MCP (Model Context Protocol) is how Claude Code talks to external systems — databases, issue trackers, browsers, monitoring — through a standard JSON-RPC interface. It stopped being "Anthropic's protocol" on December 9, 2025, when Anthropic donated it to the Linux Foundation's new Agentic AI Foundation, co-founded with OpenAI and Block, with Google, Microsoft, AWS, Cloudflare, and Bloomberg as supporting members. At donation time the ecosystem counted 10,000+ active public MCP servers and 97M+ monthly SDK downloads across Python and TypeScript. A server you configure once works in Claude Code, Cursor, VS Code, Codex, and Gemini without rewrites — which is also why every section below applies beyond Claude Code.
That maturity changed the practical advice. The current spec revision is 2025-11-25, the SSE transport is deprecated in favour of streamable HTTP, most serious vendors now host remote servers with OAuth instead of asking you to run npx processes, and several of the reference servers that every 2025 tutorial recommended — PostgreSQL, GitHub, Puppeteer, Slack — have been archived. This page covers the current setup, which servers are worth the context cost, and the security model.
What changed in the MCP ecosystem since launch?
- •November 2024 — Anthropic announces MCP. Adoption is Claude-only for the first few months.
- •March–April 2025 — OpenAI adopts MCP across the Agents SDK and ChatGPT desktop; Google DeepMind confirms Gemini support. The protocol becomes the de facto standard in roughly five months.
- •September 2025 — the official MCP Registry launches in preview as the canonical index of public servers, replacing scattered awesome-lists.
- •November 2025 — spec revision 2025-11-25 ships as the current version.
- •December 2025 — MCP moves to the Agentic AI Foundation under the Linux Foundation, alongside Block's goose and OpenAI's AGENTS.md.
- •April 2026 — the AAIF holds the first MCP Dev Summit North America in New York with roughly 1,200 attendees. Vendor-neutral governance is no longer theoretical.
How do I add an MCP server to Claude Code in 2026?
Two paths: claude mcp add for your own machine, or a checked-in .mcp.json at the project root to share servers with your team. A persistent myth from early tutorials is that servers go in .claude/settings.json — they never did; that file is for hooks and permissions. Remote servers use streamable HTTP and OAuth (run /mcp in a session to authenticate); local stdio servers run as child processes:
# Remote server over streamable HTTP (the current default for vendors)
claude mcp add --transport http github https://api.githubcopilot.com/mcp/
# Local stdio server — note the -- separating Claude's flags from the command
claude mcp add --env AIRTABLE_API_KEY=YOUR_KEY --transport stdio airtable \
-- npx -y airtable-mcp-server
# Share with the team via .mcp.json instead of your local config
claude mcp add --scope project --transport http sentry https://mcp.sentry.dev/mcp{
"mcpServers": {
"github": {
"type": "http",
"url": "https://api.githubcopilot.com/mcp/"
},
"playwright": {
"type": "stdio",
"command": "npx",
"args": ["-y", "@playwright/mcp@latest"]
}
}
}Three details that save debugging time. Scopes: --scope local (default, just you, this project), project (the shared .mcp.json — teammates get an approval prompt before it runs), and user (all your projects). The type field accepts streamable-http as an alias for http, so configs copied from server docs work unmodified. And ${VAR} expansion works in .mcp.json, so secrets stay in your environment rather than in git.
Which MCP servers are worth installing?
Fewer than you think — every connected server costs context and adds attack surface (more below). These categories earn their keep in real coding sessions:
Code hosting — GitHub MCP
GitHub's official remote server (https://api.githubcopilot.com/mcp/, OAuth) handles issues, PRs, and code search. Honest caveat: if the gh CLI is installed, Claude Code drives it directly with zero context overhead — the MCP server wins mainly in clients without shell access.
Browser control — Playwright MCP
Microsoft's @playwright/mcp drives a real browser through the accessibility tree rather than screenshots, making "open the page, click the button, read the error" loops reliable. It displaced the archived Puppeteer reference server as the default choice.
Library docs — Context7
Upstash's Context7 serves version-pinned documentation on demand, which beats a model guessing at an API from training data that predates your dependency versions.
Observability — Sentry, PostHog
Vendor-hosted remote servers let the agent pull the actual stack trace or session data while fixing a bug, instead of you pasting fragments into chat.
Databases — your vendor's server, not the archived reference
@modelcontextprotocol/server-postgres — the one in every 2025 tutorial — is archived and unmaintained. Use the server your database vendor ships (Supabase, Neon, PlanetScale and others maintain official ones), and connect it read-only unless you enjoy explaining dropped tables.
On that last point: the official modelcontextprotocol/servers repo (87k+ stars) now maintains only seven reference implementations — Everything, Fetch, Filesystem, Git, Memory, Sequential Thinking, and Time — explicitly as educational examples, not production tools. GitHub, GitLab, PostgreSQL, Puppeteer, Redis, Slack, SQLite, and Google Drive were all moved to an archive. If a blog post tells you to install one of those, the post is stale.
When is an MCP server the wrong tool?
- •A CLI already exists.
gh,aws,kubectl,psql— an agent with shell access uses these with no per-session setup and no extra tool definitions. MCP earns its place for systems without a good CLI or for clients without a shell. - •You need procedural knowledge, not capability. "How our team writes release notes" is not a tool — it is an Agent Skill, a Markdown file the agent loads on demand. Skills carry knowledge; MCP carries capability.
- •You are hoarding servers. Claude Code's tool search defers loading tool definitions until needed, which blunted the old "every server eats your context window" problem — but each connected server is still an approval surface and a failure mode. Connect what the current project uses, prune the rest with
claude mcp list.
How risky are third-party MCP servers?
Risky enough that the 2025-11-25 spec literally instructs clients to treat tool descriptions as untrusted input. The known attack classes, all demonstrated by Invariant Labs against real servers in 2025: tool poisoning (malicious instructions hidden inside a tool's description), rug pulls (a server changes its tool behaviour after you approved version one), and confused-deputy flows where one server exfiltrates data another server had legitimate access to. These are the MCP-specific rows in the broader incident catalogue at how AI agents get compromised.
The working defence is boring: prefer official vendor-hosted servers over anonymous community packages, pin stdio server versions instead of @latest (yes, the Playwright snippet above trades that off for freshness — pin it in CI), grant read-only credentials wherever the server supports them, and review what .mcp.json ships to teammates — the project-scope approval prompt exists precisely because a poisoned repo config is an attack vector. Prompt injection through fetched content survives all of this, which is why permission prompts and sandboxing stay on even when they are annoying.
Hooks and slash commands — the rest of the harness
MCP is one of three extension points in Claude Code. Hooks run deterministic shell commands on lifecycle events — the harness pushing back on the model — and custom slash commands package prompts you trigger explicitly. Together they form the harness layer described in harness engineering:
{
"hooks": {
"PostToolUse": [
{
"matcher": "Edit|Write",
"hooks": [{ "type": "command", "command": "pnpm biome format --write" }]
}
],
"Stop": [
{
"hooks": [{ "type": "command", "command": "pnpm check" }]
}
]
}
}