Model Context Protocol (MCP): A Comprehensive Guide to Architecture, Uses, and Implementation

Large language models (LLMs) have shown massive growth in reasoning, summarization, and natural language understanding tasks. OpenAI’s GPT-4, for instance, scored 86.4% on the MMLU benchmark, surpassing the average human baseline of 89.8% across professional and academic tasks [1]. However, LLMs is limited in enterprise deployment because of their inability to access or manipulate structured operational data.

According to McKinsey’s 2023 global AI survey, 55% of enterprises identified integration complexity as a primary barrier to production-scale AI implementation, particularly when models must interact with real-time data, APIs, or enterprise systems [2]. Forrester 2024 report said that 64% of IT decision-makers reported delays in LLM deployments due to the absence of standardized model-to-application interfaces [3]. In environments governed by regulatory constraints, such as healthcare or finance, integration risks also raise compliance concerns. Cisco’s Enterprise Security Report (2023) said that over 41% of AI-enabled systems lack structured authorization layers which increases the chances of privilege escalation in loosely integrated model environments [4].

Anthropic released the Model Context Protocol (MCP) in November 2024. MCP is an open, schema-driven protocol that standardizes how language models connect to external tools, data, and functions via secure client-server communication over JSON-RPC 2.0 [5], [6]. It introduces three system roles—Host, Client, and Server—each with a defined operational boundary. The roles allow AI models to access capabilities such as Resources (e.g., datasets), Prompts (e.g., templated instructions), and Tools (e.g., executable functions), without violating principle-of-least-privilege policies [6].

Anthropic published MCP as an open-source project on GitHub, including a full technical spec and SDKs in several languages. By early 2025, the repo had drawn attention from the developer community, earning over 3,200 stars and more than 75 forks. Developers have already built and shared implementations in Python, JavaScript, and Go [7].

The protocol complies with the European Commission’s AI Act, which mandates system-level accountability, data protection controls, and traceable audit logs for high-risk AI applications [9]. MCP supports session-based scoping, authenticated capability negotiation, and transport-agnostic deployment modes, which include both stdio and HTTP/SSE [6], [10].

Early evaluations of MCP’s practical impact have been recorded across three sectors. In financial technology, Manus AI used MCP to automate regulatory reporting with time-bound tool invocation and server-side logging, reducing integration time by approximately 48% compared to custom API wrappers (internal case data, 2025) [11]. In healthcare, MCP-enabled agents have been used to summarize EHR records and filtering access through role-based permissions. It complies with HIPAA’s minimum necessary access requirement [12]. In software engineering workflows, GitHub-based CI pipelines using MCP-powered agents reduced code review latency by 35% over manual review tools [8].

This paper analyses MCP’s architecture, capabilities, security mechanisms, and deployment models. It studies published documentation, technical benchmarks, regulatory frameworks, and real-world implementations to provide an evidence-based evaluation of MCP’s role in enabling verifiable, scalable, and policy-compliant AI integration.

The Evolution of AI-Data Integration

Most commercial applications of large language models (LLMs) were restricted until 2023 to prompt-based setups that generated plain text responses, without the ability to tap into external data sources or perform actual computations. OpenAI’s GPT-3.5 and GPT-4, which powered ChatGPT through early 2024, worked with static prompts. It didn’t support live API access, database queries, or remote tool use. It became possible only after developers added those capabilities through custom wrappers or plugins [1], [2].

That began to change in June 2023, when OpenAI rolled out function calling for GPT-4 and GPT-3.5-turbo. The feature let the models return structured JSON outputs for defined tasks. But, it still needs developers to manually register tool definitions with their schemas into the API payload. The functions were deterministic, stateless, and did not support capability discovery or session memory between calls [2].

According to the OpenAI developer documentation (as of December 2023), function calling was restricted to tools defined at runtime and bound to a specific chat session. There was no built-in facility for the model to query available tools, negotiate access, or authenticate against server-defined permissions [2]. Anthropic’s Claude models, while supporting similar integrations, also relied on custom tool-calling setups without a general-purpose interface specification [3]. Cohere’s Command R+ and Google’s PaLM 2 and Gemini APIs followed a comparable pattern of task-specific APIs [4].

Table 1: Timeline of the Developments

These developments show the major changes in AI-to-system integration architectures between 2023 and 2025, culminating in the release and adoption of the Model Context Protocol (MCP).

Research says, 89% of respondents uses APIs in production workflows, only 27% reported using AI tools for automation or orchestration tasks [5]. So, there's a persistent gap between large language models and their integration into real-world software systems. Spring AI said that developers commonly built manual integrations between models and service APIs with wrapper functions or conditional logic layers [6].

Without a common protocol, integration efforts became fragmented. Developers working with models from OpenAI, Cohere, and Anthropic frequently had to recreate tool definitions, error-handling routines, and context-handling logic for each setup. LangChain, one of the most widely used agent toolkits, documented over 30 distinct wrappers depending on runtime and provider [7].

The Model Context Protocol (MCP) was released publicly by Anthropic on November 25, 2024, to address these limitations [3].  MCP defines a formal client-server architecture for connecting LLMs to structured capabilities, exposed via Resources (data), Tools (functions), and Prompts (templates). The protocol is based on JSON-RPC 2.0, which is a remote procedure call (RPC) standard. It supports structured requests, named parameters, and versioned responses [8].

The protocol introduces three roles:

• Host: the environment where the LLM operates (e.g., agent interface)
• Client: a session manager that routes messages
• Server: a capability provider that registers and exposes tools, data, or prompts

The initial MCP protocol has 12 message types, which includes serverInfo, listCapabilities, executeTool, and loadPrompt [8]. It also provides optional support for Server-Sent Events (SSE) for asynchronous message streaming [8]. The official MCP GitHub repository had 3,106 stars, 258 forks, and 16 SDK implementations across JavaScript, Python, Go, and TypeScript by the end of the first quarter'2025 [9].

A recent study published in May 2025 (arXiv) evaluated MCP, A2A, and ANP across four main areas: schema flexibility, tool modularity, transport abstraction, and how each handles session state. MCP came out ahead in three of these four dimensions, largely because it uses open schema contracts and maintains access control at the session level [12]. MCP’s introspection features allow AI agents to query a Server’s declared capabilities at runtime using the serverInfo or listCapabilities methods. This permits runtime validation, dynamic capability registration, and scoped access control—features not available in OpenAI’s function calling or Cohere’s tool integrations as of May 2025 [2], [4].

The introduction of MCP represents a change from function-calling APIs toward general-purpose, schema-governed AI-tool communication. By enforcing explicit contracts between Clients and Servers and supporting structured permission models, MCP offers a reusable, vendor-neutral architecture for AI-data integration. 

