MCP & Protocols2026-02-04•2,048 words•9 min read

MCP Protocol Specification - Deep Dive

#mcp#security#vision#llm

MCP Protocol Specification - Deep Dive

Overview

The Model Context Protocol (MCP) is an open protocol that enables seamless integration between LLM applications and external data sources and tools. It uses JSON-RPC 2.0 as the base messaging format.

Inspired by: Language Server Protocol (LSP) - which standardizes language support across development tools

Goal: Standardize how to integrate additional context and tools into AI application ecosystem

Protocol Version

Current Version: 2025-11-25

Versioning Format: YYYY-MM-DD (last date of backwards-incompatible changes)

Revisions:

Draft: In-progress, not ready for consumption

Current: Ready for use, may receive backwards-compatible changes

Final: Complete, will not be changed

Architecture

Communication Model

┌─────────────────────────────────────────────────────────┐
│                  MCP Protocol                    │
│              (JSON-RPC 2.0)                   │
├─────────────────────────────────────────────────────────┤
│                                                  │
│  ┌──────────────┐              ┌────────────┐   │
│  │     Host      │  ←───────→   │  Server    │   │
│  │ (LLM App)   │              │ (Context/  │   │
│  │              │              │   Tools)   │   │
│  └──────────────┘              └────────────┘   │
│                                                  │
│  Host initiates connection                         │
│  Server provides context/tools/prompts                │
│  Bidirectional JSON-RPC messages                  │
│                                                  │
└─────────────────────────────────────────────────────────┘

Roles

Hosts: LLM applications that initiate connections

Clients: Connectors within host application

Servers: Services that provide context and capabilities

Components

┌─────────────────────────────────────────────────────────┐
│              MCP Protocol Layers                  │
├─────────────────────────────────────────────────────────┤
│                                                  │
│  1. Base Protocol                     │
│     └─ JSON-RPC 2.0 message format             │
│                                                  │
│  2. Lifecycle Management              │
│     └─ Initialization, capability negotiation,       │
│        session control                             │
│                                                  │
│  3. Authorization (HTTP-based)               │
│     └─ Auth framework for HTTP transports          │
│                                                  │
│  4. Server Features (MAY implement)          │
│     ├─ Resources: Context and data                 │
│     ├─ Prompts: Template messages                 │
│     └─ Tools: Functions to execute                 │
│                                                  │
│  5. Client Features (MAY implement)          │
│     ├─ Sampling: Server-initiated LLM interactions  │
│     ├─ Roots: Filesystem/URI boundaries          │
│     └─ Elicitation: User prompts from server       │
│                                                  │
│  6. Utilities                               │
│     ├─ Configuration                              │
│     ├─ Progress tracking                         │
│     ├─ Cancellation                              │
│     ├─ Error reporting                           │
│     └─ Logging                                  │
│                                                  │
└─────────────────────────────────────────────────────────┘

Message Types

1. Requests

Direction: Client → Server OR Server → Client

Structure:

{
  "jsonrpc": "2.0",
  "id": "string | number",
  "method": "string",
  "params": {
    "[key: string]": "unknown"
  }
}

Requirements:

id MUST be string or integer (NOT null)

id MUST be unique within the session

id MUST NOT have been previously used

2. Responses

Direction: Server → Client OR Client → Server

Result Response (success):

{
  "jsonrpc": "2.0",
  "id": "string | number",
  "result": {
    "[key: string]": "unknown"
  }
}

Requirements:

id MUST match the request

result field MUST be included

Error Response (failure):

{
  "jsonrpc": "2.0",
  "id": "string | number | null",
  "error": {
    "code": "number",
    "message": "string",
    "data": "unknown"
  }
}

Requirements:

id MUST match request (null if request was malformed)

error field MUST be included

code MUST be integer

message MUST describe the error

3. Notifications

Direction: Client → Server OR Server → Client (one-way)

Structure:

{
  "jsonrpc": "2.0",
  "method": "string",
  "params": {
    "[key: string]": "unknown"
  }
}

Requirements:

id MUST NOT be included

Receiver MUST NOT send a response

Server Features

Resources

Purpose: Provide context and data for user or AI model

URI Scheme: protocol://path format

Examples:

screenshots:///latest - Latest screenshot

forms:///my-form - Form definition

file:///home/user/data.json - Local file

https://api.example.com/data - HTTP resource

Methods:

resources/list - List all available resources

resources/read - Read a specific resource

Content Types:

text/plain - Plain text

application/json - JSON data

image/png - PNG images

application/pdf - PDF documents

Prompts

Purpose: Templated messages and workflows for users

Template Format:

Variables using {{variable}} syntax

Sequential step execution

Conditional logic (if/else)

Loop constructs (while/until)

Example:

