built throughORANGEBOX·see what it ships·$1 →

What is the Model Context Protocol (MCP)?

The short answer

The Model Context Protocol (MCP) is an open standard, released by Anthropic in November 2024, that lets AI applications connect to external data sources, tools, and prompts through a uniform JSON-RPC 2.0 interface. It is to AI assistants what the Language Server Protocol is to code editors: one client-server contract that replaces N-by-M custom integrations. MCP is supported natively by Claude Desktop, Claude Code, OpenAI's Agents SDK, Google's Gemini API, Microsoft Copilot Studio, and a growing public registry of servers.

The longer answer

The Model Context Protocol was announced by Anthropic on November 25, 2024, alongside an open specification, reference SDKs in Python and TypeScript, and a set of pre-built servers for Google Drive, Slack, GitHub, Postgres, and Puppeteer. The design problem MCP solves is the same one that produced the Language Server Protocol (LSP) in 2016: every editor used to need a custom integration for every language, which scales poorly. MCP applies the same logic to AI — every model used to need a custom integration for every tool. With MCP, a model or "host" speaks one protocol to many servers, and a server speaks one protocol to many models.

Under the hood, MCP is JSON-RPC 2.0 over stdio, HTTP+SSE, or "Streamable HTTP" (added in the 2025-03-26 revision). The protocol defines three primitives a server can expose: resources (read-only data the model can pull, addressed by URI), tools (executable functions the model can call), and prompts (parameterized templates the user can invoke). Clients negotiate capabilities during an initialize handshake, then exchange tools/list, tools/call, resources/read, and prompts/get requests. Sampling — letting a server ask the client to perform an LLM completion — is also part of the spec but adoption is limited.

Adoption moved fast. OpenAI committed to MCP in its Agents SDK in March 2025. Google's Gemini API added MCP support, and Demis Hassabis publicly endorsed it. Microsoft shipped MCP integration in Copilot Studio (May 2025) and Windows 11 in May 2025. By late 2025, the public registry at github.com/modelcontextprotocol/servers listed hundreds of community and reference servers, and the official MCP registry preview launched in September 2025.

Security has been the contested dimension. Equixly disclosed (April 2025) that 43% of audited MCP server implementations had command-injection flaws. Trail of Bits documented "rug pull" and "tool poisoning" attack classes. CVE-2025-49596 (CVSS 9.4) hit Anthropic's own MCP Inspector via a no-auth default; CVE-2025-6514 (CVSS 9.6) hit mcp-remote with 437,000+ npm downloads. The 2025-06-18 spec revision added OAuth 2.1 authorization in response.

For builders, the practical pattern is: write a server once in the Python or TypeScript SDK, declare your tools and resources, and any MCP-aware client — Claude Desktop, Cursor, Windsurf, Zed, Codeium, OpenAI Agents, Gemini, Copilot — can use it. The "N-by-M to N-plus-M" reduction is real. The 2026 trajectory is toward signed servers, audited registries, capability-scoped tokens, and runtime sandboxing.

Key facts

  • MCP was open-sourced by Anthropic on November 25, 2024, with Python/TypeScript SDKs and reference servers for Google Drive, Slack, GitHub, Git, Postgres, and Puppeteer (Anthropic announcement, 2024-11-25).
  • The wire protocol is JSON-RPC 2.0 transported over stdio, HTTP+SSE, or Streamable HTTP (spec revision 2025-06-18).
  • Three core server primitives: resources, tools, prompts; clients additionally expose sampling and roots (spec section "Server Features", 2025-06-18).
  • OpenAI committed to MCP in the Agents SDK on March 26, 2025; Google Gemini API added support April 2025.
  • Microsoft Copilot Studio announced GA MCP support on May 19, 2025 at Build 2025; Windows 11 integration same week.
  • CVE-2025-49596 (CVSS 9.4) — RCE in Anthropic's MCP Inspector via browser CSRF on no-auth default config (NVD, 2025-07-01).
  • CVE-2025-6514 (CVSS 9.6) — OS command injection in mcp-remote versions 0.0.5–0.1.15, 437,000+ weekly npm downloads (JFrog, 2025-07-09).
  • Equixly's April 2025 audit found command-injection vulnerabilities in approximately 43% of sampled MCP servers.
  • The official MCP registry preview launched at registry.modelcontextprotocol.io in September 2025.
  • The 2025-06-18 revision introduced OAuth 2.1 resource-server authorization, replacing the looser auth posture of the 2024-11-05 draft.

Related questions

Sources

LAB · ATOMEONS · MARCO ISLAND FLÆONS RESEARCH · 12 PAPERS · CC-BY 4.0ORANGEBOX v1.0.0-beta · TURBO-OPTIMIZE CLAUDE · SHIPPED 2026-05-30B00KMAKR v3.2.0 · AI PUBLISHING COCKPIT · MAC + WINDOWSFREE LAUNCH WEEK · ENDS JUNE 6 · §4A NO-SAAS LOCKFOUNDER'S VIEW · NEXT BROADCAST IN ...CITE THE WORK · FORWARD THE LINK · NO ALGORITHMLAB · ATOMEONS · MARCO ISLAND FLÆONS RESEARCH · 12 PAPERS · CC-BY 4.0ORANGEBOX v1.0.0-beta · TURBO-OPTIMIZE CLAUDE · SHIPPED 2026-05-30B00KMAKR v3.2.0 · AI PUBLISHING COCKPIT · MAC + WINDOWSFREE LAUNCH WEEK · ENDS JUNE 6 · §4A NO-SAAS LOCKFOUNDER'S VIEW · NEXT BROADCAST IN ...CITE THE WORK · FORWARD THE LINK · NO ALGORITHM