What MCP Actually Does (And What It Doesn’t)
At its core, the Model Context Protocol (MCP) is an open protocol that standardizes how AI models receive context and interact with external tools and services.
MCP is an open protocol that standardizes how AI models receive context and interact with external tools and services.
It replaces fragmented, one-off integrations with a universal communication layer. MCP enables AI agents to:
- Discover available tools at runtime
- Fetch live data from databases and files
- Trigger actions without switching applications
It uses JSON-RPC 2.0 for structured, bidirectional communication. The protocol is designed to work alongside existing integration platforms like iPaaS to simplify real-time data flows.
However, MCP has clear boundaries. It handles model-to-tool interaction only. It does not manage agent-to-agent communication or complex orchestration.
Actual data processing depends entirely on external servers. The protocol was directly inspired by the Language Server Protocol, adapting its standardization principles toward an agent-centric execution model.
Before MCP, connecting multiple LLMs to multiple tools created an NxM integration problem, where every new model and tool combination required its own redundant, custom implementation.
How MCP Is Growing API Usage, Not Killing It
While MCP standardizes how AI models interact with tools rather than replacing the APIs those tools depend on, its rapid growth tells a more nuanced story: MCP is actively expanding API usage across the software ecosystem.
Server counts jumped from 100 in November 2024 to over 5,000 by mid-2025. Downloads surpassed 8 million. This scale drives measurable API consumption:
- Network APIs affect 1,438 servers
- System APIs affect 1,237 servers
- Developer Tools generate 626 API calls alone
Less popular plugins collectively produced 1,837 API calls, surpassing mature projects. MCP isn’t reducing API dependency—it’s multiplying it. Major platforms have taken notice, with OpenAI adopting MCP in March 2025 across its ChatGPT desktop app, Agents SDK, and Responses API.
Remote MCP servers have grown nearly 4x since May 2025, with large SaaS companies like Atlassian, Figma, and Asana investing in remote deployments as proof of real customer demand driving the ecosystem forward.
This surge in API activity is increasing demand for integration platforms to manage and secure hybrid cloud and on-premises connections.
Why APIs Still Own the Hard Parts of AI Integration
MCP handles the handshake, but APIs still carry the weight. Security, data validation, error handling, and schema management remain API responsibilities that no protocol layer replaces. When contracts drift, hand-written connectors break silently. When authentication fails, microservices expose vulnerabilities. These aren’t edge cases—they’re operational realities.
MCP simplifies the handshake. APIs carry the weight where reliability actually gets built.
APIs manage the hard parts:
- Schema drift requires dynamic validation and transformation
- Security demands TLS/SSL, authentication, and role-based access control
- Error handling needs centralized logic, not scattered fallbacks
- Cost control means monitoring token usage to prevent expensive model misuse
MCP simplifies discovery. APIs enforce reliability. Unified API layers can sit between MCP servers and underlying providers, standardizing terminology and reducing the cost of switching vendors without rebuilding integrations from scratch. Poor documentation intensifies these challenges further, forcing developers to reverse-engineer endpoint behavior and extending the time it takes to achieve a first working integration. Cloud-native elastic scalability in modern iPaaS platforms also makes it easier to handle spikes in integration traffic without manual intervention.
Where MCP Falls Short in Real Production Environments
Beyond discovery and tool orchestration, MCP introduces production risks that organizations cannot overlook. Security gaps, scaling problems, and operational blind spots create real friction in enterprise environments.
- Remote code execution becomes possible when untrusted servers inject OS-level commands through compromised endpoints.
- Connection limits hit before rate limits in multi-agent systems, blocking scalability without manual tuning. This is exacerbated by inefficient architectures lacking real-time monitoring to detect and respond to bottlenecks.
- Sequential tool calls add measurable latency—10 calls at 50ms RTT generates 500ms overhead before execution begins.
- Credentials stored in plaintext config files lack automated rotation or secure vault integration.
- Tool descriptions injected into model context open a direct path for tool poisoning attacks, where hidden malicious instructions can trigger secret exfiltration while users see only a benign interface.
- MCP lacks built-in logging and auditing capabilities, meaning enterprises must integrate external SIEM solutions to achieve any meaningful security monitoring visibility.
These aren’t edge cases. They’re structural limitations.
Why MCP Will Evolve Rather Than Survive in Its Current Form
The protocol’s survival depends on its willingness to change. MCP’s current form cannot handle what production environments actually demand. Several shifts are already underway:
- Stateless transports replace stateful sessions, enabling horizontal scaling without sticky infrastructure
- Per-request capability discovery eliminates the initialize handshake bottleneck
- Multimodal support expands beyond text to video, audio, and streaming data
- Multi-agent orchestration allows complex workflow coordination across systems
Servers are also gaining active roles rather than staying passive endpoints. Models handle reasoning. Servers control policy and execution. This clearer division makes collaborative workflows possible. Sampling, elicitation, and emerging bidirectionality proposals each extend collaboration without granting servers unchecked autonomy, ensuring human review checkpoints remain embedded in the protocol’s design. Security researchers have flagged serious vulnerabilities in current implementations, with command injection found in 43% of tested MCP servers alongside risks like SSRF and arbitrary file access. MCP evolves by design, not accident. Many organizations struggle with legacy systems that complicate integration and increase operational costs.
