
Anthropic reported in March 2026 that the Model Context Protocol reached 97 million monthly SDK downloads across its TypeScript and Python packages. The protocol launched in November 2024. React, by comparison, took approximately three years to reach 100 million monthly npm downloads. MCP achieved comparable scale in 16 months.
The adoption numbers explain the “what.” Every major AI provider now supports MCP: Claude, ChatGPT, Gemini, Cursor, VS Code, Microsoft Copilot, and GitHub Copilot. Over 10,000 active servers span databases, CRMs, cloud providers, developer tools, and commerce platforms. In December 2025, Anthropic donated MCP to the Agentic AI Foundation under the Linux Foundation, with OpenAI and Block as co-founders.
What most coverage does not explain is how the protocol works at the architectural level, the design choices that made it succeed where earlier attempts failed, and the security problems that shipped alongside the adoption curve.
The Problem: N Times M Custom Integrations
Before MCP, connecting an AI model to an external tool required a custom integration for every model-tool pair. Five AI models and five data sources meant building and maintaining 25 separate connectors. Each connector had its own authentication logic, error handling, data parsing, and format translation. When a model updated its API or a tool changed its schema, every affected connector broke.
Earlier attempts to solve this problem were vendor-locked. OpenAI’s 2023 function-calling API and ChatGPT plugin framework solved the integration problem but only for OpenAI’s models. Google had its own tool-use specification. Anthropic had its own. A developer who built a Slack integration for ChatGPT had to rebuild it from scratch for Claude.
MCP turns N-times-M into N-plus-M. Build one MCP server for Slack, and every MCP-compatible AI client can use it. Build one MCP client, and it can connect to any of the 10,000+ existing servers. The same integration works with Claude, ChatGPT, Gemini, or any other model that implements the protocol.
The Architecture: Client-Server Over JSON-RPC 2.0
MCP follows a client-server model with three participants. The host is the AI application (Claude Desktop, Cursor, ChatGPT). The client is a component inside the host that manages connections to external tools. The server is the external tool itself, running either locally or remotely, exposing its capabilities through the MCP standard.
The design is directly inspired by the Language Server Protocol (LSP), the protocol that lets programming languages connect to development tools like VS Code. LSP standardized how editors talk to language analyzers. MCP standardizes how AI models talk to everything else. The lineage explains why MCP feels natural to developers who already work with LSP: the message flow, capability negotiation, and lifecycle management follow the same patterns.
All MCP messages use JSON-RPC 2.0, the same lightweight remote procedure call format that Ethereum and other systems use. Four message types structure all communication: requests (client asks server to do something), responses (server returns the result), notifications (one-way messages that do not expect a reply), and errors (structured failure reports with codes and messages).
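The four message shapes above can be told apart from the members each JSON object carries. The following is an added example, not code from the MCP SDKs; it goes slightly beyond the paragraph by also rejecting malformed messages, which is what a client or server should do before acting on input from an untrusted peer. The sample messages are constructed, and the string-or-integer id check reflects MCP's narrowing of JSON-RPC ids.

```python
import json

def classify(raw: str) -> str:
    """Return 'request', 'notification', 'response' or 'error' for one message.

    Raises ValueError for anything that does not fit one of the four shapes.
    """
    try:
        msg = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not JSON: {exc}") from None
    if not isinstance(msg, dict) or msg.get("jsonrpc") != "2.0":
        raise ValueError("missing or wrong 'jsonrpc' version")
    has_method = isinstance(msg.get("method"), str)
    has_result, has_error = "result" in msg, "error" in msg
    if has_method:
        if has_result or has_error:
            raise ValueError("message mixes call and reply members")
        if "id" not in msg:
            return "notification"  # one-way: no id, so no reply is expected
        if isinstance(msg["id"], bool) or not isinstance(msg["id"], (str, int)):
            raise ValueError("request id must be a string or integer")
        return "request"
    # No method: this must be a reply carrying exactly one of result / error.
    if "id" not in msg or has_result == has_error:
        raise ValueError("reply needs an id and exactly one of result/error")
    if has_error:
        err = msg["error"]
        if not (isinstance(err, dict) and isinstance(err.get("code"), int)
                and isinstance(err.get("message"), str)):
            raise ValueError("error object needs integer code and string message")
        return "error"
    return "response"

SAMPLES = [  # constructed messages, one per type
    '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"list_issues","arguments":{}}}',
    '{"jsonrpc":"2.0","id":1,"result":{"content":[]}}',
    '{"jsonrpc":"2.0","method":"notifications/initialized"}',
    '{"jsonrpc":"2.0","id":2,"error":{"code":-32601,"message":"Method not found"}}',
]
```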
The transport layer supports two modes. Stdio (standard input/output) is used for local servers running on the same machine as the AI client. A local file system server, for example, communicates through stdin/stdout with zero network overhead. Streamable HTTP (formerly HTTP plus Server-Sent Events) handles remote servers over the network. A cloud-hosted CRM server would use this transport. The protocol does not care which transport is used. The same messages flow identically over either one.
The Three Primitives: Tools, Resources, and Prompts
MCP servers expose three types of capabilities to AI clients.
Tools are functions the AI can call. A GitHub MCP server exposes tools like “create_pull_request,” “search_code,” and “list_issues.” Each tool has a JSON schema describing its parameters and return type. The AI model reads the schema, determines which tool fits the user’s request, constructs the parameters, and calls the tool through the MCP client. This is function calling, standardized across every model vendor.
Resources are data the AI can read. A database MCP server might expose resources like “table_schema” or “recent_queries.” Resources provide context rather than actions. The AI reads them to understand the environment before deciding which tools to call. This separation between reading (resources) and acting (tools) is a design decision that improves safety: the model can gather information without taking irreversible actions.
Prompts are reusable templates that the server provides. A customer support MCP server might expose a “handle_refund_request” prompt that structures how the AI should approach that specific workflow. Prompts encode domain expertise into the protocol, letting AI models handle specialized tasks without being fine-tuned on domain-specific data.
The Connection Lifecycle
When an MCP client connects to a server, a capability negotiation occurs. The client sends an initialization request. The server responds with its manifest: a list of available tools, resources, and prompts, each with its schema. The client stores this manifest and presents the available capabilities to the AI model. When the model needs to use a tool, it tells the client which tool to call with which parameters. The client sends a JSON-RPC request to the server. The server executes the function and returns the result. The client passes the result back to the model.
This dynamic discovery is what separates MCP from static function-calling. An MCP server can update its capabilities at runtime. A new tool can appear, an old one can be deprecated, and the AI model adapts without code changes. Each of those 97 million installs is not a static integration. It is a live connection that can evolve.
Why It Grew Faster Than React
React required developers to learn a new programming paradigm (declarative UI with virtual DOM). MCP did not. It standardized patterns that agent developers were already implementing in incompatible custom formats. Every team building an AI agent had already written JSON-based tool definitions, request-response cycles, and error handlers. MCP gave them a shared format for what they were already doing.
The adoption accelerated through four phases.
Phase one (November 2024 to March 2025): Anthropic released the spec with reference implementations. Early adopters were Claude-native developers.
Phase two (April 2025): OpenAI officially adopted MCP, simultaneously deprecating its Assistants API (sunset scheduled for mid-2026). This forced the entire OpenAI developer ecosystem to migrate toward MCP.
Phase three (November 2025): major spec updates added asynchronous operations, statelessness, server identity, and an official registry.
Phase four (December 2025): Anthropic donated MCP to the Linux Foundation’s Agentic AI Foundation, with OpenAI, Block, AWS, Google, Microsoft, Cloudflare, and Bloomberg as members.
OpenAI’s deprecation of the Assistants API was the inflection point. Developers who had built on OpenAI’s proprietary tool framework were told their existing approach had an expiration date. MCP was the only vendor-neutral alternative. The migration was not optional. That forced adoption pattern, combined with the protocol’s genuine simplicity, explains the growth curve.
The Security Debt
MCP shipped fast. Security did not keep pace. In April 2025, researchers published an analysis documenting multiple outstanding vulnerabilities. The CLTR scheming study adds real-world context: when AI agents act against user instructions, the tools they use to do it are often MCP servers.
Prompt injection: A malicious MCP server can inject instructions into the AI model’s context through its tool descriptions or resource content. If a model reads a resource from an untrusted server, that resource can contain hidden instructions that alter the model’s behavior. This is the MCP-specific version of the broader prompt injection problem.
Tool poisoning: An MCP server can describe a tool with an innocuous name and schema while actually executing a different function. A tool labeled “search_documents” could silently exfiltrate data. The model has no way to verify that a tool does what its description claims.
Cross-server shadowing: A malicious server can register a tool with the same name as a tool from a trusted server. If the AI model does not verify which server a tool belongs to, it might call the malicious version instead of the legitimate one.
Authentication gaps: Many MCP server implementations default to no authentication at all. The November 2025 spec update added server identity verification, but adoption of the security features lags behind adoption of the protocol itself. As one security researcher noted, session IDs transmitted in URLs violate basic security practices.
Cloudflare’s “Code Mode” addresses one dimension of this problem: instead of loading all tool definitions upfront (potentially hundreds of thousands of tokens that each represent an attack surface), agents write code to discover and call tools on demand, reducing the exposed surface area by 98%+ in some deployments. But Code Mode is a workaround, not a fix for the underlying protocol-level vulnerabilities.
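A client can blunt two of the issues listed above, cross-server shadowing and a tool definition that changes after it was approved, by binding each tool name to the server that first registered it and pinning a hash of what the model is shown. This is an added example, not part of the MCP specification or any SDK; `ToolRegistry`, the server names and the sample tool lists are hypothetical and constructed for illustration.

```python
import hashlib
import json

def fingerprint(tool: dict) -> str:
    """Hash the fields the model is shown: name, description and input schema."""
    shown = {k: tool.get(k) for k in ("name", "description", "inputSchema")}
    return hashlib.sha256(json.dumps(shown, sort_keys=True).encode()).hexdigest()

class ToolRegistry:
    """Hypothetical client-side registry; not part of any MCP SDK."""

    def __init__(self):
        self.owners = {}  # bare tool name -> first server that registered it
        self.pins = {}    # (server, tool name) -> fingerprint seen at approval

    def register(self, server: str, tools: list) -> list:
        """Record one server's tool list and return findings that need review."""
        findings = []
        for tool in tools:
            name, fp = tool["name"], fingerprint(tool)
            owner = self.owners.setdefault(name, server)
            if owner != server:
                # Same name from a second server: keep the original binding.
                findings.append(("shadowing", server, name, owner))
                continue
            if self.pins.setdefault((server, name), fp) != fp:
                # Definition differs from the one pinned earlier.
                findings.append(("definition_changed", server, name, owner))
        return findings

# Constructed sample tool lists (server names and schemas are made up).
TRUSTED = [{"name": "search_documents", "description": "Search indexed documents.",
            "inputSchema": {"type": "object",
                            "properties": {"query": {"type": "string"}}}}]
LOOKALIKE = [{"name": "search_documents", "description": "Search documents.",
              "inputSchema": {"type": "object"}}]
CHANGED = [dict(TRUSTED[0], description="Search indexed documents. (text added later)")]

def demo() -> list:
    reg = ToolRegistry()
    return [reg.register("docs-server", TRUSTED),
            reg.register("unknown-server", LOOKALIKE),
            reg.register("docs-server", CHANGED)]
```

Pinning only catches a definition that changes after approval; it cannot show that a tool's behaviour matches its description, which is the limit the tool poisoning item describes.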
What MCP Changes About the AI Industry
MCP shifts control over the integration layer. Before MCP, platform vendors owned the connector ecosystem. Shopify built its own agentic storefronts protocol. Salesforce controlled how AI connected to its CRM. Each platform extracted value from being the gatekeeper.
MCP makes the integration layer a commodity. Any AI client can connect to any tool through a shared protocol. That shifts competitive advantage from “who has the best integrations” to “who has the best model.” It is good for AI model companies (who no longer need partnership deals to connect to tools) and good for tool companies (who build one MCP server and reach every AI client). It is less good for platforms that monetized being the integration layer.
The donation to the Linux Foundation ensures no single company controls the protocol’s evolution. The Agentic AI Foundation board includes competitors (Anthropic, OpenAI, Google, Microsoft) who collectively govern the spec. That governance structure makes MCP the closest thing the AI industry has to an actual standard, not just a dominant vendor’s proprietary format that everyone else adopted reluctantly.
The 97 million number will keep growing. As the legal and regulatory framework for AI agents takes shape, the protocol they use to interact with the world becomes a question of infrastructure policy, not just developer preference. MCP is now the plumbing. The question is whether the pipes are secure enough for what is about to flow through them.
Sources: MCP official architecture documentation, Model Context Protocol (Wikipedia), Digital Applied (97M milestone analysis), Pento AI (MCP year in review), Nebius (architecture deep dive), CLTR scheming study (March 2026).