MCP

MCP(Model Context Protocol)

What? It is the opensource standard way how AI agents(like claude CLI) interacts & gets information from outside world(eg: github, google drive, postgres db reader etc)
Client Server Architecture: AI Agent(eg: Claude CLI) acts as the client, and the service provider(eg: postgres DB reader) act as the server.
Communication: Client and server uses Server-Sent Events (SSE) or WebSockets over HTTP and uses HTTPS (SSL/TLS) to encrypt the JSON-RPC messages.
MCP is Opensource/Vendor Agnostic: That means any agent can use MCP to interact with MCP server and access tools/services


Claude-MCP-Client ---------|
                          MCP-Server <--> postgres-DB-reader
Cursor-MCP-Client ---------|

Message Format: JSON-RPC with specific feilds (eg: methodm params, id etc)


POST /mcp/v1/tools/call HTTP/1.1
Host: mcpserver.com
Content-Type: application/json
Authorization: Bearer <AI_Platform_JWT>
User-Agent: AI-Assistant-Client/1.0

{
  "jsonrpc": "2.0",
  "method": "tools/call",
  "params": {
    "name": "fetch_webpage",
    "arguments": {
      "url": "http://www.google.com/"
    }
  },
  "id": 42
}

How MCP Client Authenticate to Server? if human user want to access any service then they provide password, but for AI agent authenticate using OAuth.


  Machine-1                  Machine-2                   Machine-3
Client(claude cli)          (Auth Server)             (Resource Server)
               ---- GET www.google.com -------------------->
               <- 401 Unauthorized Challenge -----------

               -- Authenticate ----->
      my client_id: https://claude.ai/mcp-metadata.json
                                - Fetch public key ----> claude.ai
                                <--- Public key -------
                            Verify Signature

               --- GET google.com Authorization Header: JWT -->

Can existing tools(old postgres DB reader) talk over MCP directly, or do they need an update?
They would need to be updated since every MCP server need to expose some new endpoint eg: tools/list, execute_query.
Endpoint execute_query: MCP server provides a endpoint(execute_query) which accepts the JSON-RPC payload, translates it into an actual SQL query, executes it against the database, and reformats the tabular SQL rows back into clean text/JSON for the AI model.
Why couldn't we use an existing RPC protocol (like gRPC or JSON-RPC)?
MCP is just AI specific way of getting information over existing RPC protocols.
AI agent converts generic prompts to REST endpoint calls(eg: code-review) and use these endpoints to perform the tasks


  Machine-1                             Machine-2
Client(claude cli)                    Server(Postgres Connector)

Message Exchange

@startuml
title MCP Client-Server Sequence Diagram

participant "MCP Client" as Client
participant "MCP Server" as Server

== Connection Setup ==
Client <-> Server: HTTP 3 Way Handshake
Server <-> Client: TLS Tunnel established

== Initialize Handshake (id=1) ==
note over Client: Client Protocol Version\nClient Advertises its Capabilities
note over Client: All MCP Requests use POST\nPOST is required by JSON-RPC 2.0

Client -> Server: POST /jsonrpc\nHost: mcp-server.example.com \nContent-Type: application/json\n initialize (id=1)\n{\n  "jsonrpc": "2.0",\n  "id": 1,\n  "method": "initialize",\n  "params": {\n    "protocolVersion": "2024-11-05",\n    "capabilities": {\n      "roots": {"listChanged": false}\n    },\n    "clientInfo": {"name": "Test", "version": "0.1.0"}\n  }\n}

Server --> Client: POST /jsonrpc\nHost: mcp-client.example.com \nContent-Type: application/json\n Response (id=1)\n{\n  "jsonrpc": "2.0",\n  "id": 1,\n  "result": {\n    "protocolVersion": "2024-11-05",\n    "capabilities": {\n      "tools": {"listChanged": false},\n      "resources": {"listChanged": false},\n      "prompts": {"listChanged": false}\n    },\n    "serverInfo": {"name": "Srv", "version": "0.1.0"}\n  }\n}
note over Server: Server advertises its capabilities

Client -> Server: POST /jsonrpc\nHost: mcp-server.example.com \nContent-Type: application/json\nnotifications/initialized\n{\n  "jsonrpc": "2.0",\n  "method": "notifications/initialized"\n}

== Tools & Resource Discovery (id=2) ==
Client -> Server: POST /jsonrpc\nHost: mcp-server.example.com \nContent-Type: application/json\ntools/list (id=2)\n{\n  "jsonrpc": "2.0",\n  "id": 2,\n  "method": "tools/list"\n}

Server --> Client: POST /jsonrpc\nHost: mcp-client.example.com \nContent-Type: application/json\nresult (id=2)\n{\n  "jsonrpc": "2.0",\n  "id": 2,\n  "result": {\n    "tools": [\n      {"name": "add", "inputSchema": {"type": "object", "properties": {"a", "b"}}},\n      {"name": "echo", "inputSchema": {"type": "object", "properties": {"type": "string"}}}\n    ]\n  }\n}

== Tools Invocation (id=3) ==
Client -> Server: POST /jsonrpc\nHost: mcp-server.example.com \nContent-Type: application/json\ntools/call (id=3)\n{\n  "jsonrpc": "2.0",\n  "id": 3,\n  "method": "tools/call",\n  "params": {\n    "name": "add",\n    "arguments": {"a": 2, "b": 3}\n  }\n}
Server --> Client: POST /jsonrpc\nHost: mcp-client.example.com \nContent-Type: application/json\nresult (id=3)\n{\n  "jsonrpc": "2.0",\n  "id": 3,\n  "result": {\n    "content": [\n      {"type": "text", "text": "2+3 = 5"}\n    ]\n  }\n}

@enduml

All Methods are POST because
- JSON-RPC 2.0 standard requires POST for all calls. Even though it's advertising capabilities, it's still a request expecting a response.

