MCP Quick Reference

The Model Context Protocol on one page — primitives, transports, message flow, security rules.

The primitives

Tools
model-callable functions with JSON-Schema params — the verbs
Resources
readable data (files, tables, docs) addressed by URI — the nouns
Prompts
server-provided prompt templates the user can invoke
Sampling
server asks the CLIENT for a completion — inverts the flow, needs approval
Roots
client-declared directory scopes the server may touch

Architecture & flow

Topology
host app → N clients → N servers (1:1 client:server), JSON-RPC 2.0
Transports
stdio (local child process) · streamable HTTP (remote)
Handshake
initialize → capability exchange → tools/listtools/call
Discovery
clients re-list on listChanged notifications — tools can change mid-session
Why it exists
N models × M tools = N·M custom integrations → N+M with one protocol

Security rules

Tool descriptions are context
a malicious server injects via its own tool docs — vet before install
Rug pulls
server changes descriptions after approval — pin versions, diff on update
Confused deputy
server acts with YOUR creds on injected orders — scope credentials per server
Human-in-the-loop
destructive tools gate on approval; sampling requests always visible
Least privilege
grant roots narrowly; read-only where read-only works