← Back to Articles

MCP: Model Context Protocol for Builders and Leaders

November 6, 2025
Software Engineering Model Context Protocol MCP LLM tools Capability security Agent Integration Observability

MCP for Software Engineers and Tech Leaders

Model Context Protocol (MCP) standardizes how AI systems discover tools, read resources, and invoke actions. Instead of writing custom adapters for every AI integration, you get typed interfaces and guardrails that work across different clients.

I spent three weeks implementing MCP servers before I really understood why this matters. Here’s what I learned about the protocol, its design patterns, and how to ship your first server without getting lost in abstraction.

What MCP Is

MCP is an application-layer contract between a client (your AI runtime or agent) and a server that exposes tools, resources, and prompts. You can run it over HTTP, WebSocket, or stdio. Same messages, different transport.

The protocol organizes everything into four categories:

Tools are typed functions with explicit side-effects. Think “create_ticket” or “search_docs.”

Resources are read-only context like documents or URIs. The client can fetch these without triggering any actions.

Prompts are parameterized templates you can reuse across different sessions.

Sessions scope the interaction with time limits, budgets, and capability restrictions.

The introspection endpoint is what sold me on MCP. Clients can discover what a server offers before making calls. No hard-coded endpoints, no guessing at API shapes.

Why MCP Matters

Before MCP, You had to build custom adapters for every AI integration. Each model runtime had its own quirks. Function calling worked differently in OpenAI versus Anthropic. You’d write the same database search tool three times with slight variations.

MCP fixes this. Write one server, serve multiple clients. The shared contract means you’re not maintaining parallel implementations.

The safety model is better too. Least-privilege capabilities and typed arguments catch errors early. I’ve seen production incidents where an AI agent called an API with the wrong parameter types. Schema validation would have stopped that.

For teams, MCP turns AI enablement into platform work. You build reusable capabilities with consistent logging and audit trails. Ship once, use everywhere.

Core Components and Patterns

Discovery

The client hits one endpoint to learn everything the server can do. You get back server metadata (name, version, contact info), available capabilities (tools, resources, prompts), and policy hints like rate limits and timeouts.

This feels obvious in retrospect, but most AI integrations skip this step. They assume you know what’s available.

Tool Contracts

A tool needs: a name, a description the model can read, input and output schemas (JSON Schema format), a side_effects boolean, timeout settings, and auth scopes.

Keep tools small and composable. I made the mistake of building a “do_everything_with_database” tool early on. Breaking it into read, write, and query tools made debugging and access control much simpler.

Only mark side_effects as true when you’re actually writing data or triggering external actions. The client uses this to decide when to ask for confirmation.

Resources

Resources are read-only context. Each has a URI (the scheme tells you the source), a content_type, optional chunking with ETags, and access control (public, auth-required, or session-scoped).

I use resources for documentation retrieval and knowledge base lookups. They’re lighter than tools because there’s no execution overhead.

Sessions and Policy

Sessions scope everything: which capabilities are allowed, time and token budgets, identity, and trace IDs for logging.

The allowlist approach surprised me at first. You explicitly grant capabilities rather than restricting them. This default-deny model catches permission mistakes before they cause problems.

Transport and Streaming

For long-running operations or large resources, you’ll want streaming. Include backpressure signals and chunk boundaries so clients don’t get overwhelmed. Idempotency keys let you retry safely.

Observability

Log every tool invocation at the boundary. Capture the tool name, a hash of the arguments (never log raw secrets), duration, status, error codes, rate-limit decisions, and the session ID.

Pipe this to OpenTelemetry. Standard spans and metrics make it easy to track down slow calls or permission issues.

Architectural Best Practices

  • Least privilege: grant the minimum capability set for the task.
  • Idempotency: define keys and stable outcomes for retries.
  • Schema discipline: validate inputs and outputs; fail closed on mismatch.
  • Timeouts and budgets: bound latency and compute; return partials when possible.
  • Caching: hash resources; use ETags and content-addressed URIs.
  • Sandboxing: isolate outbound network and filesystem; log egress.
  • Versioning: add capabilities; avoid breaking contracts; negotiate by feature flags.
  • Red-teaming: test prompts and tool descriptions against injection and misuse. Least privilege. Grant only what’s needed for the task. I’ve seen agents with full database write access when they only needed read. That’s asking for trouble.

Idempotency. Use stable keys for retries. Define what a successful outcome looks like so you can recognize it on the second attempt.

Schema discipline. Validate everything. If the input doesn’t match the schema, reject it. If the output is wrong, fail the call. Failing closed is annoying during development but saves you in production.

Timeouts and budgets. Cap latency and compute. Return partial results when you can. I’ve had agents hang for 30 seconds because a search query was too broad. Better to return 10 results fast than wait forever for 1000.

Caching. Hash resources and use ETags. Content-addressed URIs make cache invalidation straightforward.

Sandboxing. Isolate network and filesystem access. Log all egress. This caught an agent trying to POST to an external API it shouldn’t have touched.

Versioning. Add capabilities, don’t break existing ones. Use feature flags to negotiate what’s available. Version bumps are coordination overhead you don’t need.

