Model Context Protocol (MCP): The Complete Developer's Guide
Welcome to the AgentDevPro Handbook’s MCP section. If your AI agents need to talk to tools, databases, APIs, or any external system — this is where you start.
Model Context Protocol (MCP) is an open standard that solves one of the most frustrating problems in AI development: the endless, brittle work of wiring every AI model to every external tool it needs. Instead of writing custom connectors for each new integration, you build an MCP server once — and it works with any MCP‑compatible host: Claude Desktop, Cursor, custom agents, enterprise platforms, and beyond.
In this overview, you’ll learn:
- What MCP is and the problem it solves
- How MCP works under the hood
- Core concepts: servers, clients, tools, resources, and prompts
- How MCP compares to A2A — and why you need both
- Where to go next to start implementing MCP servers and clients
Let’s start at the beginning.
What Is MCP
Model Context Protocol (MCP) is an open protocol that standardises how AI applications and agents connect to external tools, data sources, and APIs. It provides a consistent, secure interface for LLMs to discover and interact with the outside world.
Before MCP, connecting an AI model to a database, a file system, or an API meant writing custom integration code for every pair — a classic N×M problem. MCP reduces this complexity to N+M: every agent speaks MCP, every tool exposes MCP. Think of it as the USB‑C for AI: one standard connector that works across countless devices.
At its core, MCP gives AI agents three essential capabilities:
| Capability | What it does | Example |
|---|---|---|
| Tools | Executable functions the agent can call | search_web(), send_email(to, subject) |
| Resources | Data the agent can read (files, database records) | README.md, customer_profiles.json |
| Prompts | Reusable template workflows | code_review.draft: “Review this code for bugs, style, and performance” |
On top of these, MCP adds Sampling (servers requesting LLM completions) and Roots (permission boundaries), making it a complete integration layer for production agents.
MCP is now an open standard under the Linux Foundation's Agentic AI Foundation, with broad adoption across the industry.
Why MCP Matters
MCP didn’t emerge in a vacuum. It was built to solve three real, painful problems that every production AI team encounters.
The N×M Integration Problem
Every new AI model (Claude, GPT, Gemini, Llama) needs to connect to every new tool (database, file system, email, calendar, GitHub, Slack…). The number of integrations grows faster than any team can maintain. MCP changes this: build your tool once as an MCP server, and any MCP‑compatible agent can use it.
Fragmented Tool Description Formats
OpenAI’s function‑calling JSON looks different from Anthropic’s tool‑use shape, which looks different from LangChain’s BaseTool. They’re close enough to frustrate — but different enough that a tool written for one must be rewritten for another. MCP standardises the tool‑description format at the wire level.
Security and Governance
An LLM that can read files, run code, hit APIs, and send emails is a powerful surface. Without standardised control, it’s also a security nightmare. MCP brings explicit capability negotiation, scoped permissions, and audit‑ready logs — the backbone of any governance story.
Problems MCP Solves
Let’s break down the pain points MCP addresses — and how it addresses them.
| Problem | Before MCP | With MCP |
|---|---|---|
| Tool Integration Complexity | Write custom glue code for every API endpoint; maintain separate connectors for each AI model | Build an MCP server once; any MCP client can discover and call your tools dynamically |
| Context Fragmentation | Context scatters across custom connectors; different models see different slices of the same tool | Standardised resource access; consistent context for every model |
| Repeated Custom Connectors | Every team rebuilds the same integrations — database connectors, file readers, email senders | Shared, reusable MCP servers maintained once by the team that knows the system best |
| Vendor Lock‑In | Integrations are hardcoded to specific models or platforms | MCP works with any compatible host — switch models without rewriting tooling |
How MCP Works
MCP uses a client‑host‑server architecture. The host application creates client instances, each connected to one server, and all communication uses JSON‑RPC 2.0.
The lifecycle of a single MCP exchange follows five clear phases:
Phase by phase:
- Server Discovery — The host creates a client and connects to a server (via stdio subprocess or HTTP).
