What Is MCP? Architecture, Components & How It Works (2026)
The complete 2026 guide to Model Context Protocol: definition, architecture (host, client, server, gateway), 3 capabilities, transports, and security.
TL;DR
Model Context Protocol (MCP) is an open standard that lets AI models and agents talk to your tools, data, and APIs through one shared interface, instead of one custom integration per model. Released by Anthropic in November 2024 and now supported by OpenAI, Microsoft, and Google, MCP uses a client-server architecture over JSON-RPC 2.0 to expose tools, resources, and prompts in a secure, auditable way.
Enterprise AI is no longer limited by model performance. The real challenge today is providing models with the right context at the right time. As LLMs like ChatGPT, Claude, or Gemini expand into production environments, they often operate with limited visibility into the systems they support. Without access to the current state, live tools, or structured data, even the most capable models can produce inconsistent or incomplete results.
The Model Context Protocol (MCP), introduced by Anthropic, is designed to close that gap. It offers a standardised way for AI applications to access external tools, APIs, and services. MCP allows models to retrieve and use contextual information through a shared, governed interface.
MCP uses a clean client-server architecture. Clients, such as AI-powered agents, can request actions or data from servers that expose them in a structured way. It keeps systems modular, scalable, and easier to govern at scale. Now, let’s break down how MCP works, where it fits into modern architecture, and what enterprise teams should evaluate before adopting it.
What is model context protocol (MCP)?
Model Context Protocol (MCP) enables secure two-way communication between AI systems and data sources. Developers can host data on MCP servers or build AI clients to connect with them. Operating at the system interface layer, MCP replaces tightly coupled integrations by routing requests dynamically. It governs data structure, sharing criteria, and access conditions, enhancing modularity, reducing redundancy, and simplifying scalable cross-system AI interactions.
The origins and development of MCP
Anthropic introduced the Model Context Protocol (MCP) in November 2024 as an open standard for connecting AI assistants to real systems. At that time, even advanced models struggled to access tools or data beyond static prompts. MCP was built to fix that gap with a structured and reusable interface.
Before MCP, teams built one-off connectors between every model and system, which Anthropic called the “N×M” problem. Stopgap solutions like plugins or function-calling APIs helped, but only in platform-specific ways. MCP offered a consistent protocol for exposing tools and exchanging context across systems.
Key design principles and protocol foundations
Model Context Protocol was built to support interoperability, modularity, and runtime context exchange across AI ecosystems. It’s structured to be platform-neutral and easy to adopt.
- Uses JSON-RPC 2.0 for transport to maintain consistency across environments.
- Reuses message flow logic from the Language Server Protocol (LSP).
- Supports bidirectional communication between assistants and tools.
- SDKs are provided in Python, TypeScript, Java, and C#.
- Designed for structured access to external tools, not just passive context retrieval.
- Keeps permission, visibility, and state management within the protocol itself.
MCP vs API vs RAG vs Function Calling: what's actually different
If you've worked with AI integrations before, you've probably hit at least one of these patterns: REST APIs, function calling, or retrieval-augmented generation (RAG). MCP overlaps with all three, but it isn't a replacement for any of them. It's a coordination layer that sits above them.
Here is how the four patterns compare side by side:
A few points worth pulling out:
- MCP vs REST API: A REST API exposes endpoints designed for developers to read documentation and write code against. MCP exposes the same underlying functionality as self-describing tools that a model can discover and reason about at runtime. You don't replace your API; you wrap it in an MCP server so AI agents can use it without bespoke glue code.
- MCP vs Function Calling: Function calling is how a single model (Claude, GPT, Gemini) invokes pre-registered functions. MCP is how any model connects to any function source. If function calling is the language a model speaks to its hands, MCP is the standardized hand that fits every model.
- MCP vs RAG: RAG retrieves text into the model's context window so it can answer questions about it. MCP lets the model do something: file a ticket, run a query, send a message, update a record. They're complementary. RAG grounds the model in knowledge; MCP gives it agency.
