Protocol
What is an MCP server
An MCP server is a process that exposes data and capabilities to an LLM client (Claude Desktop, Claude Code, Cursor, Windsurf, others) over the Model Context Protocol. It does three things: exposes Resources for the model to read, Tools for the model to call, and Prompts the user can invoke through the client.
What it does, mechanically
The server runs as either a local subprocess (stdio transport) or a remote
HTTP/SSE endpoint. The wire is JSON-RPC 2.0. On connect, the server completes
an initialize handshake with the client and advertises its supported
capabilities. The client then issues discovery requests against
resources/list, tools/list, and
prompts/list to learn what is available. From that point on the
client invokes tools, reads resources, and surfaces prompts to the user as
the session progresses.
The server is reactive. It does not call out on its own initiative. It
responds to JSON-RPC requests, emits notifications when its state changes
(for example notifications/tools/list_changed), and optionally
asks the client for things via the inverse client capabilities (Sampling,
Elicitation, Roots) when those were negotiated at initialize.
The three server-side primitives
Resources
Read-only data addressed by URI with content-type metadata. The client fetches a resource and streams it into the model's context. File contents, database schemas, API responses, log tails.
Tools
Invocable verbs with side effects. Each tool ships a JSON Schema describing its required and optional arguments. The client formats requests against the schema; the server executes and returns structured output or an error flag.
Prompts
Parameterized message templates the server makes available to the client. The client surfaces them to the user (typically as slash commands or quick actions), the user picks one, and the templated message becomes the next turn.
The lifecycle of a session
Six stages, in order:
- Launch. The client spawns the server (stdio) or opens an HTTP/SSE connection (remote).
- Initialize handshake. Client and server exchange protocol versions and identifying metadata.
- Capability negotiation. Server declares which of Resources, Tools, Prompts it implements; client declares which of Roots, Sampling, Elicitation it offers back.
- Discovery. Client issues
resources/list,tools/list,prompts/listand caches the schemas. - Invocation. The client invokes tools, reads resources, or surfaces prompts as the session needs them. Both sides may emit notifications when underlying state changes.
- Cleanup. The client closes the connection. A stdio server's process terminates; a remote server keeps running.
What runs the server
The MCP client runs the server. For stdio servers, the client (Claude Code, Claude Desktop, Cursor, etc.) spawns the server as a child process when the user opens a session and pipes JSON-RPC messages over stdin/stdout. For remote servers, the client opens an HTTP connection and uses Server-Sent Events for server-to-client streaming plus HTTP POST for client-to-server requests. The server author writes the server; the client author writes the spawning and connection logic; the user installs the server into the client via a per-client config file.
The privilege model
A local stdio MCP server runs with the same OS permissions as the client
process that spawned it. It can read whatever environment variables, files,
and credentials that process can read. The protocol does not sandbox
anything. Installing a third-party MCP server carries the same threat model
as running npm install against an unverified package or
executing a downloaded binary. Review the source, scan the server, or
restrict it to a sandboxed environment before running it against a session
that holds production credentials.
Scan a server before you install it for the first time. The trust report covers source review, sandboxed runtime behavior, publisher provenance, and incident history.