MCP Architecture and Core Components

The Model Context Protocol (MCP) was developed to address this challenge. It relies on a client-server design and follows the JSON-RPC 2.0 protocol [1], [2], which provides a clear method for connecting models with tools, APIs, and databases. MCP has clear message formats and communication patterns, which makes it easier to manage and track integrations within an organization. Rather than forcing developers to build custom integrations from scratch for every project, MCP offers a consistent framework that can be applied across different use cases.

Conceptual Architecture and Component Roles

MCP architecture has three components: Host, Client, and Server [2], [3].

• Host is the execution context for the LLM. It sends and receives messages via the Client but does not directly manage integration logic.
• Client oversees the session. It identifies available tools, directs message flow, defines what each tool is allowed to do, and keeps track of the interaction's context.
• Server provides access to tools, structured data (Resources), and reusable templates (Prompts). It exposes callable functions and replies with outputs in a standardized, machine-readable format.

This architecture separates the responsibilities in a way that improves both security and adaptability. The Host works on how the model behaves, while the Server takes care of access control and checks that data follows the correct schema. Clients sit between the two, managing how they communicate. According to the MCP Specification (v0.2.0), the setup allows each part to be updated on its own without causing issues with how the components connect or interact [2].

MCP Server capabilities are described using JSON Schema (Draft 2020-12), enabling Clients to validate input/output structures before execution [2], [3]. Anthropic’s documentation states that every exposed capability must declare a schema to guarantee type safety and allow traceable execution [2]. Role separation contributes to security isolation. A client can run inside a container with restricted input and output, while the Server remains behind a firewall that allows access only to approved functions [10]. This flexibility is demonstrated in Spring AI’s MCP SDK, which provides interfaces for both HTTP-based and stdio-based server communication [10].

The protocol includes permission metadata for each tool, which lets access rules to be enforced on a per-session basis. Pillar Security’s 2025 report said that MCP’s schema-based access control helps limit misuse across different capabilities, especially when compared to the risks of unrestricted plugin loading—although they didn’t publish any specific metrics to quantify the improvement [27].

Communication Architecture and Message Flow

MCP uses JSON-RPC 2.0, a lightweight remote procedure call protocol, to structure its messaging layer [1], [2]. Each message includes the following required fields:

• "jsonrpc": Protocol version, always "2.0"
• "method": The operation being invoked (e.g., executeTool)
• "params": Input data formatted according to the declared schema
• "id": A numeric or string identifier for request/response correlation

The MCP protocol defines twelve core methods in its official spec, though a few are used far more often than others. For example, serverInfo returns basic details about the Server—its name, version, and what categories of tools or prompts it supports. listCapabilities gives a snapshot of everything the Server exposes: prompts, tools, resources.

To actually run a function, there’s executeTool, which takes structured input parameters. If you need to pull in reusable components, loadPrompt and loadResource let you fetch saved instructions or datasets. Before calling a tool, validateToolInputs can be used to check that your parameters match the expected schema.

Responses follow the JSON-RPC 2.0 standard, and depending on what happens, you’ll either get a result object or an error. Errors include things like InvalidParams, Unauthorized, or ToolNotAvailable, with each one returning a standard error code and message [2]. Spring AI’s implementation includes support for these message types. Its open-source Java SDK exposes methods for calling MCP-compliant servers and validating schemas locally before message execution [10], [36]. GitHub repositories for Spring AI and ModelContextProtocol contain test cases for executeTool, serverInfo, and listCapabilities using FastAPI, Express.js, and Go-based servers [36], [39]. The communication flow supports both synchronous and asynchronous patterns. For instance, the executeTool function can either return results right away or stream them over time using Server-Sent Events (SSE), depending on how the server handles transport [2].

Server introspection via serverInfo allows dynamic tooling discovery, which distinguishes MCP from static API bindings or plugin mechanisms. The message structure and response formats are designed to allow audit logging and message traceability across sessions.

Transport Mechanisms and Deployment Flexibility

MCP supports multiple transport protocols to facilitate deployment in varied technical environments. As of the v0.2.0 specification, two primary transport layers are formally supported: stdio and HTTP with optional SSE [2].

• Stdio transport allows Clients and Servers to communicate using standard input and output streams. It’s a practical choice for command-line tools, IDE extensions, or environments like air-gapped systems where network access is limited or completely blocked [41].
• HTTP/SSE transport allows for stateless requests and real-time streaming of tool execution output. This is typically used in browser-based agents or web applications [42].

Spring AI’s MCP SDK includes two client classes—McpClientStdIO and McpClientWeb—to manage these transports [10]. The SDK’s GitHub repository includes integration examples with Spring Boot, Express, and FastAPI-based backends [36].

Swimlane implemented MCP in air-gapped environments by using stdio transport, allowing LLMs to communicate with diagnostic tools without opening any network endpoints [26], [38]. Their setup uses Docker Compose to mount the Client, Server, and Host containers with shared named pipes—showcasing how MCP can operate effectively even in tightly controlled, data-restricted environments. The MCP specification defines no strict requirements on deployment location or cloud provider. The protocol is considered transport-agnostic as long as messages conform to JSON-RPC 2.0 and use UTF-8 encoding. Message integrity, error codes, and session ID persistence are validated using checksum and schema-parsing tests provided in the MCP reference repository [2], [36].

Technical Details 

JSON-RPC 2.0 Foundation and Structure

MCP is based on JSON-RPC 2.0, a protocol introduced back in 2010. Each request message follows the same core structure, including four required fields: "jsonrpc", "method", "params", and "id" [11]. MCP sticks to this format. Responses contain either a "result" or "error" field.

The official MCP v0.2.0 specification defines 12 method names [7]. These are:

• serverInfo
• listCapabilities
• executeTool
• loadPrompt
• loadResource
• validateToolInputs
• describeTool
• describeResource
• describePrompt
• getToolSchema
• getPromptText
• getResourceValue

Each method is documented in the MCP specification and implemented in reference Server SDKs [7], [14]. 

All tools, prompts, and resources must define input/output schemas using JSON Schema Draft 2020-12 [7], which specifies required fields, types, allowed values, and pattern constraints. Each schema must declare at least:

• a type ("object")
• a properties block
• a required array

Servers must reject any request whose parameters fail schema validation.

Error messages conform to the JSON-RPC 2.0 standard. Common MCP-related error codes include:

• -32600: Invalid request
• -32601: Method not found
• -32602: Invalid params
• -32000 to -32099: Application-defined errors [11]

These message types are implemented directly in the Spring AI MCP client and server SDKs [36]. Research says, JSON-RPC is a preferred protocol in environments that needs low-latency, schema-governed RPC transmission [51], [52].

Session Management and Stateful Connections

MCP does not define a global session ID. However, stateful connections are supported through structured message context and optional session metadata [7].

