MCP Cheat Sheet

Complete quick reference for the Model Context Protocol - the open standard that connects AI models to tools, data, and services. Architecture, primitives, transports, SDKs, and security in one place.

≈ 10 min read
Anthropic Open Standard
Last updated: April 14, 2026
Download PNG
MCP Cheat Sheet Preview
Click to view full size

What Is MCP?

The open standard that gives AI models a universal way to connect to tools, data, and services

The Core Idea - "USB-C for AI"

MCP (Model Context Protocol) is an open-source, open-standard protocol introduced by Anthropic in November 2024. It standardises secure, two-way connections between AI applications and external tools, data sources, and services - without custom per-integration code. Think of it as a USB-C port for AI: any compliant host (Claude, ChatGPT, Cursor, VS Code Copilot) can plug into any compliant server and immediately discover and use its capabilities.

Nov 2024
Launched by Anthropic
JSON-RPC
2.0 stateful protocol
Open
Source & standard

The 3 Core Components

H
MCP Host

The AI application that coordinates clients and uses provided context. Examples: Claude Desktop, VS Code with Copilot, Cursor, ChatGPT.

Manages multiple MCP clients; one per connected server.
C
MCP Client

Instantiated by the host - one per server. Handles the dedicated connection, capability discovery, and primitive invocation.

Speaks JSON-RPC 2.0 over stdio or HTTP transport.
S
MCP Server

Exposes context to clients. Can be local (e.g., filesystem server on the same machine) or remote (a hosted service over HTTPS).

Declares Tools, Resources, and Prompts on connect.

The Problem Before MCP

M×N Integration Problem

Every AI app needed custom code for every tool. M apps × N tools = M×N unique integrations to build and maintain.

No Common Security Model

Each integration invented its own auth, sandboxing, and data-handling patterns - inconsistent and error-prone.

Context Fragmentation

LLMs couldn't reliably discover what tools were available or how to invoke them without bespoke prompt engineering.

What MCP Solves

Standardised discovery - hosts find tools via tools/list automatically
Reusable servers - build once, work with any MCP-compatible host
Defined security model - OAuth 2.0, TLS, sandboxing, consent flows
Rich context types - Tools, Resources, and Prompts in one protocol
Dynamic updates - servers notify hosts when capabilities change
Human-in-the-loop - sampling and elicitation primitives keep users in control

Key Terminology

Protocol Version
Date-string versioned (e.g. 2025-06-18). Negotiated during initialize. Schema defined in TypeScript-first at schema.ts, also exported as JSON.
Capability
A feature advertised by a client or server during handshake. Servers declare which primitives they support (tools, resources, prompts) and whether they support dynamic list changes.
Primitive
A first-class context type in MCP: Tool (executable action), Resource (read-only data), or Prompt (reusable template). Each has standardised list and get/call methods.
Transport
The underlying communication channel. MCP supports stdio (local, same-machine) and Streamable HTTP (remote, multi-client over HTTPS + SSE).
Notification
A one-way JSON-RPC message (no response expected). Used for lifecycle signals (notifications/initialized) and dynamic updates (notifications/tools/list_changed).
Sampling
Server-to-client primitive (sampling/createMessage) that lets a server request an LLM completion from the host - enabling recursive agent workflows.

Architecture & Transport

JSON-RPC 2.0 over stdio or Streamable HTTP - and how the session lifecycle works

Communication Model

MCP uses stateful JSON-RPC 2.0. A session is established per connection and maintained for its duration. All messages are JSON-RPC request/response pairs or one-way notifications. The schema is defined TypeScript-first and also published as schema.json in the spec repo. 

// JSON-RPC 2.0 request
{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "tools/call",
  "params": {
    "name": "get_weather",
    "arguments": { "city": "London" }
  }
}

// JSON-RPC 2.0 response
{
  "jsonrpc": "2.0",
  "id": 1,
  "result": {
    "content": [{ "type": "text", "text": "16°C, partly cloudy" }]
  }
}

stdio Transport (Local)

Uses stdin / stdout for communication. The host spawns the server as a child process on the same machine.

