Core Principles
| MCP is USB-C for AI | One protocol lets any host plug into any server and use its tools |
| Open standard | Introduced by Anthropic Nov 2024. Now natively supported by OpenAI, Google, Anthropic |
| JSON-RPC 2.0 under the hood | Two transports: stdio (local) and HTTP (remote) |
| Three primitives | Tools (code execution), Resources (data), Prompts (templates) |
| Current spec: 2025-11-25 | Next release 2026-07-28: stateless core, MCP Apps, Tasks extension, hardened OAuth 2.1 |
Know The Limits read this first
| MCP standardises | How AI apps discover and call tools, resources, and prompts across vendors |
| MCP does not enforce security | The spec says so explicitly. The host and operator own auth, authz, and validation |
| MCP is not a REST replacement | It is for AI tool access. Your regular APIs still serve human clients |
The Architecture
| Role | What it is | Examples | Responsibilities |
|---|
| Host | The AI app the user talks to | Claude Desktop, ChatGPT, Cursor, VS Code Copilot, Windsurf | Coordinates clients, manages consent, renders results |
| Client | One connection to one server | Instantiated by the host, one per connected server | Handles capability discovery and JSON-RPC over the transport |
| Server | Exposes tools, resources, and prompts | Filesystem, GitHub, Slack, Postgres, your internal API | Responds to requests, returns results, enforces its own security |
The Three Primitives
| Primitive | What it is |
|---|
| Tools | Functions the model can call. Arbitrary code execution. Treat with high caution |
| Resources | Data the model can read: files, DB rows, API responses. Read-only by convention |
| Prompts | Reusable prompt templates the host can offer as slash commands or shortcuts |
Transports
| Transport | Use for |
|---|
| stdio | Local servers running on the same machine as the host. Pull credentials from env |
| HTTP | Remote servers. MUST use OAuth 2.1 with PKCE. Post-2026-07-28: stateless by default |
Building Your Own Server production checklist
| Step | What to do |
|---|
| Pick an SDK | Official SDKs: Python, TypeScript, Java, C#, Kotlin, Ruby, Go, Swift |
| Design tools around real jobs | One tool = one clear action. Descriptive names, precise schemas |
| Validate every input against a schema | Allowlist values. Reject malformed. Bound sizes. Assume hostile input |
| Turn on OAuth 2.1 with PKCE | Anything older is broken. Validate token audience per RFC 8707 / 9068 |
| Never pass tokens through | A token minted for the client MUST NOT be forwarded upstream. Broken audit, exfil risk |
| Block SSRF egress | Deny internal IPs and cloud metadata endpoints (169.254.x.x) |
| Sandbox the server process | Container per server. Deny outbound network beyond what the tool needs |
| Require confirmation for destructive actions | Writes, deletes, sends, transfers. Friction is a feature |
| Log every invocation | Params, identity, decision, correlation IDs. Ship to SIEM |
| Test with MCP Inspector | npx @modelcontextprotocol/inspector |
The Attack Surface what makes MCP different, and dangerous
The context. A 2026 audit found 40% of MCP servers require no authentication, 43% carry command-injection flaws, and 79% handle credentials in plaintext. Between Jan and Feb 2026 the community filed 30+ CVEs against MCP components. CVE-2025-6514 (CVSS 9.6) affected 437K+ installs. Most servers were written for the demo, not for production.
| Attack | How it works |
|---|
| Tool poisoning | A malicious server's tool description contains hidden instructions that steer the model to exfiltrate data via other tools |
| Prompt injection (indirect) | Retrieved data or a tool result contains instructions. The model follows them as if from the user |
| Confused deputy | A proxy server with a static client ID and a stale consent cookie authorises an attacker's redirect |
| Token passthrough | The server forwards a token it was not issued. Turns the server into an exfiltration proxy |
| SSRF | During OAuth metadata discovery, malicious URLs point at internal services or 169.254.x.x |
| Rug pull | A tool description changes after approval. Same server, different behaviour, no re-consent |
| Command injection | Unvalidated input reaches shell, filesystem, or database. Classic vuln, still 43% of servers |
| Parasitic toolchain | A tool call from one server triggers unintended tools on another. Cross-server privilege escalation |