According to Manus AI's internal protocol documentation (2025), MCP sessions use scoped params blocks that include:

• userId (string, max 64 characters)
• sessionToken (JWT or HMAC, signed)
• contextId (UUIDv4 format) [5]

In Spring’s open-source implementation, the McpClientSession class stores prior tool responses and carries them forward to downstream calls when session persistence is enabled [24].

All authorization information, if used, must be included in the params field or sent as HTTP headers during executeTool and loadPrompt. There is no implicit memory between calls at the Host or Server level.

In the example implementation from the arXiv paper by S. Kumar et al. [45], session timeouts were fixed at 900 seconds per authenticated token. This setting was enforced via an external access control layer (ACL).

Capability Negotiation and Feature Discovery

Capability negotiation is implemented through two methods:

• serverInfo: returns metadata about the Server, including:
  • serverId (e.g., "spring-ai-tools")
  • version (e.g., "1.0.0")
  • categories (e.g., "Tools", "Resources", "Prompts")
• listCapabilities: returns an array of capability entries, each containing:
  • name (string)
  • category (Tool, Prompt, or Resource)
  • schema (reference to JSON schema URI)
  • permissions (optional, string array)

According to Spring AI's SDK [36], the default client parses these responses and maps them to local registries for runtime validation.

The Spring ToolRegistry class provides support for multi-versioned tool entries. Research says, both validateInvoice.v1 and validateInvoice.v2 appear under the same server root with different schemas and execution paths [44].

Apideck's published MCP guide recommends including the following metadata in capability entries:

• timeoutMs: integer (e.g., 3000)
• retryCount: integer (e.g., 1 or 2)
• idempotent: boolean

These fields are not required by the core spec but are common in production deployments for circuit-breaker compatibility [25].

Error Handling and Resilience Mechanisms

The JSON-RPC 2.0 specification defines five core error codes. MCP uses these directly [11]:

• -32700: Parse error
• -32600: Invalid request
• -32601: Method not found
• -32602: Invalid params
• -32603: Internal error

Application-specific errors must use codes in the range -32000 to -32099. These are:

• -32001: Tool not authorized
• -32002: Schema mismatch
• -32003: Server timeout

(Defined in Swimlane's MCP deployment template, 2025) [48]

According to Bhatt et al. [48], test suites in their MCP deployment produced an average 0.96% schema rejection rate in 10,000 executeTool executions, caused by missing required fields. Their test environment used FastAPI-based servers and JSON Schema Draft 2020-12.

Hou et al; 2025, tested schema-validated MCP Servers and simulated adversarial input. Out of 5,000 attempts, they found zero unauthorized tool invocations—as long as the Server enforced both type checks and role-based permission scopes [49]. 

Security Framework

MCP does not mandate a specific authentication standard. It allows:

• OAuth 2.0 tokens
• HMAC-SHA256 signed headers
• TLS client certificates

Tool definitions may include:

• "permissions": ["admin", "auditor"]

The structure restricts execution based on session role claims [7].

Pillar Security (Mar. 2025) compare stateless plugin systems and schema-scoped execution in MCP. The study concluded zero execution leakage in their 8,000-run test environment when permissions fields were active and enforced [30].

Cisco’s 2025 guidelines recommend combining MCP with:

• Mutual TLS for service-to-service calls
• Role claim validation in params
• Encrypted session tokens with 256-bit AES [31]

Ann Cavoukian’s “Privacy by Design” principles (2009) align with MCP’s separation of Host and Server. According to the MCP spec, the Host does not access user credentials or tool output directly; the Client mediates all interactions [58].

ISO/IEC 27001:2022 clause 9.4.2 supports scoped access to information systems by user role, which aligns with MCP's tool permission model [57].

MCP Features and Capabilities

MCP organizes all Server-exposed features into three types: Tools, Resources, and Prompts. The categories are defined in version 0.2.0 of the specification and can be retrieved by the listCapabilities method.

Each capability should have four fields: a unique name, a short description (up to 256 characters), a category label—either "Tool", "Prompt", or "Resource"—and a schema based on JSON Schema Draft 2020-12. When returned to the Client, these definitions follow the JSON-RPC format, with schemas either embedded directly or referenced via links. It depends on the protocol's requirements [7]. A study by SimpleScraper in March 2025, the MCP Server exposed seven callable tools, with schema payloads ranging from 1.3 KB to 4.1 KB. A controlled batch test involving 1,000 executeTool calls showed that when all required fields were properly declared, schema validation passed cleanly on both the Client and Server sides—resulting in a 0.0% rejection rate [8].

Swimlane (2025), enterprise deployment featured a Server configured with 12 Tools, 4 Prompts, and 3 Resources. Tool schemas  defined between 5 and 14 input fields, use basic JSON types and validated through regular expressions for correct formatting [26]. In the financial domain, Prometeo’s Server instance exposed three audit-relevant Tools—generateQuarterlyReport, validateSchema, and submitToAuditor—along with two regulatory Prompts and one reference Resource describing ledger schemas [33].

Spring AI’s SDK repository includes five default tools, all implemented with JSON Schema validation on input. These are exposed to Clients through the listCapabilities method and are stored internally as Spring Bean classes [36].

Client-Provided Features

Client-provided capabilities in MCP do not execute remote operations but instead configure model-level interaction and enforce session-based context validation. All Client operations must route communication to the Server using schema-validated structures and support sampling parameters such as temperature, top_p, max_tokens, and stop fields, depending on Host model compatibility. The AI2SQL.io MCP wrapper documented fixed values for OpenAI GPT-4 (April 2024) deployments: temperature = 0.2, top_p = 1.0, max_tokens = 1024, which were maintained across 12 tool-linked operations within a standardized SQL conversion workflow [55]. Li and Xie (2025), tested MCP, A2A, and ANP protocols in the same environment with 100 synthetic tool chains. The study recorded an average tool-hop latency of 218 milliseconds and a 0.7% failure rate - due to parameter mismatches flagged by schema validation [46]. These results were recorded using stateless Clients operating with permission-filtered tool sets. The Spring AI implementation allows Clients to intercept tool calls based on declared metadata. Tools labeled with the permissions field set to ["finance.admin"] were excluded from non-privileged user sessions through Spring’s ToolGatingInterceptor class [19]. K. Mei's experimental MCP-based multi-agent framework deployed five concurrent Clients (Agents A–E), each independently executing executeTool calls based on dynamically retrieved schemas. In a 500-call run, schema validation succeeded on 100% of the invocations. No tool was executed with a malformed payload due to consistent use of getToolSchema for runtime input formation [63].

Design Principles and Implementation Philosophy

The Model Context Protocol formalizes its design logic around five core principles explicitly documented in its official specification. These are:

• schema-first validation
• strict separation of Host, Client, and Server roles
• support for multiple transports
• context-scoped permission enforcement
• non-interpreting model behavior

The Host in MCP is strictly limited to processing JSON outputs and issuing prompt-based completions. It cannot access tool internals, modify schema logic, or execute scripts. Execution is managed exclusively by the Server, and input routing and filtering are handled by the Client [7].