# Server reads JSON-RPC from stdin,
# writes responses to stdout.
Host process → spawn → MCP Server process
  stdin  ←→  JSON-RPC messages
  stdout ←→  JSON-RPC responses
High performance - no network overhead
Single-client by design - natural isolation
Best for local tools: filesystem, CLI, databases
Not suitable for remote or multi-client scenarios

Streamable HTTP Transport (Remote)

Uses HTTP POST + Server-Sent Events (SSE). Clients POST requests; servers stream responses. Supports multiple concurrent clients.

Auth options
Bearer tokensAPI keysOAuth 2.0Custom headers
Supports multiple clients simultaneously
Works across networks and organisations
Always use TLS (HTTPS) in production

Session Lifecycle

1
Initialize

Client sends initialize with its protocol version and capabilities.

{ "method": "initialize",
  "params": {
    "protocolVersion": "2025-06-18",
    "capabilities": { "sampling": {} },
    "clientInfo": { "name": "MyHost" }
  }
}
2
Server Responds

Server replies with its capabilities and server info.

{ "result": {
  "protocolVersion": "2025-06-18",
  "capabilities": {
    "tools": { "listChanged": true },
    "resources": {}
  },
  "serverInfo": { "name": "my-server" }
}}
3
Initialized Notification

Client confirms session is ready with a one-way notification.

{ "method": "notifications/initialized" }

// No response expected - this is a notification
4
Discovery & Calls

Client discovers capabilities then invokes them.

// Discover tools
{ "method": "tools/list" }

// Call a tool
{ "method": "tools/call",
  "params": { "name": "my_tool",
    "arguments": { ... } } }
Dynamic updates: If the server declared "listChanged": true, it sends notifications/tools/list_changed whenever its tool list changes. The client should re-call tools/list on receipt.

Primitives

The three server-to-client context types, plus server-initiated capabilities

Tools

Executable Actions

Functions the LLM can invoke to take actions or fetch live data. Each tool has a JSON Schema input definition that the model uses to construct valid calls.

Methods
tools/listReturns available tools
tools/callInvokes a named tool
// tools/list response (one tool shown)
{ "tools": [{
  "name": "get_weather",
  "title": "Get Weather",
  "description": "Get current weather for a city",
  "inputSchema": {
    "type": "object",
    "properties": {
      "city": { "type": "string" }
    },
    "required": ["city"]
  }
}]}
Tool results contain a content array (text, image, or embedded resource) and an optional isError flag.

Resources

Read-Only Data

Structured, URI-addressed read-only data the model can consume as context - files, database records, API responses, etc. The model reads but does not modify resources.

Methods
resources/listLists available resources
resources/readReads a resource by URI
// resources/list response
{ "resources": [{
  "uri": "file:///project/README.md",
  "name": "Project README",
  "mimeType": "text/markdown"
}]}

// resources/read request
{ "method": "resources/read",
  "params": { "uri": "file:///project/README.md" } }

Prompts

Reusable Templates

Parameterised prompt templates and workflows defined by the server. Hosts present these to users or the LLM as pre-built interaction patterns.

Methods
prompts/listLists available templates
prompts/getGets a rendered template
// prompts/get request
{ "method": "prompts/get",
  "params": {
    "name": "code_review",
    "arguments": { "language": "python" }
  }
}
// Returns messages array ready to send to LLM

Server → Client

Advanced

Servers can initiate requests back to the host, enabling recursive agent workflows and user interaction flows.

sampling/createMessage

Server asks the host to run an LLM completion - enabling agentic loops where a tool result feeds back into the model.

elicitation/request

Server requests structured input from the end user - the host shows a UI form and returns the user's response.