- Capability Discovery — The server advertises its capabilities during the JSON‑RPC handshake: which tools, resources, and prompts it offers.
- Tool Selection — The client issues a
tools/listrequest to discover available tools, each with a name, description, and input schema. - Tool Execution — The host invokes a tool via
tools/call. The server executes the business logic and returns a structured result. - Result Return — The host receives the result and passes it back to the LLM for further reasoning.
Core MCP Concepts
Every MCP system is built on five core concepts. Understanding them is essential to implementing or using MCP.
MCP Host
The Host is the user‑facing application that runs the LLM and orchestrates agent behaviour. It manages multiple MCP clients and enforces security policies.
- What it does: Creates clients, controls permissions, handles user consent, coordinates tool calls.
- Examples: Claude Desktop, Cursor, a custom agent application, an IDE extension.
- Key responsibility: The host controls what servers are allowed, which tools can be invoked, and how user authorisation is handled.
MCP Client
The Client is a component embedded within the host that manages a dedicated session with exactly one MCP server.
- What it does: Manages transport, handles capability negotiation, routes messages bidirectionally, manages subscriptions.
- Key characteristic: One client per server. A host can run many clients, each connected to a different server.
MCP Server
The Server is a process that exposes capabilities — tools, resources, and prompts — to LLM clients via the protocol.
- What it does: Advertises capabilities, executes tool calls, serves resources, handles prompts.
- Deployment: Servers run as local subprocesses (stdio) or remote services (HTTP).
- Key principle: Servers focus on specific, well‑defined capabilities and operate independently.
MCP Tools
Tools are executable functions that the LLM can call. Each tool has a name, description, and input schema (JSON Schema) defining its parameters.
{
"name": "search_web",
"description": "Search the internet for current information",
"inputSchema": {
"type": "object",
"properties": {
"query": { "type": "string", "description": "Search query" },
"max_results": { "type": "integer", "minimum": 1, "maximum": 50 }
},
"required": ["query"]
}
}
MCP Resources
Resources are read‑only data that the LLM can access — files, database records, API results — exposed as URI‑addressable content.
Example resource: file:///project/README.md
MCP Prompts
Prompts are reusable, template‑based workflows that the server can provide. They help standardise common interactions.
Example prompt: A “code review” prompt that asks the LLM to check for bugs, style violations, and performance issues.
MCP vs Traditional API Integrations
Traditional API integration involves writing custom request/response logic for every endpoint, hardcoding tool definitions directly into prompts or agent code, and redeploying the whole application when a tool changes. MCP completely inverts this pattern.
| Aspect | Traditional API Integration | MCP Integration |
|---|---|---|
| Tool definition location | Hardcoded in agent code or prompts | Advertised by the server via tools/list |
| Integration effort per tool | Write custom client code for each API endpoint | Build an MCP server once — any MCP client can use it |
| Discoverability | Manual, out‑of‑band (documentation, code inspection) | Automatic runtime discovery from the server |
| Maintenance | Update every agent when the tool changes | Update one MCP server; all clients see the new tool definition automatically |
| Deployment coupling | Redeploy the entire agent to add a new tool | Deploy a new MCP server — agent code unchanged |
| Security model | Custom per integration | Standardised authentication, capability negotiation, audit logging |
| Reusability | Near zero (each agent reinvents the wheel) | High (any MCP‑compatible host can reuse the same server) |
MCP vs A2A: Two Protocols, One Ecosystem
This is one of the most common points of confusion. Let’s clarify it once and for all.
One‑Line Distinction
- MCP is vertical — agent/app ↔ tool/resource access.
- A2A is horizontal — agent ↔ agent communication.