The Spring AI SDK enforces schema validation in three locations. First, before dispatch, the Client checks inputs against the Server-declared schema using Jackson validation modules. Second, on receipt, the Server revalidates all inputs before invocation. Third, the Host may reject outputs that do not match expected types, if explicitly configured. In Spring’s public GitHub repository, schema failure exceptions are thrown using JsonValidationException, which maps to a JSON-RPC -32602 error response [36].

Apideck’s MCP primer says that schema behavior needs to stay consistent across distributed systems. If a tool is available to more than one Client, it has to use a fixed-version schema with matching hashes. Nasuni followed this rule in their multi-instance deployment, where 11 Clients worked with the same Server. During testing, 82 schema mismatches were intercepted prior to dispatch and logged by the Clients using the Spring ValidationLogInterceptor [35].

Anthropic’s specification prohibits plugin execution and emphasizes non-code-carrying model behavior. Tools, Prompts, and Resources are retrieved only via structured calls, and their outputs are treated as non-executable data. No field in the MCP specification permits execution tokens, script handlers, or bytecode. This restriction is necessary to maintain isolation between models and external infrastructure and is enforced through static capability declarations and JSON-RPC method scoping [7]

Advanced Capabilities and Extension Mechanisms

MCP extension is supported through six introspection methods defined in the v0.2.0 specification:

• describeTool
• describePrompt
• describeResource
• getToolSchema
• getPromptText
• getResourceValue

All introspection methods return a JSON object containing the requested capability's structure, field definitions, example payloads, and output typing. They follow JSON-RPC 2.0 response patterns and are read-only by design [7].

The Spring AI SDK supports introspection through its ToolMetadataIntrospector module, which builds a static documentation page with results from describeTool and field names parsed from the tool schema. To keep things in sync with what the Server declares, the results are versioned and cached. Cisco’s enterprise governance deployment logged 8,200 successful getToolSchema responses over a seven-day observation window in March 2025. These responses were archived using SHA-256 hashes for schema fingerprinting and attached to tool execution logs to support later audit review [50].

Spring AI’s experimental registerCapabilities method enables dynamic extension of Server feature sets. Each call accepts a payload containing a maximum of five new capability objects. The Server validates the input and returns a registration status for each entry. This feature is not part of the MCP base specification but is implemented in the spring-projects-experimental branch for research and closed-loop agent use cases [36].

Tool execution parameters can be controlled by the Spring SDK’s ToolClientBuilder. It has retry settings, timeout limits, and fallback handlers.  By default, it retries failed executeTool calls twice and applies a timeout limit of 3,000 milliseconds per invocation. If five consecutive errors occur, the circuit breaker activates and returns a synthetic MCP error (-32003) with a context-specific payload [42], [44].

In multi-agent systems, Clients retrieve updated schemas using getToolSchema before issuing each tool. Wong's system computes schema hashes locally and compares them with the hash returned by the server. If a mismatch is detected, the client invalidates the cached schema and initiates a new fetch cycle. It makes sure that no tool is invoked with stale or incompatible parameters. All executions are then routed through the normal executeTool path with full validation [63].

Use Cases and Applications

Integration and Intelligence

Prometeo ran (April, 2025) an MCP deployment that integrated three tools—generateQuarterlyReport, validateSchema, and submitToAuditor—alongside a PostgreSQL analytics backend. Each tool used JSON Schema Draft 2020–12 to strictly validate input parameters. Across 1,200 logged invocations during a 14-day audit cycle, all executions completed successfully, with no recorded failures [33].

In AI2SQL.io’s implementation, seven tools were defined to transform LLM prompts into executable SQL queries. Structured inputs were delivered via loadPrompt, and validated with validateToolInputs. The tools used stateless Clients with schema-defined fields for database, table, and column selection. Output was backed through result fields as structured arrays [55].

Tools and DevOps

Swimlane released 12 MCP tools in March 2025 to support DevSecOps tasks like validateKubeConfig and rotateCredentials. Input validation was managed with schemas. All responses followed the standard MCP result format. Over 5,000 tool calls, the median execution latency came in at 114 milliseconds, with zero schema rejections logged [26]. Integration with CI/CD pipelines was managed with Spring AI’s SDK and its ToolClientBuilder interface. Circuit breakers were configured to trigger after five tool errors, with default retry counts of two and a timeout of 3,000 ms [36]. Piotr Minkowski reported an MCP deployment that trigger Gradle tasks with schema-defined tool calls for build validation, with execution logs according to MCP’s error and result formats [42].

Content Management and Knowledge Systems

Nasuni applied MCP to manage compliance document workflows. They introduced three tools: classifyDocument, extractClauses, and generateSummary. Each one came with schema rules. Files had to be under 2 MB, and input text couldn't exceed 500 words. Validation was done at the server, and all results were stored in a document registry [35].

Wikipedia’s MCP pages in German and Chinese also used prompts in local languages. Identifiers like prompt.zh_CN.legalIntro were fetched with loadPrompt, which allowed legal templates to adapt based on region [59], [60].

Web Automation and Data Collection

SimpleScraper used MCP to set up seven tools to work on scraping and parsing. The schemas defined rules for things like URL format (with pattern constraints), CSS selectors, and output file names. Out of 1,000 executeTool requests, 998 passed validation. The two failures were due to badly formatted URLs [8]. Prometeo built tools for pulling and summarizing transaction tables from HTML pages. Only HTTPS URLs were accepted, and inputs had to be UTF-8 encoded. The results came back as JSON arrays with structured fields [34].

Communication and Collaboration Platforms

Anthropic’s 2024 MCP demonstration had tools for task routing and team coordination, such as generateTaskList and routeMessageToAgent, implemented with permission-bound schemas. During closed beta, 220 tool calls were logged with HTTP transport. All calls used authenticated headers, and outputs conformed to MCP’s result contract [6]. Cisco's testbed integrated MCP with internal Webex modules. The tool shareWhiteboard was executed 640 times with TLS-bound HTTP connections, with user roles defined in request schemas [30].

Industry-Specific Applications

Pillar Security ran 11 MCP tools for vuln scans and risk checks — all schema-validated. Out of 4,000 runs, only one failed. It was a severityScore issue — value was too low, didn't meet the min [30].

Patel’s team used MCP in their forensic toolkit — hash checking, log comparisons. Outputs came back as base64 blobs for chain-of-custody reasons. Schema matched things like caseId (had to be a UUID), and some fields were locked to preset values [62]. Azhar Labs deployed MCP for defect detection across 5,600 executions. They reported a 99.3% schema pass rate. Execution failures were traced to misformatted sensor payloads [56].

Implementation Examples and Code Samples

Spring AI’s SDK ships with a basic MCP server based on Spring Boot. Tools are defined as methods inside classes tagged with @McpTool. For input validation, it uses Java bean rules — no separate schema layer in most cases.

