What is the Model Context Protocol (MCP)?

The wire protocol that lets an AI client call tools and read data from external servers over JSON-RPC 2.0. Anthropic released the first draft on November 25, 2024. Three roles in the spec. Client. Server. Host. Auth is OAuth 2.1. Governance moved to the Agentic AI Foundation, a Linux Foundation directed fund, on December 9, 2025. The supporting members read like a list of companies that rarely sign the same document: Anthropic, OpenAI, Block, Google, Microsoft, AWS, Cloudflare, Bloomberg. Which is the main reason CISOs stopped flagging it as a single-vendor risk.

How is MCP different from a REST API or a plugin system?

A REST API is a bespoke HTTP contract, one per product. A plugin system is vendor-specific by design. MCP is narrower and more useful. A model-facing tool-calling JSON-RPC protocol. Published spec, OAuth 2.1 authorization, SDKs in Python, TypeScript, C#, and Java. The practical payoff is portability. The same GitHub MCP server runs under Claude, ChatGPT, Cursor, Microsoft Copilot, and Visual Studio Code without per-client glue code. That glue is the part that used to eat most of the integration budget.

How many MCP servers and clients exist?

The Nerq Q1 2026 census indexed 17,468 servers across registries. Only 12.9% scored high-trust on documentation and maintenance; a long tail exists, and curation is still a real problem. Client support spans roughly 300 products. Claude. ChatGPT. Cursor. Gemini. Microsoft Copilot. Visual Studio Code. Visual Studio 2026 Insiders. Combined Python and TypeScript SDK downloads hit 97 million per month in March 2026, a 970x lift from April 2025's 8 million.

Does MCP require OAuth?

For any server exposing protected resources, yes. The current spec treats MCP servers as OAuth 2.1 resource servers. Three revisions shaped what that means in practice. June 2025 split the MCP server from the authorization server under RFC 9728. November 2025 made PKCE mandatory. March 15, 2026 made RFC 8707 resource indicators mandatory. That last one has teeth: the resource parameter must appear in both authorization and token requests, so a token minted for one server cannot be replayed against another. The due-diligence question writes itself. Does your server validate the resource indicator on every token? If the answer hedges, the answer is no.

What is the difference between MCP and RAG?

Different layers of the stack. RAG (Retrieval-Augmented Generation) is a pattern for grounding a model's answer in retrieved documents. MCP is a wire protocol for how the model calls tools at all. Orthogonal, not competing. Most production systems end up running both. The MCP server exposes the vector store or SQL engine. The RAG strategy decides how the agent uses it. Pipe on one side, decision-making on top of the pipe. The full side-by-side is at /comparisons/mcp-vs-rag.

Model Context Protocol (MCP), explained

Where MCP came from

Anthropic open-sourced MCP on November 25, 2024, with reference servers for Google Drive, Slack, GitHub, Git, Postgres, and Puppeteer, and SDKs in Python, TypeScript, C#, and Java [1]. Block and Apollo were the first two named enterprise adopters. The framing was narrow: end the bilateral integration problem where every AI client re-invented its own way to call tools.

Adoption moved faster than the launch deck predicted. By April 2025 monthly SDK downloads had crossed 8 million. By March 2026 the number had reached 97 million, a 970x lift in eighteen months [3]. OpenAI added MCP support in March 2025, Microsoft in July 2025, and AWS through Bedrock AgentCore in October 2025 [4].

On December 9, 2025, Anthropic announced it would donate MCP to the newly formed Agentic AI Foundation (AAIF), a directed fund under the Linux Foundation co-founded with Block and OpenAI [2]. Supporting members include Google, Microsoft, AWS, Cloudflare, Bloomberg, and Intuit [5]. For CISOs who had quietly flagged single-vendor governance as a procurement risk, that was the threshold event.

The three roles in the spec, and the fourth that emerged

The specification names three participants. A client renders the interaction to the user. Examples include Claude Desktop, Cursor, ChatGPT, Microsoft Copilot, Visual Studio Code, and roughly three hundred others as of April 2026. A host runs the model and orchestrates the tool-call loop. A server exposes data, prompts, or tools through a JSON-RPC 2.0 surface [6].

Production deployments added a fourth role the spec does not describe: the gateway. A gateway sits between many clients and many servers, authenticates each call, enforces per-tool policy, logs the traffic, and brokers enterprise credentials so the user never pastes a Snowflake PAT into a prompt. AWS ships one as AgentCore Gateway; Cloudflare ships one as MCP Server Portals. We cover the pattern in the MCP Gateway entry.

