Model Context Protocol (MCP) in 2026: The Standard for AI Tool Use
MCP became the de facto AI tool-use standard in 2025-2026: Anthropic, OpenAI, and Google all adopted it. Architecture, SDKs, security, gateway options.
Table of Contents
TL;DR: MCP in 2026
| Question | Answer |
|---|---|
| What is it? | An open standard for AI tool use, introduced by Anthropic November 2024 |
| Spec location | modelcontextprotocol.io |
| Adopted by | Anthropic Claude, OpenAI Agents SDK, Google Gemini, Cursor, Zed, many others |
| Transports | STDIO (local), Streamable HTTP (remote); SSE deprecated in spec rev 2025-03 |
| Wire protocol | JSON-RPC 2.0 |
| SDKs | Python, TypeScript (official); other languages vary or community-maintained |
| Primary primitives | Tools (callable), Resources (read-only), Prompts (templates) |
| Need a gateway? | Yes for enterprise: auth, audit, guardrails. FAGI Agent Command Center is the FAGI option. |
Why MCP Won in 2025 and 2026
Before MCP, every AI agent needed bespoke connector code for every tool. Claude integrated with GitHub differently from how gpt-4 integrated with GitHub, which was different from how Gemini integrated with GitHub. The same Postgres connector got rewritten three times.
Anthropic released the Model Context Protocol on November 25, 2024. The spec defines tools, resources, and prompts over JSON-RPC 2.0 with two transports (STDIO and HTTP). Within a year, OpenAI added native MCP support to its Agents SDK (announced March 2025), Google integrated MCP into the Gemini agent stack later in 2025, and the registry at modelcontextprotocol.io grew to hundreds of servers covering GitHub, Slack, Postgres, Google Drive, Stripe, Cloudflare, Linear, Notion, Sentry, and more.
What MCP solved: a single tool implementation runs against any compatible LLM. You write a GitHub MCP server once and it works with Claude, gpt-4o, Gemini, and any agent stack that speaks MCP. That cross-LLM portability is the entire reason MCP took off.
MCP Architecture: Hosts, Clients, Servers
MCP has three roles:
- Host: the user-facing application. Claude Desktop, Cursor, Zed, a custom Python agent. The host decides which servers to connect to and shows tool-call confirmations to the user.
- Client: a connection that lives inside the host. One client per server, one server per client. The client speaks JSON-RPC over the configured transport.
- Server: a process that exposes capabilities. A server advertises a set of tools (callable functions), resources (read-only blobs the LLM can read), and prompts (reusable templates the user can invoke).
+----------------+ +----------------+ +----------------+
| MCP Host | <----> | MCP Client | <----> | MCP Server |
| (Claude, IDE) | many | (one per srv) | one | (github, db, |
| | | | to one | fs, slack) |
+----------------+ +----------------+ +----------------+
JSON-RPC 2.0
STDIO or Streamable HTTPA single host typically connects to many servers. Each (client, server) pair is its own session; the host orchestrates them.
MCP Transports: STDIO vs Streamable HTTP
Two transports in the current spec:
- STDIO. The host launches the server as a subprocess and exchanges JSON-RPC messages over stdin/stdout. This is the default for local servers; it has zero network surface, the host controls lifecycle, and credentials stay on disk. Used for filesystem, local Postgres, local git, and tooling like Puppeteer.
- Streamable HTTP. The server listens on an HTTP endpoint; the client sends POSTs and reads the streamed response. This is the default for remote servers. The original SSE-only transport was deprecated in favor of Streamable HTTP in the 2025-03 spec revision.
OAuth 2.0 is the recommended auth scheme for remote servers. Bearer tokens, mTLS, and API keys are all possible depending on the host’s policy.
A Minimal MCP Server in Python
The official Python SDK (pip install mcp) makes a server about 30 lines. This server exposes one tool that fetches a URL:
import asyncio
import httpx
from mcp.server.fastmcp import FastMCP
mcp = FastMCP("fetch")
@mcp.tool()
async def fetch(url: str) -> str:
"""Fetch a URL and return the response text."""
async with httpx.AsyncClient(timeout=30) as client:
response = await client.get(url)
response.raise_for_status()
return response.text
if __name__ == "__main__":
asyncio.run(mcp.run_stdio_async())Wire it into Claude Desktop by adding to claude_desktop_config.json:
{
"mcpServers": {
"fetch": {
"command": "python",
"args": ["/abs/path/to/fetch_server.py"]
}
}
}Restart Claude Desktop and the fetch tool appears in the tool menu. For the full reference see the MCP Python SDK README.
