Resources

Fundamentals

What is MCP? A practical guide to the Model Context Protocol

A practical explanation of MCP, how clients, servers, tools, resources, and prompts fit together, and what changes when MCP is used in production.

11 min readUpdated 2026-06-27
MCPModel Context ProtocolAI agentsTool use

Written by RTT Intelligence Engineering

Technical notes from the team building governed MCP surfaces for OpenAPI APIs and database scopes.

Reviewed for practical implementation

Focused on usable architecture, security boundaries, and production tradeoffs rather than generic definitions.

MCP in one sentence

MCP, short for Model Context Protocol, is a standard way for AI applications to discover and use external tools and context.

Before MCP, every AI app tended to wire tools in its own way. One integration format for a desktop assistant, another for an editor, another for an internal agent, and so on. MCP gives the ecosystem a common pattern: a client asks a server what tools are available, then calls those tools with structured arguments.

That sounds simple, but it changes the operating model. Instead of pasting secrets into prompts or writing a one-off adapter for every AI client, teams can publish a controlled tool surface that multiple clients understand. The protocol does not make a system secure by itself; it gives teams a predictable interface where security, policy, and observability can be added in a backend layer.

Core architecture

The easiest way to understand MCP is to separate the host, client, server, and primitives.

ConceptWhat it meansExample
MCP hostThe AI application that coordinates one or more MCP clients.Claude Desktop, Cursor, VS Code, or an internal agent workspace.
MCP clientThe connection manager inside the host. A host can create one client per server.A client connected to a GitHub server and another client connected to a database server.
MCP serverThe program or remote service that exposes capabilities to clients.A server that lists support-ticket tools or exposes approved database metadata.
ToolsExecutable functions the AI client may request.create_ticket, search_orders, get_customer_status.
ResourcesContext data the server can provide to the client.A document, schema description, file, or application context object.
PromptsReusable interaction templates exposed by the server.A support triage prompt or a query-planning prompt.

How tool discovery and execution work

A typical MCP tool flow has two important steps: list the tools, then call one tool with structured input.

During discovery, the client asks the server for available tools. The server returns names, descriptions, and input schemas. The model or agent runtime can then decide which tool looks relevant for the user's task.

During execution, the client sends a tool call request to the server. The server validates the request, executes the underlying action if allowed, and returns a structured result. In production, this is where identity, scope, rate limits, redaction, and audit logging should happen.

Simplified MCP tool discovery and call flow

json
{
  "tool_discovery": {
    "method": "tools/list",
    "server_returns": [
      {
        "name": "search_orders",
        "description": "Search orders by customer, status, or date range.",
        "inputSchema": {
          "type": "object",
          "properties": {
            "customerId": { "type": "string" },
            "status": { "type": "string" }
          }
        }
      }
    ]
  },
  "tool_execution": {
    "method": "tools/call",
    "name": "search_orders",
    "arguments": {
      "customerId": "cus_123",
      "status": "open"
    }
  }
}

Why MCP matters for product teams

MCP matters because tool access is where AI moves from answering questions to touching real systems.

A model can write a good answer from static text, but a useful business agent often needs current data, internal APIs, or approved operational actions. MCP gives those capabilities a standard interface that can work across multiple clients instead of being tied to one model vendor's function-calling format.

This is especially useful when the same business capability should be available in more than one place: an IDE, a support console, an internal assistant, and a workflow automation agent. A team can maintain one server-side tool surface instead of recreating the same integration in every client.

What changes in production

In production, MCP is not only a connector pattern. It becomes part of the access and operations model.

  • Credentials should live server-side, not in prompts or copied into every local client config.
  • Tool names and descriptions should be curated so the model can choose the right capability without guessing.
  • Input schemas should be narrow enough to validate before an upstream API, database, or workflow is touched.
  • Tools should be observable: teams need logs, errors, latency, caller identity, and redaction rules.
  • High-risk actions should require stronger policy, confirmation, or a smaller published tool surface.

When MCP is the right fit

MCP is strongest when a team wants reusable AI-facing access to real capabilities, not just a single prompt demo.

SituationWhy MCP helps
Multiple AI clients need the same toolsThe server exposes one tool catalog that compatible clients can discover.
Existing systems already have APIsMCP can sit in front of selected operations without forcing the upstream API to become agent-aware.
A database needs controlled AI accessSchema metadata and executor tools can be separated so the model sees structure without receiving unrestricted data access.
Security review mattersTool publication, validation, credentials, limits, and logs can be treated as product controls instead of prompt conventions.

Common implementation mistakes

Most early MCP mistakes come from treating the protocol as the whole product instead of the interface layer.

MistakeWhy it causes troubleBetter pattern
Expose every available operationThe model sees noisy, risky, or irrelevant tools.Publish a small curated catalog with precise descriptions.
Use broad credentials in the clientLocal config becomes a weak security boundary.Keep upstream credentials in the server or gateway layer.
Let the model decide policyA model suggestion is not authorization.Validate identity, scope, input, and operation state before execution.
Skip observabilityTeams cannot debug or audit tool usage.Log calls with redaction, latency, caller, result state, and policy decisions.

Sources and further reading

Common questions

Is MCP an API?

MCP is a protocol for AI applications to discover and call tools. The tools may call APIs behind the scenes, but MCP itself is the interface between the AI client and the tool server.

Is MCP only for local desktop tools?

No. MCP can be used with local servers and remote servers. Local servers are common for developer tools, while remote servers are important when teams need centralized credentials, policy, and observability.

Does MCP replace REST APIs?

No. MCP often sits in front of existing APIs, databases, or services. It gives AI clients a tool-oriented way to use those systems.

Why do teams need governance around MCP?

MCP tools can touch real systems. Teams need governance for credentials, tool scope, validation, logging, rate limits, and change control.

What is the biggest practical MCP risk?

The biggest risk is exposing tools that are too broad or weakly validated. MCP standardizes the interface, but the server still has to enforce authorization, input validation, and safe execution.