Comparison Table
| Aspect | MCP (Model Context Protocol) | A2A (Agent‑to‑Agent Protocol) |
|---|---|---|
| Primary purpose | Agent‑to‑tool / agent‑to‑resource communication | Agent‑to‑agent communication and collaboration |
| Direction | Vertical (agent to external systems) | Horizontal (agent to agent) |
| What it connects | AI agents to tools, databases, files, APIs | Multiple AI agents to each other |
| Origin | Anthropic (November 2024), now under Linux Foundation | Google (April 2025), now under Linux Foundation |
| Key primitives | Tools, Resources, Prompts, Sampling, Roots | Agent Cards, Tasks, Messages, Artifacts |
| Example | A Data Agent uses MCP to connect to a PostgreSQL database | A Research Agent delegates a query to the Data Agent via A2A |
| Analogies | USB‑C for AI: one connector, many devices | Ethernet for agents: network protocol for agent‑to‑agent communication |
How They Work Together
MCP and A2A are not competitors — they are complementary and designed to work in concert.
Think of a typical enterprise workflow:
- Your Research Agent needs to analyse customer data.
- It uses A2A to delegate the task to a Data Agent.
- That Data Agent uses MCP to connect to the actual PostgreSQL database, execute the query, and retrieve results.
- The Data Agent returns the results via A2A to the Research Agent.
┌─────────────────┐ A2A ┌──────────────────┐
│ Research │ ──────────────────► │ Data Agent │
│ Agent │ │ │
└────────┬────────┘ └────────┬─────────┘
│ (A2A) │ (MCP)
│ ▼
│ ┌───────────┐
│ │ PostgreSQL│
│ │ Database │
│ └───────────┘
▼
┌─────────────────┐
│ Final Result │
└─────────────────┘
In many production architectures, agents communicate via A2A while each agent internally uses MCP to interact with the tools and data sources it needs. This separation keeps concerns distinct: tool integration evolves independently from agent orchestration logic.
Common MCP Use Cases
MCP is already deployed across production environments in multiple industries. Here are the most common patterns.
1. Secure Code Execution and Developer Automation
Agents that generate, test, and deploy code are among the highest‑value MCP use cases. An agent receives a task, discovers available tools via MCP, executes in an isolated sandbox, and returns results through the protocol.
Example: A GitHub agent that reads pull requests, runs tests, and deploys to staging — all through MCP tool calls.
2. Enterprise Knowledge Agents
Agents that need to query internal data sources — Confluence, Notion, SharePoint, internal wikis — use MCP resources to fetch documents and MCP tools to run searches. The MCP host aggregates tools from all connected servers into a unified registry.
Example: A customer support agent that retrieves product documentation from Confluence, checks order status from an internal database, and drafts a response.
3. Customer Support Automation
An MCP host (the support agent) connects to multiple MCP servers: a CRM server for customer data, a knowledge base server for documentation, and a ticketing server for updates. The agent dynamically selects the right tool based on the user’s request.
Example: “Check my order status” → agent discovers the get_order tool via tools/list, invokes it with the order ID, and returns the result.
4. Cross‑System Workflow Automation
MCP servers can expose entire workflows as prompts. A single prompt might invoke multiple tools in sequence: fetch data from a database, run an analysis, generate a report, and email the result.
Example: A weekly sales report workflow — triggered by a prompt — that pulls data from PostgreSQL, calculates KPIs, generates a chart via a visualisation tool, and emails the report to stakeholders.
5. IDE Assistants and Coding Tools
Cursor, VSCode extensions, and other IDEs use MCP to give AI assistants access to files, linters, test runners, and documentation.
Example: An AI coding assistant that reads your project files (via MCP resources), runs linting (via MCP tools), and suggests fixes — all through a standardised interface.
MCP Learning Path
This article is your entry point. The AgentDevPro Handbook includes a complete series of implementation guides, each building on the previous.