- MCP vs A2A (Agent-to-Agent): A2A protocols (like Google's A2A) coordinate communication between agents. MCP coordinates communication between an agent and its tools. Most production systems will use both.
Why MCP is crucial in AI integration?

Model Context Protocol (MCP) is important in AI integration because it simplifies how AI models interact with external data, tools, and services. It provides a standardised way for AI to access context and makes integrations easier, more flexible, and secure.
Here are the reasons why MCP is important:
1. Cuts operational costs and duplication
MCP directly lowers operational costs by cutting out repetitive integration work. Instead of building custom connectors for every model-tool pair, developers implement a single Model Context Protocol interface that can serve multiple assistants. This reuse leads to faster deployment cycles, leaner engineering demands, and a stronger return on investment.
2. Gives models structured access to context
Without access to state or system context, even the best models operate in isolation. MCP turns context into a first-class input. Instead of prompt injections or hacks, assistants can request structured data or functions through a secure interface. That makes behaviour more predictable and aligned to the task.
3. Makes architectures modular
MCP is built on a clean client-server model, which separates orchestration from execution. Tools can be added or updated independently, without breaking model logic. This kind of modularity supports long-term maintainability and makes system evolution easier as needs change.
4. Strengthens security and governance
Every request routed through Model Context Protocol carries structure and permissions. Enterprises can define access levels, usage boundaries, and execution rules. That reduces exposure and helps AI systems operate safely in regulated environments.
5. Speeds up deployment and experimentation
With SDKs in Python, TypeScript, Java, and C#, MCP is accessible to most engineering teams out of the box. It removes low-level protocol work, so teams can focus on building workflows, not wiring up systems. Faster iteration means better outcomes.
6. Supports multi-agent and tool coordination
As architectures move toward agent-based systems, shared access becomes critical. MCP allows multiple agents to interact with the same toolset, without stepping on each other’s state or triggering conflicts. That coordination layer helps larger systems behave more like unified applications.
7. Future-proof AI system design
Because Model Context Protocol is open and transport-agnostic, teams aren’t locked into any model or vendor. It uses JSON-RPC 2.0 and follows a design pattern inspired by the Language Server Protocol. That makes switching models or evolving the stack easier, with no code rewrites.
What is the architecture of MCP? Host, client, server, gateway explained
MCP is built on a client-server architecture that defines how AI systems interact with tools and services in a structured, permission-aware way. Each component plays a focused role, and together, they form a modular system that scales across use cases and environments.
Here are the key components of MCP:
1. Host
The Host is the user-facing application where interaction begins. It could be a chat interface, a developer tool, or a domain-specific app. Its core role is to manage user inputs, initiate requests to MCP Servers, and coordinate outputs.
Hosts also handle permissions and overall flow. For example, tools like Claude Desktop or Cursor act as Hosts, letting users engage with LLMs while triggering tools through MCP. Other Hosts may be purpose-built apps using libraries like LangChain or smolagents.
2. Client
The Client lives inside the Host and acts as a protocol-aware bridge to a specific MCP Server. Each Client maintains a one-to-one connection with one Server. Its job is to handle the transport logic, structure requests, manage session state, and interpret server responses.
Clients abstract away the low-level communication, allowing Hosts to work with remote tools through a consistent interface. This modularity keeps the logic inside Hosts clean and reusable, even as the number of tools or servers grows.
3. Server
The Server is the tool-facing side of Model Context Protocol. It exposes services, data, or functions in a way that Clients can discover, call, and interpret. Servers can wrap local scripts, external APIs, or cloud services and they don’t need to know anything about the AI system using them.
MCP Servers register their capabilities in a standardized format, enabling Clients to navigate and use them securely. They can be deployed locally or remotely, depending on infrastructure needs.
The 4th role: the gateway
Most enterprises that adopt MCP at scale add a gateway between clients and servers. The gateway is an optional protocol-level role but a required operational role in production. It enforces the controls that the protocol specification deliberately leaves out: registry, identity propagation, policy decisions, observability, lifecycle, and compliance evidence.
