Skip to main content
mcpai agentsintegrationsinfrastructureprotocols

What an MCP Server Actually Is (and Why Operators Should Care)

Plain-English explainer of Model Context Protocol servers, clients, and hosts — and why every operator wiring AI agents to real tools needs to understand MCP now.

Mark Lighty · Editor in Chief ·

If your agent can reason beautifully but can’t touch your CRM, query your database, or read a Slack thread, it’s a very expensive chatbot. That’s the gap Model Context Protocol — MCP — was built to close. It has moved faster than almost any open standard in recent memory, and operators who don’t understand its basic plumbing are going to make costly architectural decisions. Here’s what you actually need to know.

The Problem MCP Solves

Even the most sophisticated models are constrained by their isolation from data — trapped behind information silos and legacy systems. Every new data source requires its own custom implementation, making truly connected systems difficult to scale.

The engineering label for this is the N×M integration problem. In a multi-system enterprise, every one of N tools must be integrated with every one of M models or agents, causing unmanageable complexity as the ecosystem grows.

Instead of every AI tool building integrations with every service, MCP introduces a standardized protocol — GitHub builds one MCP server, Google Drive builds one, Slack builds one. The equation changes from N×M to N+M integrations. A massive reduction in complexity.

What MCP Actually Is

The Model Context Protocol (MCP) is an open standard and open-source framework introduced by Anthropic in November 2024 to standardize the way AI systems like large language models integrate and share data with external tools, systems, and data sources. Think of it less like a library and more like a shared grammar — a contract that any compliant tool and any compliant model can speak.

Think of it as a USB-C port for AI: any compliant host (Claude, ChatGPT, Cursor, VS Code Copilot) can plug into any compliant server and immediately discover and use its capabilities.

The protocol is open source, spec-versioned by date, and has achieved industry-wide adoption backed by competing giants including OpenAI, Google, Microsoft, AWS, and now governance under the Linux Foundation.

The Three-Layer Architecture

MCP has three distinct roles. Getting these straight matters because operators often conflate “server” and “client” here, which leads to bad purchasing and build decisions.

The Host is the AI application the user interacts with. The host is the AI application that coordinates clients and uses provided context — examples include Claude Desktop, VS Code with Copilot, and Cursor. It manages multiple MCP clients, one per connected server.

The Client lives inside the host and manages individual connections. Communication in the MCP ecosystem between the host and server must go through a client. This client exists within the host and converts user requests into a structured format that the open protocol can process. Multiple clients can exist with a singular MCP host, but each client has a 1:1 relationship with an MCP server.

The Server is what operators are usually building or buying. The server is the external service that provides context to the LLM by converting user requests to server actions — examples include Slack, GitHub, Git, Docker, or web search. It can be local (a process on the same machine) or remote (a hosted service over HTTPS).

What a Server Actually Exposes

MCP defines three core primitives — things a server can offer to a host. Tools are actions the AI can ask the server to perform; think of them as functions the AI can call (e.g., create_github_issue). Resources are structured data sources that the AI can read, providing context without requiring active queries. Prompts are predefined templates or instructions that help shape the AI’s behavior for specific tasks.

Under the hood, all communication travels via JSON-RPC, transformed into a stateful session protocol, meaning clients and servers can continually interact within an established session. This matters operationally: agents can call a tool, get results, and continue reasoning in the same session, enabling multi-step logic and complex workflows with context retained server-side if necessary.

One subtle but critical point: even with Model Context Protocol, the input/output to/from LLMs remain text only — the LLM cannot directly invoke code or talk to the MCP server. Instead, when the LLM wants to invoke an MCP tool, it outputs JSON in a particular format corresponding to a JSON-RPC call. The host application detects this, invokes the tool, and feeds the result back. The model never touches the wire directly.

Where MCP Sits in an Agent Stack

If you’re running agent infrastructure — whether that’s CrewAI, n8n, Lindy, or something custom built with Claude Code — MCP is the layer that connects your agent’s reasoning loop to actual systems. Without it, you’re writing bespoke API connectors for every tool, maintaining auth flows manually, and rebuilding this plumbing every time a tool changes its schema.

For coding agents specifically — Cursor and Claude Code both support MCP natively — this means a single server can give an agent access to your docs, your database, and your deployment pipeline without a single line of custom integration code per tool. By making it easier for developers to connect agents to many different sources of data, it’s now possible to provide agentic systems with more detailed and rich context than would otherwise be possible without significant time and investment.

For browser and web-action agents like Browser Use, MCP servers can expose structured tool APIs that replace fragile DOM scraping with deterministic function calls.

Adoption Is Real, Not Hype

MCP went from 100,000 downloads in November 2024 to 97 million monthly SDK downloads by late 2025.

The ecosystem now counts over 5,800 MCP servers and 300-plus MCP clients.

In March 2025, OpenAI officially adopted MCP, having integrated the standard across its products including the ChatGPT desktop app.

Following that announcement, the protocol was adopted by major AI providers including OpenAI and Google DeepMind. The spec itself is actively maintained — the June 2025 MCP spec update classifies MCP servers as OAuth Resource Servers and requires MCP clients to implement Resource Indicators (RFC 8707). Auth is no longer an afterthought.

The Security Reality Operators Need to Hear

MCP’s power comes with real surface area. In April 2025, security researchers released an analysis concluding there are multiple outstanding security issues with MCP, including prompt injection and poisoned tools that allow for data exfiltration through other connected tools.

The practical guidance: deploy comprehensive security measures including OAuth 2.1 authentication, role-based access controls, version pinning to prevent unauthorized updates, and trust domain isolation. Treat all tool logic and MCP servers as potentially untrusted, and implement private registries for curated server deployments. Don’t wire an MCP server with broad database permissions and no scope controls just because it’s quick to stand up.

What This Means for How You Build

MCP is not a product you buy — it’s infrastructure you adopt. The practical operator checklist is short:

  1. Audit what your agents can’t reach today. If the answer includes your CRM, your docs, your internal APIs, you have an integration debt problem that MCP can systematically reduce.
  2. Prefer MCP-native tooling. When evaluating agent platforms, check whether they expose or consume MCP natively. Platforms that don’t are betting against the standard that every major AI lab has already committed to.
  3. Treat every server as a trust boundary. Scope permissions tightly, pin versions, and don’t let agent-facing servers have write access to systems that don’t need it.
  4. Watch the spec. MCP is still evolving fast. The major spec release on November 25, 2025 introduced a Tasks API for long-running operations, so agents can kick off asynchronous jobs via MCP and check back later for results — crucial for scaling AI workflows without blocking interactive sessions.

Bottom line: MCP is the closest thing the AI tooling world has to agreed-upon plumbing for connecting models to real systems, and it has the cross-industry backing to stay that way. Operators who understand the host/client/server separation and build their agent stacks around MCP-compatible components will spend far less time on integration debt. The security risks are real but addressable — scope your servers tightly and stay current with the spec.

About the author

Mark Lighty

Editor in Chief

Mark Lighty is the Editor in Chief of AI Runs My Company. He's an independent operator and software engineer who builds production AI agent systems across legal-tech, growth, and outbound automation, and writes here about the patterns separating working deployments from demos. He works daily with Claude Code, the Anthropic API, MCP-based tool surfaces, Clay-style enrichment workflows, and the agent-orchestration patterns this site covers.

Get in touch

Pitch a tool, send a correction, or just say hi — we read everything.

Contact us