Model Context Protocol
The Model Context Protocol (MCP) is an open protocol that standardizes how AI applications connect to external tools, data sources, and services.
Released in November 2024, MCP uses a client-server architecture with JSON-RPC 2.0 messaging to establish stateful sessions between AI applications and context providers. The protocol was inspired by the Language Server Protocol (LSP), which standardized how development tools interact with programming languages.
MCP addresses the combinatorial complexity of integrating multiple LLMs with multiple tools, known as the "M×N problem," by providing a unified protocol that both LLM vendors and tool builders can follow. Rather than requiring custom adapter code for each integration, MCP converts the M×N problem into a more manageable M+N problem, where a single implementation on each side enables universal interoperability. The protocol focuses solely on context exchange and does not dictate how AI applications use LLMs or manage the provided context.
The protocol ecosystem includes the MCP specification, official SDKs for TypeScript, Python, Java, Kotlin, C#, Swift, Rust, and Dart, development tools such as the MCP Inspector, and reference server implementations. By March 2025, over one thousand community-built MCP servers and thousands of MCP-integrated applications had been deployed. [[OpenAI]] adopted MCP in March 2025, with CEO Sam Altman stating that "People love MCP, and we're excited to add support for it in our products." [[Google|Google DeepMind]] announced support for the standard in April 2025. At Google I/O in May 2026, the company announced that Gemini Spark, its flagship 24/7 personal AI agent, connects to third-party tools through MCP, and launched Antigravity 2.0 with first-party Google Workspace MCP servers for Gmail, Drive, Calendar, Chat, and People API — leading industry observers to declare the protocol debate effectively settled for the agent era. By December 2025, the ecosystem had grown to over 10,000 active public MCP servers and 97 million monthly SDK downloads, with the protocol accumulating over 37,000 GitHub stars in under eight months. By April 2026, monthly SDK downloads had reached 110 million — a milestone that took React three years to achieve. A Nerq census in Q1 2026 indexed 17,468 MCP servers, with remote server deployments growing 400% since May 2025 and 59% of servers using Streamable HTTP transport. TanStack released @tanstack/ai-mcp in June 2026, a host-side MCP client library that transforms any MCP server into typed tool arrays for use with any AI provider adapter, with edge-deployable Streamable HTTP as its primary transport.
On December 9, 2025, Anthropic transferred stewardship of the protocol to the Agentic AI Foundation (AAIF) under the Linux Foundation, with founding members including Amazon, Anthropic, Block, Bloomberg, Cloudflare, Google, Microsoft, and OpenAI. The AAIF grew to 190 organizations through two expansion waves in 2026, adding members including JPMorgan Chase, American Express, Red Hat, Stripe, F5, GoDaddy, and TRON alongside research institutions, government agencies, and South Korean and European AI engineering firms. The first half of 2026 saw MCP transition from a promising experiment to infrastructure through a series of milestones: MCP Apps shipped in January as the protocol's first official extension, co-developed by Anthropic and OpenAI with same-day support across Claude, ChatGPT, Goose, and VS Code; more than 30 MCP-related CVEs were filed in January and February, establishing tool poisoning as a mainstream security concern; the 2026 roadmap was published in March with enterprise readiness as its top priority; and the largest specification revision since launch locked as the 2026-07-28 release candidate in May, introducing a stateless protocol core with _meta-based client information, server/discover RPC, and a formal deprecation policy. Agentgateway joined the AAIF as its fourth hosted project in June 2026, with contributors including AWS, Microsoft, Cisco, Adobe, and Apple. The first MCP Dev Summit was held in New York City in April 2026 with approximately 1,200 attendees. Two subsequent MCP Dev Summit India events in Bangalore and Mumbai (June 2026) drew nearly 100 developers each, where the dominant conversation had shifted from building MCP servers to governing them at scale — enterprises managing 20+ servers and 50+ developers reported no central audit trail, credential sprawl, and critical governance gaps. Two flagship conferences — AGNTCon + MCPCon Europe in Amsterdam (September 17–18) and AGNTCon + MCPCon North America in San Jose, California (October 22–23) — anchor the 2026 calendar, alongside regional MCP Dev Summits in Seoul, Shanghai, Tokyo, Toronto, and Nairobi.