How an MCP message flows from prompt to tool call
The protocol uses JSON-RPC 2.0 messages over one of four transports (stdio, SSE, Streamable HTTP, custom). A typical interaction:
- Host launches. The client inside the host opens a connection to the server.
- Capability handshake. The client sends
initialize, the server returns its declared capabilities. - Discovery. The client calls
tools/list,prompts/list,resources/listto surface available capabilities to the LLM. - Tool selection. The model reads the descriptions and decides which tool to call.
- Tool invocation. The client sends
tools/callwith the tool name and parameters. The server executes and returns the result. - Response handling. The client returns the result to the model, which incorporates it into the next turn.
- Session continues. The connection stays open. The model can call more tools, read more resources, or invoke prompts as the conversation continues.
In enterprise deployments, every step in this flow goes through the gateway, which applies policy at discovery, identity propagation at tool invocation, and audit at every message.
What are the architectural components of MCP?
Every MCP deployment has the same four architectural layers: the host environment, the client connector, the server runtime, and (in production) the gateway control plane. Each layer has its own components that you can build, buy, or assemble.
1. Host components (the AI application)
The host handles conversation management (chat UI, message history, context window assembly), model invocation (the LLM call with system prompts and tool definitions), client lifecycle (launching MCP clients, managing connections, surfacing errors), tool surfacing (rendering available tools, prompts, and resources to the user), and authorization UX (OAuth flows, consent screens, scope display).
Client components (the connector)
The client handles the protocol handshake (sending initialize, receiving capability declarations), transport handling (stdio, SSE, or Streamable HTTP framing), JSON-RPC message framing, capability negotiation (matching what the host wants with what the server offers), reconnection logic, and error normalization. Official SDKs (TypeScript, Python, Java, .NET) handle most of this for you.
Server components (tools, prompts, resources)
The server handles capability declaration (announcing tools, prompts, and resources at handshake), tool execution (running the actual code when tools/call arrives), resource serving (returning data when resources/read arrives), prompt templating, authentication (often via OAuth 2.1), and transport hosting (stdio for local servers or HTTP for remote servers). Each server typically wraps a single external system. For a curated list of 25 production-ready MCP servers grouped by category, see our comprehensive MCP server guide.
Gateway components (the enterprise control plane)
In production deployments, the gateway adds the server registry (allowlist with version pinning and per-tenant scoping), the identity layer (OAuth 2.1 with token isolation and per-tool token scoping), the policy engine (tool-level RBAC and ABAC, content filtering, rate limits, human-in-the-loop gates), observability (per-call audit logging, selection rationale capture, trace correlation), lifecycle workflows (submission, vetting, staged promotion, deprecation), and compliance evidence (automated pulls into the GRC tool for SOC 2, HIPAA, EU AI Act). The complete gateway reference architecture (10 components, 6-stage request lifecycle, two-plane control/data design) is in MCP gateway architecture explained.
The capability negotiation handshake
When a client connects to a server, the first message is initialize. The server responds with its serverInfo and capabilities object. The capabilities tell the client what the server can do: which methods it supports, whether it offers tools, whether it offers prompts, whether it offers resources, whether it supports subscriptions. This negotiation is what makes MCP dynamic. The client does not have to know in advance what a server offers. It asks at connection time. New tools added to a server appear without changing the client.
Local vs remote MCP servers: stdio, SSE, and streamable HTTP
MCP servers can run two ways: locally on the same machine as the host, or remotely behind a network boundary. The choice of transport changes everything about how you secure, scale, and operate them.
Three transports you'll see in practice:
- stdio (standard input/output): The original local transport. The host launches the server as a child process and they exchange JSON-RPC messages over stdin/stdout. Fast, simple, no network, no auth required at the transport level. Best for desktop clients (Claude Desktop, Cursor, local Claude Code) and trusted developer environments.