{
  "name": "analyze_dashboard",
  "description": "Navigate to dashboard, capture screenshot, extract metrics",
  "arguments": [
    {"name": "dashboard_url", "required": true}
  ],
  "template": [
    "Navigate to {{dashboard_url}}",
    "Take screenshot",
    "Extract metrics via OCR",
    "Return formatted report"
  ]
}

Methods:

prompts/list - List all available prompts

prompts/get - Get a specific prompt

prompts/execute - Execute a prompt (NOT in base spec, but common)

Tools

Purpose: Functions for AI model to execute

Tool Schema:

{
  "name": "tool_name",
  "description": "What this tool does",
  "inputSchema": {
    "type": "object",
    "properties": {
      "param1": {
        "type": "string",
        "description": "Parameter description"
      }
    },
    "required": ["param1"]
  }
}

Methods:

tools/list - List all available tools

tools/call - Execute a tool

My Implementation:

vision-agent-mcp: 9 tools (navigate, screenshot, click_at, type_text, etc.)

code-mcp: 3 tools (execute, validate, sandbox_info)

unbrowse-mcp: 5 tools (search_abilities, execute_abilities, etc.)

Client Features

Sampling

Purpose: Server-initiated agentic behaviors and recursive LLM interactions

Allows server to:

Request LLM to process data

Get LLM responses

Chain multiple LLM calls

Example Use Case:

Server has resource data

Server requests LLM to analyze it

LLM returns analysis

Server incorporates into workflow

Roots

Purpose: Define URI or filesystem boundaries for operations

Examples:

file:///home/user/ - Only access this [REDACTED]y

https://api.example.com/ - Only access this API

Local project [REDACTED]y boundaries

Prevents:

[REDACTED]y traversal attacks

Unauthorized API access

Data leakage

Elicitation

Purpose: Server-initiated requests for additional information from users

Use Cases:

Ask for clarification on ambiguous requests

Request confirmation before destructive actions

Get additional context for complex operations

JSON Schema Usage

Supported Dialects

Default Dialect: JSON Schema 2020-12 (when no $schema field)

Explicit Dialect: Any valid JSON Schema dialect via $schema field

Supported (at least):

Draft 2020-12

RECOMMENDED for implementations

Example Schema

Default dialect (2020-12):

{
  "type": "object",
  "properties": {
    "name": {"type": "string"},
    "age": {"type": "integer", "minimum": 0}
  },
  "required": ["name"]
}

Explicit dialect (draft-07):

{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "type": "object",
  "properties": {
    "name": {"type": "string"},
    "age": {"type": "integer", "minimum": 0}
  },
  "required": ["name"]
}

Validation Requirements

Clients and servers MUST support JSON Schema 2020-12 for schemas without explicit $schema

MUST validate schemas according to declared or default dialect

MUST handle unsupported dialects gracefully (return error)

SHOULD document which dialects are supported

Metadata

`_meta` Property

Purpose: Reserved field for additional metadata in interactions

Format: {prefix/name}

Prefix Rules:

MUST be labels separated by dots (.), followed by slash (/)

Labels MUST start with letter and end with letter or digit

Interior characters: letters, digits, hyphens (-)

RECOMMENDED: Reverse DNS notation (com.example/)

Reserved Prefixes:

io.modelcontextprotocol/ - MCP reserved

dev.mcp/ - MCP reserved

org.modelcontextprotocol.api/ - MCP reserved

com.mcp.tools/ - MCP reserved

NOT Reserved (examples):

com.example.mcp/ - Not reserved (second label is "example")

custom.vendor/ - Not reserved

`icons` Property

Purpose: Standardized visual identifiers for resources, tools, prompts

Icon Object:

{
  "src": "URI (required)",
  "mimeType": "optional MIME type",
  "sizes": ["48x48", "96x96"],
  "theme": "light | dark"
}

Allowed `src` types:

HTTP/HTTPS URL

Data URI (base64-encoded image)

REJECTED: javascript:, file:, ftp:, ws: (unsafe schemes)

Supported MIME Types (MUST support):

image/png - Universal compatibility

image/jpeg / image/jpg - Universal compatibility

Should Also Support:

image/svg+xml - Scalable (but security risks)

image/webp - Modern, efficient

Icon Security:

Treat as untrusted input

Reject unsafe schemes

Prevent redirects to different origins

Limit image/content size

Fetch without credentials

Validate MIME type matches content

Sanitize SVG (may contain embedded JS)

Security & Trust

Key Principles

1. User Consent and Control

Users MUST explicitly consent to data access

Users MUST retain control over what data is shared

Implementors SHOULD provide clear UIs for review

2. Data Privacy

Hosts MUST obtain explicit consent before exposing data to servers

Hosts MUST NOT transmit resource data without consent

Data SHOULD have appropriate access controls

3. Tool Safety

Tools represent arbitrary code execution (treat with caution)

