Model Context Protocol Explained: The USB-C of AI Integrations
The Model Context Protocol (MCP) is an open standard that lets large language models connect to external tools, data, and prompts the same way in every client. Anthropic released it in November 2024. By March 2026 it had been adopted by OpenAI, Google, Microsoft, and most major AI tooling vendors, with the protocol governance handed to the Linux Foundation's Agentic AI Foundation. If you have ever written a function-calling integration for one LLM and then rewritten it for another, MCP is the protocol designed so you only have to do it once.
Key takeaways
- MCP is a JSON-RPC 2.0 protocol with three primitives — tools, resources, and prompts — exposed by a server and consumed by an MCP-aware client like Claude, ChatGPT, Cursor, or Windsurf.
- The current spec is 2025-11-25, with a major roadmap pointing at Streamable HTTP scaling, the new Tasks primitive, and enterprise auth.
- There are now two supported transports: stdio for local servers and Streamable HTTP for remote ones. The original HTTP+SSE transport is deprecated.
- MCP downloads hit 97 million per month by March 2026, with more than 10,000 public servers in registries.
- Build an MCP server when the same capability needs to plug into multiple LLM clients — otherwise raw tool calling inside one provider's SDK is still simpler.
What MCP Actually Is and Why It Exists
MCP is a protocol, not a framework. It defines how a host application — a chat app, an IDE, an agent — talks to a server that exposes capabilities the model can use. The transport carries JSON-RPC 2.0 messages either over standard input and output, or over HTTP. The schema defines exactly what an initialize, tools/list, tools/call, resources/read, or prompts/get request looks like and what shape the response must take.
The shorthand most often used by the maintainers themselves is "the USB-C of AI integrations" — one connector spec replacing the dozen one-off plugs that came before. Before MCP, if you wanted Claude, ChatGPT, and Cursor to all read from your company knowledge base, you wrote three different integrations against three different SDKs. The plugin ecosystem fragmented along vendor lines, and capabilities that should have been universal — read this database, run this build, file this ticket — got rebuilt in every chat app, every IDE, and every agent framework.
MCP inverts the relationship. The capability lives in a server that the developer writes once. The client knows how to speak MCP and can therefore use any server. Anthropic announced the protocol on November 25, 2024, and exactly one year later released the first stable spec — version 2025-11-25 — maintained at modelcontextprotocol.io.
The Architecture, One Layer at a Time
An MCP system has three roles. The host is the application a human uses — Claude Desktop, the ChatGPT desktop app, Cursor, Windsurf, VS Code with the Copilot agent. The client is a thin component owned by the host that opens a connection to one server and forwards JSON-RPC calls. The server is what the integration author writes, and it exposes some combination of three primitives:
- Tools — functions the model can call with structured arguments.
search_jira_issues({ project: "WEB", status: "open" }). The server runs the call and returns a result. - Resources — read-only data the host fetches and passes to the model as context. A file, a database row, a URL. Resources are addressed by URI.
- Prompts — reusable prompt templates the host offers to the user. A "summarise this PR" command the user picks from a menu and the host fills with current context.
Servers can also accept sampling requests, where the server asks the model to generate something, and elicitation requests, where the server prompts the user mid-call — both shipped in the 2025-11-25 spec and are still rolling out across clients.
All of this rides on JSON-RPC 2.0. Every request has a method like tools/call, a params object, and an id. Responses are matched by id. The protocol is bidirectional and stateful at the session level.
Transports — stdio and Streamable HTTP
The spec defines two standard transports in 2026.
stdio is the simplest. The host spawns the server as a child process and talks to it through standard input and standard output. One process per client, zero network. This is how Claude Desktop, Cursor, and most IDE-integrated clients launch local servers. The tradeoff: stdio is single-client and local-only, so a server you want shared across a team or hosted in production needs the other transport.
Streamable HTTP is what you use for remote servers. The server exposes one HTTP endpoint — https://example.com/mcp — that accepts both POST and GET. Clients send JSON-RPC via POST. The server either replies with a normal HTTP response for simple request-response cases, or upgrades to a Server-Sent Events stream when it needs to push progress updates or server-initiated notifications. Session state is tracked through an Mcp-Session-Id header so a logical session can survive across load-balanced calls.
