The first authentication spec was unusable for enterprises because it combined the auth server (like Okta) and the resource server into one, which prevented integration with central identity providers (IdPs). The spec was fixed by separating the two, making the MCP server a pure resource server.
The evolution of a protocol like MCP depends on a tight feedback loop with real-world implementations. Open source clients such as Goose serve as a "reference implementation" to test and demonstrate the value of new, abstract specs like MCPUI (for user interfaces), making the protocol's benefits concrete.
The MCP transport protocol requires holding state on the server. While fine for a single server, it becomes a problem at scale. When requests are distributed across multiple pods, a shared state layer (like Redis or Memcache) becomes necessary to ensure different servers can access the same session data.
MCP shouldn't be thought of as just another developer API like REST. Its true purpose is to enable seamless, consumer-focused pluggability. In a successful future, a user's mom wouldn't know what MCP is; her AI application would just connect to the right services automatically to get tasks done.
OpenAI integrated the Model Context Protocol (MCP) into its agentic APIs instead of building its own. The decision was driven by Anthropic treating MCP as a truly open standard, complete with a cross-company steering committee, which fostered trust and made adoption easy and pragmatic.
MCP was born from the need for a central dev team to scale its impact. By creating a protocol, they empowered individual teams at Anthropic to build and deploy their own MCP servers without being a bottleneck. This decentralized model is so successful that the core team doesn't know about 90% of internal servers.
The MCP protocol made the client's return stream optional to simplify implementation. However, this backfired as most clients didn't build it, rendering server-side features like elicitations and sampling unavailable because the communication channel didn't exist. This is a key lesson in protocol design.
Real-world adoption in specific verticals like finance is shaping the MCP protocol. For example, legal contracts requiring mandatory attribution of third-party data are leading to a "financial services interest group" to define extensions. This shows how general-purpose protocols must adapt to niche industry compliance needs.
A robust identity strategy is "T-shaped." The horizontal bar represents the entire user lifecycle (pre-auth access, phishing-resistant auth, post-auth session security). The vertical bar represents deep integrations beyond SSO, including lifecycle management, risk signal sharing, and system-wide session termination.
OpenAI uses two connector types. First-party (1P) "sync connectors" store data to enable higher-quality, optimized experiences (e.g., re-ranking). Third-party (3P) MCP connectors provide broad, long-tail coverage but offer less control. This dual approach strategically trades off deep integration quality against ecosystem scale.
Exposing a full API via the Model Context Protocol (MCP) overwhelms an LLM's context window and reasoning. This forces developers to abandon exposing their entire service and instead manually craft a few highly specific tools, limiting the AI's capabilities and defeating the "do anything" vision of agents.