QR-10

MCP Quick Reference

Model Context Protocol: how it works, how to build safely, and where it will bite you.
Last verified 2026-07-09

Core Principles

MCP is USB-C for AIOne protocol lets any host plug into any server and use its tools
Open standardIntroduced by Anthropic Nov 2024. Now natively supported by OpenAI, Google, Anthropic
JSON-RPC 2.0 under the hoodTwo transports: stdio (local) and HTTP (remote)
Three primitivesTools (code execution), Resources (data), Prompts (templates)
Current spec: 2025-11-25Next release 2026-07-28: stateless core, MCP Apps, Tasks extension, hardened OAuth 2.1

Know The Limits read this first

MCP standardisesHow AI apps discover and call tools, resources, and prompts across vendors
MCP does not enforce securityThe spec says so explicitly. The host and operator own auth, authz, and validation
MCP is not a REST replacementIt is for AI tool access. Your regular APIs still serve human clients

The Architecture

RoleWhat it isExamplesResponsibilities
HostThe AI app the user talks toClaude Desktop, ChatGPT, Cursor, VS Code Copilot, WindsurfCoordinates clients, manages consent, renders results
ClientOne connection to one serverInstantiated by the host, one per connected serverHandles capability discovery and JSON-RPC over the transport
ServerExposes tools, resources, and promptsFilesystem, GitHub, Slack, Postgres, your internal APIResponds to requests, returns results, enforces its own security

The Three Primitives

PrimitiveWhat it is
ToolsFunctions the model can call. Arbitrary code execution. Treat with high caution
ResourcesData the model can read: files, DB rows, API responses. Read-only by convention
PromptsReusable prompt templates the host can offer as slash commands or shortcuts

Transports

TransportUse for
stdioLocal servers running on the same machine as the host. Pull credentials from env
HTTPRemote servers. MUST use OAuth 2.1 with PKCE. Post-2026-07-28: stateless by default

Building Your Own Server production checklist

StepWhat to do
Pick an SDKOfficial SDKs: Python, TypeScript, Java, C#, Kotlin, Ruby, Go, Swift
Design tools around real jobsOne tool = one clear action. Descriptive names, precise schemas
Validate every input against a schemaAllowlist values. Reject malformed. Bound sizes. Assume hostile input
Turn on OAuth 2.1 with PKCEAnything older is broken. Validate token audience per RFC 8707 / 9068
Never pass tokens throughA token minted for the client MUST NOT be forwarded upstream. Broken audit, exfil risk
Block SSRF egressDeny internal IPs and cloud metadata endpoints (169.254.x.x)
Sandbox the server processContainer per server. Deny outbound network beyond what the tool needs
Require confirmation for destructive actionsWrites, deletes, sends, transfers. Friction is a feature
Log every invocationParams, identity, decision, correlation IDs. Ship to SIEM
Test with MCP Inspectornpx @modelcontextprotocol/inspector

The Attack Surface what makes MCP different, and dangerous

The context. A 2026 audit found 40% of MCP servers require no authentication, 43% carry command-injection flaws, and 79% handle credentials in plaintext. Between Jan and Feb 2026 the community filed 30+ CVEs against MCP components. CVE-2025-6514 (CVSS 9.6) affected 437K+ installs. Most servers were written for the demo, not for production.
AttackHow it works
Tool poisoningA malicious server's tool description contains hidden instructions that steer the model to exfiltrate data via other tools
Prompt injection (indirect)Retrieved data or a tool result contains instructions. The model follows them as if from the user
Confused deputyA proxy server with a static client ID and a stale consent cookie authorises an attacker's redirect
Token passthroughThe server forwards a token it was not issued. Turns the server into an exfiltration proxy
SSRFDuring OAuth metadata discovery, malicious URLs point at internal services or 169.254.x.x
Rug pullA tool description changes after approval. Same server, different behaviour, no re-consent
Command injectionUnvalidated input reaches shell, filesystem, or database. Classic vuln, still 43% of servers
Parasitic toolchainA tool call from one server triggers unintended tools on another. Cross-server privilege escalation
QR-10

MCP Quick Reference

The defences, best practices, troubleshooting, and when not to use MCP.
Last verified 2026-07-09

The Defences layered, and none of them optional

ControlWhat it stops
OAuth 2.1 + PKCEUnauthorised access. Anything older is broken
Audience validationToken confusion, mix-up attacks (RFC 8707 / 9068)
Minimum scopesStart narrow, escalate only when the agent needs it. Reject wildcards
Tool version pinningRug pulls. Hash the description on approval, re-prompt if it changes
Per-server sandboxBlast radius from one compromised server. Deny outbound DNS by default
Egress allowlistSSRF, data exfil. Block private IPs and metadata endpoints
Human-in-the-loopDestructive actions taken without consent
MCP GatewayShadow MCP servers. Every call routes through central logging, allowlisted servers, access control
Full audit loggingUndetected compromise. Every invocation to SIEM with correlation IDs
Red teaming (e.g. MCPTox)Unknown attack classes. Run before ship, run on every server update

Best Practices

Do
Treat every third-party server as hostile until proven otherwise
Run each server in its own container with minimal egress
Pin tool versions and hash the descriptions
Require confirmation on writes, deletes, and sends
Log every invocation to SIEM with correlation IDs
Use MCP Inspector to test tools without a model in the loop
Do not
Skip auth because "it is only running locally"
Forward a client token to an upstream API. Ever
Trust tool descriptions from a server you did not review
Grant wildcard scopes. Start narrow, add on demand
Rely on transport encryption to stop prompt injection. It does not
Install "one command" MCP servers on production systems

Troubleshooting

SymptomWhere to look
Tools not appearing in the hostCheck tools/list response. Version negotiation. Confirm host actually supports the primitive
Auth failing on remote serverPKCE not enforced, token audience mismatch, iss parameter not validated (RFC 9207)
Model calls the wrong toolDescriptions are ambiguous. Rewrite them. Test with Inspector first
Sudden behaviour change from an installed serverTool descriptions or schemas changed. Rug pull. Re-review before consent
Data appears in an unexpected placeTool poisoning or cross-server exfiltration. Audit invocations. Consider revoking
Server hangs on long jobsYou need the Tasks extension (2026-07-28+). Async lifecycle
CVE reported against a dependencyCheck mcp-remote and MCP Inspector versions. Both have had CVSS 9+ findings

When Not To Use MCP

A single, well-defined API callNative function calling is simpler. MCP adds a protocol you do not need
Frontier-model batch inferenceUse the provider's batch API. MCP is for interactive tool use
Ultra-low-latency inner loopsJSON-RPC overhead matters. Call the tool directly in-process
You cannot afford the security workThe protocol does not enforce it. If nobody owns hardening, do not deploy it
What ships on 2026-07-28. The largest revision since launch. A stateless core so remote servers scale on ordinary HTTP infra. Two official extensions: MCP Apps (server-rendered HTML UIs, sandboxed iframe) and Tasks (long-running work with async lifecycle). Six SEPs harden OAuth 2.1 authorization. If you shipped against 2025-11-25 experimental Tasks, migrate. Tier 1 SDKs are expected to ship support within the 10-week window.