MCP Protocol Explained: How AI Agents Connect to External Tools in 2026

ByL.B. Kaelin

In early 2025, if you wanted an AI agent to query a Postgres database, send a Slack message, and read a file from GitHub, you needed three custom integrations written in three different tool formats. The LangChain agent spoke one language. The OpenAI Assistants API spoke another. The Claude tool-use format spoke a third. Each integration had to be built, tested, and maintained separately for every agent framework and every model provider. That fragmentation cost engineering teams weeks of effort per tool and locked organizations into single-vendor stacks. The Model Context Protocol (MCP) was designed to eliminate that cost entirely.

MCP is an open standard, initially released by Anthropic in late 2024 and now governed as a multi-stakeholder protocol, that defines a single, universal interface between AI agents and the external tools, data sources, and services they connect to. Think of it as the USB-C of AI integrations: one protocol, one connection pattern, and any MCP-compatible agent can use any MCP-compatible server without custom adapter code. As of April 2026, MCP is supported by Claude Desktop, ChatGPT, Visual Studio Code, Cursor, OpenClaw, AWS Bedrock, and dozens of other platforms. The ecosystem includes over 200 MCP servers covering everything from filesystem access and database queries to GitHub, Slack, Postgres, web search, and enterprise CRM systems. This article explains how MCP works at the protocol level, what it standardizes, what it does not, and how you can use it today.

The Problem MCP Solves

Before MCP, every AI agent framework defined its own tool interface. An agent built on LangChain described tools as structured JSON schemas embedded in a system prompt. An agent using OpenAI’s Assistants API defined tools through the API’s function calling endpoint. An agent running on Anthropic’s Claude used a different tool format entirely. A developer building an AI application that connected to three external tools across two frameworks effectively had to build six integrations.

This was not just a developer inconvenience. It had real economic and operational consequences:

  • Repeated integration work. Every tool integration had to be built at least twice — once for each agent framework. An organization maintaining a multi-model agent stack multiplied that cost by every provider.
  • Vendor lock-in. Once you built deep integrations into one framework’s tool system, switching to another meant rebuilding everything. This made it expensive to evaluate new providers or optimize model selection per use case.
  • No shared ecosystem. A well-built integration for GitHub on one platform could not be reused on another. The community could not build a shared repository of tool connectors because there was no standard interface to build against.
  • Enterprise scaling pain. Large organizations with dozens of internal systems (CRM, ticketing, code repos, databases, monitoring) faced an exponentially growing integration surface. Each new agent platform meant negotiating tool access all over again.

MCP solves these problems by standardizing the interface between the agent and the tool. Build one MCP server for your Postgres database, and any MCP-compatible agent — running on any model, on any platform — can query that database. The integration work moves from “build for every framework” to “build once for the protocol.”

MCP Architecture: Hosts, Clients, and Servers

MCP follows a client-server architecture with three distinct roles:

  • MCP Host. The AI application that coordinates the agent’s operation. Examples include Claude Desktop, OpenClaw, Visual Studio Code, and ChatGPT. The host creates and manages connections to one or more MCP servers.
  • MCP Client. A component inside the host that maintains a dedicated connection to a single MCP server. A host with four connected servers runs four MCP clients, one per connection.
  • MCP Server. A standalone process that exposes capabilities — tools, resources, prompts — to connected clients. A server can be local (running as a subprocess on the same machine) or remote (accessible over HTTP).

Here is how the architecture maps in practice:

┌──────────────────────────────────────────┐
│              MCP Host                     │
│  (Claude Desktop / OpenClaw / VS Code)    │
│                                           │
│  ┌──────────┐  ┌──────────┐  ┌──────────┐│
│  │Client #1  │  │Client #2  │  │Client #3  ││
│  │ (GitHub)  │  │ (Slack)   │  │ (DB)      ││
│  └─────┬────┘  └─────┬────┘  └─────┬────┘│
└────────┼────────────┼────────────┼───────┘
         │            │            │
    ┌────▼────┐  ┌────▼────┐  ┌────▼────┐
    │  MCP     │  │  MCP     │  │  MCP     │
    │  Server  │  │  Server  │  │  Server  │
    │ (GitHub) │  │ (Slack)  │  │ (Postgres)│
    └─────────┘  └─────────┘  └─────────┘

The protocol itself operates in two layers:

  • Data layer. Built on JSON-RPC 2.0, this layer defines the message structure, lifecycle management (initialization with capability negotiation, operation, and termination), and the three core primitives (resources, tools, and prompts).
  • Transport layer. Defines how messages move between client and server. MCP supports three transport mechanisms: stdio, Server-Sent Events (SSE), and Streaming HTTP.

The protocol is stateful by default. Client and server maintain an active connection, negotiate capabilities at initialization, and can send notifications when available tools or resources change.

What MCP Servers Can Expose: Resources, Tools, and Prompts

MCP defines three server-side primitives, each corresponding to a different capability an MCP server can offer to an AI agent.