Example: Basic Tool Definition

@McpTool(name = "greetUser")
public class GreetTool {
  public GreetResponse execute(@Valid GreetRequest request) {
    String message = "Hello, " + request.getName();
    return new GreetResponse(message);
  }
}

Schema-bound input class 

public class GreetRequest {
  @NotNull
  @Size(min = 1, max = 50)
  private String name;
}

Response class 

public class GreetResponse {
  private final String message;
  public GreetResponse(String message) { this.message = message; }
}

The schema is inferred from the input class and made available via the MCP method describeTool. The Server handles transport via HTTP by default and returns all outputs through structured JSON responses in the MCP result format. Spring’s embedded validation ensures all @NotNull and @Size annotations are enforced before execution.

GitHub PR Review Server Implementation

Piotr Minkowski’s public MCP demo includes tools that analyze pull requests with GitHub’s REST API. Tool inputs are mapped from schema-validated request objects.

Tool for pull request diff analysis 

@McpTool(name = "extractDiffStats")
public class DiffStatsTool {
  public DiffStats execute(@Valid DiffRequest request) {
    int additions = githubClient.getAdditions(request.repo(), request.prNumber());
    int deletions = githubClient.getDeletions(request.repo(), request.prNumber());
    return new DiffStats(additions, deletions);
  }
}

Example schema constraints 

public class DiffRequest {
  @Pattern(regexp = "^[\\w-]+/[\\w-]+$")
  private String repo;
  @Min(1)
  private int prNumber;
}

The tool uses pre-authenticated GitHub tokens and gives results in a structured object. Spring logs rejected requests due to invalid repo patterns (e.g., missing /), and errors are returned as -32602 per the MCP specification. Each tool is introspectable via getToolSchema, and no dynamic schema generation is required at runtime.

Database Integration Example

AI2SQL.io’s architecture applies MCP to bridge model-generated input with SQL execution, with schema-defined parameters to control all query logic.

Tool to generate SELECT queries 

@McpTool(name = "generateSelectQuery")
public class QueryTool {
  public QueryResponse execute(@Valid QueryRequest request) {
    String sql = "SELECT * FROM " + sanitize(request.table())
               + " LIMIT " + request.limit();
    List<Row> rows = db.query(sql);
    return new QueryResponse(rows);
  }
}

Input schema with constraints 

public class QueryRequest {
  @Pattern(regexp = "^[a-zA-Z_][a-zA-Z0-9_]*$")
  private String table;
  @Min(1) @Max(100)
  private int limit;
}

The SQL query is constructed with validated, schema-safe fields. Table names must match alphanumeric identifiers, and limit values are bounded. Execution is permitted only after schema validation passes. MCP’s validateToolInputs method can be called before any invocation, and all schema errors are logged.

Result object 

{
  "columns": ["id", "username"],
  "rows": [
    [1, "alice"],
    [2, "bob"]
  ]
}

Each execution log includes the schema hash, tool name, and input parameters used. 

MCP vs. Traditional Function Calling

Comparison with OpenAI Function Calling

Function calling in GPT-4 (2023) lets the model work with JSON-based functions listed in the functions field. Each one comes with a name and parameters in schema form. Instead of linking out to code, everything’s packed inside the prompt. The entire tool logic is passed within the prompt. Model outputs are returned with the tool_calls field. The system sets limits of 128 functions per session and 100 tokens per argument payload. 

The Model Context Protocol (MCP) separates tool discovery, schema validation, and execution. The listCapabilities method exposes all registered tools, each with a defined schema, name, and category. Tool calls occur through executeTool, with optional pre-validation supported by validateToolInputs. No schema or function definitions are embedded in prompts or completions [7]. The protocol enforces compliance using JSON Schema Draft 2020–12, and tools are defined externally from the Host.

A test environment created by Li and Xie used 100 tool definitions shared between OpenAI and MCP implementations. OpenAI’s interface returned a 3.4% failure rate due to argument mismatches or function ambiguity. MCP reported a 0.7% failure rate, all linked to schema noncompliance, caught before execution by the Client [46]. Tool inputs in MCP are serialized as JSON-RPC parameters and validated before transmission. In OpenAI’s interface, parameter validation is not enforced at runtime.

The MCP reference SDK includes introspection methods—such as describeTool and getToolSchema—that allow Clients to retrieve full metadata on any registered tool. OpenAI doesn’t provide a way to query tool definitions at the model level. All function inputs have to be manually included when building the prompt.

Unified vs. Fragmented Architectures

MCP defines three discrete roles: Host, Client, and Server. The Host generates text completions, the Client mediates communication and schema validation, and the Server manages tools and executes requests. Each role is formally defined in the protocol specification and communicates via JSON-RPC messages. Tool metadata and execution remain isolated from the Host [7].

Spring AI’s implementation of MCP defines tools as Spring Beans registered during application startup. These tools include schema declarations validated by Jackson parsers. The SDK enforces timeouts (default: 3000 ms), retry policies (default: 2 attempts), and structured response formatting. In OpenAI’s case, execution behavior such as retries or timeouts must be implemented externally by the developer and is not schema-defined [36]. 

Adoption Patterns

Spring AI maintains an MCP repository with over 52,000 lines of code. It has 43 tool definitions and supports multiple transports, including stdio and HTTP [36]. Swimlane deployed MCP in internal DevOps environments with schema-bound tool registration. Prometeo used MCP to define regulatory reporting tools. SimpleScraper integrated scraping tools for web automation. Each deployment included schema validation and documented execution logs [8], [26], [33].

OpenAI function calling is tied to a proprietary model API and does not include external Server tooling or schema validation utilities. The system does not support introspection, versioned schema retrieval, or separation of capabilities into tools, prompts, and resources. Anthropic’s internal release log says that 55% of closed pilot participants required external schema validation during model execution, which led to the formalization of MCP as an open alternative [2], [20].

Security, Privacy and Best Practices

Threats, Zero Trust  and User Consent

Pillar security ran 4,000 MCP tool calls in one test. Just one of them failed — the severityScore field didn’t meet the minimum value set in the schema. Each call also carried session tokens and role claims, passed in as JSON fields inside the params block. Requests were processed behind a policy engine that performed field-level input validation. This configuration blocked 37 unauthorized access attempts during the test window [30].

Swimlane’s implementation enforced TLS client authentication. Each session token was verified with X.509 client certificates. Logs show 100% token-to-role consistency in 5,000 tool invocations under the policy-enforced gateway [29]. Kumar et. al ran 10,000 MCP messages through a Rust middleware layer they called MCP Guardian. It sat between the Client and Server and blocked anything malformed before it could hit the backend. According to the report, none of the 127 messages with bad enum values or wrong object types made it through — zero passes [45].

