What Is MCP? The Model Context Protocol, Explained Simply

Every major AI platform now speaks the same language for plugging into outside tools. Claude, ChatGPT, Gemini, and Copilot all support it. It is called MCP, the Model Context Protocol, and in just over a year it went from an Anthropic experiment to a Linux Foundation standard with 97 million SDK downloads a month.

If you build anything with AI, MCP is fast becoming the plumbing underneath it. This guide covers what MCP is, the problem it solves, how it works, who actually uses it, and where it still breaks. No jargon walls.

What is MCP?

MCP, short for Model Context Protocol, is an open standard that gives AI models one consistent way to discover and use external tools, data, and services. Anthropic released it in November 2024, and it has since become one of the fastest-growing open-source projects in AI. The idea is simple: one shared connector instead of a different cable for every device.

That last part is the whole pitch. Before MCP, wiring an AI app to a tool meant writing bespoke glue code for that exact pairing. MCP turns the connection itself into a standard, so a tool built once works with every compatible AI client.

What problem does MCP solve?

MCP solves the N×M integration problem. Picture five AI apps and four tools: GitHub, Slack, Postgres, and a file system. Connecting each app to each tool directly takes twenty separate integrations, every one with its own auth flow, data format, and schema. Add a new tool or app and it gets worse, fast.

MCP collapses that math from N×M to M+N. Build a tool server once and every compatible AI client can use it. Build a client once and it can talk to every server. Nine clean connections instead of twenty brittle ones.

Before MCPN × M

5 apps × 4 tools = 20 brittle integrations

With MCPM + N

Build once on either side = 9 connections

That shift is why adoption moved so quickly. The pain was real and repeated at every company gluing AI to its stack, and the fix was good enough to standardize.

How does MCP work?

Under the hood, MCP uses JSON-RPC 2.0 as its wire format and follows a three-layer architecture: hosts, clients, and servers. Those three roles are the whole protocol, so they are worth getting straight.

The host is the AI app you actually talk to, like Claude Desktop or Cursor. It manages permissions and routes requests. A client is a connector living inside the host, and each client keeps one private session with exactly one server. A server is the lightweight program that exposes capabilities, running either locally on your machine or remotely in the cloud.

wire format: JSON-RPC 2.0

Host 01

The AI app you actually talk to. It manages permissions and routes every request.

Claude DesktopCursorChatGPTVS Code

↓

Client 02

A connector living inside the host. Each client keeps one private session with exactly one server.

1 client=1 server(1:1)

↓

Server 03

A small program that exposes capabilities. Runs locally on your machine or remotely in the cloud.

Local (Python)Remote (cloud)

Every session opens with a short handshake. The client announces its protocol version and what it supports, the server replies with its own capabilities, and only then does real work begin. If the versions cannot agree, the client disconnects.

Client Server

1. 1 initialize protocol version + capabilities →
2. 2 result capabilities: tools, resources, prompts ←
3. 3 notifications/initialized ready to work →

Session active

The MCP server, explained

An MCP server is the piece most people end up building, so it deserves its own section. It is a small program that publishes what an AI can do: run this tool, read this data, use this prompt template. The host connects to it through a client, and from then on the AI can use whatever the server offers.

Servers come in two flavors. A local server runs as a process on your machine and talks over standard input and output, which is how a filesystem or SQLite server usually works. A remote server runs in the cloud and talks over Streamable HTTP, the transport introduced in the 2025 spec that works behind normal load balancers and plugs into OAuth.

The most-used reference servers cover everyday developer work: filesystem access, GitHub, Postgres, Slack, Google Drive, and browser automation through Playwright. You can install one in minutes and immediately give your AI client live context from a real system, rather than pasting snippets by hand.

Tools, resources, and prompts: MCP’s three primitives

MCP exposes capabilities through three primitives, and the key detail is that each one has a different control model. Get this distinction and the rest of the protocol clicks.

Tools are model-controlled: the AI decides when to call them based on the conversation, like running a query or opening a pull request. Resources are application-controlled: read-only data the host pulls in, such as a log file or a database schema, which the AI never fetches on its own. Prompts are user-controlled: reusable templates you trigger on purpose, often as slash commands.

Model-controlled

Tools

Actions the AI can choose to run, based on the conversation.

• query_database()
• create_issue()
• send_message()

App-controlled

Resources

Read-only data the app pulls in. The AI never fetches these on its own.

• file:///logs/app.log
• postgres://db/users

User-controlled

Prompts

Reusable templates you pick on purpose, often as slash commands.

• /explain
• /debug
• /commit

That separation is a safety feature, not bureaucracy. The model cannot quietly read every resource or fire off a prompt template. It can only reach for tools, and a good host keeps a human able to approve or deny those.

