
MCP as multi-vendor standard: patterns already mature

Updated: 2026-04-30

The Model Context Protocol[1], proposed by Anthropic in November 2024, has completed the full cycle: experiment → multi-vendor adoption → de facto standard. In 2026, with OpenAI, Google, Cursor, Claude Code, VS Code, and hundreds of community tools supporting it, the operational patterns are mature.

Key takeaways

  • The proven pattern combines community generic MCP servers with custom servers for domain logic.
  • Explicit policies at the agent layer define which operations require human confirmation.
  • Credentials never travel to the model: the server holds them locally and executes on its behalf.
  • Composition with per-server prefixes (fs:read_file, db:query) avoids name collisions.
  • MCP servers without contract tests break silently on every upgrade.

Clear separation: generic vs domain-specific tools

The usual 2026 pattern combines:

  • Community MCP servers for generic capabilities: file system, bash, web fetch, search. They install via npx, uvx, or MCP marketplaces.
  • Custom servers for domain logic. Built with the official SDK and versioned alongside the product.

Don’t mix the two. Locally modifying a generic MCP server is a bug waiting to happen: the next update overwrites the changes. Custom capabilities go in your own server.

Explicit per-server policies

Each MCP server declares which tools it exposes and with what parameters. The part managed at the agent layer is policy. Typical example with the filesystem server:

  • read_file: allowed freely.
  • write_file: requires confirmation outside a specific directory.
  • delete_file: never executes without explicit validation.

This is orders of magnitude more reliable than letting the model decide which operations to execute without restrictions.

Authentication and credentials outside the model

Credentials don’t travel to the model:

  1. The MCP server holds them locally.
  2. The model requests operations by name and parameters.
  3. The server executes with its credentials.

This dramatically reduces the attack surface for prompt injection that seeks to exfiltrate tokens: the model never sees a secret it could be tricked into repeating. The pattern:

  • Environment variables at server startup.
  • Never in the agent’s prompt.
  • Credential rotation without agent redeploy.

Server composition

A mature agent speaks with several MCP servers at once. Tools are presented to the model with per-server prefixes:

  • fs:read_file
  • db:query
  • web:fetch

This avoids name collisions. The orchestrator decides which server each operation goes to; the model doesn’t choose explicitly.
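
An added example (not code from this article or from any MCP SDK) of an agent-layer gate that applies the filesystem policy described above to prefixed tool names. The `WRITE_ROOT` path, the `authorize` function and the default-deny handling of unlisted tools are assumptions of this example.

```python
import posixpath
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"      # forward to the server without asking
    CONFIRM = "confirm"  # pause until a human approves
    DENY = "deny"        # never forwarded to any server

WRITE_ROOT = "/srv/agent/workspace"  # assumed directory where writes are free

def inside_root(path: str, root: str = WRITE_ROOT) -> bool:
    """Lexical containment check: '..' segments are collapsed first.
    Symlinks are not resolved here; the server must still do that."""
    if not posixpath.isabs(path):
        return False
    norm = posixpath.normpath(path)
    return norm == root or norm.startswith(root + "/")

def write_rule(args: dict) -> Decision:
    ok = inside_root(str(args.get("path", "")))
    return Decision.ALLOW if ok else Decision.CONFIRM

# Policy keyed by (server prefix, tool). Anything not listed is denied.
POLICY = {
    ("fs", "read_file"): lambda args: Decision.ALLOW,
    ("fs", "write_file"): write_rule,
    ("fs", "delete_file"): lambda args: Decision.CONFIRM,
}

def route(qualified_name: str) -> tuple[str, str]:
    """Split 'fs:read_file' into (server, tool); reject unprefixed names."""
    server, sep, tool = qualified_name.partition(":")
    if not sep or not server or not tool:
        raise ValueError(f"tool name lacks a server prefix: {qualified_name!r}")
    return server, tool

def authorize(qualified_name: str, args: dict, confirmed: bool = False) -> Decision:
    """Decide one tool call requested by the model. `confirmed` comes from
    the orchestrator's own UI, never from model output or tool results."""
    try:
        rule = POLICY.get(route(qualified_name))
    except ValueError:
        return Decision.DENY
    if rule is None:
        return Decision.DENY
    decision = rule(args)
    if decision is Decision.CONFIRM and confirmed:
        return Decision.ALLOW
    return decision
```
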

Antipatterns avoided after a year’s experience

Three errors that are seen less frequently but still appear:

  1. Exposing dangerous tools without policy: delete, rm -rf, unfiltered db query.
  2. Custom MCP servers without tests: a contract broken on upgrade takes the agent down without a clear warning.
  3. Shared memory between MCP servers that should be isolated: this enables cross-injection.

Conclusion

MCP in 2026 is a proven standard. Deployment patterns are well understood: community generics + domain-specific custom, explicit policies, credentials outside the model, prefixed composition, contract tests. Teams following this blueprint have stable agents; those improvising fight silent breakages.

  1. Model Context Protocol

Written by

CEO - Jacar Systems

Passionate about technology, cloud infrastructure and artificial intelligence. Writes about DevOps, AI, platforms and software from Madrid.