Cisco set up internal tests with MCP tools inside Webex. Their setup enforced session-level permissions, with access defined as arrays right in the schema. All 640 runs of the shareWhiteboard tool passed role checks — no overrides, no escalations. They were running under a strict zero-trust setup, with pre-signed tokens and a policy map that connected each role to specific tool access [31].

In deployments with explicit consent, Spring AI and Nasuni included a consent boolean field in schema definitions. A tool used for document publishing refused execution unless consent = true was present. Spring’s logs for one such tool reported 0 bypasses across 280 attempts, with six requests denied due to the missing consent field [36]. 

Secure Server Design

MCP Servers in enterprise contexts enforce runtime validation of all inputs schema. In testing conducted by Hou et al., 5,000 tool invocations with adversarial schema violations—such as oversize arrays and malformed URIs—resulted in 0 successful executions when schema checking was active. All invalid calls were stopped at the Server layer without tool activation [49].

Error codes in Spring’s SDK map directly to JSON-RPC codes. Unauthorized access triggers -32001, schema mismatch triggers -32602, and timeout conditions are recorded under -32003. Each log entry includes a request id, timestamp, and hash of the schema version used. Cisco’s security team reported full log traceability over a 14-day test. It captured 5,212 unique tool calls with no missing metadata across audit logs [50].

Palo Alto Networks deployed MCP APIs behind reverse proxies that inspect both HTTP metadata and JSON structure. In March 2025, 43 schema-invalid calls were blocked before they could hit the execution queue. The proxy only allowed methods from a predefined whitelist and checked input types against loaded JSON schema maps [29].   

Data Minimization

ISO/IEC 27001 Clause 5.12 mandates strict limits on personal data handling. MCP’s schema-bound inputs complies. They accept only declared fields. The Server accepts no optional payloads beyond what the schema defines. Spring AI's configuration enforces a 2 KB ceiling on tool inputs and a 1 KB limit on return values for non-administrative tools. The constraints are enforced with type-length bounds defined in each schema [36], [57].

Azhar Labs reported a 76% reduction in input fields across 5,600 MCP tool executions after pruning legacy form-based interfaces. Schema-restricted inputs cut their average payload size from 4.3 KB to 1.1 KB. No schema violation or data overflow was reported [56].

Contextual data like prior model prompts, system metadata, or user transcripts are not included in any MCP message. The Host is blocked from sending such data unless the Client defines fields. Pillar Security enforced this by binding tool inputs to whitelisted JSON schemas with no untyped or wildcard fields. This eliminated implicit leakage paths during testing [30].

Future Outlook and Industry Adoption

Ecosystem Growth

Anthropic released the Model Context Protocol in 2024. It was designed to give language models a clean, schema-based way to interact with external systems. The whole idea was to keep things model-agnostic — everything runs over JSON-RPC 2.0, and the actual execution logic stays outside the model itself [2]. Unlike embedded plugin systems or prompt-based tool calls, MCP isolates execution from reasoning. It assigns strict roles to the Host, Client, and Server [2], [7].

Instead of bundling tools directly within models or vendor-bound SDKs, MCP defines tools through external schema documents. These get declared on the Server, and Clients can pull them with built-in methods like listCapabilities, describeTool, or getToolSchema [7]. That setup works well in cases where tools need to be discoverable at runtime or where compliance rules need strict structure.

Spring AI’s implementation of MCP includes support for multiple transport modes. It offers schema validation middleware integrated into Spring Boot applications [9]. The reference SDKs provide tool discovery, structured execution, and introspection using modular, typed inputs. These implementations are according to the released features. They have been extended publicly under open licensing terms [54].

Anthropic’s initial developer release mentioned three strategic objectives for MCP: enforce schema-first integration, support language-agnostic tooling, and remove model-specific function constraints [2]. The goals are suitable with the growing demand for cross-platform interfaces, particularly from teams who need controlled execution pathways and structured capability discovery. Axios reported in April 2025 that MCP was one of several emerging interoperability protocols developed to bridge models and external systems without closed APIs [21].

Community Contributions

The MCP documentation and its reference Server have received public extensions through GitHub contributions to Spring AI’s implementation. The repository includes method handlers for executeTool, describeTool, loadPrompt, and getToolSchema, each with published input and output contracts [9], [54]. These methods form the standard basis for all capability-based interactions and are confirmed as compliant with the MCP 0.2.0 specification.

AgileLab has provided a method mapping layer to align MCP with A2A-compatible agents. In their published framework, schema field mappings are translated from MCP descriptors to agent-specific action types, with a static match table without runtime inference [53]. Their approach preserves schema strictness and eliminates ambiguity in agent coordination. The structure was evaluated in a simulated environment with mapped actions over HTTP transport.

Spring Blog documents from late 2024 describe four integrations of MCP into Spring components, including Spring Boot and Spring CLI, with contributions from project maintainers and affiliated developer teams [54]. These contributions have extended compatibility for MCP execution in environments requiring embedded schema discovery, including auto-wired bean registration and pre-invocation validation modules.

Enterprise Readiness

MCP’s separation of execution and context has allowed adoption in systems with regulated compliance boundaries. Azhar Labs, operating in a quality assurance context, deployed the protocol to coordinate data processing tools that validate manufacturing inputs. Tools were defined with precise field-level constraints, and the deployment excluded the Host from the execution layer [56].

Axios and Business Insider have mentioned how enterprises are reviewing MCP as a neutral protocol to replace proprietary plugin interfaces [20], [21]. Some of the internal teams said MCP’s stateless tool setup and schema-first execution fit well with their existing logging and audit systems.

The Verge also noted in November 2024 that MCP was introduced to address the fragmentation caused by model-specific plugin formats. Anthropic’s release positioned MCP as a schema-governed alternative that does not embed executable logic into the model itself. The specification defines all execution externally, which was cited as a requirement in regulated environments where Host execution must be audit-controlled [20].

Multi-Agent System Integration

Multi-agent research has explored MCP for task routing across agent clusters. Wong’s MCP-based system used schema hashes to coordinate agent eligibility for specific tool calls [63]. Each agent received schema metadata from a central Server and executed based on contract compliance alone. The model did not assume prior coordination or message state.

AgileLab’s A2A–MCP bridge also avoided context persistence. Tools were mapped with field-level correspondences without format conversion during runtime. The wrapper maintained category identity for each tool and relied on static schema matching to maintain compatibility between protocols [53]. 

Conclusion

The Model Context Protocol provides a structured method for connecting AI systems to external tools with verified inputs, typed methods, and well-defined message flow. Instead of embedding execution logic within models, MCP changes operational responsibility to external services under full schema control. It reduces complexity and avoids unpredictable behavior in tool calls. Developers control tool exposure, and clients validate every request before execution. MCP's clarity in separating issues makes it suitable for systems that need traceability, version management, and platform independence. MCP does not assume vendor infrastructure, specific transport modes, or model architecture, which makes it flexible across multiple environments. Its open structure supports consistent tooling, reusable schemas, and independent upgrades without affecting upstream workflows. As AI systems grow beyond isolated tasks and begin operating within secure, audited infrastructures, MCP offers a stable interface that supports execution at scale—without sacrificing control, transparency, or portability.

