Is MCP Dead? From Protocol Design to Production

Problem Space

Integrating AI models with external services required a custom adapter for each model‑to‑service pair, resulting in an N × M explosion of adapters, fragmented security boundaries, inconsistent context handling, and low ecosystem reuse.

Protocol Release Timeline

Initial Release (Nov 2024)

Anthropic open‑sourced Model Context Protocol (MCP) with TypeScript and Python SDKs. The protocol uses JSON‑RPC 2.0 and defines three core primitives— Tools , Resources , Prompts —and two transport methods: stdio and SSE . Roles are split into Host, Client, and Server.

Adoption Surge (H1 2025)

Third‑party MCP servers appeared for SaaS platforms (GitHub, PostgreSQL, Notion, Jira). Model providers (OpenAI, Google Gemini, Microsoft Copilot) added MCP support, and IDEs (Cursor, Windsurf, Zed, VS Code, JetBrains) integrated varying levels of MCP.

Key Iterations

June 2025 – OAuth‑based authentication: MCP servers become OAuth 2.1 Resource Servers; authentication is delegated to an independent Authorization Server.

Nov 2025 – Streamable HTTP transport replaces early SSE; a Tasks primitive is introduced for asynchronous, long‑running operations.

Dec 2025 – Anthropic donates MCP to the Linux Foundation’s Agentic AI Foundation (AAIF), making it a community‑driven standard.

Core Architecture

Host / Client / Server

Host runs the AI application (e.g., Claude Desktop, Cursor), enforces security policies, manages UI and session logic, and decides which MCP servers to connect.

Client lives inside the Host, maintains a one‑to‑one stateful connection to a Server, translates AI requests into JSON‑RPC messages, and handles connection lifecycle, subscriptions, and push notifications.

Server is a lightweight process exposing Tools, Resources, and Prompts. Each Server follows a single‑responsibility principle, enabling independent deployment and reuse.

Transport Layer

All transports use JSON‑RPC 2.0 messages.

stdio – Default local transport. The Host spawns the Server as a subprocess and communicates via stdin/stdout using a Content‑Length header. It offers zero‑network latency but has no built‑in authentication and does not scale horizontally.

Streamable HTTP – Standard for remote servers. Clients send HTTP POST requests; Servers stream results via Server‑Sent Events. Supports standard HTTP authentication (Bearer token, API key) and OAuth 2.1 flows, allowing cloud deployment and geographic distribution.

Primitives

Tools : Executable actions (API calls, DB writes, message sending) defined by JSON Schema. The model decides when to invoke them; the Server executes and returns results.

Resources : Read‑only data (file contents, query results, API responses) injected into context by the Host. Models cannot fetch Resources autonomously.

Prompts : Reusable workflow templates triggered by the UI and controlled by the Host.

Servers may also push notifications when available Tools or Resources change.

Production Guidelines

Authentication & Authorization

Remote MCP servers must implement OAuth 2.1 as Resource Servers and delegate authentication to an independent Authorization Server. Integration with existing SSO systems is recommended.

Least‑Privilege Principle

Server credentials should match the minimal required scope. Start with read‑only scopes and avoid wildcard scopes such as files:* or admin:*. Regularly review and tighten permissions.

Prompt‑Injection Mitigation

Treat all external data (PDFs, emails, web pages, API responses) as untrusted; sanitize before injecting into model context.

Human Approval for High‑Risk Operations

Tools that write, delete, or send data outward must be flagged for risk and require manual approval at the Host level. MCP explicitly mandates retaining a human veto capability.

Tool Poisoning Defense

Validate the provenance and version of Tool definitions to prevent hidden malicious commands (“Rug Pull”).

Connection Management

For Streamable HTTP servers, implement connection reuse and keep‑alive to avoid costly handshakes on every tool call.

Timeout Strategies

Set differentiated timeouts: lightweight queries (5–10 s), external API calls (≈30 s), and use the Tasks primitive for long‑running jobs to avoid blocking.

Streaming Responses

Prefer streaming large text outputs so AI clients can process partial results incrementally.

Tool Count Control

Limit the number of Tools exposed by a single Server; split functionality into multiple dedicated Servers to improve model selection accuracy and initialization performance.

Observability

Logging

Record each tool invocation with name, input, output (redacted as needed), latency, and error code.

Distributed Tracing

Assign a unique session_id to each MCP session and a call_id to each tool call to reconstruct the full call chain.

Metrics

Monitor tool success rates, P95/P99 latency distributions, error‑type breakdowns, and heatmaps of tool invocation frequency.

Version Management

MCP includes a handshake‑time version negotiation. Tool schema changes require careful handling.

Backward‑Compatible Changes

Add optional fields, extend enumerations, or modify descriptive text.

Breaking Changes

Removing fields, changing field types, or renaming Tools/fields requires a migration strategy, typically using semantic versioning and exposing both old and new versions (e.g., query_database_v2) with deprecation timelines.

Testing Strategy

Unit Tests

Validate Tool business logic and JSON Schema enforcement, including boundary and invalid‑input handling.

Integration Tests

Use MCP Inspector for end‑to‑end tool call verification across the JSON‑RPC link.

Security Tests

Run mcp‑scan in CI/CD pipelines to detect tool‑poisoning risks and fuzz test inputs that may be concatenated into SQL or shell commands.

Typical Scenarios

Codebase Q&A & Assisted Development : A GitHub MCP server fetches issues, PRs, and code files to provide context‑aware suggestions.

Automated Data Analysis : MCP servers connect to data warehouses, allowing natural‑language queries that generate and execute SQL.

Infrastructure Automation : K8s or cloud‑platform MCP servers enable natural‑language driven infra queries and actions with human‑approved high‑risk steps.

Customer Support & Ticketing : Integration with CRM and ticket systems lets AI retrieve order status or user info and perform standardized operations.

Future Roadmap (2026)

Transport & Scalability

Standardize session creation, migration, and recovery to reconcile stateful Server sessions with cloud‑native stateless scaling.

Task Enhancements

Define retry semantics and result‑expiry policies for failed Tasks based on production feedback.

Governance Maturity

Introduce contributor tiers and working groups to drive protocol evolution.

Enterprise Readiness

Finalize audit‑log standards, SSO integration guidelines, and formalize the MCP Gateway pattern.

Current Shortcomings

Discoverability : No neutral, quality‑vetted registry for MCP servers.

Testing Standardization : Lack of a unified compliance test suite; quality relies on developer diligence.

Multimodal Support : Specification is text‑centric; handling of images, audio, etc., is limited.

State Management : No standardized interface for persisting cross‑session state; applications must implement custom solutions.

Conclusion

MCP addresses the N × M integration problem with a clean JSON‑RPC‑based client‑server protocol released as open source, enabling rapid community iteration. It simplifies tool orchestration compared with pure Function Calling, but migration costs grow with tool count, multi‑provider needs, and enterprise governance requirements. MCP complements, rather than replaces, REST APIs; it does not solve model reasoning or automatically resolve security concerns.

References:

https://aaif.io/projects/model-context-protocol/

https://www.digitalapplied.com/blog/mcp-97-million-downloads-model-context-protocol-mainstream

https://www.truefoundry.com/blog/mcp-security-risks-best-practices

https://mcp-toolbox.dev/