An emerging open standard establishing a universal interface between AI models, tools, and data.
The Model Context Protocol (MCP) is an open standard that provides a universal interface between LLMs, tools, and data, establishing a secure, bidirectional communication channel built on JSON-RPC 2.0.
Think of it as the "USB-C port for AI"; any compliant tool can be plugged in and immediately utilized.
Note: The ecosystem is rapidly growing but early-stage. MCP is one of the leading approaches for agent interoperability.
Historically, every third-party API has had a different structure, leading to an M × N problem (M models × N tools = massive duplication of integration effort, since every pairing needs bespoke glue code).
MCP provides a standardized guide telling the AI Agent exactly what an external system can do, what inputs it requires, and what outputs it will return.
Complexity formula: Legacy = O(M × N) → MCP = O(M + N). Adding one new model means writing one new client; adding one new tool means standing up one new server.
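The formula is just counting integrations; with illustrative sizes (the numbers below are made up for the sake of arithmetic):

```python
# Hypothetical fleet: 5 models, 8 tools. Values are illustrative only.
models, tools = 5, 8

# Legacy: one bespoke adapter per (model, tool) pair.
legacy_integrations = models * tools

# MCP: one client per model plus one server per tool.
mcp_integrations = models + tools

print(legacy_integrations)  # 40
print(mcp_integrations)     # 13
```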
LLMs (Large Language Models): The "brain" (e.g., Gemini, GPT-4, Claude). Natively, they can only generate text (or multimodal outputs). They cannot take actions.
AI Agents: The brain paired with memory, reasoning loops, and Tools. Agents interact with third-party APIs to retrieve data, make decisions, and take actions (e.g., scanning a codebase to find a bug, or hitting a booking API to reserve a flight).
Value Proposition
MCP Server: LLM-agnostic component that responds to JSON-RPC requests. Exposes Tools, Resources, and Prompts within isolated functional domains.
MCP Client: Spawned 1:1 per server. Serializes LLM intents into JSON-RPC messages, manages the transport lifecycle, and executes capability negotiation. Lives inside the Host.
MCP Host: The application running the AI model (e.g., Claude Desktop, Google ADK). Orchestrates workflow, enforces auth policies, spawns MCP Clients, and requests Human-in-the-Loop (HITL) approvals. Maintains ultimate authority over what the model sees/does.
MCP standardizes the exact sequence of communication between the Client (embedded in the Host) and the Server. All communication uses JSON-RPC 2.0 request IDs to match asynchronous responses to their original requests.
1. `initialize` request: Client sends its protocol version and capabilities (e.g., roots, sampling).
2. `initialize` response: Server responds with its own capabilities (tools, resources, prompts).
3. `notifications/initialized`: Client confirms receipt. Handshake complete; no tool calls or prompt fetches are permitted before this point.
4. Operation: Client requests tool execution, fetches resources, or uses prompts.
5. Shutdown: Termination, handling resumability, connection drops, and graceful closure.
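The handshake above can be sketched as raw JSON-RPC 2.0 messages; the protocol version string and the client/server names are illustrative:

```python
# Sketch of the MCP initialize handshake as JSON-RPC 2.0 payloads.
initialize_request = {
    "jsonrpc": "2.0",
    "id": 1,
    "method": "initialize",
    "params": {
        "protocolVersion": "2025-03-26",          # illustrative version string
        "capabilities": {"roots": {}, "sampling": {}},
        "clientInfo": {"name": "example-client", "version": "0.1.0"},
    },
}

initialize_response = {
    "jsonrpc": "2.0",
    "id": 1,  # must echo the request id so async responses can be matched
    "result": {
        "protocolVersion": "2025-03-26",
        "capabilities": {"tools": {}, "resources": {}, "prompts": {}},
        "serverInfo": {"name": "example-server", "version": "0.1.0"},
    },
}

# Notifications carry no id: the sender expects no response.
initialized_notification = {
    "jsonrpc": "2.0",
    "method": "notifications/initialized",
}
```

Note how the response reuses `id: 1` — this id-matching is what lets a client multiplex many in-flight requests over one connection.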
Servers expose functionality through standardized building blocks:
Resources: Static data/context the server provides to empower the LLM (similar to RAG). Application-controlled. URIs can be static (`config://app`) or templated (`settings://{type}`); examples include `postgres://prod-db/schema` and `github://repo/main/commits`. Servers signal changes via `resources/updated` notifications.
Tools: Executable functions performed on behalf of the LLM (e.g., `execute_query`), dispatched via `tools/call`. Model-controlled.
Prompts: Pre-built messages hosted on the server that automatically inject context. User-controlled.
Discovery: Runtime capability negotiation. Clients enumerate a server's offerings via `tools/list` and `resources/list`.
UI extensions: Interactive, specialized mini-apps that can run directly inside the AI client's UI to provide a richer user experience (note: currently Claude-specific, not part of the core MCP specification).
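Discovery can be sketched as a `tools/list` round trip; the `get_weather` tool and its schema are invented for illustration:

```python
# Sketch of tool discovery: the tools/list request and a typical response.
list_request = {"jsonrpc": "2.0", "id": 2, "method": "tools/list"}

list_response = {
    "jsonrpc": "2.0",
    "id": 2,
    "result": {
        "tools": [
            {
                "name": "get_weather",  # hypothetical tool
                "description": "Return current weather for a city.",
                "inputSchema": {
                    "type": "object",   # top-level tool schemas must be objects
                    "properties": {"city": {"type": "string"}},
                    "required": ["city"],
                },
            }
        ]
    },
}

tool_names = [t["name"] for t in list_response["result"]["tools"]]
print(tool_names)  # ['get_weather']
```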
Stdio: The host launches the server as a local subprocess via `subprocess.Popen` or `child_process.spawn` and exchanges messages over stdin/stdout. stderr is reserved for logging; clients must never treat stderr output as a protocol failure.
Streamable HTTP: The server exposes a single `/mcp` endpoint. Responses arrive as plain JSON or as a server-sent event stream (`Accept: text/event-stream`). The server issues an `Mcp-Session-Id` at init; the client appends it to subsequent requests. The `Mcp-Session-Id` and `Last-Event-Id` headers let clients safely drop and restore connections.
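A minimal sketch of stdio framing, assuming newline-delimited JSON-RPC messages over the subprocess pipes:

```python
import json

# Stdio transport sketch: one JSON-RPC message per line over stdin/stdout.
def encode_message(msg: dict) -> bytes:
    # json.dumps never emits raw newlines, so one line == one message.
    return (json.dumps(msg) + "\n").encode("utf-8")

def decode_messages(buffer: bytes) -> list[dict]:
    return [json.loads(line) for line in buffer.splitlines() if line.strip()]

ping = {"jsonrpc": "2.0", "id": 7, "method": "ping"}
wire = encode_message(ping)
decoded = decode_messages(wire)
print(decoded[0]["method"])  # ping
```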
Beyond simple request/response, modern MCP supports complex, agentic interactions:
Sampling: The server requests an LLM completion from the client, inverting the usual flow (requires registering a raw handler such as `setRequestHandler`; not available via FastMCP decorators).
Elicitation: The server pauses mid-task to request structured input from the user (e.g., a schema like `{alternate_dates: string}`) → Client renders prompt → User responds → Flow resumes.
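An elicitation exchange might look like the following sketch on the wire; the method name and payload shape follow the published spec but should be double-checked, and the flight-booking content is invented:

```python
# Sketch: server asks the user for structured input mid-task.
elicit_request = {
    "jsonrpc": "2.0",
    "id": 9,
    "method": "elicitation/create",
    "params": {
        "message": "That flight is sold out. Any alternate dates?",
        "requestedSchema": {
            "type": "object",
            "properties": {"alternate_dates": {"type": "string"}},
        },
    },
}

# The client renders a prompt, the user answers, and the flow resumes.
user_response = {
    "jsonrpc": "2.0",
    "id": 9,  # matches the server's request id
    "result": {"action": "accept", "content": {"alternate_dates": "2025-07-14"}},
}
```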
Static schemas, system instructions, and tool descriptions can be cached at the provider level (e.g., via Anthropic's cache_control header) to reduce token costs by up to 90% and slash latency for repeated calls.
Output schemas must resolve to "type": "object". Using *args/**kwargs, legacy Pydantic v1, or non-serializable objects triggers PydanticSchemaGenerationError at initialization.
FastMCP (Python): Decorator-based (`@mcp_server.tool`); auto-generates JSON schemas from type hints and docstrings.
Agent frameworks (e.g., Google ADK): Call `list_tools` at init and auto-convert schemas to native `BaseTool` instances. Use `AsyncExitStack` for safe subprocess teardown, and `tool_filter=[]` for least-privilege.
Ephemeral servers: Use `npx` or `uvx` to spin up servers on the fly, eliminating host-machine dependencies.
Low-level SDKs: Register raw handlers via `setRequestHandler`. Required for Sampling, Elicitation, and advanced architectures.
Anti-Pattern (Legacy API Pass-Through): Wrapping REST endpoints 1:1 fails because those endpoints were designed for deterministic software, not LLMs. Rule: Tools must be contextually enriched (the Semantic Layer) with rich descriptions and self-describing payloads.
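As a toy illustration of decorator-style schema generation (not FastMCP's actual implementation, which uses Pydantic), a stdlib-only version might look like this; `execute_query` and the type map are illustrative:

```python
import inspect
import typing

# Toy sketch: derive a JSON schema from a function's type hints, the way
# decorator-based servers (e.g., FastMCP's @mcp_server.tool) do internally.
_TYPE_MAP = {str: "string", int: "integer", float: "number", bool: "boolean"}

def tool_schema(fn) -> dict:
    hints = typing.get_type_hints(fn)
    params = inspect.signature(fn).parameters
    return {
        "type": "object",  # top-level must resolve to an object
        "properties": {n: {"type": _TYPE_MAP[hints[n]]} for n in params},
        "required": [
            n for n, p in params.items() if p.default is inspect.Parameter.empty
        ],
    }

def execute_query(sql: str, limit: int = 100) -> str:
    """Run a read-only SQL query against the analytics DB."""
    ...

schema = tool_schema(execute_query)
print(schema)
```

This also shows why `*args`/`**kwargs` break schema generation: there is no named parameter to map to a property.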
Unconstrained responses cause token exhaustion (e.g., Claude Code truncates tool output at ~25,000 tokens, causing silent context failures). Constrain payloads with pagination, filtering, and summarization.
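A defensive output guard might look like the sketch below; the 4-characters-per-token heuristic is a rough approximation, not a real tokenizer:

```python
# Sketch: truncate tool output loudly instead of letting the client
# silently drop context. The 25,000-token ceiling mirrors the Claude Code
# limit mentioned above; chars-per-token is a crude estimate.
MAX_TOKENS = 25_000
CHARS_PER_TOKEN = 4

def guard_output(text: str, max_tokens: int = MAX_TOKENS) -> str:
    budget = max_tokens * CHARS_PER_TOKEN
    if len(text) <= budget:
        return text
    return text[:budget] + "\n[TRUNCATED: response exceeded token budget; refine the query]"

print(len(guard_output("x" * 200_000)))
```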
```json
// To connect an agent to an MCP server, configure a JSON file in the IDE/Client
{
  "mcpServers": {
    "my-server": {
      "command": "node",   // or "python"
      "args": ["server.js"],
      "env": {
        "API_KEY": "..."   // API keys must NOT be hardcoded! Inject via environment variables.
      }
    }
  }
}
```
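On the server side, the injected secret is read back from the environment at startup; this sketch sets a stand-in value so it runs self-contained:

```python
import os

# Stand-in for the host's "env" block in the config above.
os.environ["API_KEY"] = "test-key"

def load_api_key() -> str:
    # Fail fast if the secret is missing rather than shipping a hardcoded one.
    key = os.environ.get("API_KEY")
    if not key:
        raise RuntimeError("API_KEY not set; refusing to start")
    return key

print(load_api_key())  # test-key
```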
Scoped tokens: Request granular OAuth scopes (e.g., `User.Read`) to enable Role-Based Access Control (RBAC). JWTs should map roles to permissions (e.g., readers can call `readFile`, writers can call `writeFile`).
Auth flow: `401 Unauthorized` → Protected Resource Metadata (PRM) (RFC 9728) → discover scopes/IdP URI → token. Anti-Pattern: Blindly forwarding client tokens without validating the audience.
CSRF protection: Generate a random `state` parameter, store it server-side, and validate it strictly on the callback redirect.
Auditing: Every `tools/call` request must be logged with user session ID, prompt ID, and latency. Integrate with Prometheus/Grafana TraceQL for real-time monitoring.
Gateways: Put MCP web servers behind API Gateways to centralize edge controls such as rate limiting and authentication.
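The scope-to-permission mapping can be sketched as a lookup table; the scope and tool names here are illustrative, not from any specific IdP:

```python
# Sketch: map OAuth scopes from a validated JWT to the tools they unlock.
SCOPE_PERMISSIONS = {
    "files.read": {"readFile"},
    "files.write": {"readFile", "writeFile"},  # writers can also read
}

def authorize(token_scopes: list[str], tool_name: str) -> bool:
    allowed: set[str] = set()
    for scope in token_scopes:
        allowed |= SCOPE_PERMISSIONS.get(scope, set())
    return tool_name in allowed

print(authorize(["files.read"], "writeFile"))   # False
print(authorize(["files.write"], "writeFile"))  # True
```

Checking this on every `tools/call`, rather than once at connect time, keeps a long-lived session from outliving a revoked permission.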
Extends the MCP philosophy using specialized agents (e.g., a "Flight Agent" and a "Hotel Agent") rather than one monolithic agent.
In A2A, agents advertise capabilities via Agent Cards (a JSON resume of abilities), the A2A counterpart of MCP's tools/list discovery, and delegate work to one another as Tasks.
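An Agent Card for the "Flight Agent" above might look like this sketch; all field values are invented:

```python
# Sketch of an A2A Agent Card: the JSON "resume" an agent publishes so
# peers can discover and delegate to it. Values are illustrative.
agent_card = {
    "name": "Flight Agent",
    "description": "Searches and books commercial flights.",
    "url": "https://flights.example.com/a2a",   # hypothetical endpoint
    "capabilities": {"streaming": True},
    "skills": [
        {"id": "search_flights", "description": "Find flights by route and date."},
        {"id": "book_flight", "description": "Reserve a seat on a chosen flight."},
    ],
}

print([s["id"] for s in agent_card["skills"]])  # ['search_flights', 'book_flight']
```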
| Selection Rule | MCP | A2A (Agent-to-Agent) |
|---|---|---|
| Architectural Boundary | Vertical integration (Agent ↔ System) | Horizontal orchestration (Agent ↔ Agent) |
| Execution Flow | Synchronous request/response (waits for schema-validated result) | Asynchronous streaming (streams progress updates over long workflows) |
| Primary Use Case | Deterministic tasks (query DB, call API, read file) | Cognitive reasoning, multi-step planning |
| Production Pattern | Used by sub-agents for low-level execution | Meta-agent distributes tasks to sub-agents |
Q1. What are the three core capabilities exposed by an MCP server?
Q2. What is the difference between MCP and A2A (Agent-to-Agent)?
Q3. Why should API keys NOT be hardcoded in the MCP client configuration file?