Notifications
notifications/tools/list_changed - tool list updated
notifications/resources/list_changed
notifications/prompts/list_changed
notifications/message - server log event

Primitive Quick-Reference

PrimitiveDirectionList MethodGet / CallUse Case
ToolsServer → Clienttools/listtools/callExecute actions, fetch live data
ResourcesServer → Clientresources/listresources/readInject read-only context (files, DB records)
PromptsServer → Clientprompts/listprompts/getReusable prompt templates & workflows
SamplingClient → Server-sampling/createMessageServer requests an LLM completion
ElicitationClient → Server-elicitation/requestServer requests structured user input

SDKs & Quick Start

Official SDKs with type-safe servers, transport abstraction, and full protocol compliance

Tier 1 SDKs

Full Feature Support · Actively Maintained
TypeScript
Node · Bun · Deno
npm install @modelcontextprotocol/sdk
GitHub repoAPI docs
Python
Recommended: uv
uv add "mcp[cli]"
# or: pip install "mcp[cli]"
GitHub repoAPI docs
C# / .NET
.NET 8+
dotnet add package ModelContextProtocol
GitHub repoAPI docs
Go
Go 1.21+
go get github.com/modelcontextprotocol/go-sdk
GitHub repo
Lower tiers also available:Java, Rust (Tier 2) · Swift, Ruby, PHP (Tier 3). All support the same primitives and transports.
P

Python - Minimal Server

A complete stdio MCP server in under 20 lines using the decorator API:

from mcp.server.fastmcp import FastMCP

app = FastMCP("weather-server")

# Register a Tool
@app.tool()
async def get_weather(city: str) -> str:
    """Get current weather for a city."""
    return f"Weather in {city}: 16°C, partly cloudy"

# Register a Resource
@app.resource("config://settings")
async def get_settings() -> str:
    """Application settings."""
    return '{"theme": "dark", "units": "metric"}'

# Run over stdio
if __name__ == "__main__":
    app.run(transport="stdio")
T

TypeScript - Minimal Server

A complete MCP server using the TypeScript SDK with Zod for input validation:

import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
import { z } from "zod";

const server = new McpServer({
  name: "weather-server",
  version: "1.0.0",
});

// Register a Tool with Zod input schema
server.tool(
  "get_weather",
  "Get current weather for a city",
  { city: z.string().describe("City name") },
  async ({ city }) => ({
    content: [{ type: "text", text: `Weather in ${city}: 16°C` }],
  })
);

// Connect and run
const transport = new StdioServerTransport();
await server.connect(transport);

MCP Inspector - Debug Your Server

The official interactive development and debugging tool. Connects to any MCP server via stdio or HTTP and lets you browse capabilities, test tools, and inspect messages.

# Launch inspector against a server
npx @modelcontextprotocol/inspector \
  python my_server.py

# Or against a running HTTP server
npx @modelcontextprotocol/inspector \
  --url http://localhost:3000/mcp
github.com/modelcontextprotocol/inspector
Browse all exposed tools, resources, and prompts
Execute tool calls with custom arguments
Inspect raw JSON-RPC message traffic
Read resources and render prompt templates

Security Best Practices

Based on the OWASP MCP Security Cheat Sheet - developer-actionable controls by layer

Source: OWASP Cheat Sheet Series - MCP Security Cheat Sheet (2026) and Anthropic's official security guidance. MCP servers are a significant attack surface: treat all tool inputs as untrusted and apply defence-in-depth.