- HTTP + SSE (Server-Sent Events): The first remote transport, introduced in early 2025. Uses a long-lived SSE stream from server to client, with HTTP POST from client to server. Functional but operationally awkward: SSE connections are hard to load-balance, hard to authenticate cleanly, and don't play nicely with corporate proxies. Officially deprecated in favor of streamable HTTP, but still widely deployed.
- Streamable HTTP: The current official remote transport (introduced March 2025). One HTTP endpoint handles both directions, with optional streaming. Works with standard load balancers, gateways, and observability stacks. Supports stateless mode for horizontally scaled deployments. This is what new remote MCP servers should target.
When to use which:
- Use stdio when: the server runs on the same machine as the agent, you're prototyping, or you're building a desktop integration.
- Use streamable HTTP when: the server is shared, multi-tenant, behind a gateway, or needs to scale across nodes. Anything you'd put behind a load balancer.
- Avoid SSE for new builds: maintain it only for backward compatibility.
What changes once you go remote:
- Auth becomes mandatory: OAuth 2.1 with PKCE is the recommended pattern. Tokens must be scoped per server and per tool.
- Rate limiting and quotas: local servers don't need them; remote ones do, per user and per agent.
- Observability gets harder: you need request tracing across the host, client, server, and any downstream APIs the server calls.
- Governance is now a platform problem: a single agent can hit dozens of remote MCP servers in one session. Without a gateway or registry, you lose visibility and policy control.
This is where an API management platform like DigitalAPI earns its keep. Treating remote MCP servers as first-class managed APIs (with auth, rate limits, observability, and governance) is the difference between a controlled rollout and shadow MCP everywhere.
A concrete example: how an AI agent resolves a support ticket with MCP
Abstract architecture is easier to grasp with a real workflow. Here is a single end-to-end example that touches every part of the protocol.
The scenario: a customer files a Zendesk ticket saying their invoice is wrong. An AI support agent is configured with three MCP servers: Zendesk, the billing system, and Slack.
Step 1: Discovery. When the agent session starts, the MCP host launches three MCP clients, one per server. Each client calls the server's tools/list, resources/list, and prompts/list methods to discover what's available. The model now knows it has zendesk.get_ticket, billing.lookup_invoice, slack.post_message, and so on, with their JSON schemas.
Step 2: Reading the ticket. The model decides to call zendesk.get_ticket with the ticket ID. The MCP client forwards the call as a JSON-RPC request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "tools/call",
"params": {
"name": "zendesk.get_ticket",
"arguments": { "ticket_id": "INC-48211" }
}
}The Zendesk MCP server validates the token, hits the Zendesk REST API, and returns the structured ticket back to the client.
Step 3: Reasoning across tools. The model reads the ticket, identifies the customer ID, then calls billing.lookup_invoice. The billing server queries the internal billing database and returns the invoice. The model spots a duplicate charge.
Step 4: Action with human-in-the-loop. Rather than refunding directly, the agent posts a summary to a #billing-disputes Slack channel via slack.post_message, with a structured payload that the on-call billing engineer can approve or reject.
Step 5: Audit. Every tool call, by every agent, with every argument, is logged through the gateway. If anything goes wrong, there's a single source of truth.
What makes this work is not the model and not any one server. It's the protocol. The agent didn't need custom code for Zendesk, for billing, or for Slack. It discovered the tools at runtime, used them through one consistent interface, and the platform team kept the whole thing observable and governed.
How to implement MCP in your systems?

To implement MCP, teams should prioritise clarity in tool design, strict security, and modular architecture. These elements ensure stable and scalable integration across different AI environments.
Here’s how to approach MCP implementation with confidence:
1. Define tools with clarity and constraints
Each MCP tool should describe its exact function, expected inputs, and outputs in a structured form. Use clear naming, typed arguments, and schemas like JSON Schema to define how your tools behave. When you scope definitions precisely, models can generate valid requests and avoid failures caused by vague or incomplete arguments.
2. Apply security controls by default
You should use OAuth 2.1 to authenticate users and apply the least privileged access to every available tool. Avoid hard-coded tokens and store secrets outside your codebase. This approach limits unintended actions and gives you clear visibility into how models interact with sensitive systems.