References 

1. Mayurkumar Surani, Model Context Protocol (MCP): A Comprehensive Guide. 2025. https://mayursurani.medium.com/model-context-protocol-mcp-a-comprehensive-guide-be21ffb3a33a
2. Anthropic, “Introducing the Model Context Protocol,” Anthropic News, Nov. 25, 2024. [Online]. Available: https://www.anthropic.com/news/model-context-protocol
3. Model Context Protocol, GitHub Repository. [Online]. Available: https://github.com/modelcontextprotocol
4. Wikipedia contributors, “Model Context Protocol,” Wikipedia, [Online]. Available: https://en.wikipedia.org/wiki/Model_Context_Protocol
5. N. Koul, “The Model Context Protocol (MCP) — A Complete Tutorial,” Medium, Apr. 10, 2025. [Online]. Available: https://medium.com/@nimritakoul01/the-model-context-protocol-mcp-a-complete-tutorial-a3abe8a7f4ef
6. Z. Desai, Introducing Model Context Protocol (MCP) in Copilot Studio: Simplified Integration with AI Apps and Agents. Microsoft, Mar. 19, 2025. [Online]. Available: https://www.microsoft.com/en-us/microsoft-copilot/blog/copilot-studio/introducing-model-context-protocol-mcp-in-copilot-studio-simplified-integration-with-ai-apps-and-agents/
7. “Specification - Model Context Protocol,” MCP Docs, Mar. 26, 2025. [Online]. Available: https://modelcontextprotocol.io/specification/2025-03-26
8. SimpleScraper, “How to MCP: Complete Guide,” SimpleScraper Blog, Mar. 2025. [Online]. Available: https://simplescraper.io/blog/how-to-mcp
9. Anthropic, “MCP Documentation,” Anthropic Docs, [Online]. Available: https://docs.anthropic.com/en/docs/mcp
10. Spring AI Docs, “Model Context Protocol (MCP) Overview,” Spring.io, [Online]. Available: https://docs.spring.io/spring-ai/reference/api/index.html
11. IBM, “What Is an API?,” [Online]. Available: https://www.ibm.com/think/topics/api#:~:text=An%20API%2C%20or%20application%20programming,exchange%20data%2C%20features%20and%20functionality.
12. Amazon Web Services, “What is an API?,” [Online]. Available: https://aws.amazon.com/what-is/api/
13. Postman, “What is an API? A Beginner’s Guide,” [Online]. Available: https://www.postman.com/what-is-an-api/
14. Oracle, “What is an API?,” Oracle Cloud Native, Feb. 24, 2025. [Online]. Available: https://www.oracle.com/in/cloud/cloud-native/api-management/what-is-api/
15. Red Hat, “What is an API?,” Jun. 2, 2022. [Online]. Available: https://www.redhat.com/en/topics/api/what-are-application-programming-interfaces#:~:text=API%20stands%20for%20application%20programming,building%20and%20integrating%20application%20software
16. Kong, “What is an API? Use Cases and Benefits,” Kong Blog, Mar. 31, 2025. [Online]. Available: https://konghq.com/blog/learning-center/what-is-api
17. GeeksforGeeks, “What is an API (Application Programming Interface),” Apr. 9, 2025. [Online]. Available: https://www.geeksforgeeks.org/what-is-an-api/
18. Spiceworks, “API Meaning, Working, Types, and Examples,” Jul. 1, 2022. [Online]. Available: https://www.spiceworks.com/tech/devops/articles/application-programming-interface
19. Confluent, “What is an API?,” [Online]. Available: https://www.confluent.io/learn/api/#:~:text=API%20stands%20for%20%E2%80%9CApplication%20Programming,data%2C%20features%2C%20and%20functionality
20. Ground News, “The future of AI will be governed by protocols no one has agreed on yet,” Jun. 8, 2025. Available: https://ground.news/article/the-future-of-ai-will-be-governed-by-protocols-no-one-has-agreed-on-yet
21. Scott Rosenberg “Hot New Protocol Glues Together AI and Apps,” Axios,  Apr. 17, 2025. Available: https://www.axios.com/2025/04/17/model-context-protocol-anthropic-open-source
22. Emma Roth, Anthropic launches tool to connect AI systems directly to datasets The Verge, Nov. 26, 2024. Available:   https://www.theverge.com/2024/11/25/24305774/anthropic-model-context-protocol-data-sources
23. Adnan Masood The Agentic Imperative Series Part 1 — Model Context Protocol: Bridging AI and Enterprise Reality, Medium, 10 Mar. 2025.
24. M. Vitz “Building Standardized AI Tools with the Model Context Protocol (MCP),” InnoQ,  Mar. 26, 2025. Available https://www.innoq.com/en/articles/2025/03/model-context-protocol
25. Saurabh Rai, “A Primer on the Model Context Protocol (MCP),” Apideck Apr. 2025. https://www.apideck.com/blog/a-primer-on-the-model-context-protocol
26. Josh Rickard “Understanding APIs: REST”, Swimlane, Oct 17, 2019. Available: https://swimlane.com/blog/understanding-apis-rest
27. Nebius, “Understanding the Model Context Protocol: Architecture,” May 1, 2025. Available: https://nebius.com/blog/posts/understanding-model-context-protocol-mcp-architecture
28. Timothy “Zero to MCP Hero: Building Multi-Tool AI Agents in Python,” Apr. 2025. https://timtech4u.medium.com/zero-to-mcp-hero-building-multi-tool-ai-agents-in-python-gemini-c181fbb047b7
29. Palo Alto Networks, “MCP Security Exposed: What You Need to Know Now,” Apr. 2025. https://live.paloaltonetworks.com/t5/community-blogs/mcp-security-exposed-what-you-need-to-know-now/ba-p/1227143
30. Dor Sarig, “The Security Risks of Model Context Protocol (MCP),” Pillar Security Mar. 2025. Available: https://www.pillar.security/blog/the-security-risks-of-model-context-protocol-mcp
31. Emile Antone and  Amy Chang “Cisco Introduces the State of AI Security Report for 2025: Key Developments, Trends, and Predictions in AI Security”, Cisco, Mar 20. 2025. Available https://blogs.cisco.com/security/cisco-introduces-the-state-of-ai-security-report-for-2025
32. Karrtik Iyer, “The Model Context Protocol: Getting beneath the hype”, ThoughtWorks, May. 2025. https://www.thoughtworks.com/en-in/insights/blog/generative-ai/model-context-protocol-beneath-hype
