What is the Model Context Protocol? MCP defined
The Model Context Protocol (MCP) is an open protocol that provides a standard way for AI systems, such as LLMs, to interact with external tools, computing services, and data sources. Enabling generative AI tools and AI agents to interact with the world beyond themselves is key to putting autonomous AI to work on real-world tasks. But it’s been a difficult goal for AI developers to realize at scale, with much effort going into complex, bespoke code that connects AI systems to databases, filesystems, and other tools.
Several protocols have emerged recently that aim to solve this problem, and MCP in particular has been adopted at an increasingly brisk pace since Anthropic introduced it in November 2024. With MCP, intermediary client and server programs handle the communication between AI systems and external tools or data, providing a standardized messaging format and a set of interfaces that developers use for integration. In this article, we’ll introduce you to the Model Context Protocol and talk a little about its impact on the world of AI.
What is an MCP server?
Before diving into the details of the different building blocks of MCP architecture, we first need to define the MCP server, since it’s become nearly synonymous with the protocol itself. An MCP server is a lightweight program that sits between an AI system and some other service or data source. The server acts as a bridge, communicating with the AI in a standardized format defined by the Model Context Protocol and with the other service via whatever programmatic interface it exposes.
MCP servers are relatively simple to build, and a wide variety of them, doing everything from querying databases to fetching the latest weather reports, are available on GitHub and elsewhere, free to download and use. This is part of what has made MCP so popular so quickly: Developers and users of all sorts of AI systems found they could put these readily available MCP servers to work on a variety of tasks. And that widespread adoption was made possible by the way MCP servers connect to the AI tools themselves.
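To make this concrete, here’s a minimal sketch of what such a server can look like, using the FastMCP helper from the official MCP Python SDK; the get_weather tool and its canned response are hypothetical stand-ins for a call to a real forecasting API:

```python
# A minimal MCP server sketch using the official Python SDK's FastMCP helper.
# The get_weather tool is a hypothetical stand-in for a real weather API.
from mcp.server.fastmcp import FastMCP

mcp = FastMCP("weather")  # the name this server advertises to clients

@mcp.tool()
def get_weather(city: str) -> str:
    """Return a short weather report for the given city."""
    # A real server would call an external forecasting service here.
    return f"Forecast for {city}: sunny, high of 75F"

if __name__ == "__main__":
    mcp.run()  # defaults to the stdio transport for local clients
```

Pointing a host at a server like this is typically just a matter of adding its launch command to the host’s MCP configuration.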
MCP vs. RAG vs. function calling
MCP isn’t the first technique developed to connect AIs to the outside world. For instance, if you want an LLM to incorporate documents that aren’t part of its training data into its responses, you can use retrieval-augmented generation (RAG), though that involves encoding the target data as vectors and storing them in a vector database.
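As a rough illustration of the RAG pattern, and not of any particular library’s API, the sketch below uses a toy bag-of-words “embedding” and cosine similarity to pick the most relevant document; a production system would use learned embeddings and a real vector database:

```python
# Toy RAG sketch: "embed" documents, retrieve the one closest to the query,
# and prepend it to the prompt. The bag-of-words embedding is illustrative;
# real systems use learned embeddings stored in a vector database.
import math
from collections import Counter

def embed(text: str) -> Counter:
    return Counter(text.lower().split())

def cosine(a: Counter, b: Counter) -> float:
    dot = sum(a[w] * b[w] for w in a)
    norm = math.sqrt(sum(v * v for v in a.values())) \
         * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

documents = [
    "Our refund policy allows returns within 30 days of purchase.",
    "Support hours are 9am to 5pm Pacific, Monday through Friday.",
]
index = [(doc, embed(doc)) for doc in documents]  # stand-in for a vector DB

query = "When can I return an item?"
best_doc, _ = max(index, key=lambda pair: cosine(embed(query), pair[1]))

# The retrieved document is injected into the prompt sent to the LLM.
prompt = f"Answer using this context:\n{best_doc}\n\nQuestion: {query}"
print(prompt)
```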
Many LLMs are also capable of what’s variously known as function calling or tool use. The LLM can recognize when a user prompt or other input requests functionality that requires a helper tool; instead of a natural-language response, it provides the appropriate commands to invoke that tool. So, for instance, if you asked a general-purpose chatbot about the climate in Los Angeles, it could almost certainly give you that information from its training data; but if you asked what the weather in Los Angeles was going to be tomorrow, it would need to connect to a service that provides weather forecasting data.
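Schematically, and with field names that are illustrative rather than tied to any vendor’s API, a tool-use exchange has two halves: the application advertises a tool schema to the model, and the model answers with a structured call instead of prose:

```python
# Illustrative function-calling exchange; exact field names vary by vendor.
# The application advertises a tool schema to the model...
weather_tool = {
    "name": "get_weather",
    "description": "Get tomorrow's forecast for a city",
    "parameters": {  # JSON Schema describing the tool's arguments
        "type": "object",
        "properties": {"city": {"type": "string"}},
        "required": ["city"],
    },
}

# ...and when a prompt calls for it, the model emits a structured call
# rather than a natural-language answer. The application runs the tool
# and feeds the result back into the conversation.
model_output = {
    "tool_call": {"name": "get_weather", "arguments": {"city": "Los Angeles"}}
}
```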
This connection task was far from impossible: After all, LLMs are, at heart, text generators, and the commands these services expect take the form of text. But building out the tools necessary to connect LLMs to outside services turned out to be a daunting task, and many developers found themselves reinventing the wheel each time they had to code a connector.
“If you were doing tool calling a year ago, every agentic framework had its own tool definition,” says Roy Derks, Principal Product Manager, Developer Experience and Agents at IBM. “So if you switched frameworks, you’d have to redo your tools. And since tools are just mappings to APIs, databases, or whatever, it was hard to share them.”
MCP builds on LLMs’ capability to make function calls, providing a much more standardized way to connect to services and data sources. “The LLM is not aware of MCP,” Derks says. “It only sees a list of tools. Your agentic loop, however, knows the mapping of the tool name to MCP, so it knows MCP is my mode of calling tools. If my get-weather tool is being called or suggested by the large language model, it knows it should call the get-weather tool and then, if this happens to be a tool from an MCP server, it uses the MCP client-server connection to make that tool call.”
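Here’s a rough sketch of the loop Derks describes, using the client classes from the official MCP Python SDK; the server script, the tool name, and the ask_llm() stub are hypothetical stand-ins for the host’s real model integration:

```python
# Sketch of an agentic loop routing a model's tool call through MCP.
# weather_server.py, the tool name, and ask_llm() are hypothetical.
import asyncio
from dataclasses import dataclass
from mcp import ClientSession, StdioServerParameters
from mcp.client.stdio import stdio_client

@dataclass
class ToolCall:
    name: str
    arguments: dict

def ask_llm(prompt: str, tools) -> ToolCall | None:
    # Stand-in for the real model call: a production loop would send the
    # prompt plus the tool schemas to the LLM and parse its structured reply.
    return ToolCall("get_weather", {"city": "Los Angeles"})

async def main() -> None:
    params = StdioServerParameters(command="python", args=["weather_server.py"])
    async with stdio_client(params) as (read, write):
        async with ClientSession(read, write) as session:
            await session.initialize()
            tools = await session.list_tools()  # goes into the prompt context

            # The LLM sees only the tool list; if it suggests a tool call,
            # the loop knows to dispatch it over this MCP session.
            call = ask_llm("What's the weather in LA tomorrow?", tools.tools)
            if call is not None:
                result = await session.call_tool(call.name, call.arguments)
                print(result.content)

asyncio.run(main())
```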
MCP architecture: How MCP works
Now we’re ready to take a look in more detail at the different components that make up the MCP architecture, and how they work together.
- An MCP host is the AI-based application that will be connecting to the outside world. When Anthropic rolled out MCP, the company built it into the Claude desktop application, which became one of the first MCP hosts. But hosts aren’t limited to LLM chatbots — an AI-enhanced IDE could serve as a host as well, for instance. A host program includes the core LLM along with a variety of helper programs.
- An MCP client is, for our purposes, the most important of these helpers. Each LLM needs a client that’s been customized to accommodate the way it calls tools and consumes data. However, all MCP clients provide a standard set of services to their hosts. They discover accessible servers and report back on the tools those servers offer and the parameters required to call them; all of that information goes into the LLM’s prompt context. When the LLM recognizes user input that should trigger a call to an available service, it uses the client to send a request for that service to the appropriate MCP server.
- We’ve already discussed the MCP server, but now you have a better sense of how it fits into the bigger picture. Each server is built to communicate with a data source or external service in a language that service understands, and communicates with the MCP client in accordance with the Model Context Protocol, serving as a middleman between the two.
- The MCP transport layer carries the messages between client and server, which take a JSON-RPC-based format defined by the protocol (see the sketch after this list). Note that a server might run locally on the same machine as the client, or might run online and accept client connections over the internet; in the former scenario, client-server communications take place via stdio, and in the latter, via streamable HTTP.
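To give a sense of what travels over that transport, here are hypothetical JSON-RPC 2.0 messages for a tool call, shown as Python dicts (discovery uses the same envelope with the tools/list method):

```python
# Roughly what moves across the MCP transport: JSON-RPC 2.0 messages.
# The tool name and payload here are hypothetical examples.
request = {
    "jsonrpc": "2.0",
    "id": 2,
    "method": "tools/call",
    "params": {"name": "get_weather", "arguments": {"city": "Los Angeles"}},
}

response = {
    "jsonrpc": "2.0",
    "id": 2,
    "result": {
        "content": [{"type": "text", "text": "Forecast for Los Angeles: sunny"}]
    },
}
```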
The figure below illustrates how these components all work together. As noted, servers can run either locally or remotely relative to clients; servers can also connect to either local or remote services.
MCP server ecosystem
The increasing popularity of MCP is largely due to the wide variety of servers available free of charge to anyone who wants to use them. And while having all these components in the architecture might at first seem more complex than simply connecting an LLM directly to an outside service, MCP’s modularity, portability, and standardization make everything much easier for developers:
- An MCP server can communicate with any AI application that includes a properly implemented MCP client. That means that if you want to expose your service for access by AI agents, you can write a single server and know it will work across different types of LLMs.
- Conversely, while an MCP client must be tailored to a specific host, it can connect to any properly implemented MCP server. There’s no need to figure out how to connect your specific LLM to Google Docs, or a MySQL database, or a weather forecasting service; you just need to create an MCP client and it can, via MCP servers, connect to services of all types.
To take a deep dive into the ecosystem of MCP servers, check out the protocol’s GitHub repo.
MCP security issues
Just about any method that opens up new lines of communication also provides potential new avenues for attackers. When MCP first launched, it mandated session identifiers in URLs, a big security no-no; it also lacked message-signing and verification mechanisms, which left messages open to tampering.
Many of these vulnerabilities have been patched in subsequent updates, but others are harder to eliminate; and the fact that so many people simply use MCP servers they find online increases the risk that misconfigured or outright malicious servers will make it into production. For more on this topic, read “MCP is fueling agentic AI — and introducing new security risks” at CSO Online.
What’s ahead for MCP?
Nevertheless, MCP’s utility and ease of use are overriding security concerns and ensuring that the technology will be around for some time to come. What’s on the horizon for the protocol? IBM’s Derks says that enterprises are starting to build tooling and develop strategies to manage the proliferating MCP servers that AI agents will be making use of.
“One interesting pattern is the composition and orchestration of MCP servers,” he says. “What we see a lot is, instead of people connecting multiple MCP servers to a single client, they orchestrate multiple MCP servers into a single server and then connect that server to a client. If you think about clients on the left and servers on the right, there are some patterns emerging on the right to reduce the number of MCP servers needed, so as to reduce clutter — because if you provide 100 tools to a model, it’s going to get confused.
“That’s what I see a lot of the enterprise interest moving towards,” Derks adds. “How do you orchestrate and arrange all these servers, rather than how do you build the best possible client.” MCP is still in its early days, but expect enterprises to adapt quickly to keep up.
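To illustrate, here’s one hypothetical shape that composition pattern could take, again using the official MCP Python SDK; the gateway name, file paths, and the single proxied tool are all illustrative:

```python
# Hypothetical sketch of the composition pattern: a single "gateway" MCP
# server that re-exposes a tool from a backend MCP server, so the client
# connects to one endpoint. Names and paths are illustrative.
from mcp import ClientSession, StdioServerParameters
from mcp.client.stdio import stdio_client
from mcp.server.fastmcp import FastMCP

gateway = FastMCP("gateway")

@gateway.tool()
async def get_weather(city: str) -> str:
    """Forward the call to a dedicated weather MCP server."""
    params = StdioServerParameters(command="python", args=["weather_server.py"])
    async with stdio_client(params) as (read, write):
        async with ClientSession(read, write) as session:
            await session.initialize()
            result = await session.call_tool("get_weather", {"city": city})
            return result.content[0].text  # assumes a text content item

if __name__ == "__main__":
    gateway.run()
```

A production gateway would keep backend sessions open and curate which tools it exposes, rather than spawning a server per call, but the client-facing effect is the same: one connection, many services behind it.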