The MCP library, read in order — from the foundations (what MCP is, how it differs from function calling and REST, and its tools/resources/prompts primitives) through building (stand up a server, expose an agent as one), transport and spec evolution (stdio vs SSE vs streamable-HTTP, then the 2026 stateless rewrite), discovery (server cards and the official registry), security (authorization, the confused-deputy trap, the OWASP MCP Top 10), the evaluation that measures MCP tool use, and the essay on who actually controls the protocol.
They are not competing ways to give a model tools. One is the engine; the other is a distribution standard wrapped around it — and you pay for the wrapper in tokens and attack surface.
Most MCP servers are REST APIs underneath. The honest question isn't which transport to use — it's how much of your API to expose, and the data says the answer is about a fifth of it.
The Model Context Protocol defines three server primitives split by who's in control — the model, the app, the user. The ecosystem implemented one of them.
The protocol everyone adopted in 2025 is simpler to build for than the hype suggests — but the part that decides whether your server works isn't the code.
Deploy a LangGraph agent and it auto-publishes a /mcp endpoint, so any client can call it as a tool. Convenient — and lossy. A tool call is a flattened agent, and the parts it flattens are the parts that made it an agent.
The Model Context Protocol replaced its HTTP+SSE transport with Streamable HTTP in 2025. Choosing it does not make your server serverless-friendly — and the reason is the part nobody reads.
The biggest Model Context Protocol revision since launch deletes the session, the handshake, and even the client-side LLM call. The headline isn't new features — it's that the protocol got smaller.
A new .well-known discovery file lets clients read an MCP server's identity, transport, and auth requirements without a handshake — and it pointedly refuses to list the tools.
The official MCP Registry isn't an app store — it's a canonical metadata feed built to prove who owns a server name, and it leaves search and curation to everyone downstream.
Between two spec revisions in 2025, MCP servers quietly stopped being their own authorization servers. The one parameter that change forces your client to send is the whole security story.
A 1988 access-control bug is the shape of 2026's worst MCP breaches. Understanding the confused deputy tells you why 'just add OAuth' doesn't fix your agent — and what the spec actually changed.
OWASP now has a third Top 10 — one scoped to a single protocol. The surprise isn't a new class of AI attack; it's that connecting an agent to MCP servers re-exposes 2010-era web and supply-chain bugs through a channel that auto-executes them.
Function-calling leaderboards test a model against a handful of curated tools. A real MCP host hands it thousands — and that is a different benchmark, with a different failure mode.
For a year the question that stalled enterprise bets on MCP was 'what happens when Anthropic changes its mind?' In December that question got an answer — and the answer reveals what the standards war was really about.