Every Protocols (MCP & A2A) comparison and buyer's guide for building AI agents — 73 pieces and counting. Each is a head-to-head or a “best X for Y” roundup with a sources-backed verdict.
The industry is treating 'agent identity' as a new frontier. It's actually two old, solved problems bolted together — and the interesting failure lives exactly at the seam between them.
Five real, self-hostable gateways that put one endpoint in front of many MCP servers — and why the stateless spec is about to change what a gateway is even for.
The first internet-wide measurement of remote MCP servers found 40.55% wide open. The surprise isn't the unlocked doors — it's that the servers that did add OAuth were flawed 100% of the time.
Berkeley's benchmark made its name scoring whether a model emits the right JSON. Its v4 rewrite puts 70% of the weight on agentic and multi-turn tasks — a quiet admission that single-shot accuracy is solved and no longer predictive.
Anthropic's MCP tunnels connect a hosted agent to servers inside your private network over an outbound-only link. The clever part is the direction of the connection — and the threat it doesn't touch.
Apple's agentic bet is the mirror image of MCP: no server, no OAuth, no network hop — just a typed contract the OS reads on-device. An app without one is invisible to Apple Intelligence.
Proof shipped an open HTTP challenge that makes an agent present a signed credential naming the human behind it — arriving, tellingly, after the payment rail it completes.
X now runs an official Model Context Protocol server at api.x.com/mcp so agents can search posts, look up users, and read trends through your own login — but it will not let them post. The asymmetry is the whole design.
The 2026-07-28 MCP spec adopts JSON Schema 2020-12, so a tool can finally declare unions, conditionals, and references. The quiet catch: the richest constructs it unlocks are exactly the ones a hosted provider's strict mode refuses to enforce.
Microsoft's incident response team just walked through a live case: an attacker edits a tool's description — not its code, not your prompt — and the agent quietly exfiltrates your invoices. Here's why this is worse than prompt injection.
Apple's new mcpbridge binary doesn't put AI in Xcode. It exposes Xcode's live compiler state as MCP tools over XPC — so you bring Claude Code, Codex, or Cursor, and the IDE brings the ground truth.
Claude's newest tool-use mode writes a script that calls your tools in a sandbox and returns only the answer. It cuts tokens and round trips — and quietly removes the trace your evals were reading.
The June 2026 spec extension didn't shave clicks off MCP's login flow — it moved the authorization decision away from the one person who was never equipped to make it.
The largest MCP revision since launch adds zero new authorization mechanisms. All six auth SEPs do the opposite — make MCP behave like a boring OAuth 2.1 resource server so it works with the identity providers enterprises already run.
Eleven vendors just agreed on how agents find tools across the open web. The interesting part is what ARD refuses to be — not a protocol, not a registry of record, just the step before invocation.
The MCP registry catalogs tools. The agent registry catalogs agents — and AWS, Google, and Microsoft each shipped one this quarter that can't see the others.
MCP gives an agent tools. ACP gives an agent an editor. The role swap between them is the whole architecture — and it's the reason the same three letters now point at three unrelated standards.
The two best independent SDK generators got bought in 2026 — Fern by Postman, Stainless by Anthropic, which is retiring its shared generator. The layer that turns an API into agent-usable tools stopped being neutral infrastructure.
The NSA's Security Design Considerations for MCP reads like every other threat list until you notice its signature control points the wrong way — at the outbound wire, not the untrusted server. That inversion is the whole document.
The stateless rewrite got the headlines, but the quieter change is the one that tells you what MCP has decided to be. Three original primitives are on the way out — and they're the exact three where the server reached back into your runtime.
The 2026-07-28 revision closes the holes the protocol used to own. The same three headline features quietly relocate the security burden onto server code that mostly doesn't exist yet.
The official MCP registry deliberately refuses to host code — so the hard part, trust, lands wherever the artifact lives. Docker's answer is to make that place an OCI image.
AWS WAF Bot Control can now return an HTTP 402 with a machine-readable price and settle USDC before the request ever reaches your origin. The real shift isn't crypto — it's that a web page finally has an enforceable price for a machine.
A Skill is a folder with a SKILL.md and an Apache-2.0 license — no server, no transport, no auth. That's why another runtime can adopt it in an afternoon, and why a Skill can't revoke, throttle, or contain anything.
tool_choice looks like a switch for making a model use tools. It's really the decision of whether a turn is allowed to end the conversation — and leaving 'required' on traps the agent loop with no way out.
A new .well-known discovery file lets clients read an MCP server's identity, transport, and auth requirements without a handshake — and it pointedly refuses to list the tools.
A 1988 access-control bug is the shape of 2026's worst MCP breaches. Understanding the confused deputy tells you why 'just add OAuth' doesn't fix your agent — and what the spec actually changed.
Function-calling leaderboards test a model against a handful of curated tools. A real MCP host hands it thousands — and that is a different benchmark, with a different failure mode.
A new automated auditor didn't just flag risky code in Model Context Protocol servers — it wrote the prompts to prove the holes were real. 67 already carry CVE IDs, and almost none are AI-specific.
Most MCP servers are REST APIs underneath. The honest question isn't which transport to use — it's how much of your API to expose, and the data says the answer is about a fifth of it.
The biggest Model Context Protocol revision since launch deletes the session, the handshake, and even the client-side LLM call. The headline isn't new features — it's that the protocol got smaller.
Deploy a LangGraph agent and it auto-publishes a /mcp endpoint, so any client can call it as a tool. Convenient — and lossy. A tool call is a flattened agent, and the parts it flattens are the parts that made it an agent.