📍 Your recommended learning path:
1. MCP Overview (this article)
↓
2. MCP Server — building servers that expose tools, resources, and prompts
↓
3. MCP Client — connecting agents to servers, runtime discovery
↓
4. MCP Resources — exposing read‑only data as URI‑addressable resources
↓
5. MCP Tools — designing executable functions with JSON Schema
↓
6. MCP Prompts — creating reusable, template‑based workflows
↓
7. MCP Security — authentication, authorisation, and secure deployment
↓
8. MCP Deployment — packaging, scaling, and production operations
↓
9. MCP Best Practices — production‑grade patterns from real deployments
What Each Article Covers
| Article | URL | What You’ll Learn |
|---|---|---|
| MCP Server | /guides/mcp/server/ | Building MCP servers, exposing capabilities, JSON‑RPC handler implementation, local vs remote servers |
| MCP Client | /guides/mcp/client/ | Connecting agents to MCP servers, runtime tool discovery, handling tool calls and resources |
| MCP Resources | /guides/mcp/resources/ | Exposing read‑only data, URI addressing, resource subscriptions and change notifications |
| MCP Tools | /guides/mcp/tools/ | Designing tool schemas, input validation, error handling, idempotent tool design |
| MCP Prompts | /guides/mcp/prompts/ | Creating reusable prompt templates, arguments and variables, composable workflows |
| MCP Security | /guides/mcp/security/ | Authentication, OAuth 2.0, API keys, authorisation, credential management, OWASP MCP Top 10 |
| MCP Deployment | /guides/mcp/deployment/ | Packaging, containerisation, scaling, networking, monitoring, incident response |
| MCP Best Practices | /guides/mcp/best-practices/ | Production patterns: idempotency, timeouts, retries, logging, observability, anti‑patterns |
Related Handbook Topics
- A2A (Agent‑to‑Agent) —
/guides/a2a/— agent orchestration and collaboration - Agent Workflows —
/guides/agent-workflows/— orchestrating multi‑step agent tasks - Agent Memory —
/guides/agent-memory/— long‑term shared memory across agents
MCP Best Practices Overview
While the dedicated Best Practices article goes deep, here’s a high‑level summary of what makes a production‑ready MCP implementation.
| Practice Area | Key Principle | Why It Matters |
|---|---|---|
| Keep tools focused | Each tool does one thing, described clearly | Improves discoverability and reduces LLM confusion |
| Validate inputs | Enforce JSON Schema validation on every tool call | Prevents malformed inputs from reaching internal systems |
| Secure credentials | Never store credentials in code or .env files; use a secrets vault with runtime injection | Prevents credential exposure and enables rotation |
| Monitor usage | Log every tool call: which agent, which tool, which parameters, outcome | Creates audit trail for security and debugging |
| Version your tools | Include version metadata; support backward‑compatible changes | Allows safe evolution without breaking clients |
| Set timeouts | Every tool call should have a maximum execution time | Prevents hanging agents and resource exhaustion |
| Design for idempotency | Repeated identical tool calls should produce the same effect | Enables safe retries without double execution |
| Layer security | Don’t rely on a single control — use defence in depth | Reduces risk of single point of failure |
These principles are explored in depth with code examples in the MCP Best Practices article.
Frequently Asked Questions
1. What is the Model Context Protocol (MCP)?
MCP is an open protocol that standardises how AI applications and agents connect to external tools, data sources, and APIs. It replaces custom integration code with a single, consistent interface.
2. Why was MCP created?
MCP solves three problems: the N×M integration explosion (each model to each tool), fragmented tool‑description formats across AI providers, and the security and governance challenges of giving LLMs external access.
3. Is MCP open source?
Yes. MCP is an open standard published by Anthropic and now hosted under the Linux Foundation's Agentic AI Foundation.
4. Who created MCP?
Anthropic launched MCP in November 2024. In June 2025, Anthropic donated it to the Linux Foundation for neutral, open‑source governance.
5. How do MCP servers work?
An MCP server is a process that advertises its capabilities — tools, resources, prompts — to MCP clients via JSON‑RPC 2.0 over stdio (local subprocess) or HTTP (remote service). Clients discover available tools at runtime and invoke them by name.
6. What are the three core MCP primitives?
Tools (executable functions), Resources (read‑only data), and Prompts (reusable templates). MCP also defines Sampling (server‑initiated LLM requests) and Roots (permission boundaries).
7. How is MCP different from a traditional API?
Traditional APIs require custom client code for every endpoint, hardcoded tool definitions, and redeployment when tools change. MCP servers advertise their capabilities dynamically; clients discover tools at runtime and invoke them through a standardised interface.