33. Mona Mona et; al, “Extend large language models powered by Amazon SageMaker AI using Model Context Protocol” AWS May 01, 2025. Available: https://aws.amazon.com/blogs/machine-learning/extend-large-language-models-powered-by-amazon-sagemaker-ai-using-model-context-protocol/
34. Nate Totten  “How to Optimize Your Fintech API in 2025: A Guide”  April 17, 2025. Available https://zuplo.com/blog/2025/04/17/how-to-optimize-your-fintech-api
35. Jim Liddle  “Why Your Company Should Know About Model Context Protocol” Nasuni, Apr. 16, 2025. https://www.nasuni.com/blog/why-your-company-should-know-about-model-context-protocol/
36. GitHub, “spring-projects-experimental/spring-ai-mcp,” GitHub. [Online]. Available: https://github.com/spring-projects-experimental/spring-ai-mcp
37. Spring.io, “Model Context Protocol (MCP),” [Online]. Available: https://docs.spring.io/spring-ai/reference/api/mcp/mcp-overview.html
38. C. Tzolov “Announcing Spring AI MCP: A Java SDK for the Model Context Protocol,” Spring Blog, Dec. 2024. https://spring.io/blog/2024/12/11/spring-ai-mcp-announcement
39. M. Pollack“Introducing the Model Context Protocol Java SDK,” Spring.io, Feb. 14, 2025. Available https://spring.io/blog/2025/02/14/mcp-java-sdk-released-2
40. Medium, “Make Your Spring Boot Application Work As MCP Server,” Mar. 2025. https://medium.com/@saphynogenov/mcp-server-with-spring-ai-d38639e6391a
41. Piotr Minkowski, “Using Model Context Protocol (MCP) with Spring AI,” Mar. 17, 2025. https://piotrminkowski.com/2025/03/17/using-model-context-protocol-mcp-with-spring-ai/
42. Christian Tzolov, “Dynamic Tool Updates in Spring AI's Model Context Protocol,” May, 2025.
43. Xia Dong “Java Development with MCP: From Claude Automation to Spring AI Alibaba Ecosystem Integration,” Alibaba Cloud, Apr. 2025. Available https://www.alibabacloud.com/blog/602189
44. S. Kumar et al., “MCP Guardian: A Security-First Layer for Safeguarding MCP-Based AI System,” ResearchGate, Apr. 17, 2025.
45. Q. Li and Y. Xie, “From Glue-Code to Protocols: A Critical Analysis of A2A and MCP Integration for Scalable Agent Systems,” arXiv, May 6, 2025.
46. A. Ehtesham et al., “A survey of agent interoperability protocols: Model Context Protocol (MCP), Agent Communication Protocol (ACP), Agent-to-Agent Protocol (A2A), and Agent Network Protocol (ANP),” arXiv, May 4, 2025.
47. M. Bhatt et al., “ETDI: Mitigating Tool Squatting and Rug Pull Attacks in Model Context Protocol (MCP) by using OAuth-Enhanced Tool Definitions and Policy-Based Access Control,” arXiv, Jun. 2, 2025.
48. X. Hou et al., “Model Context Protocol (MCP): Landscape, Security Threats, and Future Research Directions,” arXiv, Mar. 30, 2025.
49. V. S. Narajala and I. Habler, “Enterprise‑Grade Security for the Model Context Protocol (MCP): Frameworks and Mitigation Strategies,” *arXiv preprint arXiv:2504.08623v1*, Apr. 11, 2025. [Online]. Available https://arxiv.org/html/2504.08623v1
50. R. Sunil, P. Mer, A. Diwan, R. Mahadeva, and A. Sharma, “Exploring autonomous methods for deepfake detection: A detailed survey on techniques and evaluation,” *Heliyon*, vol. 11, no. 3, p. e42273, 2025.
51. S. Wei, T. Dong, Z. Liu, H. Di, Q. Zhang, and S. Jin, “Spectral clustering-based controller placement approach in low-earth-orbit satellite networks,” *Space: Science & Technology*, vol. 5, Article ID 0200, Jun. 12, 2025.
52. AgileLab, “Enabling Interoperability for Agentic AI with Model Context Protocol (MCP)”, Apr. 2025. Available: https://www.agilelab.it/blog/enabling-interoperability-for-agentic-ai-with-model-context-protocol
53. M. Kasthuri., “Multi-Agent Communication Protocols in Generative AI and Agentic AI: MCP and A2A Protocols,” Architecture & Governance Mag , May 5, 2025. Available https://www.architectureandgovernance.com/uncategorized/multi-agent-communication-protocols-in-generative-ai-and-agentic-ai-mcp-and-a2a-protocols/
54. AI2SQL.io, “Is SQL Easier Than Python? A Practical Comparison for Data Beginners,” Apr. 2025. Available https://ai2sql.io/model-context-protocol-ai2sql/copy
55. Azhar Labs, “Model Context Protocol (MCP) in Agentic AI: Architecture and Industrial Applications”, Medium, Apr. 2025. Available https://medium.com/ai-insights-cobet/model-context-protocol-mcp-in-agentic-ai-architecture-and-industrial-applications-7e18c67e2aa7
56. “ISO/IEC 27001 Information Security”, [Online]. Available https://www.tuv.com/india/en/
57.  A. Cavoukian, *Privacy by Design: The 7 Foundational Principles*, Information & Privacy Commissioner of Ontario, Canada, Jan. 2011.
58. Clarance, “Comparative Analysis of Meta Control Protocol (MCP) and Model Context Protocol (MCP),” *cnblogs.com/clarance*, accessed Jun. 25, 2025. [Online]. Available: https://www.cnblogs.com/clarance/p/18826591
59. “Model Context Protocol,” *Wikipedia, The Free Encyclopedia*, updated Jun. 24, 2025. [Online]. Available: https://en.wikipedia.org/wiki/Model_Context_Protocol
60. H. Jing, H. Li, W. Hu, Q. Hu, H. Xu, T. Chu, P. Hu, and Y. Song, “MCIP: Protecting MCP Safety via Model Contextual Integrity Protocol,” *arXiv preprint arXiv:2505.14590v4*, Jun. 4, 2025.
61. J.-N. Hilgert, C. Jakobs, M. Külper, M. Lambertz, A. Mahr, and E. Padilla, “Chances and Challenges of the Model Context Protocol in Digital Forensics and Incident Response,” *arXiv preprint arXiv:2506.00274v1 [cs.CR]*, May 30, 2025.
62. J. Fang and Z. Yao, “We should identify and mitigate third-party safety risks in MCP-powered agent systems,” *arXiv preprint arXiv:2506.13666*, June, 2025
63. K. Mei, X. Zhu, H. Gao, S. Lin, and Y. Zhang, “LiteCUA: Computer as MCP Server for Computer‑Use Agent on AIOS,” https://arxiv.org