3. Connect only what’s relevant
Don't expose every tool by default. Instead, match tools to the user’s current task or system role. By limiting access based on intent, you narrow the model’s decision space, avoid invalid calls, and make it easier for your team to trace and debug requests.
4. Validate behaviour with real context
If you're testing integrations, use data snapshots that simulate real operational states. Avoid relying on mock responses alone. Testing with full workflows helps you identify unexpected behaviours and confirms that tool responses align with the model’s interpretation of context.
5. Use what already exists
You don’t need to build everything from scratch. Anthropic and the open-source community provide ready-made Model Context Protocol servers for platforms like Slack and Google Drive. These are already compatible with core SDKs, and using them can help you move faster with fewer protocol-level issues.
6. Design for change and growth
Structure your implementation so that communication logic, tool definitions, and orchestration remain decoupled. As MCP evolves, you’ll want to isolate the parts of your system that may require updates. This reduces rework and makes your stack easier to maintain over time.
7. Stay connected with the ecosystem
Follow MCP development through GitHub, changelogs, and discussions around upcoming changes. Staying active in the ecosystem gives you visibility into compatibility shifts and lets you contribute insights from your own deployments. The more you engage, the more resilient your implementation becomes.
What security measures should be considered in MCP?
Giving AI models access to tools and services through the Model Context Protocol changes how trust, context, and permissions are managed. This convenience introduces new attack surfaces that require deliberate security planning.
Below are five high-priority threats and the specific security measures that can help contain them:
1. Token theft and account takeover
Stored OAuth tokens can be reused without triggering standard login warnings. If stolen, an attacker can impersonate the user and maintain access indefinitely. Password changes often don’t help, because OAuth tokens are still valid until manually revoked or expired by system policy.
Key Security Measures:
- Store tokens in encrypted, isolated environments
- Use short token lifespans with automatic expiration
- Revoke tokens on logout, reset, or anomaly detection
- Monitor activity by IP, location, and behavior patterns
2. MCP server compromise
Model Context Protocol servers often hold credentials for multiple systems. If compromised, attackers can access every linked tool including email, calendars, and storage without needing to hack each one individually. This single point of entry increases the overall blast radius of any breach.
Key Security Measures:
- Containerise and isolate each server deployment
- Enforce network restrictions with tight inbound rules
- Apply least-privilege scopes to every integration
- Enable logging and alerts for privileged operations
3. Prompt injection attacks
AI assistants interpret natural language to trigger tools. Attackers can insert hidden commands in regular-looking text. The model may read the message, misinterpret the intent, and take action without the user realising it. This breaks traditional boundaries between viewing and executing.
Key Security Measures:
- Sanitise and validate input before processing
- Limit which model outputs can invoke the tools
- Require confirmation for any sensitive or persistent operation
- Train users not to share untrusted or unclear content
4. Excessive permission scope
MCP integrations often ask for full access to simplify development. That becomes a liability during token loss. If a tool only needs read access but has full write privileges, even a minor compromise can lead to serious damage across connected systems.
Key Security Measures:
- Use OAuth scopes scoped tightly to the task
- Avoid granting edit or delete access by default
- Separate privilege levels by role and integration
- Review permissions during regular audits or refactors
5. Cross-Service data aggregation
When multiple services connect to a single model, they can access and correlate information across domains. This unified view enables profiling, behavioural inference, or surveillance even if only one token is compromised. It amplifies the risk of what seems like limited access.
Key Security Measures:
- Segment tokens across use cases and endpoints
- Require consent before combining multiple data sources
- Monitor which services are queried together
- Avoid unnecessary context sharing unless functionally required
From API to MCP server: what the conversion actually looks like
You don't need to rewrite your systems to use MCP. Most enterprises adopt MCP by wrapping the APIs they already have. The question is how much of that wrapping you build by hand and how much a platform does for you.
