MCP server patterns — the Model Context Protocol introduced by Anthropic in late 2024 — have rapidly become the standard way to expose tools and data to LLM agents. Building good MCP servers is its own discipline: poorly designed servers expose too much, leak credentials, return token-bloated responses, or fail to handle the agent’s iterative nature. The teams shipping useful MCP integrations follow a clear set of patterns. Here is what works.
Table of Contents
Tools Are Functions With Schemas
An MCP tool is just a typed function the agent can call. Good tools have narrow scope, clear names, and detailed input/output schemas. The agent’s tool-selection accuracy depends almost entirely on how well your tool descriptions match the user’s actual intent.
Write tool descriptions like documentation for a new engineer, not like API reference. “Searches customer records by email or phone number; returns matching account IDs and basic profile data” beats “queries customer DB.” The official MCP tools documentation shows the schema format.
Resources Stream, Tools Act
MCP distinguishes between Resources (read-only context the agent can pull in) and Tools (actions with side effects). Use Resources for documents, schemas, and reference data. Use Tools for queries with parameters and any state-changing operation.
Most teams overuse Tools and underuse Resources. A “list all open tickets” call should be a Resource with a URI scheme; a “create a ticket” call should be a Tool. The distinction helps agents reason about what is safe to invoke versus what needs confirmation.
Limit Output Token Bloat
The fastest way to ruin agent performance is returning massive payloads. A tool that returns 5000 tokens of JSON eats the agent’s context window and slows every subsequent call. Trim aggressively.
Pagination, field selection, and summarization should all be in your tool design. Return IDs and names by default; let the agent ask for details on specific items. See our production RAG patterns post for adjacent techniques in retrieval design.
Authentication and Authorization
MCP servers run with whatever credentials the host (Claude Desktop, Cursor, your own client) provides. Pass user identity through to your downstream services and enforce per-user authorization at the data layer.
The worst mistake is building an MCP server with admin credentials that any agent invocation can use. Treat the agent like a user with the user’s permissions, not like a superuser. The MCP transport supports OAuth flows for proper user-level auth.
Error Messages Help the Agent Recover
Agent calls fail. The error message is the agent’s only signal for what to do next. “Invalid input” tells the agent nothing. “Field ’email’ must be a valid RFC 5322 email address; received ‘foo@'” lets the agent fix the call and try again.
Good MCP tools return structured errors with: what went wrong, why, and what valid inputs look like. The Anthropic MCP integration docs cover the response format expectations.
Wrap Up
MCP server patterns reward designing for the agent’s perspective: clear tool descriptions, narrow scope, trimmed outputs, structured errors, and proper auth. The MCP ecosystem is exploding — servers for Slack, Notion, Postgres, Linear, and dozens more are available. Build your own for proprietary systems following these patterns and you will dramatically expand what your AI integrations can do. Pair with AI-powered cybersecurity practices for safe agent deployment.
Frequently Asked Questions
What’s the difference between MCP and OpenAI function calling?
Function calling is a model-side capability for structured tool invocation. MCP is a protocol for connecting agents to external tool servers. They are complementary — your MCP server’s tools become functions the model can call.
Can I use MCP outside of Claude?
Yes. The protocol is open and supported by Cursor, Continue, Cline, and a growing list of clients. OpenAI’s Agents SDK has MCP support. The protocol is becoming the standard.
How do I test an MCP server?
The MCP Inspector tool (in the official SDK) lets you exercise tools and resources interactively. Build a regression test suite around your tools the same way you would test an API.
What language should I write an MCP server in?
Official SDKs exist for TypeScript, Python, Go, Java, C#, Kotlin, Rust, and Swift. Pick whatever your team writes — the protocol is identical across implementations.
How do I handle long-running operations?
MCP supports progress notifications during tool execution. For genuinely long operations (more than 30 seconds), return a job ID immediately and provide a separate “check status” tool the agent can poll.