By early 2026, MCP entered a phase of broader scrutiny alongside its rapid growth. A benchmark found that when connecting to multiple servers, up to 72% of an agent's context window could be consumed by tool schema definitions alone. Mitigations emerged at the client layer — Claude Code implemented progressive tool discovery achieving approximately 85% token reductions, and Cloudflare introduced Code Mode, which collapsed all tool definitions into two search-and-execute tools for a 94% reduction in token overhead. The gateway pattern emerged as the dominant architectural approach for enterprise deployments, with organizations converging on a centralized gateway paired with a registry as the control plane for all agent interactions. Virtual MCP Servers, tool aliasing, and semantic tool search emerged as key patterns for managing multi-server deployments at scale. Security researchers identified widespread vulnerabilities across the ecosystem: a systematic study of 67,057 MCP servers across six public registries found 833 servers with exploitable vulnerabilities, and an OWASP MCP Top 10 framework formalized ten critical risk categories. Independent surveys converged on 38-41% of MCP servers having no authentication whatsoever, with only 8.5% using OAuth. In May 2026, the NSA's Artificial Intelligence Security Center issued its first formal security guidance on MCP, identifying serialization risks, trust boundaries, and agent misuse as significant concerns. In June 2026, an IETF Internet-Draft formally analyzed recurring MCP vulnerability classes and introduced Protocol Pivoting as a cross-protocol lateral-movement pattern. Academic research produced the first formal security analysis of MCP (arXiv:2601.17549), identifying three architectural vulnerabilities and demonstrating that the proposed MCPSec extension reduced successful attacks from 52.8% to 12.4%. The nginx-ui vulnerability (CVE-2026-33032, CVSS 9.8) became the most high-profile MCP-specific CVE, actively exploited in the wild within weeks of disclosure, and a fundamental design flaw in the STDIO transport mechanism was disclosed potentially affecting over 200,000 server deployments. Six documented real-world security incidents spanning 2025 to 2026 demonstrated that traditional security monitoring was not designed to detect MCP attack patterns. Academic research further demonstrated that LLMs cannot reliably self-enforce tool access control via prompts, with role escalation attacks achieving up to 96% unauthorized invocation, while a proxy-enforced attribute-based access control layer achieved 0% by filtering tools at discovery time. Enterprise security platforms emerged to provide content firewalls, immutable audit logging, and zero-trust identity management for MCP deployments. By mid-2026, MCP was transitioning through the Gartner Hype Cycle's trough of disillusionment, with critics citing token overhead, security concerns, and protocol complexity, while enterprise adoption continued to accelerate through centralized gateway architectures, OAuth 2.1 standardization, and the forthcoming specification update. In parallel, the MCP-AX Internet-Draft was published with the IETF in May 2026, specifying a hierarchical aggregation protocol that extends MCP to resource-constrained embedded devices through transport bridging and recursive namespace delegation.
MCP Apps, released in January 2026 and standardized under SEP-1865, extended the protocol to support interactive UI components through sandboxed iframes with bidirectional JSON-RPC over postMessage, and was adopted by Claude, ChatGPT, VS Code with GitHub Copilot, Goose, Postman, Microsoft 365 Copilot Chat, and Elastic within months. The MCP-Cosmos research framework (arXiv:2605.09131, May 2026) demonstrated that world model-augmented MCP agents raised tool call success rates from 77.7% to 100% and parameter accuracy from 31.3% to 61.0%. A specification update planned for July 2026 — the largest revision of the protocol since launch — introduced a stateless protocol core enabling horizontal scalability on plain HTTP infrastructure, a formal extensions framework under which MCP Apps and Tasks became the first official extensions, authorization hardening with OpenID Connect alignment, and a formal deprecation policy with Roots, Sampling, and Logging deprecated. The 2026 MCP roadmap shifted from milestone-based releases to priority-driven development across four areas: transport evolution and scalability, agent communication, governance maturation, and enterprise readiness. The first alpha of the MCP Python SDK v2 shipped on June 19, 2026, rewriting the SDK core for the stateless protocol, with the new Dispatcher pipeline replacing ServerSession and FastMCP renamed to MCPServer. A comprehensive migration guide covering all seven breaking changes — stateless core, required headers, error code migration, caching semantics, trace context standardization, deprecations, and JSON Schema 2020-12 — was published alongside the release candidate.