Authorization, briefly

The auth surface is the part that moved the most. An MCP server acts as an OAuth 2.1 resource server; the MCP client is an OAuth 2.1 client making protected-resource requests on behalf of the user. Three revisions mattered for procurement: June 2025 split the MCP server from the authorization server and introduced Protected Resource Metadata under RFC 9728; November 2025 made PKCE mandatory and replaced ad-hoc client registration with Client ID Metadata Documents; March 15, 2026 made RFC 8707 resource indicators mandatory to prevent token mis-redemption between tools [7].

This term is often misused. For example, vendors claiming "MCP auth" that have not implemented RFC 8707 resource indicators are a full spec revision behind as of April 2026. The short due-diligence question: does the server validate the resource indicator on every token?

Why enterprise buyers care

Before MCP, integration was bilateral. After MCP, tooling is portable: the same GitHub server works in Claude, Cursor, and ChatGPT. That shifts the vendor-lock conversation away from the integration layer (where it was always a dead weight) toward the model and platform layers, where honest procurement discussions can happen.

The Nerq Q1 2026 census indexed 17,468 MCP servers across registries, though only 12.9% scored "high trust" on documentation, maintenance, and reliability [8]. The practical reading: a long tail exists, curation remains a real problem, and programs that vet servers against the AAIF governance process run into fewer surprises.

Frequently asked

Model Context Protocol (MCP), the common questions

What is the Model Context Protocol (MCP)?

The wire protocol that lets an AI client call tools and read data from external servers over JSON-RPC 2.0. Anthropic released the first draft on November 25, 2024. Three roles in the spec. Client. Server. Host. Auth is OAuth 2.1. Governance moved to the Agentic AI Foundation, a Linux Foundation directed fund, on December 9, 2025. The supporting members read like a list of companies that rarely sign the same document: Anthropic, OpenAI, Block, Google, Microsoft, AWS, Cloudflare, Bloomberg. Which is the main reason CISOs stopped flagging it as a single-vendor risk.
Who created MCP and who governs it today?

Anthropic, on November 25, 2024. Single-vendor origin. CISOs flagged that quietly as a procurement risk for most of 2025, and they were right to. December 9, 2025 closed the objection. Anthropic donated the project to the Agentic AI Foundation (AAIF), a directed fund under the Linux Foundation co-founded with Block and OpenAI. Day-to-day technical direction still sits with the maintainers, guided by the Specification Enhancement Proposal (SEP) process. The neutral-governance conversation now passes the laugh test, which is all most procurement committees were asking for.
How is MCP different from a REST API or a plugin system?

A REST API is a bespoke HTTP contract, one per product. A plugin system is vendor-specific by design. MCP is narrower and more useful. A model-facing tool-calling JSON-RPC protocol. Published spec, OAuth 2.1 authorization, SDKs in Python, TypeScript, C#, and Java. The practical payoff is portability. The same GitHub MCP server runs under Claude, ChatGPT, Cursor, Microsoft Copilot, and Visual Studio Code without per-client glue code. That glue is the part that used to eat most of the integration budget.
How many MCP servers and clients exist?

The Nerq Q1 2026 census indexed 17,468 servers across registries. Only 12.9% scored high-trust on documentation and maintenance; a long tail exists, and curation is still a real problem. Client support spans roughly 300 products. Claude. ChatGPT. Cursor. Gemini. Microsoft Copilot. Visual Studio Code. Visual Studio 2026 Insiders. Combined Python and TypeScript SDK downloads hit 97 million per month in March 2026, a 970x lift from April 2025's 8 million.
Does MCP require OAuth?

For any server exposing protected resources, yes. The current spec treats MCP servers as OAuth 2.1 resource servers. Three revisions shaped what that means in practice. June 2025 split the MCP server from the authorization server under RFC 9728. November 2025 made PKCE mandatory. March 15, 2026 made RFC 8707 resource indicators mandatory. That last one has teeth: the resource parameter must appear in both authorization and token requests, so a token minted for one server cannot be replayed against another. The due-diligence question writes itself. Does your server validate the resource indicator on every token? If the answer hedges, the answer is no.
What is the difference between MCP and RAG?

Different layers of the stack. RAG (Retrieval-Augmented Generation) is a pattern for grounding a model's answer in retrieved documents. MCP is a wire protocol for how the model calls tools at all. Orthogonal, not competing. Most production systems end up running both. The MCP server exposes the vector store or SQL engine. The RAG strategy decides how the agent uses it. Pipe on one side, decision-making on top of the pipe. The full side-by-side is at /comparisons/mcp-vs-rag.