book

The MCP Standard: A Developer's Guide to Building Universal AI Tools with the Model Context Protocol

Name: The MCP Standard: A Developer's Guide to Building Universal AI Tools with the Model Context Protocol
Author: Srinivasan Sekar
ISBN: 9798868823640

by Srinivasan Sekar

February 2026

Intermediate to advanced

285 pages

4h 17m

English

Apress

Read now

Unlock full access

The MCP Standard
Foreword
Introduction
What This Book Is AboutWho This Book Is ForThe Journey AheadA Word on PhilosophyHow to Use This BookThe Bigger Picture
Acknowledgments
Table of Contents
About the Author
About the Technical Reviewers
Part I: The Foundation: Why MCP Matters
1. The Age of Tooling Chaos
The M×N Integration NightmareA Closer Look at the Pain: Anatomy of the Chaos1. Interfaces2. The Developer’s Cognitive Tax3. The API Treadmill and Technical Debt by Fragmentation4. The Siloed Garden of InnovationEchoes of the Past: Lessons from the Cloud Native RevolutionChapter SummaryKey Takeaways
2. The Solution: A Universal Language for AI
Introducing the Model Context Protocol (MCP)The Monolithic Agent: An Architecture Before MCPThe MCP Architecture: The Decoupled AgentThe Core Promise: A Standardized Interface for Capabilities1. Tools: Designed for Model Control2. Resources: Designed for Application Control3. Prompts: Designed for User ControlKey Benefits of a Unified ApproachAnalogy: The Universal Translator for AI AgentsMCP in the Emerging Agentic Ecosystem: A Look AheadChapter SummaryKey Takeaways