Auth & Authorisation

OAuth 2.0 + PKCE mandatory for remote servers
Least-privilege scopes - grant only what the tool needs
Short-lived tokens with automatic rotation
Session binding: <user_id>:<session_id>
Never share tokens across different MCP servers

Sandboxing

Run local servers inside containers or chroot jails
Restrict filesystem access to only required paths
Isolate sensitive servers from each other
Bind HTTP servers to 127.0.0.1 unless remote access is intended
Use MCP proxy/gateway for cross-server access policies

Input / Output Validation

Treat all tool inputs as untrusted - they come from an LLM, not directly from the user.
Strict JSON Schema with additionalProperties: false
Sanitise against injection, SSRF, path traversal
Sanitise outputs before returning to LLM context
Strip instruction-like patterns from data being passed back

Tool Poisoning & Rug Pull

A malicious server could change tool definitions after the host has approved them (rug pull). Mitigate by:

Hash tool definitions/schemas on first load
Re-validate schema hashes before every tools/call
Use mcp-scan-style static analysis on server packages
Pin server versions and verify checksums

Transport & Message Security

TLS everywhere - never send MCP over plain HTTP in production
Message signing with ECDSA P-256
Include nonce + timestamp in signed messages to prevent replay attacks
Mutual TLS (mTLS) for server-to-server scenarios

Human-in-the-Loop

Require explicit user consent UI for destructive or irreversible actions
Show the full parameters of a tool call before executing
Require consent when connecting to a new or changed server
Use elicitation/request to collect user input mid-tool

Security Checklist - Monitoring & Supply Chain

Monitoring
  • Log all tool invocations (redact secrets from logs)
  • Integrate with SIEM for anomaly alerting
  • Alert on unusual tool call frequency or patterns
  • Track which servers and tools are in active use
Supply Chain
  • Only install servers from verified, trusted sources
  • Verify package checksums and signatures before install
  • Scan all dependencies for known vulnerabilities
  • Watch for typosquatting in server package names

Official Resources

Primary sources only - spec, SDKs, reference servers, and security guidance

Official Site & Specification

MCP Documentation & Guides
Architecture, quickstarts, SDK docs, and client lists
modelcontextprotocol.io
Protocol Specification (Canonical)
Full spec, JSON schema, and SEPs (Standard Enhancement Proposals)
modelcontextprotocol.io/specification/latest
Specification GitHub Repo
Schema source (schema.ts + schema.json), SEPs, and docs
github.com/modelcontextprotocol/modelcontextprotocol

SDKs & Reference Servers

TypeScript SDK
github.com/modelcontextprotocol/typescript-sdk
Python SDK
github.com/modelcontextprotocol/python-sdk
Reference Servers & Community Links
Official reference implementations + curated community servers
github.com/modelcontextprotocol/servers
MCP Inspector (Dev Tool)
github.com/modelcontextprotocol/inspector

Anthropic & Security

Anthropic Launch Post
Original announcement with technical goals and architecture rationale
anthropic.com/news/model-context-protocol
OWASP MCP Security Cheat Sheet
Developer-actionable security controls (2026)
cheatsheetseries.owasp.org · MCP_Security_Cheat_Sheet

Enterprise & Cloud

Microsoft Azure MCP Server
Enterprise reference implementation and developer docs for Azure-hosted MCP servers
learn.microsoft.com · azure-mcp-server/overview
Microsoft Learn MCP Server
MCP server exposing Microsoft Learn documentation as AI-accessible context
learn.microsoft.com

SDK API Documentation

TypeScript
ts.sdk.modelcontextprotocol.io
Python
py.sdk.modelcontextprotocol.io
C#
csharp.sdk.modelcontextprotocol.io

More Cheatsheets

Other quick-reference guides you might find useful.

ElevenLabs preview

ElevenLabs

Models, Voices, API & Agents

Current quick reference for ElevenLabs models, voice cloning, streaming, API usage, and platform updates.

Voice AITTS
WebMCP preview

WebMCP

W3C Browser AI Tool API Reference

Complete quick reference for the W3C WebMCP browser API - register JavaScript functions as AI-callable tools with full IDL, code examples, and security guidance.

AIBrowser APIW3C
Playwright preview

Playwright

End-to-End Testing & Browser Automation

Complete quick reference for Playwright - Browser/Context/Page/Locator primitives, locator strategies, web-first assertions, Codegen, Trace Viewer, language bindings, and best practices.

TestingAutomationMicrosoft