Streamable HTTP replaced the original HTTP+SSE dual-endpoint transport in the March 26, 2025 spec release. The legacy SSE transport is officially deprecated — new servers should not use it. Atlassian has set a hard cut-off of June 30, 2026 for SSE on its Rovo MCP server, and most other vendors are following similar timelines. The 2026 roadmap focuses on hardening Streamable HTTP at scale: stateful sessions versus load balancers, horizontal scaling, and server discovery for crawlers.
Who Has Actually Adopted It
Adoption is the single biggest reason to take MCP seriously. The list, as of mid-2026:
| Adopter | What ships | First adopted |
|---|---|---|
| Anthropic (Claude Desktop, claude.ai, Claude Code) | Native MCP client; dozens of first-party servers | Nov 2024 (launch) |
| OpenAI (ChatGPT desktop, Agents SDK, Apps SDK, Responses API) | MCP client across product surface | Mar 2025 |
| Google (Gemini API, Vertex AI Agent Builder, Gemini CLI) | MCP client and server support | Apr 2025 |
| Microsoft (GitHub Copilot, VS Code, Azure, Microsoft 365) | First-party MCP servers and clients | Q3 2025 |
| Cursor, Windsurf, Zed | Native MCP client in the IDE | early 2025 |
| AWS, Cloudflare, Bloomberg, Block | First-party servers and AAIF co-founders | through 2025 |
In December 2025, Anthropic donated the protocol to the Agentic AI Foundation — a directed fund under the Linux Foundation, co-founded by Anthropic, Block, and OpenAI, with support from Google, Microsoft, AWS, Cloudflare, and Bloomberg. That move closed the door on MCP being read as "Anthropic's protocol."
The adoption numbers reflect it. SDK downloads hit 97 million per month by March 2026, up from roughly 100,000 at launch. More than 10,000 public MCP servers exist across registries, and industry surveys put MCP-backed agents in production at roughly 78% of enterprise AI teams by Q1 2026.
A Tiny MCP Server in TypeScript
The fastest way to understand MCP is to see one. The snippet below is a complete, runnable MCP server in 30 lines that exposes a single add tool over stdio. Save it as server.ts, install @modelcontextprotocol/sdk and zod, and you can wire it into Claude Desktop with one entry in the config file.
import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
import { z } from 'zod';
const server = new McpServer({
name: 'calculator',
version: '1.0.0',
});
server.registerTool(
'add',
{
title: 'Add two numbers',
description: 'Returns the sum of a and b',
inputSchema: { a: z.number(), b: z.number() },
},
async ({ a, b }) => ({
content: [{ type: 'text', text: String(a + b) }],
})
);
const transport = new StdioServerTransport();
await server.connect(transport);
Step by step: McpServer creates the server with a name and version that the client sees during the initialize handshake. registerTool declares one tool — its name, a description the LLM uses to decide when to call it, an input schema validated by Zod, and an async handler. The handler returns content blocks, which is how MCP represents tool results (text here, but also images, audio, or embedded resources). StdioServerTransport wires the server to stdin and stdout.
To use it in Claude Desktop, add a stanza to claude_desktop_config.json:
{
"mcpServers": {
"calculator": { "command": "node", "args": ["./server.js"] }
}
}
The Python SDK is structurally identical — FastMCP plays the role of McpServer, decorators replace registerTool, and stdio_server() provides the transport.
MCP vs Function Calling vs LangChain vs Raw HTTP
These are not the same kind of thing, and the comparison only makes sense if you frame each correctly.
| What it is | When to reach for it | |
|---|---|---|
| Raw HTTP API | Your endpoint, model invokes via prompt instructions | Almost never — schemas drift and errors are silent |
| OpenAI / Anthropic function calling | Vendor-specific tool-call schema inside one provider's SDK | One model, one product, fastest path to ship |
| LangChain / LlamaIndex tools | Framework abstraction over many providers | Custom agent code, one tool def across providers |
| MCP | Open protocol — server is a separate process | Same capability needs to plug into clients you don't own |
The shortest version: function calling lives inside the LLM API call. MCP lives between the LLM client and the tool. If you are writing a one-off integration inside your own agent, function calling or a framework abstraction is fine. If you are exposing a capability that other people's agents will use — your company's data, your SaaS product, a developer tool — MCP is the standard you ship against. The two also overlap: LangChain supports MCP servers as a tool source, and the OpenAI Agents SDK consumes MCP servers natively, so MCP slots underneath agent frameworks rather than competing with them.
When to Build an MCP Server
Not every integration needs to be an MCP server. Build one when the same capability needs to be available in multiple LLM clients — your team uses Claude and Cursor and ChatGPT and you want one Jira integration in all three, or you are a SaaS company whose customers' AI assistants need to talk to your product, or you are an enterprise IT team standardising how internal agents reach systems of record.
