On June 30, X switched on an official Model Context Protocol server at api.x.com/mcp. Point Claude, Cursor, or Grok Build at that one URL, authenticate with your own X account, and the platform hands your agent a set of tools: search posts, look up users, read conversations and trends. No server to build, no API plumbing to wire, no auth flow to babysit. It is the frictionless version of something developers have been hand-rolling for a year.

And it will not let your agent post.

That is not an oversight, and it is not a beta gap. X shipped a read-only door on purpose. The server is not connected to X's Write API, so an agent working through api.x.com/mcp can see everything your logged-in eyes can see and do nothing your logged-in hands could do. Read the timeline, analyze the trend, summarize the thread — then stop.

The read/write asymmetry isn't a limitation of the hosted MCP server. It is the hosted MCP server.

The one idea worth taking away#

The interesting move here is not "big platform adopts MCP." That was inevitable once every AI client learned to speak it. The interesting move is where X drew the line — and the line runs exactly between reading and writing.

Think about why. A read tool is cheap to expose and hard to abuse: the worst case is that an agent summarizes your feed a little too enthusiastically. A write tool is a loaded weapon. An autonomous agent with post access is a spam cannon, a harassment vector, a way to launder a botnet through thousands of "real" accounts holding valid OAuth tokens. The community X MCP servers — the self-hosted ones people have run for months — mostly do support posting, because they run on a developer's own API keys and nobody at X is standing at that door. X's official server closes it.

So the pattern to watch is this: when a platform hosts its own MCP server, it becomes the policy enforcement point. Not the client, not the model, not the prompt. Route an agent through a community server and X has no idea an agent is involved — it just sees API calls from a key. Route it through api.x.com/mcp and X decides, at the server, what an agent is allowed to touch. "Use the user's own account permissions" sounds like a convenience. It is also a leash whose other end X now holds — and it lands in the same place the MCP spec's own auth rewrite has been heading: make the resource server the point where identity and scope are actually enforced.

Free layer, metered floor#

The second tell is the pricing shape. The MCP layer is free; the X API underneath it is not. Every tool call your agent makes still spends your X API quota, at X's rates, under X's rate limits.

That is a funnel, and a familiar one. The free wrapper lowers the activation energy so that more agents attach to X more often; the calls they generate flow straight into the metered API where the money is. A hosted MCP server is a customer-acquisition surface for API consumption — a loss-leader that turns "I wanted my assistant to check X" into billable traffic. Read access is the bait precisely because it is cheap to give away and it drives volume.

What this means if you build agents#

Three practical takeaways:

The headline is "X adopts MCP." The story is that X used MCP to draw a line it could not draw before — one that lets a hundred agents read its firehose while none of them can pull the trigger. Every platform with something worth reading and something worth protecting is going to want that line. Now they have the template.