Red-teaming. Test your prompts and tool descriptions against injection attacks. I spent an afternoon trying to trick my own search tool into returning admin credentials. Found two issues.

Contract tests. Run golden tests offline for each tool. Check success paths and error handling. These tests run faster than integration tests and catch regressions early.

Example: Ship a Read-Only Search Tool via MCP

Let’s build an internal document search tool. Read-only, simple, good first MCP server.

  • name: search_docs
  • description: “Full-text search across internal docs. Read-only.”
  • input_schema:
    • query: string (required)
    • limit: integer (default 5, max 20)
  • output_schema:
    • results: array of { title: string, uri: string, snippet: string }
    • total: integer
  • side_effects: false
  • timeout_ms: 4000
  • auth_scopes: [“search.read”]
  1. Implement discovery
  • GET /mcp/introspect returns:
    • server: { name, contact }
    • tools: array with the search_docs schema above
    • resources: none for this minimal example
    • policy: { max_timeout_ms, rate_limit_hint }
  • Keep this response cacheable for seconds to reduce chatter.
  1. Implement invocation
  • POST /mcp/tools/invoke accepts:
    • tool: string (“search_docs”)
    • args: object matching input_schema
    • idempotency_key: string (optional)
    • session_id: string
  • Response:
    • status: “ok” | “error”
    • content: object matching output_schema (on ok)
    • error: { code, message, retryable: boolean } (on error)
    • meta: { duration_ms, trace_id }
  • Validate args against JSON Schema; reject on extra fields; truncate output to limit.
  1. Register with a client
  • Provide a small client config:
  • The client calls /mcp/introspect, learns search_docs, and can invoke it when the model selects that tool.
  1. Add observability
  • Emit a structured log per call with:
    • trace_id, session_id, tool, args_fingerprint, duration_ms, outcome
  • Export traces and metrics. Set SLOs on availability and p95 duration.
  1. Harden incrementally
  • Rate limit by IP and token scope.
  • Add output redaction if snippets may include secrets.
  • Add a resource listing later (e.g., “/kb/topics”) with stable URIs for grounding.

This minimal server demonstrates the essential MCP loop: discover, call, observe, govern.

Adoption Paths

Start with read-only tools. Search, retrieval, analytics. Prove the model works and the integration is safe.

Then wrap existing services. I took a legacy API that returned XML and put an MCP interface in front of it. The model got clean JSON schemas, the old service kept running unchanged.

Let your platform team own auth, audit, and sandboxing. Centralizing policy here means individual tool authors don’t have to re-implement it.

Only add side-effecting tools (ticket creation, deployments) after you’ve tested read-only flows extensively. Add dry-run modes and require approvals for destructive actions.

Common Pitfalls

Overbroad capabilities. I once made an “admin_tools” server. It could do everything. Terrible idea. Split tools by action and resource. One tool for reading user data, a separate tool for writing it.

Hidden coupling. Prompts that assume specific tool quirks will break when you update the implementation. Document your invariants. Make them explicit in the description field.

Unbounded context. Don’t inline 50MB of data in a response. Cap chunks, use streaming, and prefer URIs that the client can fetch on demand.

Missing backpressure. Early versions of my search tool would return 1000 results and overwhelm the client. Stream with explicit limits. The client can ask for more if it needs them.

Measuring Success

Integration lead time. How many days does it take to add a new tool? Before MCP, our team averaged five days. After: one day, sometimes less.

Reliability. Track error rates by tool and reason code. You’ll spot bad schemas and timeout issues fast.

Latency. Set a p95 budget for each tool and track it. My search tool targets 400ms. When it spikes, I investigate.

Cost. Tokens and compute per successful outcome. MCP doesn’t eliminate costs, but structured calls waste fewer tokens than freeform API descriptions.

Coverage. What percentage of calls have complete traces and audit logs? Aim for 100%. Gaps here mean blind spots when something goes wrong.

Conclusion

MCP turns AI integration into interface design. You define tools with schemas, enforce least-privilege access, and get observability for free.

Start with one read-only tool. Wire it through discovery, measure it, iterate. Don’t try to build the perfect abstraction on day one.

I’ve shipped four MCP servers now. The first one took me a week because I overthought the architecture. The fourth took an afternoon. You’ll get faster as the patterns click.

Build your first endpoint this week. Prove it works, earn trust, then expand.

Related Articles

AI Coding Assistants: Trends, Limits, and What's Next

January 10, 2026

What AI coding assistants actually do well, where they fail, and how to use them without breaking things or forgetting how to code.

Structured Outputs in LLMs: Reliable Data for Real Pipelines

January 17, 2026

Structured outputs turn LLM text into dependable, validated data. Learn schemas, validation loops, and practical patterns for extraction, routing, and ETL.

Microservices Redesign for Builders and Leaders

November 16, 2025

Microservices are not the default. Explore universal-interface architecture and the modular monolith, with concrete patterns, migration steps, and metrics.

Wrestling with a technical challenge?

I help companies automate complex workflows, integrate AI into their stacks, and build scalable cloud architectures.

Get Your AI Plan View My Services Connect on LinkedIn