Model Context Protocol
Model Context Protocol, or MCP, is an open protocol for connecting AI applications to tools, data sources, prompts, and external context through a common interface.
Definition
Model Context Protocol is a standard interface for letting AI systems discover and use outside context. Anthropic announced MCP on November 25, 2024, describing it as an open standard for connecting AI assistants to content repositories, business tools, development environments, and other systems where useful data lives.
MCP is easiest to understand as an integration layer. Instead of every AI application building a custom connector for every database, file store, search index, ticketing system, calendar, code repository, or internal service, an MCP-compatible client can connect to an MCP server that exposes capabilities in a predictable shape.
Architecture
MCP clients are AI applications or agent runtimes that connect outward to MCP servers. A client may be a desktop assistant, coding tool, enterprise agent, ChatGPT app, developer platform, or automation environment.
MCP servers expose capabilities to clients. A server can provide access to files, databases, APIs, search tools, internal knowledge, code repositories, enterprise systems, or narrow workflows.
Resources, prompts, and tools are the main server-facing features described in the protocol. Resources provide contextual data, prompts provide reusable prompt templates or workflows, and tools expose callable actions.
Protocol messages use a layered design. The official specification describes base JSON-RPC message types, lifecycle management, capability negotiation, server features, client features, logging, and related utilities.
Transports and authorization matter because MCP may run locally or over HTTP. The 2025 authorization specification defines transport-level authorization for HTTP-based deployments and builds on OAuth 2.1-related mechanisms. Earlier versions did not make authentication and authorization part of the core protocol.
Adoption
MCP began as an Anthropic-led open source project. The official GitHub repository contains the specification, protocol schema, and documentation, and names David Soria Parra and Justin Spahr-Summers as its creators.
By 2025, MCP had moved beyond Anthropic's own products. Microsoft added MCP support to Copilot Studio in March 2025, describing it as a way to bring external data and APIs into agents while using enterprise connector infrastructure and governance controls. OpenAI's developer documentation now describes MCP as an open protocol becoming the industry standard for extending AI models with tools and knowledge, and documents remote MCP servers for ChatGPT apps, deep research, and API integrations.
Why It Matters
MCP turns context into infrastructure. It gives agent systems a standard way to reach outside the chat window and interact with the world of documents, services, permissions, and operational data.
That changes the practical meaning of AI deployment. A model without external context mostly answers from its training and conversation state. A model connected through MCP can retrieve current internal knowledge, call real tools, inspect repositories, query systems, and execute actions that affect live workflows.
MCP also changes institutional dependency. Once organizations expose their knowledge and operations through MCP servers, AI systems become part of the access layer. The protocol is not just a developer convenience; it is a doorway between model behavior and institutional reality.
Risk Pattern
Tool poisoning. Tool names, descriptions, schemas, and outputs become part of model context. A malicious or compromised server can present instructions that influence what the agent believes it is allowed or expected to do.
Prompt injection. MCP lets agents read untrusted content from files, websites, tickets, repositories, and internal systems. If the client does not separate data from authority, hostile text can attempt to redirect the model.
Confused deputy failures. The official MCP security guidance warns about proxy patterns where a server acting for a user can be tricked into granting or forwarding authority in ways the user did not intend.
Token and scope risk. Broad credentials create broad blast radius. The authorization specification warns that stolen tokens can let attackers access protected resources as if requests were legitimate, and the security guidance treats over-broad scopes as a recurring failure mode.
Local server compromise. Local MCP servers can bridge a model to a user's machine, files, or developer environment. That makes transport choice, process isolation, and local access control central rather than incidental.
False standard comfort. A common protocol can make an integration feel safe because it is standardized. Standardization improves interoperability; it does not automatically solve authorization, provenance, data labeling, prompt injection, or human approval.
Governance Requirements
First, MCP deployments need least privilege by default. Servers should expose only the resources and tools needed for a defined task, with narrow scopes, short-lived credentials, and clear revocation paths.
Second, clients need visible approval boundaries. OpenAI's MCP connector guidance describes approval prompts before data is shared with a remote MCP server by default. That pattern matters: users and institutions should know what context is leaving the local environment and what tool calls are being made.
Third, MCP registries and marketplaces need provenance discipline. A server should be identifiable, versioned, reviewed, and auditable. Lookalike servers, stale packages, hidden prompt instructions, and abandoned connectors become supply-chain risks.
Fourth, logs should record the full chain: user intent, server identity, tools listed, tool calls made, resource reads, approvals, returned data, errors, and final outputs. Without that trace, post-incident review becomes guesswork.
Spiralist Reading
MCP is plumbing for the Mirror.
It turns the agent from a conversational surface into a participant in institutional systems. The model can ask the archive, call the calendar, inspect the codebase, query the customer record, search the memory store, and return with an answer shaped by live context.
That is powerful and dangerous for the same reason. MCP makes AI less isolated, but it also gives machine mediation a clearer path into the places where organizations store memory and authorize action. The question is not whether context should be connected. The question is who controls the connection, what the model is allowed to treat as authority, and whether humans can still see the boundary.
Related Pages
- Anthropic
- Prompt Injection
- AI Agents
- Agent2Agent Protocol
- Tool Use and Function Calling
- AI Coding Agents
- Context Windows and Context Engineering
- Retrieval-Augmented Generation
- Agent-Native Internet
- Agent Tool Permission Protocol
- Agent Prompt Hardening
- Vendor and Platform Governance
- Agentic Commerce
- AI Browsers and Computer Use
Sources
- Anthropic, Introducing the Model Context Protocol, November 25, 2024.
- Model Context Protocol, Specification overview, 2024-11-05.
- Model Context Protocol, Authorization specification, 2025-06-18.
- Model Context Protocol, Security Best Practices.
- GitHub, modelcontextprotocol/modelcontextprotocol, official specification and documentation repository.
- Microsoft Copilot Blog, Introducing Model Context Protocol in Copilot Studio, March 19, 2025.
- OpenAI Developers, Building MCP servers for ChatGPT Apps and API integrations.
- OpenAI Developers, MCP and connectors.