Don't build one when the integration only ever runs inside one agent codebase you control. Function calling against your provider's SDK is two fewer abstractions there. Same for prototypes — write the tool call directly, ship something working, convert to MCP if the integration outgrows one client. The practical heuristic: if the integration would be useful even if your current AI vendor disappeared tomorrow, ship it as MCP.
Security — What You're Actually Exposing
MCP gives an LLM the ability to execute code on your machine or your server. That is the entire point and also the entire risk surface.
The 2025-11-25 spec made MCP servers official OAuth 2.1 Resource Servers when running over HTTP. Clients are required to implement RFC 8707 Resource Indicators, which means access tokens are scoped to a specific server rather than to "any MCP server the user has installed." This was the largest single security improvement in the protocol's first year.
For stdio servers, the threat model is different — the server runs as a child process with whatever permissions the host has. Treat third-party MCP servers the way you treat npm dependencies or VS Code extensions. Two other things to watch: tool descriptions are part of the attack surface (the LLM reads them, so a malicious server can try to talk the model into actions the user didn't request), and resources can act as a prompt-injection vector if they pull untrusted content into the model context. Host applications increasingly surface tool calls to the user with explicit per-call consent — that, more than the protocol itself, is what keeps the surface manageable.
Where Crosscheck Fits
Crosscheck is a free Chrome extension for bug reporting — it captures screenshots, recordings, console logs, and network logs and ships them to Jira, Linear, ClickUp, GitHub, or Slack. The Crosscheck team also runs an MCP server, live at mcp.crosscheck.cloud, that lets Claude, ChatGPT, Cursor, and any other MCP-aware client read bug reports and file new ones from inside the AI conversation. The pattern is exactly the one this article describes — one server, many clients, no per-vendor plugin code. If you want to see a small production MCP server in the wild, point your Claude Desktop config at it and look at how the tools, resources, and prompts are shaped.
For more context on the AI testing landscape MCP fits inside, see the Crosscheck guides to AI test generation and the best AI-powered testing tools in 2026.
FAQ
What is MCP in simple terms?
MCP is a shared language that AI applications and external tools both speak. Instead of every AI app inventing its own way to connect to your data or your API, they all use MCP — and you write the integration once.
Is MCP only for Claude?
No. Anthropic created it, but OpenAI, Google, Microsoft, Cursor, Windsurf, and most major AI platforms have shipped MCP support. Anthropic donated the protocol to the Linux Foundation's Agentic AI Foundation in December 2025, with OpenAI, Google, Microsoft, AWS, Cloudflare, Block, and Bloomberg as co-supporters.
What is the difference between MCP and function calling?
Function calling is a provider-specific feature inside one LLM's API — you describe a tool to GPT or Claude in that provider's schema, and the model returns a call. MCP is an open protocol that sits between the LLM client and external servers, so the same server works across every MCP-aware client without rewriting the integration.
Which MCP transport should I use?
Use stdio if the server runs locally on the same machine as the AI client — that covers most desktop and IDE integrations. Use Streamable HTTP if the server runs remotely, needs to be shared across users, or needs to be deployed to the cloud. Avoid the legacy HTTP+SSE transport — it was deprecated in March 2025.
Is MCP secure?
The protocol now defines MCP servers as OAuth 2.1 Resource Servers with audience-scoped tokens per RFC 8707, which addresses the worst-case "one token, every server" problem. But security also depends on the host application surfacing tool calls to the user and on the user trusting the servers they install — treat third-party MCP servers the way you treat any other third-party code.
How do I find existing MCP servers?
The MCP Registry, launched in preview in September 2025, is the canonical catalogue. Cloudflare and Smithery also run public hubs. For first-party servers, the @modelcontextprotocol/server-* npm packages cover filesystem, Git, GitHub, Postgres, Slack, and others. Official SDKs cover TypeScript, Python, C#, Java, Kotlin, Swift, Rust, Go, and Ruby.
Start Building With MCP Today
If your team is building AI features and feels the integration sprawl — one Jira tool for Claude, another for ChatGPT, a third for the in-IDE agent — MCP is the protocol that collapses that into one server. And when one of those AI-driven workflows turns up a real bug, the bug still has to be filed with reproduction steps, console output, and a screenshot. That part is what Crosscheck does, in one click, into the same Jira or Linear board your agents are reading from.