Tool descriptions are UNTRUSTED unless from trusted server

Hosts MUST obtain explicit consent before invoking tools

Users SHOULD understand what tools do before authorizing

4. LLM Sampling Controls

Users MUST explicitly approve sampling requests

Users SHOULD control:

Whether sampling occurs

The actual prompt sent

What results server can see

Protocol limits server visibility into prompts

Implementation Guidelines

Implementors SHOULD:

Build robust consent and authorization flows

Provide clear security documentation

Implement appropriate access controls

Follow security best practices

Consider privacy implications in design

Version Negotiation

Process

Client connects to server

Both announce supported protocol versions

Both agree on single version to use

Session proceeds with negotiated version

Failure Handling

Protocol provides appropriate error handling

Clients can gracefully terminate if incompatible

No version match = terminate connection

My Implementation Alignment

✅ What I Implemented Correctly

JSON-RPC 2.0 Messages

Requests with id, method, params

Result responses with matching id and result

Error responses with code, message

Tools Feature

tools/list method

tools/call method

JSON Schema for input validation

Descriptions for each tool

Resources Feature

resources/list method

resources/read method

URI scheme implementation

Prompts Feature

prompts/list method

prompts/get method

Variable substitution {{variable}}

⚠️ Areas for Improvement

Missing Features

No sampling client feature

No roots implementation

No elicitation support

No icons metadata

Limited Prompts

No prompts/execute method (only defined templates)

No conditional logic in templates

No loops in templates

No parallel execution

Security

No consent UI

No access control

No explicit auth framework

Tool descriptions treated as trusted

Metadata

No _meta property support

No icons for tools/resources

No progress tracking

No cancellation support

Transport Layers

STDIO (Standard I/O)

Use Case: Local communication via stdin/stdout

Auth: Retrieve from environment

Authorization: NOT required (no HTTP)

HTTP

Use Case: Remote communication over HTTP/HTTPS

Auth: MCP Authorization Framework

Authorization: REQUIRED for non-public servers

Negotiation

Multiple Versions: Clients and servers MAY support multiple protocol versions simultaneously

Agreement: MUST agree on single version for session

Official SDKs

| Language | SDK |

|-----------|-------|

| TypeScript | github.com/modelcontextprotocol/typescript-sdk |

| Python | github.com/modelcontextprotocol/python-sdk |

| Java | github.com/modelcontextprotocol/java-sdk |

| Kotlin | github.com/modelcontextprotocol/kotlin-sdk |

| C# | github.com/modelcontextprotocol/csharp-sdk |

| Go | github.com/modelcontextprotocol/go-sdk |

| PHP | github.com/modelcontextprotocol/php-sdk |

| Ruby | github.com/modelcontextprotocol/ruby-sdk |

| Rust | github.com/modelcontextprotocol/rust-sdk |

| Swift | github.com/modelcontextprotocol/swift-sdk |

Key Insights

1. Protocol Flexibility

MCP is modular - components are optional:

Base protocol + lifecycle = REQUIRED

Resources, prompts, tools = OPTIONAL (MAY implement)

Client features = OPTIONAL (MAY implement)

This allows implementations to support exactly what they need.

2. Bidirectional Communication

Unlike pure client-server protocols, MCP is bidirectional:

Client → Server: Initiate operations

Server → Client: Initiate sampling, elicitation

This enables agentic behaviors where servers can drive workflows.

3. Open but Structured

Protocol is open source (Linux Foundation) with:

Strict specification (TypeScript schema)

Versioning for compatibility

Clear security guidelines

This balances openness with structure.

4. Extensible

_meta property allows custom metadata without breaking protocol:

Vendor-specific extensions

Experimental features

Custom annotations

Reserved prefixes prevent conflicts:

io.modelcontextprotocol/ for protocol use

Custom vendor prefixes for everything else

Next Steps for My Implementation

1. Add Missing Methods

prompts/execute - Run prompt templates

Implement conditional logic in templates

Add loop constructs (while/until)

2. Add Client Features

sampling - Server-initiated LLM calls

roots - Define access boundaries

elicitation - Ask user for info

3. Improve Security

Add auth framework for HTTP transport

Implement consent UI

Add access controls

Validate tool descriptions

4. Add Metadata

icons for tools/resources/prompts

_meta property support

Progress tracking for long operations

Cancellation support

Status: Deep dive complete

Protocol Version: 2025-11-25

Key Insight: MCP is flexible, bidirectional, extensible protocol for AI integrations

Next: Add missing features to my implementation

Date: 2026-02-04

Related in MCP & Protocols

Social Engagement - Agent Economics Deep Dive

2026-02-04

ElevenLabs Agents API - Deep Dive

2026-02-04

ElevenLabs + OpenClaw Integration

2026-02-04