What MCP is
MCP is an open protocol, introduced by Anthropic in November 2024, that standardizes how AI apps connect to external tools, data, and prompts. The tagline: "USB-C for AI" — one connector between models and the world. Messages use JSON-RPC 2.0.
The problem it solves: M×N → M+N
Without a standard, connecting M AI apps to N tools means M×N bespoke integrations. MCP lets each app implement a client once and each tool ship a server once → M + N. That "integration explosion" framing is the canonical interview answer for why MCP exists.
Architecture — three roles (candidates conflate these)
- Host — the AI app the user interacts with (Claude Desktop, an IDE like Cursor, a custom agent). Manages the LLM and orchestrates clients.
- Client — lives inside the host; keeps a 1:1 stateful connection to a single server. N servers = N clients.
- Server — a program that exposes capabilities (a GitHub server, a Postgres server). Servers hold no LLM; they just expose primitives.
Three primitives — by who controls invocation
- Tools (model-controlled) — functions the model chooses to invoke to act (query a DB, send email).
tools/list,tools/call. - Resources (app-controlled) — read-only data/context the host decides to surface, addressed by URI.
resources/read. - Prompts (user-controlled) — pre-authored templates the user explicitly selects (a slash command).
prompts/get.
Mnemonic: Tools = model decides, Resources = app decides, Prompts = user decides.
Transport & auth (where stale content goes wrong — be current)
- stdio — the client launches the server as a subprocess (JSON-RPC over stdin/stdout). For local servers.
- Streamable HTTP — for remote servers: a single HTTP endpoint handling POST (client→server) and optional SSE (server→client). This replaced the deprecated "HTTP+SSE" two-endpoint transport from the original spec. Servers MUST validate the
Originheader (DNS-rebinding defense) and bind locally to127.0.0.1. - Auth (rewritten 2025): MCP servers are OAuth 2.0 Resource Servers (not authorization servers). The current spec (
2025-06-18) requires Protected Resource Metadata (RFC 9728) so clients discover the auth server, and Resource Indicators (RFC 8707) so a token minted for server A can't be replayed against server B; auth follows OAuth 2.1. Anything pre-2025 describing MCP servers issuing their own tokens is outdated.
MCP vs plain function calling (the key exam question)
Function calling is a model capability — emitting a structured call. MCP is a protocol/transport standard for where tools live and how they're discovered and served, decoupled from any one model vendor. MCP servers are discoverable and hot-pluggable at runtime, reusable across any host, process-isolated (can run remotely in their own security context), and add resources and prompts — not just tools. Under the hood a host still surfaces MCP tools to the model via normal function calling; MCP standardizes the plumbing behind it. OpenAI adopted MCP in March 2025, which tipped it from "Anthropic thing" to cross-vendor standard.