What needs to happen to turn a REST API into an MCP server:
- Endpoint to tool mapping: Each meaningful operation in your API becomes an MCP tool with a name, description, and JSON Schema input. A
POST /ticketsendpoint becomes acreate_tickettool. - Resource modeling: Read-only data your agent should be able to browse (catalogs, knowledge bases, customer records) becomes MCP resources with URIs, not tools.
- Schema translation: Your OpenAPI request and response schemas need to become MCP-compatible tool schemas, with descriptions written for a model to read rather than a developer.
- Auth bridging: Your API likely uses an API key or OAuth flow. The MCP server needs to accept an MCP-side OAuth 2.1 token and exchange or proxy it for whatever your API expects.
- Transport: You pick stdio for local use or streamable HTTP for remote, and stand up the right endpoint.
- Tool description hygiene: Tool descriptions are read by the model and influence behavior. They need to be clear, scoped, and free of phrasing that could be hijacked by injection attacks.
- Lifecycle: Versioning, deprecation, change communication, and contract tests, just like any API.
Done by hand, this is a few days of work per service, plus ongoing maintenance. Done at scale, across dozens of internal APIs, it becomes a platform problem.
If you're thinking about converting a handful of internal APIs into MCP servers and you want to see what the governed version looks like, book a demo.
What does "MCP-ready" actually mean?
A platform, API, or organization is MCP-ready when it can safely and consistently let AI agents use its capabilities through the Model Context Protocol, without bespoke work per agent or per use case.
For an API or service, MCP-ready means
- Tool and resource definitions: every meaningful capability is exposed as a discoverable MCP primitive with clear, model-readable descriptions.
- Transport support: streamable HTTP for remote agents, stdio where local use makes sense.
- OAuth 2.1 auth: scoped tokens, per-tool or per-server, with refresh and revocation.
- Schema versioning: changes don't silently break agents.
- Observability: every tool call is logged with caller identity, arguments, and outcome.
For a platform, MCP-ready means all of the above, plus
- A central registry: agents and developers can discover available MCP servers in one place.
- Policy enforcement: rate limits, data classification rules, and per-agent permissions applied at the gateway, not inside each server.
- Lifecycle management: publishing, versioning, deprecating, and monitoring MCP servers the same way you manage APIs.
- Compliance posture: audit trails, residency controls, and certifications appropriate to your industry (ISO 27001, SOC 2, HIPAA, and so on, depending on your scope).
For an enterprise, MCP-ready means
- A clear policy on which MCP servers are approved, who can install them, and where.
- A managed gateway for all remote MCP traffic.
- A defined process for converting internal APIs into MCP servers, including security review.
If you can answer all of those with a process and a platform rather than a person, you're MCP-ready.
Convert your APIs to MCP in one click with DigitalAPI
As enterprises embed AI into operations, the need for secure and scalable context delivery becomes urgent. Model Context Protocol (MCP) creates a standard interface between AI systems and external tools, simplifying connections and reducing integration complexity.
DigitalAPI strengthens this foundation by embedding security into every layer of implementation. It ensures AI systems operate within clear access boundaries, structured token management, and traceable execution flows. With DigitalAPI, deployment practices stay aligned with compliance and governance expectations from day one.
See DigitalAPI in action and deploy MCP with clarity, control, and confidence.
FAQs
1. Is MCP compatible with all AI models?
MCP is model-agnostic by design. Any model or agent runtime that implements the protocol can use any MCP server. Anthropic released the spec, and OpenAI, Microsoft, and Google have since added support to their major products. In practice, this means you can swap models without rewriting your tool integrations.
2. Where can I find resources to implement MCP?
The official specification, SDKs, and sample servers are at modelcontextprotocol.io. Official SDKs are available for Python, TypeScript, Java, and C#. There is also a growing public registry of community MCP servers for popular tools.
3. Are there any costs associated with using MCP?
The protocol itself is open and free. Costs come from what you build on top of it: compute for your MCP servers, model inference for the agent, and (for enterprises) the management layer that handles auth, governance, and observability across servers.