8. How is MCP different from A2A?
MCP is for agent‑to‑tool communication (vertical). A2A is for agent‑to‑agent communication (horizontal). They are complementary — most production systems use both.
9. Can MCP and A2A work together?
Absolutely. A typical workflow: Agent A uses A2A to delegate a task to Agent B. Agent B uses MCP to access a database, execute the query, and return results via A2A. They’re designed to be used together.
10. Does MCP support streaming responses?
Yes. MCP uses Server‑Sent Events (SSE) for streaming. The 2025‑03‑26 specification introduced Streamable HTTP as the modern transport layer.
11. What transport protocols does MCP use?
MCP supports stdio (for local subprocesses) and HTTP (for remote services), both using JSON‑RPC 2.0. The original HTTP+SSE transport from 2024‑11‑05 remains backward‑compatible.
12. What programming languages have MCP SDKs?
Official SDKs are available in Python and TypeScript. Community SDKs cover Java, C#, Rust, Go, Ruby, and more.
13. Which applications support MCP today?
Claude Desktop, Cursor, Windsurf, ChatGPT, Cline, the OpenAI Agents SDK, Google ADK, Microsoft Agent Framework, and many others.
14. How do I secure an MCP server?
Follow the OWASP MCP Security Guide: strong authentication (OAuth 2.0, mTLS), authorisation per tool and resource, strict input validation, session isolation, and audit logging. Never store credentials in code or .env files — use a secrets vault with runtime injection.
15. Can one MCP host connect to multiple servers?
Yes. A host can run multiple client instances, each connected to a different server. The host aggregates tools, resources, and prompts from all connected servers into a unified registry.
16. What happens when a server’s tool set changes?
The server sends a notifications/tools/list_changed event. The client re‑fetches the tool list mid‑session. No restarts. No redeployment of the agent.
17. How do I test an MCP server?
Unit test the tool implementation logic separately from the MCP handler. Integration test with a real MCP client (or the SDK’s test harness). End‑to‑end test with your actual host application.
18. Can an MCP server be a remote cloud service?
Yes. MCP supports HTTP transport, so servers can run anywhere — on‑premises, cloud VMs, serverless functions, or as containers in Kubernetes.
19. What security risks should I be aware of?
MCP servers operate with delegated user permissions and dynamic tool‑based architectures. Key risks: command injection, path traversal, SQL injection, secret exposure, and lateral movement. The OWASP MCP Top 10 provides a comprehensive risk assessment.
20. Where can I find the official MCP specification?
The official specification is at modelcontextprotocol.io. The source code and schemas are on GitHub under the Model Context Protocol organisation.
Conclusion
MCP is transforming how AI agents connect to the outside world. By providing an open, standardised protocol for tool and resource access, it eliminates the endless custom integrations that have slowed AI development for years.
- What MCP is — an open protocol for standardised AI‑to‑tool communication, now hosted under the Linux Foundation
- Why it matters — replaces N×M integrations with N+M, adds standardised security and governance, and makes tools reusable across any MCP‑compatible host
- How it works — JSON‑RPC 2.0 over stdio or HTTP, runtime capability discovery, and three core primitives: Tools, Resources, Prompts
- Where MCP fits in the ecosystem — MCP handles agent↔tool communication; A2A handles agent↔agent communication. Together, they provide a complete interoperability layer for production agent systems
The ecosystem is growing rapidly. Official and community SDKs support all major programming languages, and adoption spans from individual developers to large enterprises. The Linux Foundation’s stewardship ensures MCP will remain an open, neutral standard.
Your Next Step
Now that you understand what MCP is and why it matters, continue your journey with the next article in the series:
👉 MCP Server — building servers that expose tools, resources, and prompts →
You’ll learn how to build your first MCP server, implement tool handlers, and expose capabilities that any MCP‑compatible agent can discover and use.
This article is part of the AgentDevPro Handbook — practical, engineering‑focused guides for building production AI agent systems.