3. MCP and the AI-Native Transformation
Learning from History: From Cloud Native to AI NativeThe Role of Standardization in Technological WavesHow MCP Paves the Way for AI-Native ArchitecturesPositioning Your Organization for the FutureChapter SummaryKey Takeaways
Part II: The Architecture: A Technical Deep Dive
4. The MCP Architectural Roles
The Host: The Conductor of the AI OrchestraCore Responsibilities of the Host1. Managing the User Experience (the Stage)2. Maintaining Session State (the Director’s Notes)3. Initiating and Configuring Connections (Assembling the Orchestra)4. Governing Capability (The Ultimate Gatekeeper)The ClientCore Responsibilities of the Client1. Managing the Connection Lifecycle (Opening Diplomatic Channels)2. Serializing and Deserializing Messages (Translation and Interpretation)3. Dynamic Capability Discovery (Requesting the Menu)The Server: The Specialist in the WorkshopCore Responsibilities of the Server1. Advertising Skills (Putting Up a Sign)2. Listening for and Executing Requests (Fulfilling the Order)3. The Range of Servers (from Local Scripts to Enterprise Services)A Complete Interaction TraceChapter SummaryKey Takeaways
5. The Language of MCP: Tools, Resources, and Prompts
Breaking Down MCP’s Core CapabilitiesTools: The Verbs of ActionAnatomy of a ToolAdvanced Capabilities: ResourceLinks and Server-Side SamplingResources: The Nouns of ContextPrompts: The Grammar of ConversationSummary Table: Tools vs. Resources vs. PromptsOverview of Tools, Resources, and PromptsChapter SummaryKey Takeaways
6. Under the Hood: The Protocol Specification
The Transport Layer: How Messages Travel1. Standard I/O (stdio)2. Streamable HTTPThe Message Format: The Anatomy of a RequestThe Interaction Flow: A Step-by-Step SequenceError Handling and TimeoutsChapter SummaryKey Takeaways
Part III: The Practitioners: Building with MCP
7. For the Tool Provider: Creating an MCP Server
A Complete, End-to-End Guide to Building the Advanced MCP ServerStep 1: Environment SetupStep 2: Create and Populate the DatabaseStep 3: The Server Foundation and Core LogicStep 4: Building Rich, Discoverable ResourcesStep 5: Implementing PromptsStep 6: Advanced Tool ImplementationTool 1: Listing Tables with PaginationTool 2: Creating a Table and Notifying the ClientTool 3 and 4: The Admin/Modification Flow (Dynamic Capabilities and Advanced Notifications)Tool 5: Interactive User Creation with Complex ElicitationStep 7: Running the ServerOption 1: Running with stdioOption 2: Running with StreamableHTTPStep 8: Testing and VerificationChapter SummaryKey Takeaways
8. For the AI Application Developer: Building an MCP Client
Step 1: Project Scaffolding and Environment SetupStep 2: Defining Schemas and Initializing the Core ComponentsStep 3: The Bidirectional Contract-Handling Server-Initiated CommunicationHandling NotificationsResponding to Server RequestsStep 4: Orchestrating the Agent—The Manual Tool-Calling LoopStep 5: Running the End-to-End System and a Guided InteractionInteraction 1: Dynamic CapabilitiesInteraction 2: ElicitationInteraction 3: Resource UpdatesChapter SummaryKey Takeaways
Part IV: Security and Production Readiness
9. The Agentic Threat Landscape
A New Paradigm, a New Attack SurfaceThe Lethal Trifecta: A Recipe for DisasterCase Studies in Agentic Failure: Two Real-World BreachesCase Study 1: The GitHub MCP Exploit (the Hijacked Agent)Case Study 2: The Asana Data Leak (the Broken Wall)A New Framework: Securing Flows, Not Just PromptsA Catalog of Agentic ThreatsChapter SummaryKey Takeaways
10. Foundational Security: Authentication with OpenID Connect (OIDC)
The Architectural Pattern: The Three Roles of OAuthUnderstanding OAuth 2.1 vs OpenID Connect (OIDC)Step 1: Configuring the Google Cloud OAuth 2.1 Client for OIDCStep 2: Building the Server-Side OAuth 2.1/OIDC Authentication Flow2.1. Server and Session Setup2.2. The /authorize and /callback Endpoints2.3. The /token Endpoint and PKCE Validation2.4. Protecting and Proxying the MCP EndpointStep 3: Building the Advanced OAuth/OIDC Client3.1. The HTTPCallbackOAuthMCPClient ClassRunning the End-to-End System: A Look at the LogsProduction Readiness: Analysis and RecommendationsChapter SummaryKey Takeaways
11. Server-Side Hardening: Mitigating Common Vulnerabilities
Vulnerability 1: Excessive Permission ScopeThe Fundamental ProblemThe Threat: The Valet with the Master KeyExploit 1: The Unconstrained Log ViewerAttack Vector 1—Implementation Bug (Path Traversal)The AttackWhy This HappensMitigation 1: Fix the Implementation Bug (Application-Level Defense)Why This WorksThe Hidden Problem: Architectural FlawMitigation 2: Fix the Architectural Flaw (Operating System-Level Defense)Dockerfile (Minimal Hardening)Docker Compose (Where the Security Happens)What This DoesProof It WorksWhy Both Mitigations Are RequiredVulnerability 2: Malicious Code ExecutionThe Threat: The Unsandboxed PlaygroundThe Exploit: The “Helpful” Report GeneratorThe Mitigation: Never eval( ), Use Safe InterpretersVulnerability 3: Command InjectionThe Threat: The Unescaped StringThe Exploit: The Insecure Diagnostic ToolThe Mitigation: Parameterized ExecutionChapter SummaryKey Takeaways
12. LLM-Centric Threats: Injection and Poisoning
Vulnerability 1: Prompt Injection (Direct and Indirect)The Threat: The Deceitful ConversationThe Exploit: The Poisoned DocumentThe Mitigation: Data/Instruction Separation and SanitizationVulnerability 2: Tool PoisoningThe Threat: The Deceptive ToolmakerThe Exploit: The Deceitful CalculatorThe Mitigation: Host-Side Validation and SandboxingChapter SummaryKey Takeaways
13. Ecosystem and Dynamic Threats
Vulnerability 1: Tool Shadowing (Tool Hijacking)The Threat: The Fake Person in the WorkshopThe Exploit: The Hijacked EmailThe Mitigation: Namespacing, Prioritization, and Host-Level Defenses1. For Server Developers: Use Namespacing2. For Host Developers: The Critical Defense LayerVulnerability 2: Rug Pull AttacksThe Threat: The Bait-and-SwitchThe Exploit: The Weather Tool That SpiesThe Mitigation: Immutable Definitions and Host-Level AuditingChapter SummaryKey Takeaways
Part V: The Playbook: A Real-World Case Study
14. Deep Dive Case Study: Building an Agentic RAG System
Understanding RAG: Grounding LLMs in RealityAgent vs. LLM vs. RAGThe Limitation of Basic RAGThe Next Evolution: Agentic RAGThe Architecture: A Secure, Multi-tool, Agentic SystemAgentic Design Patterns in Our SystemBuilding Blocks of Our AI AgentTech Stack AnalysisImplementation Phase 1: Infrastructure and Data IngestionScrape the DocumentationEmbedding and Upserting the DataImplementation Phase 2: Building the Multi-tool MCP ServerRegistering the ToolsHandling Tool CallsImplementation Phase 3: Building the Agentic ClientThe System PromptProcessing User InputBringing It All Together: A Live ExecutionStep 1: Setup and Data IngestionStep 2: Server and Client InitializationStep 3: Interactive Session—The Agent in ActionScenario A: Internal Knowledge SuccessScenario B: Web Search FallbackChapter SummaryKey Takeaways
Part VI: The Horizon: The Future of MCP
15. Navigating the Ecosystem: Servers, Clients, and Registries
The Server Landscape and the Rise of RegistriesThe Official MCP Registry: An App Store for AI ToolsA Tour of the Server EcosystemThe Host and Client Landscape: Where the Magic Happens1. The AI-Powered IDEs: The Developer’s Cockpit2. The Conversational Powerhouses: Desktop Agents3. The Headless and Terminal Clients: For the Power UserChapter SummaryKey Takeaways
16. The Evolving Ecosystem and What’s Next
Introduction: From a Standard to an EcosystemThe Path to a Formal StandardThe Growing Adoption: The Network Effect in ActionEmerging Patterns and Best PracticesFinal Thoughts: Your Role in Building a Unified AI Future
Appendix A: MCP Resource Compendium
Official Protocol ResourcesOfficial SDKs and ToolsServer Registries and Discovery PlatformsPopular MCP Host ApplicationsSecurity Tools and Resources
Appendix B: Glossary of Terms
Index

Content preview from The MCP Standard: A Developer's Guide to Building Universal AI Tools with the Model Context Protocol

S. SekarThe MCP Standardhttps://doi.org/10.1007/979-8-8688-2364-0_12

12. LLM-Centric Threats: Injection and Poisoning

Srinivasan Sekar¹

(1)

Bengaluru, Karnataka, India

In the last chapter, we made our server less vulnerable to common software problems. We built a strong fence around our playground to keep our tools from running malicious codes or getting files they shouldn’t. Our code is now a lot safer. But the most intriguing and difficult part of keeping agentic systems safe isn’t keeping the code safe; it’s keeping the “mind” of the agent itself safe.

This chapter provides excellent details about threats that target LLMs. These attacks don’t use a bug ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9798868823640Purchase Link Publisher Website

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

The MCP Standard: A Developer's Guide to Building Universal AI Tools with the Model Context Protocol

by Srinivasan Sekar

12. LLM-Centric Threats: Injection and Poisoning

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.