MCP vs APIs: what’s the difference?

This is the question that trips people up, so here is the short answer: MCP is not a replacement for APIs or for function calling. It is the standardized layer that sits on top. An API is how any two systems talk. Function calling is how a model says “I want to run this.” MCP standardizes how that intent gets discovered and executed, across any client.

With plain function calling, your tools are hard-coded into one app, locked to one provider’s format, and your API keys live in that app’s code. With MCP, tools are discovered at runtime, reusable across Claude, ChatGPT, Cursor, and the rest, and credentials stay on the server where the model never sees them.

Who’s using MCP in production

Adoption is the strongest signal that MCP is more than hype. Claude Desktop was the first host. Cursor became the breakout developer story, with people wiring it to GitHub, Postgres, Sentry, Linear, and Figma to feed its coding agent live context. Block open-sourced Goose, a Rust agent framework built on MCP that thousands of its engineers use weekly.

Then the rivals showed up. In 2025, OpenAI added MCP to ChatGPT and its Agents SDK, Google backed it for Gemini, and Microsoft built it across GitHub, Copilot, and Windows. GitHub ships an official server, and AWS supports MCP in Bedrock across many regions. By early 2026 the ecosystem had grown past 10,000 active servers, hundreds of clients, and official SDKs in eight languages.

1. Nov 2024 Anthropic releases MCP
2. Mar 2025 OpenAI adopts it; Streamable HTTP + OAuth land
3. Apr 2025 Google backs MCP for Gemini
4. May 2025 Microsoft joins the steering committee
5. Dec 2025 Donated to the Linux Foundation

The capstone came in December 2025, when Anthropic donated MCP to the Linux Foundation Agentic AI Foundation, co-founded with Block and OpenAI. That move hands MCP the same neutral, vendor-independent governance that backs Kubernetes and PyTorch, which matters when five competing giants all depend on it.

Where does MCP fall short?

MCP is not a silver bullet, and the sharp edges are worth knowing before you bet on it. Three problems come up again and again: token bloat, security, and latency.

Token bloat up to 236×

worst-case input-token inflation when many servers dump their tool definitions into the context window

Security 2 in 3

open-source MCP servers found to follow poor security practices; prompt injection is the top unsolved risk

Latency 300–800ms

baseline overhead per call, before serverless cold starts push it past 2 seconds

Token bloat is the most common headache. Every connected server injects its tool definitions into the context window, burning tokens even when those tools go unused. Researchers measuring this overhead have documented up to 236 times input-token inflation in worst cases, and more tools can actually make a model perform worse, not better.

Security is the part that should give you pause. Prompt injection through MCP is the top unsolved risk. Researchers have demonstrated tool-poisoning attacks, where malicious instructions hidden in a tool’s description are invisible to the user but fully visible to the model, and one analysis found roughly two-thirds of open-source MCP servers followed weak security practices. The spec’s main defense is a recommendation that a human “SHOULD” stay in the loop, and as Simon Willison put it, that “SHOULD” is doing a lot of heavy lifting.

Latency rounds it out. A reported 300 to 800 ms of baseline overhead per call, plus serverless cold starts that can push past two seconds, makes MCP a poor fit for time-critical request paths.

Build your first MCP server in 15 minutes

The fastest way to understand MCP is to build a tiny server. With Python’s FastMCP, a working tool server is about ten lines. Install the SDK with pip install "mcp[cli]", then write this:

from mcp.server.fastmcp import FastMCP

mcp = FastMCP("Demo")

@mcp.tool()
def add(a: int, b: int) -> int:
    """Add two numbers"""
    return a + b

if __name__ == "__main__":
    mcp.run(transport="stdio")

To poke at it, run the MCP Inspector, a browser tool that acts like Postman for MCP: npx @modelcontextprotocol/inspector uv run server.py. It opens a UI showing your tools, resources, and prompts with a live JSON-RPC log. To use the server for real, point your host’s config (such as Claude Desktop) at the script.

One gotcha worth saving you an hour: never use print() in a stdio server. It corrupts the JSON-RPC stream. Log to standard error instead.

So, is MCP worth learning?

For connecting AI to the tools and data developers actually use, nothing else has this level of cross-platform support. MCP went from one company’s experiment to a neutral standard backed by every major AI vendor in about thirteen months. That does not happen unless the problem is real and the answer is good enough.

It is rough around the edges. The security model has real gaps, token bloat is an unsolved tension, and latency limits where you can use it. But the direction is clear, and the smart move is to treat MCP as early infrastructure rather than magic. Learn it now, while you still can, before it becomes the water you swim in.

For the animated walkthrough of all of this, the architecture, the primitives, and the trade-offs in under eight minutes, watch the full explainer on YouTube.