Tools

Tools are executable functions the agent can invoke. A database query tool, a Slack message sender, a file search utility — these are all tools. Each tool has a name, a human-readable description, and an input schema defined in JSON Schema format. The agent discovers available tools through the tools/list endpoint and invokes them through tools/call.

Tools are the primitive most people associate with MCP. They represent actions the agent can take in the world. When an agent decides it needs to send a notification, it calls the appropriate tool with the required parameters, and the MCP server executes the action and returns the result.

Resources

Resources are data sources the agent can read. A file on disk, a database record, an API response payload — any structured or unstructured data identified by a URI. Resources are read through the resources/read endpoint. Where tools represent actions, resources represent information the agent consumes to make decisions or generate responses.

Resources support URI-based addressing, content type negotiation, and subscription patterns. A server can notify connected clients when a resource changes, enabling reactive agent behaviors.

Prompts

Prompts are reusable templates that structure interactions between the agent and the language model. They include system prompt templates and few-shot examples. A prompt might define how the agent should format its response when querying a specific database or how it should present data retrieved from a CRM system.

Prompts give server authors a way to encode domain-specific interaction patterns that the consuming agent can leverage without reinventing the prompt structure for each integration.

Client-Side Primitives

MCP also defines three client-side capabilities. Sampling allows the server to request a language model completion from the host’s model — useful when the server needs model access without including its own SDK. Elicitation allows the server to request input from the user, enabling interactive confirmation workflows. Logging allows the server to send structured log messages to the client for debugging and monitoring.

Transport Options: stdio, SSE, and HTTP Streaming

MCP supports three transport mechanisms, each suited to different deployment scenarios.

stdio (Standard Input / Output)

The stdio transport launches the MCP server as a child process of the host and communicates through the process’s stdin and stdout. This is the simplest and most secure transport: there is no network exposure, no ports to open, and no authentication to manage. The server runs on the same machine as the agent, with the same filesystem and network access as the host process.

stdio is ideal for local development tools, filesystem servers, and any scenario where the tool and the agent share a machine. It is also the fastest transport, since data never leaves the local process boundary.

One critical implementation detail: servers using stdio must never write to stdout for logging or debugging purposes. Any output on stdout will corrupt the JSON-RPC message stream. Logging must go to stderr or a file.

Server-Sent Events (SSE)

The SSE transport uses HTTP for client-to-server communication and Server-Sent Events for server-to-client streaming. This enables remote MCP servers to push notifications, streaming responses, and status updates back to connected clients.

SSE is well-suited for servers that provide real-time data — stock tickers, event streams, monitoring dashboards — where the server needs to push updates to the agent without waiting for a client request.

Streaming HTTP

Streaming HTTP is the recommended transport for remote MCP servers. It uses standard HTTP POST for client-to-server messages and supports optional streaming for responses. This transport works with standard HTTP infrastructure: load balancers, reverse proxies, CDNs, and API gateways.

Authentication is handled at the transport layer. Bearer tokens, API keys, and OAuth 2.0 are all supported, with OAuth recommended as the best practice for production deployments. The transport layer does not enforce a specific auth mechanism, allowing server operators to use whatever fits their existing infrastructure.

The MCP Ecosystem in April 2026

The MCP ecosystem has grown substantially since the protocol’s initial release. What started as an Anthropic-specific initiative is now a multi-stakeholder standard with broad platform support.

Platform Support

  • Claude Desktop and Claude Code. The original MCP hosts. Anthropic shipped MCP support in November 2024 and has continued to expand capabilities through 2025 and 2026.
  • ChatGPT. OpenAI added MCP support in early 2025, making it possible to use the same MCP servers across both major AI platforms.
  • OpenClaw. Native MCP support enables OpenClaw agents to connect to external tools through the protocol, complementing OpenClaw’s own skill system. Skills handle agent-native behavior; MCP handles external tool connections.
  • Visual Studio Code and Cursor. Both IDEs support MCP for agent-powered coding workflows, allowing AI coding assistants to access linting, testing, deployment, and monitoring tools through the protocol.
  • AWS Bedrock. AWS added MCP support through Bedrock AgentCore, marking the first major cloud provider to adopt the protocol.
  • MCPJam. A community platform for discovering and sharing MCP servers, similar to a package registry for protocol-based tools.

Available Servers

As of April 2026, over 200 MCP servers are available across these categories:

  • Version control: GitHub, GitLab
  • Communication: Slack, Discord
  • Databases: Postgres, SQLite, MySQL, MariaDB
  • File systems: Local filesystem, cloud storage (S3-compatible, GCS)
  • Web: Search (Bing, Brave, SearXNG), web scraping, browser automation
  • Development: Docker, Kubernetes, Sentry, PagerDuty, Jira
  • Monitoring: Datadog, Grafana, Prometheus
  • Enterprise: Salesforce, HubSpot, ServiceNow, Workday

The community continues to add servers weekly, and several companies now offer managed MCP server hosting as a service.

What MCP Is Not: Clearing Up Common Misconceptions

As MCP has gained adoption, several misconceptions have emerged. Here is what MCP is not.

