of the most compelling MCP use cases is connecting AI assistants to infrastructure platforms. The AWS MCP Server gives AI agents authenticated access to over 15,000 AWS APIs, enabling tasks like provisioning VPCs, troubleshooting CloudWatch logs, and configuring services through natural language.
Similarly, the Argo CD MCP Server connects AI assistants to GitOps workflows — syncing applications, checking deployment status, and inspecting resources directly from an IDE. These integrations reduce context switching for platform engineers and make infrastructure operations accessible through conversation.
Design-to-Code Workflows
The Figma MCP server enables AI coding assistants to pull design context, variables, components, and layout data directly into an IDE. Developers can select a Figma frame, paste the URL into their AI assistant, and generate code that matches the design — complete with design system components and proper spacing.
The server also supports reverse workflows: capturing live UI from a running web application and sending it back to Figma as editable design layers.
Data Privacy and Compliance Enforcement
By centralizing data access through MCP servers, organizations can enforce governance policies at a single control point. MCP servers can implement dynamic data masking (hiding sensitive fields based on the requester's role), tokenization, audit logging of every query, and guardrails that prevent unauthorized data access.
This is especially important in regulated industries — healthcare, finance, government — where AI agents must comply with data protection regulations while still being useful. Platforms like Agen sit between AI agents and applications to enforce identity, permissions, and data governance before any action occurs — providing the compliance boundary that ensures sensitive data is never exposed to models or users without appropriate authorization. For a deeper look at how this works, see how organizations are governing AI agents across enterprise apps.
Popular MCP Server Examples
The MCP ecosystem has grown rapidly. Here are some of the most widely used servers:
GitHub Official Reference Servers — The modelcontextprotocol/servers repository on GitHub contains reference implementations for file systems, databases, Git, Slack, Google Maps, and more. These are designed as starting points for developers building custom servers.
AWS MCP Server — A managed remote MCP server from Amazon that provides AI assistants with authenticated access to AWS services. It includes pre-built workflows (Agent SOPs) for common tasks like setting up production VPCs and deploying serverless applications.
Figma MCP Server — Connects coding assistants to Figma designs, enabling design-to-code and code-to-design workflows. Available as both a remote hosted server and a local desktop server.
Supabase MCP Server — Connects AI agents to the Supabase platform for database operations, authentication management, edge functions, and storage.
Cloudflare MCP Server — Enables deployment, configuration, and management of Cloudflare resources including Workers, KV, R2, and D1.
Playwright MCP Server — Gives AI agents browser automation capabilities for web testing, scraping, and interaction.
Agen MCP Connector — An enterprise-grade MCP gateway that adds identity-aware connectivity, fine-grained tool authorization, data governance, and observability to any MCP server deployment. Agen sits between AI agents and applications, enforcing permissions and audit controls before any action reaches the underlying system.
mcpservers.org — A community-maintained directory that catalogs hundreds of available MCP servers across categories like web scraping, communication, productivity, development, databases, and cloud services.
How to Build an MCP Server (Step-by-Step)
Building an MCP server is straightforward with the official SDKs. The Model Context Protocol documentation provides quickstart guides in Python, TypeScript, Java, Kotlin, C#, Ruby, Go, and Rust.
Here's the general workflow using Python as an example.
Prerequisites and System Requirements
Python 3.10 or higher
The uv package manager (recommended) or pip
An MCP-compatible host for testing (Claude Desktop, VS Code, or Cursor)
Setting Up Your Environment
Install the MCP SDK and create a project:
```bash
pip install mcp
mkdir my-mcp-server && cd my-mcp-server
# File name matches the host configuration used later in this guide
touch server.py
```
Building Your First MCP Server
The Python SDK provides a FastMCP class that uses type hints and docstrings to automatically generate tool definitions:
```python
from mcp.server.fastmcp import FastMCP

mcp = FastMCP("my-server")


@mcp.tool()
def get_weather(city: str) -> str:
    """Get the current weather for a city."""
    # Your implementation here
    return f"Weather data for {city}"


@mcp.resource("config://app")
def get_config() -> str:
    """Return application configuration."""
    return "{ \"version\": \"1.0\" }"


if __name__ == "__main__":
    # Serve over the STDIO transport so a local host can launch this file.
    mcp.run()
```
Implementing Tools and Resources
Each tool is a decorated function with typed parameters. The decorator registers it with the MCP server, and the docstring becomes the tool's description that AI models use to decide when to call it. Resources work similarly but expose read-only data through URI-based access.
For production servers, you'll want to add error handling, input validation, and proper logging. The SDK supports structured error responses that help AI models understand and recover from failures.
Testing with Claude for Desktop
To test locally, configure your MCP host to connect to your server. In Claude Desktop, edit the configuration file at ~/Library/Application Support/Claude/claude_desktop_config.json:
```json
{
  "mcpServers": {
    "my-server": {
      "command": "python",
      "args": ["server.py"]
    }
  }
}
```
Restart Claude Desktop, and your server's tools will appear in the connector menu. You can verify by asking Claude to use one of your tools.
Logging and Best Practices
When building MCP servers, follow these guidelines:
Never write to stdout in STDIO-transport servers — it corrupts JSON-RPC messages. Use stderr or the MCP SDK's built-in logging instead.
Keep servers narrowly focused — A server that does one thing well is easier for AI models to reason about than a server that exposes dozens of unrelated tools.
Validate inputs rigorously — Treat all tool inputs as untrusted. Use JSON Schema validation and sanitize parameters before passing them to underlying systems.
Implement proper error handling — Return structured error messages that help the AI model understand what went wrong and suggest corrective actions.
MCP Server Security Considerations
Security is not optional when deploying MCP servers in production. Because MCP servers bridge AI agents to real systems — databases, APIs, infrastructure — every tool call is a potential vector for unintended actions.
Authentication and Authorization: Remote MCP servers should implement OAuth 2.0 or bearer token authentication at the transport layer. Every tool and resource should enforce role-based access control (RBAC), ensuring that the authenticated user or agent only accesses what they're entitled to. As noted in a recent InfoWorld analysis, MCP does not provide built-in security out of the box — it's the server developer's responsibility to implement authentication and authorization properly.
Data Masking and Tokenization: MCP servers that expose sensitive data should implement dynamic masking — returning redacted or tokenized values based on the requester's access level. A sales agent might see a customer's name and account status, while a support agent sees the full record including billing details.
Audit Logging: Every tool invocation, resource read, and prompt execution should be logged with the authenticated identity, timestamp, input parameters, and output. This creates an audit trail for compliance and incident response.
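One way to combine the three controls above (role-based authorization, role-dependent masking and audit logging) in a single wrapper around tool execution. This is an added example, not code from the MCP SDK or any product named on this page; the roles, policy table, customer record and call_tool function are all constructed for illustration.

```python
import json
import sys
from datetime import datetime, timezone

# Constructed policy: role -> tools it may call and record fields it may see.
POLICY = {
    "sales": {"tools": {"get_customer"},
              "fields": {"name", "account_status"}},
    "support": {"tools": {"get_customer"},
                "fields": {"name", "account_status", "email", "billing_card"}},
    "contractor": {"tools": set(), "fields": set()},
}

# Constructed backend data standing in for a CRM.
CUSTOMERS = {
    "c-1001": {"name": "Ada Example", "account_status": "active",
               "email": "ada@example.com", "billing_card": "visa ending 1111"},
}

AUDIT_LOG = []  # in-memory copy so the example can be inspected


class AccessDenied(Exception):
    """Raised when the caller's role does not permit the requested tool."""


def get_customer(args):
    return dict(CUSTOMERS[args["customer_id"]])


TOOLS = {"get_customer": get_customer}


def mask(record, visible_fields):
    """Redact every field the role is not entitled to see."""
    return {k: (v if k in visible_fields else "***REDACTED***")
            for k, v in record.items()}


def call_tool(identity, role, tool_name, args):
    """Authorize, execute, mask and audit one tool call."""
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "identity": identity, "role": role,
        "tool": tool_name, "args": args,
        "decision": "deny", "output": None, "error": None,
    }
    try:
        policy = POLICY.get(role)  # unknown role -> default deny
        if policy is None or tool_name not in policy["tools"]:
            raise AccessDenied(f"{role!r} may not call {tool_name!r}")
        entry["decision"] = "allow"
        result = mask(TOOLS[tool_name](args), policy["fields"])
        entry["output"] = result  # the masked form the caller actually received
        return result
    except Exception as exc:
        entry["error"] = type(exc).__name__
        raise
    finally:
        # Denied and failed calls are recorded too. The record goes to stderr
        # because stdout carries JSON-RPC on the STDIO transport.
        AUDIT_LOG.append(entry)
        print(json.dumps(entry), file=sys.stderr)


if __name__ == "__main__":
    print(call_tool("alice", "sales", "get_customer", {"customer_id": "c-1001"}))
    print(call_tool("bob", "support", "get_customer", {"customer_id": "c-1001"}))
```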
Human-in-the-Loop Controls: MCP's design encourages human approval for consequential actions. Host applications should implement approval workflows for high-risk operations — database writes, financial transactions, infrastructure changes — while allowing read-only operations to proceed automatically.
Prompt Injection Defense: MCP servers should validate that tool inputs contain only expected data types and values. Because AI agents may pass user-generated content as tool arguments, servers must sanitize inputs to prevent injection attacks against downstream systems.
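The input-validation advice here and in the best-practices list, as an added example (not code from the MCP SDK or this guide's author): arguments are checked against a schema before use, and every value that reaches the database is bound as a parameter rather than concatenated into SQL. The lookup_orders tool, its schema and the orders table are constructed, and validate covers only the subset of JSON Schema keywords used here; a production server would use a full validator library.

```python
import re
import sqlite3

# Constructed input schema for a hypothetical lookup_orders tool.
SCHEMA = {
    "type": "object",
    "properties": {
        "customer_id": {"type": "string", "pattern": r"c-[0-9]{1,8}"},
        "status": {"type": "string", "enum": ["open", "shipped", "cancelled"]},
        "note_contains": {"type": "string", "maxLength": 40},
        "limit": {"type": "integer", "minimum": 1, "maximum": 50},
    },
    "required": ["customer_id"],
    "additionalProperties": False,
}
_TYPES = {"string": str, "integer": int}


def validate(args, schema):
    """Return a list of violations; an empty list means the input is valid."""
    if not isinstance(args, dict):
        return ["arguments must be an object"]
    errors = [f"missing required field: {k}"
              for k in schema["required"] if k not in args]
    for key, value in args.items():
        rule = schema["properties"].get(key)
        if rule is None:
            errors.append(f"unexpected field: {key}")
        elif isinstance(value, bool) or not isinstance(value, _TYPES[rule["type"]]):
            errors.append(f"{key}: expected {rule['type']}")  # bool is not an integer
        elif "pattern" in rule and not re.fullmatch(rule["pattern"], value):
            # fullmatch: the whole value must match, trailing newline included
            errors.append(f"{key}: does not match required format")
        elif "enum" in rule and value not in rule["enum"]:
            errors.append(f"{key}: not an allowed value")
        elif "maxLength" in rule and len(value) > rule["maxLength"]:
            errors.append(f"{key}: too long")
        elif "minimum" in rule and not rule["minimum"] <= value <= rule["maximum"]:
            errors.append(f"{key}: out of range")
    return errors


def make_db():
    """Constructed sample data in an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, "
               "customer_id TEXT, status TEXT, note TEXT)")
    db.executemany(
        "INSERT INTO orders (customer_id, status, note) VALUES (?, ?, ?)",
        [("c-1001", "open", "gift wrap"),
         ("c-1001", "shipped", "leave at door"),
         ("c-2002", "open", "fragile")])
    return db


def lookup_orders(db, args):
    """Tool body: reject invalid input, then query with bound parameters only."""
    problems = validate(args, SCHEMA)
    if problems:
        raise ValueError("; ".join(problems))
    sql = "SELECT id, status, note FROM orders WHERE customer_id = ?"
    params = [args["customer_id"]]
    if "status" in args:
        sql += " AND status = ?"
        params.append(args["status"])
    if "note_contains" in args:
        # Free text cannot be allow-listed, so binding is what keeps it inert.
        sql += " AND instr(note, ?) > 0"
        params.append(args["note_contains"])
    sql += " ORDER BY id LIMIT ?"
    params.append(args.get("limit", 10))
    return db.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_orders(db, {"customer_id": "c-1001"}))
    # Constructed hostile value in a free-text field: bound as data, matches nothing.
    print(lookup_orders(db, {"customer_id": "c-1001", "note_contains": "' OR '1'='1"}))
```

Validation and parameter binding cover different cases: the schema rejects malformed identifiers outright, while binding handles free-text fields that no pattern can constrain.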
Governance Platforms: For organizations managing multiple MCP servers at scale, dedicated governance layers like Agen provide centralized identity management, anomaly detection, tool authorization, and data masking across all agent-to-application interactions — without requiring each individual MCP server to implement these controls independently. The scaling AI agents governance gap is one of the biggest risks enterprises face as MCP adoption accelerates.
Is MCP Server Free?
Yes. The Model Context Protocol is an open-source standard — anyone can build, deploy, and use MCP servers without licensing fees.
The official SDKs for Python, TypeScript, Java, Go, Rust, and other languages are freely available. Community-built servers on GitHub are open source. Running a local MCP server on your own machine costs nothing beyond compute resources.
For cloud-hosted servers, costs depend on the provider. The AWS MCP Server, for example, has no additional charges for the MCP layer itself — you pay only for the underlying AWS resources consumed. Similarly, Figma's remote MCP server is included with paid Figma plans.
The main cost consideration for enterprises is operational: building custom MCP servers for internal systems, maintaining them as schemas evolve, and implementing the security and governance layers needed for production deployment.
MCP Server FAQ
What is an MCP server? An MCP server is a program that exposes tools, data, and interaction templates to AI applications through the Model Context Protocol. It acts as a standardized bridge between AI models and external systems like databases, APIs, and SaaS platforms.
What is the difference between MCP and API? APIs define structured endpoints for software-to-software communication. MCP servers provide an AI-native interface layer that enables models to dynamically discover and invoke capabilities based on user intent. MCP servers typically wrap existing APIs, adding discoverability, typed schemas, and human-in-the-loop controls designed for AI agent workflows.
What is the difference between MCP and MCP server? MCP (Model Context Protocol) is the open standard — the specification that defines how clients and servers communicate. An MCP server is an implementation of that standard — a running program that follows the protocol to expose capabilities from a specific system or service.
Does ChatGPT use MCP? Yes. OpenAI added MCP support to ChatGPT through Developer Mode, allowing it to connect to MCP servers via Apps (formerly Plugins). This enables ChatGPT to interact with external tools and data sources using the same protocol supported by Claude, VS Code, Cursor, and other MCP-compatible clients.
Is MCP server free? The protocol and SDKs are open source and free to use. Running local MCP servers is free. Cloud-hosted MCP servers may incur costs based on the underlying infrastructure, but the MCP layer itself is not a paid product.
What MCP servers exist? Hundreds of MCP servers are available across categories including file systems, databases, cloud services (AWS, Cloudflare, Supabase), design tools (Figma), development tools (GitHub, Playwright), communication (Slack), and more. Directories like mcpservers.org maintain up-to-date catalogs.
How do I set up an MCP server? Install an MCP SDK for your language (Python, TypeScript, Java, etc.), define tools and resources as functions, and configure your MCP host (Claude Desktop, VS Code, Cursor) to connect to your server. The official documentation at modelcontextprotocol.io provides step-by-step guides for each supported language.
Which AI tools support MCP? Major MCP-compatible hosts include Claude Desktop, Claude Code, ChatGPT (Developer Mode), VS Code, Cursor, Windsurf, Zed, and many others. The ecosystem is growing rapidly, with new clients adding MCP support on a regular basis.
Resources are read-only data sources that provide context. They're identified by URIs (like file:///path/to/document.md or database://schema/users) and include MIME types for proper handling. Resources support both direct URIs pointing to specific data and dynamic templates with parameters for flexible queries.
Prompts are reusable interaction templates authored by the server developer. They define structured workflows with typed parameters — for example, a plan-vacation prompt that accepts destination, duration, and budget. Prompts help the model use tools and resources effectively without the user needing to craft complex instructions manually.
The combination of these three primitives gives MCP servers a layered capability model: tools for actions, resources for context, and prompts for guided workflows.
Transport Mechanisms (STDIO and Streamable HTTP)
MCP supports two transport mechanisms that determine how clients and servers communicate:
STDIO (Standard Input/Output) is used for local MCP servers running on the same machine as the host. The host launches the server as a subprocess and communicates through stdin/stdout pipes. There's no network overhead, making STDIO the fastest option for local development. This is how most developers first interact with MCP — configuring a server in Claude Desktop or Cursor that runs on their own machine.
Streamable HTTP is used for remote MCP servers hosted on external infrastructure. Clients send requests via HTTP POST, and servers can stream responses back using Server-Sent Events (SSE). This transport supports standard HTTP authentication methods — bearer tokens, API keys, OAuth — and enables remote servers to serve multiple clients simultaneously. AWS MCP Server, Figma's MCP server, and Sentry's MCP server all use this transport.
The protocol layer is transport-agnostic: the same JSON-RPC 2.0 messages work identically over both STDIO and Streamable HTTP.
Security and Human-in-the-Loop Controls
MCP is designed with a human-in-the-loop model. When an AI assistant wants to execute a tool — say, sending an email or modifying a database record — the host application presents the action for user approval before it's executed. This prevents unintended side effects and keeps the human in control of consequential actions.
Beyond user approval, MCP servers can implement authentication and authorization at the transport layer. Remote servers typically use OAuth or bearer tokens to verify client identity. Servers can enforce role-based access control (RBAC), restricting which tools or resources are available based on the authenticated user's permissions. For organizations deploying multiple MCP servers, an MCP gateway can centralize these security controls across all connections.
Step-by-Step Request Flow
Here's what happens when a user asks an AI assistant a question that requires external data:
User sends a message — The user types a question or instruction in the host application.
Model analyzes intent — The LLM reviews the available tools (discovered via tools/list during initialization) and decides which tools are needed.
Client routes the request — The MCP client sends a tools/call request to the appropriate server with typed arguments.
Server executes the action — The MCP server processes the request against the underlying system (queries the database, calls the API, reads the file).
Server returns results — Structured response data flows back through the client to the host.
Model formulates a response — The LLM uses the tool results as context to generate a natural language answer.
User sees the response — The final answer is displayed, often with the option to view the underlying tool calls for transparency.
This entire flow is stateful — the MCP connection maintains session context across multiple exchanges, enabling multi-step workflows where later requests build on earlier results.
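The messages behind the discovery and tool-call steps above, as an added example that is not part of the original guide or of the MCP SDK. It implements both sides of the JSON-RPC 2.0 exchange in memory, omits the initialization handshake, and uses a constructed schema and handler for the article's get_forecast tool.

```python
import json

# Constructed registry: get_forecast is the tool name used in the article, but
# the schema and the handler's return value are assumptions for this example.
TOOLS = {
    "get_forecast": {
        "description": "Get the forecast for a city.",
        "inputSchema": {
            "type": "object",
            "properties": {"city": {"type": "string"}},
            "required": ["city"],
        },
        "handler": lambda args: f"Forecast for {args['city']}: sunny",
    }
}


def handle_message(line: str) -> str:
    """Server side: answer one JSON-RPC 2.0 request with one response."""
    req = json.loads(line)
    rid, method, params = req.get("id"), req.get("method"), req.get("params", {})

    def ok(result):
        return json.dumps({"jsonrpc": "2.0", "id": rid, "result": result})

    def err(code, message):
        return json.dumps({"jsonrpc": "2.0", "id": rid,
                           "error": {"code": code, "message": message}})

    if method == "tools/list":
        return ok({"tools": [
            {"name": name, "description": tool["description"],
             "inputSchema": tool["inputSchema"]}
            for name, tool in TOOLS.items()]})
    if method == "tools/call":
        tool = TOOLS.get(params.get("name"))
        if tool is None:
            # Protocol-level failure: the request itself is invalid.
            return err(-32602, f"Unknown tool: {params.get('name')}")
        try:
            text = tool["handler"](params.get("arguments", {}))
            return ok({"content": [{"type": "text", "text": text}], "isError": False})
        except Exception as exc:
            # Execution failure: reported inside the result so the model sees it.
            return ok({"content": [{"type": "text", "text": f"Tool failed: {exc!r}"}],
                       "isError": True})
    return err(-32601, f"Method not found: {method}")


def request(rid, method, params=None) -> str:
    """Client side: serialize one request; the id ties the response back to it."""
    msg = {"jsonrpc": "2.0", "id": rid, "method": method}
    if params is not None:
        msg["params"] = params
    return json.dumps(msg)


def run_flow():
    """Discover tools, call one, then send two calls that must fail."""
    listing = json.loads(handle_message(request(1, "tools/list")))
    call = json.loads(handle_message(request(
        2, "tools/call", {"name": "get_forecast", "arguments": {"city": "Oslo"}})))
    bad_args = json.loads(handle_message(request(
        3, "tools/call", {"name": "get_forecast", "arguments": {}})))
    unknown = json.loads(handle_message(request(
        4, "tools/call", {"name": "drop_table", "arguments": {}})))
    return listing, call, bad_args, unknown


if __name__ == "__main__":
    for reply in run_flow():
        print(json.dumps(reply, indent=2))
```

The two failure paths differ on purpose: an unknown tool is a JSON-RPC error, while a tool that throws returns a normal result with isError set, which is what an audit or detection pipeline should key on.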
MCP Server vs. API — What's the Difference?
APIs have been the backbone of software integration for decades. They define structured endpoints, require explicit calls with specific parameters, and return predictable responses. MCP servers build on top of APIs rather than replacing them — but they serve a fundamentally different purpose.
The core distinction: APIs are designed for software-to-software communication. MCP servers are designed for AI-to-system communication.
A traditional REST API requires the calling application to know exactly which endpoint to hit, what parameters to pass, and how to interpret the response. The developer writes code that handles each integration explicitly.
An MCP server, by contrast, exposes capabilities in a way that AI models can discover and reason about dynamically. The model reads tool descriptions, understands input schemas, and decides when and how to use them based on user intent — not hardcoded logic.
| | Traditional API | MCP Server |
|---|---|---|
| Designed for | Application-to-application | AI agent-to-system |
| Discovery | Static documentation (OpenAPI specs) | Dynamic runtime discovery |
| Invocation | Hardcoded endpoint calls | Model-driven, intent-based tool selection |
| Context | Stateless request/response | Stateful session with shared context |
| Integration effort | Custom code per API per consumer | One MCP server serves all MCP clients |
| User interaction | None (backend process) | Human-in-the-loop approval for actions |
MCP servers don't eliminate APIs — they wrap them. Under the hood, an MCP server for Slack still calls the Slack API. An MCP server for a PostgreSQL database still executes SQL queries. MCP provides the standardized layer that lets AI agents orchestrate those API calls intelligently, choosing the right endpoints, composing multi-step workflows, and adapting to user intent in real time.
In short: APIs remain the plumbing. MCP servers are the AI-native interface layer on top.
MCP Server vs. RAG, Function Calling, and LangChain
MCP is often compared to other AI integration approaches. The key difference is scope: MCP is a protocol that governs how AI clients and servers communicate, while RAG, function calling, and frameworks like LangChain are techniques or tools used within specific implementations.
Retrieval-Augmented Generation (RAG) enhances LLM responses by retrieving relevant documents from a knowledge base before generating an answer. RAG focuses on feeding context into the model. An MCP server can serve as the retrieval layer in a RAG pipeline — exposing a search_documents resource that the model queries for context — but MCP itself is broader than retrieval alone.
Function calling (as implemented by OpenAI, Anthropic, and others) allows models to invoke predefined functions during a conversation. MCP standardizes how those functions are discovered, described, and invoked across different models and applications. Function calling is a capability; MCP is the protocol that makes it interoperable.
LangChain and similar frameworks provide developer tooling for building AI applications — chaining prompts, managing memory, orchestrating tool calls. These frameworks can use MCP servers as tool providers. In fact, MCP is designed to be framework-agnostic: a LangChain agent, a CrewAI workflow, or a custom Python script can all act as MCP clients.
The relationship is complementary, not competitive. MCP aims to be the equivalent of HTTP for AI agents — a shared communication standard that any tool, framework, or model can implement.
Top MCP Server Use Cases
MCP servers are being deployed across industries wherever AI agents need to interact with real systems. Here are the most impactful patterns emerging in production.
Connecting AI Agents to Enterprise Data (CRM, ERP, HCM)
Enterprise data lives in systems like Salesforce, SAP, Workday, and dozens of internal databases. Traditionally, giving an AI assistant access to this data requires building custom integrations for each source — and maintaining them as schemas change.
An MCP server can sit in front of these systems and expose structured access. An AI agent can query customer records from a CRM, pull order history from an ERP, or look up employee data from an HCM system — all through the same protocol. The MCP server handles authentication, data formatting, and access control, so the AI model never touches the underlying system directly.
This pattern is particularly valuable for enterprise chatbots and internal copilots that need to answer questions spanning multiple business systems. Organizations deploying agents across SaaS products can use this approach to safely expose product capabilities to AI-driven usage.
Federating Access Across Data Silos
Most enterprises don't have a single source of truth. Customer data is fragmented across CRM, support tickets, billing systems, and product analytics. An MCP server can act as a semantic layer that federates access to these silos through a unified interface.
Instead of the AI agent needing to know which system holds which data, it queries the MCP server, which orchestrates retrieval from the appropriate backends. This abstraction simplifies agent development and makes it possible to build AI workflows that span organizational boundaries without requiring a massive data warehouse migration.
Integrating with APIs and External Services
MCP servers can wrap external APIs — exchange rate providers, geocoding services, stock market feeds, weather data — and present them as tools. The server handles API keys, rate limiting, response formatting, and error handling. The AI agent simply calls a tool like get_exchange_rate and receives clean, structured data.
This is especially useful when an agent needs to incorporate real-time external data into its responses without the complexity of managing dozens of API integrations at the application layer.
DevOps and Infrastructure Management
One of the most compelling MCP use cases is connecting AI assistants to infrastructure platforms. The AWS MCP Server gives AI agents authenticated access to over 15,000 AWS APIs, enabling tasks like provisioning VPCs, troubleshooting CloudWatch logs, and configuring services through natural language.
Similarly, the Argo CD MCP Server connects AI assistants to GitOps workflows — syncing applications, checking deployment status, and inspecting resources directly from an IDE. These integrations reduce context switching for platform engineers and make infrastructure operations accessible through conversation.
Design-to-Code Workflows
The Figma MCP server enables AI coding assistants to pull design context, variables, components, and layout data directly into an IDE. Developers can select a Figma frame, paste the URL into their AI assistant, and generate code that matches the design — complete with design system components and proper spacing.
The server also supports reverse workflows: capturing live UI from a running web application and sending it back to Figma as editable design layers.
Data Privacy and Compliance Enforcement
By centralizing data access through MCP servers, organizations can enforce governance policies at a single control point. MCP servers can implement dynamic data masking (hiding sensitive fields based on the requester's role), tokenization, audit logging of every query, and guardrails that prevent unauthorized data access.
This is especially important in regulated industries — healthcare, finance, government — where AI agents must comply with data protection regulations while still being useful. Platforms like Agen sit between AI agents and applications to enforce identity, permissions, and data governance before any action occurs — providing the compliance boundary that ensures sensitive data is never exposed to models or users without appropriate authorization. For a deeper look at how this works, see how organizations are governing AI agents across enterprise apps.
Popular MCP Server Examples
The MCP ecosystem has grown rapidly. Here are some of the most widely used servers:
GitHub Official Reference Servers — The modelcontextprotocol/servers repository on GitHub contains reference implementations for file systems, databases, Git, Slack, Google Maps, and more. These are designed as starting points for developers building custom servers.
AWS MCP Server — A managed remote MCP server from Amazon that provides AI assistants with authenticated access to AWS services. It includes pre-built workflows (Agent SOPs) for common tasks like setting up production VPCs and deploying serverless applications.
Figma MCP Server — Connects coding assistants to Figma designs, enabling design-to-code and code-to-design workflows. Available as both a remote hosted server and a local desktop server.
Supabase MCP Server — Connects AI agents to the Supabase platform for database operations, authentication management, edge functions, and storage.
Cloudflare MCP Server — Enables deployment, configuration, and management of Cloudflare resources including Workers, KV, R2, and D1.
Playwright MCP Server — Gives AI agents browser automation capabilities for web testing, scraping, and interaction.
Agen MCP Connector — An enterprise-grade MCP gateway that adds identity-aware connectivity, fine-grained tool authorization, data governance, and observability to any MCP server deployment. Agen sits between AI agents and applications, enforcing permissions and audit controls before any action reaches the underlying system.
mcpservers.org — A community-maintained directory that catalogs hundreds of available MCP servers across categories like web scraping, communication, productivity, development, databases, and cloud services.
How to Build an MCP Server (Step-by-Step)
Building an MCP server is straightforward with the official SDKs. The Model Context Protocol documentation provides quickstart guides in Python, TypeScript, Java, Kotlin, C#, Ruby, Go, and Rust.
Here's the general workflow using Python as an example.
Prerequisites and System Requirements
Python 3.10 or higher
The uv package manager (recommended) or pip
An MCP-compatible host for testing (Claude Desktop, VS Code, or Cursor)
Setting Up Your Environment
Install the MCP SDK and create a project:
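```bash
pip install mcp
mkdir my-mcp-server && cd my-mcp-server
# server.py is the file name the Claude Desktop configuration in this guide launches
touch server.py
```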
Building Your First MCP Server
The Python SDK provides a FastMCP class that uses type hints and docstrings to automatically generate tool definitions:
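```python
from mcp.server.fastmcp import FastMCP

# The name identifies this server to MCP hosts.
mcp = FastMCP("my-server")


@mcp.tool()
def get_weather(city: str) -> str:
    """Get the current weather for a city."""
    # Your implementation here
    return f"Weather data for {city}"


@mcp.resource("config://app")
def get_config() -> str:
    """Return application configuration."""
    return '{ "version": "1.0" }'


if __name__ == "__main__":
    # Serve over STDIO so a local host can launch this file as a subprocess.
    mcp.run(transport="stdio")
```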
Implementing Tools and Resources
Each tool is a decorated function with typed parameters. The decorator registers it with the MCP server, and the docstring becomes the tool's description that AI models use to decide when to call it. Resources work similarly but expose read-only data through URI-based access.
For production servers, you'll want to add error handling, input validation, and proper logging. The SDK supports structured error responses that help AI models understand and recover from failures.
Testing with Claude for Desktop
To test locally, configure your MCP host to connect to your server. In Claude Desktop, edit the configuration file at ~/Library/Application Support/Claude/claude_desktop_config.json:
```json
{
  "mcpServers": {
    "my-server": {
      "command": "python",
      "args": ["server.py"]
    }
  }
}
```
Restart Claude Desktop, and your server's tools will appear in the connector menu. You can verify by asking Claude to use one of your tools.
Logging and Best Practices
When building MCP servers, follow these guidelines:
Never write to stdout in STDIO-transport servers — it corrupts JSON-RPC messages. Use stderr or the MCP SDK's built-in logging instead.
Keep servers narrowly focused — A server that does one thing well is easier for AI models to reason about than a server that exposes dozens of unrelated tools.
Validate inputs rigorously — Treat all tool inputs as untrusted. Use JSON Schema validation and sanitize parameters before passing them to underlying systems.
Implement proper error handling — Return structured error messages that help the AI model understand what went wrong and suggest corrective actions.
MCP Server Security Considerations
Security is not optional when deploying MCP servers in production. Because MCP servers bridge AI agents to real systems — databases, APIs, infrastructure — every tool call is a potential vector for unintended actions.
Authentication and Authorization: Remote MCP servers should implement OAuth 2.0 or bearer token authentication at the transport layer. Every tool and resource should enforce role-based access control (RBAC), ensuring that the authenticated user or agent only accesses what they're entitled to. As noted in a recent InfoWorld analysis, MCP does not provide built-in security out of the box — it's the server developer's responsibility to implement authentication and authorization properly.
Data Masking and Tokenization: MCP servers that expose sensitive data should implement dynamic masking — returning redacted or tokenized values based on the requester's access level. A sales agent might see a customer's name and account status, while a support agent sees the full record including billing details.
Audit Logging: Every tool invocation, resource read, and prompt execution should be logged with the authenticated identity, timestamp, input parameters, and output. This creates an audit trail for compliance and incident response.
Human-in-the-Loop Controls: MCP's design encourages human approval for consequential actions. Host applications should implement approval workflows for high-risk operations — database writes, financial transactions, infrastructure changes — while allowing read-only operations to proceed automatically.
Prompt Injection Defense: MCP servers should validate that tool inputs contain only expected data types and values. Because AI agents may pass user-generated content as tool arguments, servers must sanitize inputs to prevent injection attacks against downstream systems.
Governance Platforms: For organizations managing multiple MCP servers at scale, dedicated governance layers like Agen provide centralized identity management, anomaly detection, tool authorization, and data masking across all agent-to-application interactions — without requiring each individual MCP server to implement these controls independently. The scaling AI agents governance gap is one of the biggest risks enterprises face as MCP adoption accelerates.
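One way to combine the controls listed in this section (role-based tool access, strict argument validation, role-dependent masking and audit logging) in front of a tool handler. This is an added example, not code from the MCP SDK or from Agen; the roles, the get_customer tool, the field names and the customer record are all constructed.

```python
import json
import logging
import sys

# Audit output goes to stderr; on the STDIO transport stdout is JSON-RPC only.
audit = logging.getLogger("mcp.audit")
audit.addHandler(logging.StreamHandler(sys.stderr))
audit.handlers[0].setFormatter(logging.Formatter("%(asctime)s %(message)s"))
audit.setLevel(logging.INFO)
audit.propagate = False

# Hypothetical policy: tools each role may call, fields each role may read.
ROLE_TOOLS = {"sales": {"get_customer"}, "support": {"get_customer"}}
VISIBLE = {"sales": {"name", "account_status"},
           "support": {"name", "account_status", "billing_email"}}
# Argument rules per tool: argument name -> (type, max length, allowed characters).
ARG_RULES = {"get_customer": {"customer_id": (str, 12, set("0123456789"))}}
# Constructed record standing in for the backend system.
CUSTOMERS = {"1001": {"name": "Ada Example", "account_status": "active",
                      "billing_email": "ada@example.test"}}
TOOL_IMPLS = {"get_customer": lambda args: CUSTOMERS.get(args["customer_id"])}


class Denied(Exception):
    """Raised when policy or validation rejects a call before it runs."""


def validate_args(tool, args):
    """Allowlist validation: exact argument set, type, length, character set."""
    rules = ARG_RULES.get(tool)
    if rules is None or not isinstance(args, dict) or set(args) != set(rules):
        raise Denied("unexpected or missing arguments")
    for key, (typ, max_len, alphabet) in rules.items():
        value = args[key]
        if not isinstance(value, typ) or not 0 < len(value) <= max_len:
            raise Denied(f"bad type or length for {key}")
        if not set(value) <= alphabet:
            raise Denied(f"illegal characters in {key}")


def mask(record, role):
    """Replace every field the role is not entitled to see."""
    visible = VISIBLE.get(role, set())
    return {k: (v if k in visible else "***") for k, v in record.items()}


def audit_line(identity, role, tool, args, decision):
    """One JSON object per event; json.dumps escapes newlines in hostile input."""
    return json.dumps({"who": identity, "role": role, "tool": tool,
                       "args": args, "decision": decision}, default=repr)


def guarded_call(identity, role, tool, args):
    """Authorize, validate, execute, mask, and always write an audit record."""
    decision = "deny"
    try:
        if not isinstance(tool, str) or tool not in ROLE_TOOLS.get(role, set()):
            raise Denied(f"role {role!r} may not call {tool!r}")
        validate_args(tool, args)
        decision = "allow"
        record = TOOL_IMPLS[tool](args)
        if record is None:
            return {"isError": True, "text": "customer not found"}
        return {"isError": False, "data": mask(record, role)}
    except Denied as exc:
        return {"isError": True, "text": str(exc)}
    finally:
        # Runs on every path, so denied attempts are recorded as well.
        audit.info(audit_line(identity, role, tool, args, decision))
```

The guard denies by default: a role, tool or argument that is not explicitly listed is rejected, and the rejection is logged with the caller's identity.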
Is MCP Server Free?
Yes. The Model Context Protocol is an open-source standard — anyone can build, deploy, and use MCP servers without licensing fees.
The official SDKs for Python, TypeScript, Java, Go, Rust, and other languages are freely available. Community-built servers on GitHub are open source. Running a local MCP server on your own machine costs nothing beyond compute resources.
For cloud-hosted servers, costs depend on the provider. The AWS MCP Server, for example, has no additional charges for the MCP layer itself — you pay only for the underlying AWS resources consumed. Similarly, Figma's remote MCP server is included with paid Figma plans.
The main cost consideration for enterprises is operational: building custom MCP servers for internal systems, maintaining them as schemas evolve, and implementing the security and governance layers needed for production deployment.
MCP Server FAQ
What is an MCP server? An MCP server is a program that exposes tools, data, and interaction templates to AI applications through the Model Context Protocol. It acts as a standardized bridge between AI models and external systems like databases, APIs, and SaaS platforms.
What is the difference between MCP and API? APIs define structured endpoints for software-to-software communication. MCP servers provide an AI-native interface layer that enables models to dynamically discover and invoke capabilities based on user intent. MCP servers typically wrap existing APIs, adding discoverability, typed schemas, and human-in-the-loop controls designed for AI agent workflows.
What is the difference between MCP and MCP server? MCP (Model Context Protocol) is the open standard — the specification that defines how clients and servers communicate. An MCP server is an implementation of that standard — a running program that follows the protocol to expose capabilities from a specific system or service.
Does ChatGPT use MCP? Yes. OpenAI added MCP support to ChatGPT through Developer Mode, allowing it to connect to MCP servers via Apps (formerly Plugins). This enables ChatGPT to interact with external tools and data sources using the same protocol supported by Claude, VS Code, Cursor, and other MCP-compatible clients.
Is MCP server free? The protocol and SDKs are open source and free to use. Running local MCP servers is free. Cloud-hosted MCP servers may incur costs based on the underlying infrastructure, but the MCP layer itself is not a paid product.
What MCP servers exist? Hundreds of MCP servers are available across categories including file systems, databases, cloud services (AWS, Cloudflare, Supabase), design tools (Figma), development tools (GitHub, Playwright), communication (Slack), and more. Directories like mcpservers.org maintain up-to-date catalogs.
How do I set up an MCP server? Install an MCP SDK for your language (Python, TypeScript, Java, etc.), define tools and resources as functions, and configure your MCP host (Claude Desktop, VS Code, Cursor) to connect to your server. The official documentation at modelcontextprotocol.io provides step-by-step guides for each supported language.
Which AI tools support MCP? Major MCP-compatible hosts include Claude Desktop, Claude Code, ChatGPT (Developer Mode), VS Code, Cursor, Windsurf, Zed, and many others. The ecosystem is growing rapidly, with new clients adding MCP support on a regular basis.
Empower your workforce with secure agents

© 2026 Agen™ | All rights reserved.
Deploy anywhere