Enterprise MCP adoption accelerated across multiple sectors. Salesforce released the Data 360 MCP Server as an open-source developer preview, consolidating 200 REST API endpoints behind three facade tools. The Summer '26 release introduced Salesforce Hosted MCP Servers as a centerpiece of the Headless 360 initiative, offering both pre-built standard servers (SObject CRUD, SOQL, Data 360, Tableau) and custom servers built from Apex, Flows, REST endpoints, and Prompt Builder. [[Google|Google Cloud]] announced the general availability of the Remote MCP Server for AlloyDB as part of a rollout of over 50 Google-managed MCP servers, enabling AI agents to securely connect to operational data in AlloyDB with fine-grained IAM authorization and Model Armor security. [[Smartsheet]] expanded its MCP Server from Claude-only to support ChatGPT, Microsoft Copilot, and Gemini Enterprise, reporting 22,000+ unique users, 3 million AI actions, and weekly tool calls growing from 42,000 to over 700,000 since launch. [[Pinterest]] built an internal MCP ecosystem with 66,000 monthly invocations and an estimated 7,000 hours saved per month, alongside an external advertiser-facing Pinterest MCP server in alpha. [[Workato]] expanded its Enterprise MCP catalog to 48 pre-built servers covering content creation, agreement workflows, and enterprise integrations. [[HashiCorp]] released the Terraform MCP Server v1.0 for both HCP Terraform and Terraform Enterprise. [[Atsign]] expanded its AI Architect product with MCP integration for visual system design. Workable launched a native MCP server with 59 tools across recruiting and HR at no additional cost. [[Nexla]] launched MCP Studio for building governed, task-specific MCP servers across 600+ enterprise systems. Sectigo introduced the industry's first globally available MCP server for certificate lifecycle management. eXo Platform released an MCP server exposing 98 tools across 10 digital workplace capability domains. [[Solana|Solana Foundation]] published an official MCP portal for blockchain developer tooling. Xinhua Finance (China's state financial information platform) launched a comprehensive MCP service matrix with 30+ core services across six categories, covering 200+ countries and 68 million market entities. [[Tencent Cloud]] built an extensive MCP ecosystem including 34+ cloud product MCP tools and an MCP Hub strategy driving the transition from Function Call integrations to standardized protocol adoption. [[Valona Intelligence]] launched an MCP server for competitive and market intelligence across 200,000+ verified sources. [[Lifesight]] launched an MCP connector for unified marketing measurement. [[Florence Healthcare]] released MCP access across 11 clinical workflow tools serving 65,000 research sites. [[Digital Realty]] launched ServiceFabric MCP, extending AI-native control surfaces to over 800 data centers for Private AI infrastructure management. [[LoginRadius]] delivered enterprise-grade MCP authorization using OAuth 2.1 with PKCE. [[Lasso]] released the first open-source security-centric MCP gateway for agentic workflows. [[Ambition]] launched an MCP integration for revenue performance teams, providing a permission-aware execution layer for coaching, pipeline, and sales methodology data. [[Sumsub]] became the first identity verification platform to enable AI agents to configure full compliance workflows from AML policy documents automatically. [[Nexxen]] launched nexAI with both MCP and A2A interoperability in the advertising technology space. [[Atlan]] announced Context Agents and expanded MCP servers at Snowflake Summit 2026, reporting 17x customer adoption growth. [[Quantifi]] opened the first MCP closed beta for commercial risk analytics, giving AI coding assistants direct access to 1,500+ API members. [[Webull]] launched an MCP server for retail investing, enabling natural-language trading through conversational AI. The MCP Java SDK reached version 2.0.0, tracking the 2025-11-25 specification with Streamable HTTP as the primary transport and JSON Schema 2020-12 validation. China's Ministry of Industry and Information Technology opened public consultation on MCP application security requirements in March 2026, signaling regulatory engagement with the protocol in the world's largest AI market. The Agent-to-Agent protocol reached v1.0 with a formal Technical Steering Committee, and Google's A2A and Anthropic's MCP were positioned as complementary layers in an emerging multi-protocol agent stack. Enterprise MCP deployments from Block, Microsoft, Forbes, Cloudflare, Autodesk, and Uber confirmed MCP was operating at production scale across ride-sharing, retail, financial data, and professional services.