- Initialize Handshake
(Both sides exchange protocolVersion, advertise Capabilities) -
C->S initialize (id=1) Request
S->C result for id=1 (protocolVersion, capabilities, serverInfo) Response
C->S Initialized. notification

--------- Tools & Resouce Discovery ------------
C->S tools/list (id=2) Reqeuest
S->C result for id=2 (tools list for inputs) Response

------- Tools Invocation -------------
C->S tools/call add(2,3) (id=3) Reqeust
S->C result for id=3 Response
C->S resources/list (id=5) Request
S->C result for id=5 Response
C->S resouces/read (id=6) Request
S->C result for id=6 Response

Modes of Operation

There can be 2 modes of operation: Local, Remote

	Local / STDIO	Remote (HTTPS/SSE)
What	Claude CLI runs on a machine and for all operations it need not to leave the machine	Claude CLI need to connect to MCP server over the netwrok or within company network and client need to auth via OAuth
Example	1. git clone repo; Ans ask questions about repo 2. Shell commands 3. Spawning subagent 4. Searching Company's Jira, Google docs, confluence(if skill is imported to claude cli agent)

MCP vs HTTP

Traditional Web Traffic With MCP


POST /submit-form HTTP/1.1        <<< Method(POST), Endpoint(https://www.google.com/submit-form)
Host: www.google.com
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer jwtToken
name=alice&message=hello


POST /mcp/v1/tools/call HTTP/1.1        < < POST method to send data. /mcp/v1/tools/call(This is REST endpoint of MCP Server)
Host: mcpserver.com     << MCP Server(https://mcpserver.com)
Content-Type: application/json
Authorization: Bearer AI_Platform_JWT
User-Agent: AI-Assistant-Client/1.0
{                                       << Payload
  "jsonrpc": "2.0",
  "method": "tools/call",               << Method
  "params": {
    "name": "fetch_webpage",
    "arguments": {
      "url": "http://www.google.com/"
    }
  },
  "id": 42
}

Headers:
- Are HTTP headers or WebSocket upgrade headers, SSE headers

Host	HTTP Host header, often present
Content-Type	Content-Type: application/json [Often] Content-Type: text/event-stream [Used for Streaming]
Authorization	Authorization: Bearer_token OR Authorization: X-API-Key: abc123 [API Keys] OR Authorization: Cookie: sessionid=xyz [Cookies] OR Authorization: mTLS OR Authorization: local
User Agent	Claude OpenAI SDK LangChain Cursor custom agent absent entirely

Destination Endpoint https://www.google.com/submit-form
Reqeust is directed to final destination visible in HTTP Request api.external-mcp-provider.com
HTTP Request sent MCP Server endpoint. method is present in json body

Payload Body contains the raw data intended for the destination JSON-RPC object

Json Structure Attached No Always

Reaching endpoint Directly reach MCP client can reach resource via MCP Server

MCP parsing in SWG

Netskope must look past the HTTP headers and parses the JSON body.
Earlier blocking policy was created by finding destination URL in HTTP header eg(https://google.com) but in MCP Json body has to be parsed.

Common MCP Request Examples

HTTP GET (same for SSE,)


POST /rpc HTTP/1.1
Host: mcp_server.com
Content-Type: application/json
Authorization: Bearer token
{
  "method": "tools/call",
  "params": {
    "name": "Access Page",
    "arguments": {
      "url": "https://example.com"
    }
  }
}

// Response
{
  "content": [
    {
      "type": "text",
      "text": "content of webpage https://example.com"
    }
  ]
}

DB Access


{
  "method": "tools/call",
  "params": {
    "name": "postgres.query",
    "arguments": {
      "sql": "SELECT * FROM users"
    }
  }
}

Filesystem Access


{
  "method": "tools/call",
  "params": {
    "name": "filesystem.read",
    "arguments": {
      "path": "/etc/passwd"
    }
  }
}

github access


{
  "method": "tools/call",
  "params": {
    "name": "github.get_file",
    "arguments": {
      "repo": "org/private-repo",
      "path": "secrets.txt"
    }
  }
}

What would surely present in MCP Request

This is high probability that these fields would be present in MCP request:
1. Method / Operation type: tools/call, action:invoke, op:call
2. Structured Json:
Capability Identifier(name in params)
Sensitive Payload Data(URLs, SQL, file paths, prompts, shell commands, repo names)