4. Are MCP servers secure?
The protocol provides the building blocks (auth, scoped tokens, structured tool definitions), but security depends on how you deploy and manage them. The main risks are tool poisoning, prompt injection through returned content, and excessive scope. Running MCP servers behind a managed gateway, with OAuth 2.1 and centralized policy, addresses most of them.
5. What's the difference between MCP and an API?
A REST API is designed for developers writing code. MCP is designed for AI clients reasoning at runtime. The same underlying capability (creating a ticket, querying a database) can be exposed as both. MCP doesn't replace your APIs; it gives AI agents a standard way to use them.
6. What's the difference between MCP and a CLI?
A CLI is a human-driven command interface, scripted manually. MCP is a machine-readable interface that a model discovers and uses autonomously. CLIs are great for deterministic automation; MCP is built for agent-driven, non-deterministic workflows where the model decides what to call.
7. What's the difference between MCP and RAG?
RAG retrieves text and inserts it into the model's context so the model can answer questions about it. MCP lets the model take actions and read live, structured data on demand. They solve different problems and are usually combined: RAG for grounding, MCP for action.
8. Is MCP the same as function calling?
No, although they're related. Function calling is the per-vendor mechanism a model uses to invoke registered functions. MCP is the cross-vendor protocol that standardizes where those functions come from, how they're described, and how they're authenticated. MCP rides on top of function calling capabilities in each model.
9. Why does ChatGPT (or another client) always ask for permission before MCP tool calls?
That's the protocol working as designed. MCP is explicit about user consent: the host is supposed to surface tool calls to the user, especially for write actions, before executing them. Clients can be configured to remember approvals for specific tools, but the default is human-in-the-loop.
10. Can I set permissions per agent for MCP tools?
Yes, but the protocol does not enforce it on its own. Per-agent permissioning is implemented at the host, the gateway, or the server. Enterprise platforms like DigitalAPI enforce per-agent scopes centrally, so you can give one agent read-only access to a tool that another agent can write to.
11. How do I convert an existing API to an MCP server?
You map each API operation to an MCP tool, model read-only data as resources, translate auth into OAuth 2.1, choose a transport (stdio or streamable HTTP), and stand up the server. You can do this by hand with the official SDKs, or use a platform that ingests your OpenAPI specs and produces governed MCP servers automatically.
12. What does "MCP-ready" mean?
At a minimum: tools and resources are clearly defined, the server supports streamable HTTP with OAuth 2.1, calls are logged, and versions are managed. For enterprises, it also means a registry, policy enforcement at a gateway, and a defined lifecycle for publishing and retiring servers.
13. What's the difference between local and remote MCP servers?
Local servers run on the same machine as the agent over stdio. They're fast, simple, and need no network auth. Remote servers run behind HTTP (ideally streamable HTTP) and require proper authentication, rate limiting, and observability. Most enterprise deployments are remote.
14. Does OpenAI support MCP?
Yes. OpenAI added MCP support across its products in 2025, joining Anthropic, Microsoft, and Google. This effectively made MCP a cross-vendor standard rather than an Anthropic-only protocol.
15. Can MCP servers expose write actions, or only read?
Both. The protocol distinguishes between resources (read-only data the model can browse) and tools (actions the model can invoke, including writes). Best practice is to surface write tools through explicit user consent and to enforce least-privilege scopes.
16. How does MCP handle multi-agent coordination?
MCP itself is for agent-to-tool communication, not agent-to-agent. For multi-agent systems, MCP is typically paired with an agent-to-agent protocol such as Google's A2A. In production, one agent might call another over A2A while each agent uses MCP to reach its own tools.
17. Why is MCP described as the "USB-C of AI"?
Because it replaces a tangle of bespoke integrations (every model wired to every tool through custom code) with one shared connector. Any client, any server, one protocol. The analogy isn't perfect, but it captures the standardization play.
One email a fortnight. Worth opening.
A short digest of what we're writing, what we're learning from customers, and the handful of links you'd actually want from us. No tracking pixels.
.avif)
