Model Context Protocol (MCP): The USB-C of AI Integrations

Introduction
Why Context Matters
From Function-Calling to MCP — A Short History
Anatomy of the Protocol

4.1 Message Lifecycle
4.2 Client ↔ Server Roles
4.3 Transport & Security

Core Capabilities

File & Workspace Access
Tool Invocation
Streaming Events

Implementations in the Wild
Building an MCP Server from Scratch
Security Considerations
The Road Ahead
Conclusion

1. Introduction

In the early days of large-language-model (LLM) applications, every product team built a bespoke bridge between their model and the outside world. One integration per vendor, per data source, per tool—the classic N x M problem. By late 2024 this duct-tape approach was clearly unsustainable.

Enter the Model Context Protocol (MCP), an open standard spearheaded by Anthropic and quickly embraced by OpenAI, Google DeepMind, Replit, Sourcegraph, and dozens of other toolmakers[^verge]. MCP's goal is disarmingly simple:

Give any AI assistant a universal, secure USB-C port to read context and execute actions.

If you've experimented with the Language Server Protocol (LSP) you'll feel right at home—MCP deliberately borrows its JSON-RPC 2.0 message flow and capability-negotiation dance. But the scope is broader: files, HTTP requests, databases, browser automation, payments, even drones—if it speaks JSON, it can be an MCP tool.

In this post we'll unpack how MCP works, why it matters, and how to get your hands dirty writing your own MCP server.

2. Why Context Matters

LLMs are statistical parrots; they hallucinate when they lack grounding data. Retrieval-augmented generation (RAG) helps, but falls over when the required context lives behind an authenticated API or calls for real-time mutation ("send the customer a refund").

MCP treats context as a first-class citizen. A running assistant can:

Discover tools exposed by the host (e.g., fs.readFile, github.listPullRequests).
Request snippets of data to enrich its reasoning.
Invoke side-effectful actions with tight permission scopes.

The result is an agent that feels plugged in rather than trapped in a sandbox.

3. From Function-Calling to MCP — A Short History

Though MCP is a new standard, it's not the first attempt to standardize the integration of LLMs with external tools.

Year	Milestone	Limitation
2023	OpenAI `functions` API	Vendor-specific, read-only JSON schema.
2023	ChatGPT Plug-ins	HTTP only, OAuth friction, closed beta.
2024	Anthropic MCP v0.1	Open spec, bidirectional, local servers.
2025	OpenAI o3 adopts MCP	Cross-model interoperability, security reviews.

MCP didn't arrive in a vacuum—it's the pragmatic consolidation of lessons from earlier attempts. Think of it as function-calling 2.0 with streams, auth, and capability discovery baked in.

4. Anatomy of the Protocol

4.1 Message Lifecycle

All traffic is JSON-RPC 2.0 over WebSocket (or stdin/stdout for local servers). A typical flow:

sequenceDiagram
    participant Client (LLM)
    participant Server (Tool Host)
 
    Client->>Server: initialize(params)
    Server-->>Client: initialize/response (capabilities)
 
    Client->>Server: fs/readFile { path: "README.md" }
    Server-->>Client: fs/readFile/result { content: "# My Project" }
 
    Client->>Server: github/createIssue { title, body }
    Server-->>Client: progress/notify { id:42, pct:50 }
    Server-->>Client: github/createIssue/result { url:"…" }

The key idea: the model is just another JSON-RPC client.

4.2 Client ↔ Server Roles

MCP Client – the model runtime (Claude, GPT-o3, etc.).
MCP Server – any process exposing tools. Multiple servers can be daisy-chained.

A desktop IDE like Zed ships a local server; a SaaS like Wix proxies cloud tools behind a remote server.

4.3 Transport & Security

Auth: servers advertise supported methods (none, bearer, mTLS).
Permissions: every method declares a scope; clients must request scopes up-front.
Streaming: long-running calls emit $/progress notifications.

5. Core Capabilities

File & Workspace Access

{
  "method": "fs/readFile",
  "params": {
    "path": "src/app/page.tsx",
    "maxBytes": 16384
  }
}

The bread-and-butter of coding assistants. Reads are chunked; writes require explicit allowWrite scope.

Tool Invocation

Servers surface arbitrary verbs—from stripe/createCustomer to postgres/query. Each method ships a JSON Schema so the assistant can self-validate payloads before making the call.

Streaming Events

Agents thrive on incremental feedback. MCP streams partial results via $/progress and can be cancelled with $/cancel—crucial for UI responsiveness.

6. Implementations in the Wild

Claude Desktop – ships a local server exposing macOS Finder, Calendar, and shell commands.
Replit – their "AI Coder" talks to a workspace server granting code search and unit-test execution.
Sourcegraph Cody – uses MCP to index huge monorepos without slurping gigabytes into context tokens.
Cloudflare Workers – a wrangler mcp:deploy command lets you host serverless MCP endpoints at the edge.
OpenAI Agents SDK – went GA in March 2025 with crystal-clear docs on writing adapters.

7. Building an MCP Server from Scratch

Below is the skeleton of a TypeScript server that exposes a single calculator/add method.

/* eslint-disable no-console */
import { WebSocketServer } from 'ws'
import { createRpcServer } from 'mcp-ts'
 
const wss = new WebSocketServer({ port: 8080 })
 
wss.on('connection', (socket) => {
  const rpc = createRpcServer(socket)
 
  rpc.register('initialize', () => ({
    protocolVersion: '0.1.0',
    capabilities: ['calculator/add']
  }))
 
  rpc.register('calculator/add', ({ a, b }: { a: number; b: number }) => a + b)
 
  console.log('MCP client connected')
})

Run it, then point your favourite assistant at ws://localhost:8080. Voilà!

8. Security Considerations

MCP's power is a double-edged sword. Researchers have already demonstrated:

Prompt injection via shared tools - a malicious document can whisper fs.deleteHomeDir.
Tool squatting - a fake github/* method that exfiltrates private code.
Chained tool exploits - combining fs.readFile with curl.post to leak secrets.

Best practices:

Principle of least privilege - export the smallest possible surface area.
User-visible permissions UI - think Android intents.
Content scanning - strip or escape !@tool: directives in user-authored files.

9. The Road Ahead

The MCP steering group is working on:

v0.2 capability namespaces - prevent name collisions.
Binary streaming - send large blobs without base64 overhead.
Formal security model - inspired by Chrome extensions' manifest v3.
Spec merge with lang-chain schema - convergence of agent ecosystems.

Expect vibrant debate, but the consensus seems clear: MCP is winning.

10. Conclusion

For AI builders in 2025, wiring an assistant to real-world tools shouldn't feel like soldering wires—it should be as simple as plugging in a cable. Model Context Protocol does for AI what USB-C did for hardware: one connector to rule them all.

Whether you're shipping an enterprise knowledge bot or the next killer coding IDE, learning MCP is quickly moving from nice-to-have to table stakes. Grab the spec, spin up a toy server, and let your models finally talk to the universe.

"In the history of software, protocols that shrink integration costs win. MCP is on track to become the TCP/IP of the agentic era."

Demis Hassabis, CEO Google DeepMind[^techcrunch]

[^verge]: Roth, Emma. "Anthropic launches tool to connect AI systems directly to datasets." The Verge (Nov 2024). [^techcrunch]: Wiggers, Kyle. "OpenAI adopts rival Anthropic's standard for connecting AI models to data." TechCrunch (Mar 2025).