A Minimal MCP Client in Python
import asyncio
from mcp import ClientSession, StdioServerParameters
from mcp.client.stdio import stdio_client
async def main() -> None:
params = StdioServerParameters(
command="python",
args=["fetch_server.py"],
)
async with stdio_client(params) as (read, write):
async with ClientSession(read, write) as session:
await session.initialize()
tools = await session.list_tools()
print("Tools:", [t.name for t in tools.tools])
result = await session.call_tool(
"fetch",
{"url": "https://example.com"},
)
print("Result:", result)
if __name__ == "__main__":
asyncio.run(main())This is the same pattern any host uses internally. The difference between an embeddable client and Claude Desktop is mostly UI plus credential storage.
Security: What MCP Solves, What It Doesn’t
MCP solves the integration sprawl problem. It does not solve:
- Prompt injection through tool descriptions and resource content. A malicious MCP server can ship a tool description that tries to manipulate the LLM. A malicious file fetched as a resource can carry injection payloads. The host has to defend against this.
- Capability creep. Hosts can expose broad tool sets unless users or administrators scope the available servers and tools. In a production agent you want to restrict the tool set per task.
- Audit and policy. The protocol gives you structured tool-call events; turning them into auditable traces, retention policies, and rate limits is the host or gateway’s responsibility.
This is where an MCP gateway helps. The gateway sits between the agent and the MCP servers, applies policy (which tools, which users, which arguments), records traces, and enforces guardrails on the inputs and outputs.
MCP Gateways, Hosts, and Clients in 2026
Distinguish two roles. A gateway is a router that sits between the agent and one or more MCP servers, centralizing auth, audit, and policy. A host is the user-facing app, and a client is the in-process connection.
Gateway and control-plane options for MCP in 2026:
- FAGI Agent Command Center (/platform/monitor/command-center). BYOK gateway with guardrails, traceAI observability, and policy on MCP tool calls. Designed for enterprise agents where you need to centralize key custody, audit every tool call, and screen tool inputs and outputs for prompt injection or PII leakage before they reach the LLM or the external API. The FAGI Protect guardrails library (turing_flash, turing_small, turing_large) can be wired into the gateway’s call path.
- Custom in-process routers built on the official Python or TypeScript SDK. Many teams start here for a single agent before standardizing on a managed gateway.
MCP hosts and clients commonly used in 2026:
- Anthropic Claude Desktop. A widely used MCP host with mcp.json local server configuration and tool-call confirmation prompts. Single-user.
- Cursor. MCP client built into the editor with mcp.json config; popular for developer agents.
- Cline and Continue.dev. Open source IDE agents with first-class MCP client support.
- OpenAI Agents SDK. Added native MCP client support in 2025; works with any spec-compliant MCP server.
For multi-agent backends, putting policy at the gateway layer (rather than in every agent) is the same architectural choice as API gateways for microservices.
Where Future AGI Fits in an MCP Stack
Two surfaces:
- Agent Command Center at
/platform/monitor/command-center: BYOK gateway for MCP servers and LLM providers with guardrails, key custody, audit logs, and the option to route through FAGI Protect (turing_flash ~1-2s cloud, turing_small ~2-3s, turing_large ~3-5s) before the tool call leaves the agent. The official FAGI MCP server is at docs.futureagi.com/docs/quickstart/setup-mcp-server. - traceAI (github.com/future-agi/traceAI, Apache 2.0): OpenTelemetry instrumentation for the agent’s LLM calls and tool calls. Pair it with the gateway to get end-to-end spans on every MCP exchange.
Further Reading
- Official spec: modelcontextprotocol.io
- Python SDK: github.com/modelcontextprotocol/python-sdk
- TypeScript SDK: github.com/modelcontextprotocol/typescript-sdk
- Server registry: github.com/modelcontextprotocol/servers
- Anthropic launch blog: anthropic.com/news/model-context-protocol
For wider agent-stack context see Top 5 LLM Observability Tools 2025, Open Source Stack for AI Agents in 2025, and Building Multi-Agent AI with Future AGI.
Frequently asked questions
What is the Model Context Protocol (MCP)?
Who adopted MCP in 2025 and 2026?
How is MCP different from OpenAI function calling?
What are MCP servers, MCP clients, and MCP hosts?
What transports does MCP support?
How secure is MCP?
What is an MCP gateway and why do I need one?
How do I get started with MCP in 2026?
API vs MCP in 2026: REST, gRPC, and GraphQL versus Model Context Protocol. Discovery, context streaming, security, versioning, and when to combine both.
Voice AI evaluation infrastructure in 2026: five testing layers, STT/LLM/TTS metrics, synthetic test harness, traceAI instrumentation, and Future AGI Simulate.
OpenAI Frontier vs Claude Cowork 2026 head-to-head: agent execution, governance, security, pricing, and the eval layer every CTO needs on top of both.