MCP Is Not a Model Fine-Tuning Protocol

MCP has nothing to do with training or fine-tuning language models. It does not define training data formats, model architectures, or training procedures. MCP operates entirely at the application and integration layer.

MCP Is Not a Replacement for Function Calling

Function calling is a model-level interface that defines how the model requests a tool call in its output. MCP is a system-level interface that defines how the agent discovers and invokes tools. The two complement each other. An agent running on GPT-5 uses GPT-5’s native function calling to request tool calls, then routes those calls through MCP servers to execute them. MCP does not care what model is inside the agent, and the model does not care what protocol connects it to tools.

MCP Is Not an AI Security Protocol

MCP does not define authentication, authorization, or audit controls beyond basic transport-layer authentication. It does not specify how server access should be governed, how tools should be isolated from each other, or how tool outputs should be validated before being passed to the model. These concerns are left to the implementation. Security-conscious teams should treat MCP servers as untrusted and apply the same access controls and input validation they would apply to any external API.

MCP Is Not a Deployment or Orchestration Framework

MCP does not specify how servers are deployed, versioned, monitored, or scaled. It does not include service discovery, load balancing, or health checking. These are infrastructure concerns that the deployment environment must handle. MCP solves the integration problem without trying to solve every operational problem.

MCP Is Not Tied to Any Single Model Provider

Early adoption was driven by Anthropic because Anthropic built the first reference implementation, but the protocol is provider-agnostic. An MCP server built today works with any MCP-compatible host. This provider independence is the protocol’s strongest feature for enterprises seeking to avoid vendor lock-in.

MCP in OpenClaw: How to Connect External Tools to Your Agent

OpenClaw operators have two complementary systems for extending their agents: skills and MCP. Understanding the distinction between them is important for building effective agent workflows.

Skills Are Agent-Native Behavior

OpenClaw skills define how an agent behaves internally. A skill’s SKILL.md file contains instructions that guide the agent’s reasoning, tool use, and output formatting. Skills control the agent’s decision logic — what to prioritize, how to respond, which tools to invoke and in what order. Skills are unique to OpenClaw and are loaded into the agent’s context window.

MCP Connects External Tools

MCP servers provide OpenClaw agents with access to external systems: databases, APIs, file systems, communication platforms. An OpenClaw agent can connect to a Postgres MCP server to query customer data, a Slack MCP server to send notifications, and a GitHub MCP server to create pull requests — all without custom integration code.

How They Work Together

A typical pattern: a skill defines the workflow (“when the agent detects a production issue, it should query the error logs, create a Jira ticket, and notify the on-call engineer”), and MCP servers provide the connection to each system (Postgres for logs, Jira MCP server for ticketing, Slack MCP server for notifications). The skill tells the agent what to do. MCP tells the agent how to connect.

Configuring MCP in OpenClaw

To connect an MCP server to OpenClaw, you configure it in the host’s settings, typically through a configuration file or the OpenClaw dashboard. You specify the server’s transport (stdio for local servers, HTTP URL for remote servers) and any required authentication tokens. Once configured, the agent discovers the server’s capabilities automatically and can invoke its tools as needed.

OpenClaw’s permission model applies to MCP servers just as it applies to native tools. You can restrict which agents have access to which MCP servers and configure per-tool access controls.

Getting Started: Your First MCP Server

Building an MCP server is straightforward with the official SDKs. Here is a practical walkthrough using Python and the FastMCP library.

Prerequisites

  • Python 3.10 or higher
  • The mcp Python package (version 1.2.0 or higher)

Step 1: Set Up Your Project

mkdir my-mcp-server
cd my-mcp-server
python -m venv .venv
source .venv/bin/activate
pip install mcp httpx

Step 2: Define Your Server

Create a file called server.py and import the FastMCP class:

from mcp.server.fastmcp import FastMCP

mcp = FastMCP("my-tool-server")

Step 3: Add a Tool

Define a tool using the @mcp.tool() decorator. The function name, docstring, and type hints are automatically used to generate the tool’s JSON Schema:

@mcp.tool()
def calculate_delivery_time(
    distance_km: float,
    speed_kmh: float = 40.0
) -> str:
    """Calculate estimated delivery time based on distance and speed."""
    hours = distance_km / speed_kmh
    return f"Estimated delivery time: {hours:.1f} hours"

Step 4: Add a Resource

@mcp.resource("config://app")
def get_config() -> str:
    """Return the application configuration."""
    return "{\"version\": \"1.0\", \"mode\": \"production\"}"

Step 5: Run Your Server

mcp run server.py

This starts the server using the stdio transport, ready to connect to any MCP-compatible host. To connect it to OpenClaw or Claude Desktop, add the server’s command to the host’s MCP configuration file.

Production Considerations

For production deployments, consider the following:

  • Use the Streaming HTTP transport for remote servers that need to support multiple concurrent clients
  • Implement OAuth 2.0 authentication for all remote servers
  • Log to stderr or a file, not stdout (critical for stdio servers)
  • Implement proper error handling and return descriptive error messages
  • Consider rate limiting and connection pooling for high-traffic servers
  • Use environment variables or a secrets manager for API keys and credentials

Sources