The Agent2Agent protocol now claims 150-plus organizations and a slot in every major cloud. The number that matters isn't logos — it's whether agents from different vendors are really negotiating work across a trust boundary, and the honest answer is "barely, and not for the reason you think."
Everyone tunes a tool's inputs — name, schema, description. The likelier production failure is the output: the right tool returns a payload that floods the model's context window.
The 2026-07-28 spec made MCP stateless. Long-running work and statelessness are in direct tension — and the Tasks extension resolves it by handing the bookkeeping to the client. The tell is what got deleted.
The next Model Context Protocol release stops adding features to the core and starts subtracting them. The Extensions framework is how — and 'in the spec' no longer means 'in the core.'
The try/except instinct that keeps a normal program alive is the one that kills an agent. A tool error isn't an exception to catch — it's the next message in the conversation, and where you put it decides whether the agent can recover.
For a year the question that stalled enterprise bets on MCP was 'what happens when Anthropic changes its mind?' In December that question got an answer — and the answer reveals what the standards war was really about.
A new web standard lets a website hand an AI agent a typed menu of its own functions — no server, no OAuth. The catch is hiding in that 'no OAuth.'
The most common serious flaw in MCP servers isn't prompt injection. It's SSRF — the boring, pre-AI bug that sank Capital One — and we just installed it by the thousand.
The first official MCP extension lets a server ship an interactive interface into the chat, not just a string. The clever part is a flag that says who each result is for.
The query assumes three live standards fighting for the agent-to-agent layer. Two of the three answers are already settled — and the third isn't even in the same race.
OWASP now has a third Top 10 — one scoped to a single protocol. The surprise isn't a new class of AI attack; it's that connecting an agent to MCP servers re-exposes 2010-era web and supply-chain bugs through a channel that auto-executes them.
The 2026-07-28 release candidate kills the session and the handshake, graduates Tasks and Apps to extensions, and deprecates Sampling. The real story isn't statelessness — it's a shrinking core.
Loading every tool definition upfront doesn't just burn context — it tanks tool selection. The fix has three shapes: tool search, tool-RAG, and code execution. Pick by what you retrieve, and when.
One paradigm has an agent write a Python snippet as its action; the other has it emit a structured JSON tool call. The 20% accuracy gap everyone quotes is real — but only on the tasks where it applies.
The Apps SDK isn't a rival to MCP. Your ChatGPT app IS an MCP server — the only proprietary part is how ChatGPT renders and discovers it.
The July 28 release candidate rips out sessions and the initialize handshake, deprecates Sampling and Roots, and adds MCP Apps — the clean break agent developers have to plan for.
Three different things hide under \"structured output\": valid JSON, the right shape, the right values. Each method buys you a different one — and none of them buys the last.
A tool description isn't documentation — it's a prompt you pay for on every call and the model rereads more carefully than your system prompt. Treat it like one, and stop shipping your whole API as tools.
Protocol tests prove your server works. They say nothing about the failure that actually breaks users — a perfectly valid server whose tool descriptions make the model reach for the wrong tool.
The code is the easy part. The decision that quietly dictates your hosting bill, your scaling story, and your deploy strategy is one you make before you write a line: will your server hold a session, or not?
Every tool you connect sits in the context window competing for attention. Past a few dozen, accuracy falls. The fix isn't a bigger model — it's treating tool selection as a search problem.
They get pitched as three ways to extend an agent. They aren't interchangeable — a tool is an action, a Skill writes knowledge into the context window, and a subagent keeps work out of it.
The official MCP Registry isn't an app store — it's a canonical metadata feed built to prove who owns a server name, and it leaves search and curation to everyone downstream.
The worst MCP attacks aren't bugs in a server's code — they're features of a trust model that drops every tool's description into one undifferentiated context. Here's the threat map, and the defenses that actually hold.
An agent needs two identities at once — proof it is itself, and proof of whose authority it's borrowing right now — and the dangerous failures all live at the seam between them.
Parallel tool calling is two decisions people treat as one — the model emitting several calls, and your runtime actually running them at once. The API gives you the first for free and does nothing about the second.
The Model Context Protocol defines three server primitives split by who's in control — the model, the app, the user. The ecosystem implemented one of them.
Most MCP servers only answer requests. Sampling and elicitation are the two features that let a server reach back through the client — one to the model, one to the human — and almost no one implements either.
Loading every tool definition into context and round-tripping every result is how MCP agents stall. Code execution flips the model into a programmer — and moves the hard part to your sandbox.
MCP standardized how an agent calls a tool. It said almost nothing about how the agent logs in as you — and that gap is the whole product these three are selling.
One agent, twenty MCP servers, and a context window drowning in tool definitions. The gateway is the layer that puts a single governed door in front of all of them.
They get pitched as competitors. They're not even the same kind of thing — and the difference that actually decides your architecture is what each one costs you in tokens.
Three protocols want to let your agent spend money. They aren't three answers to one question — they answer three different ones, and they stack.
Between two spec revisions in 2025, MCP servers quietly stopped being their own authorization servers. The one parameter that change forces your client to send is the whole security story.
They are not competing ways to give a model tools. One is the engine; the other is a distribution standard wrapped around it — and you pay for the wrapper in tokens and attack surface.
The Model Context Protocol replaced its HTTP+SSE transport with Streamable HTTP in 2025. Choosing it does not make your server serverless-friendly — and the reason is the part nobody reads.
The protocol everyone adopted in 2025 is simpler to build for than the hype suggests — but the part that decides whether your server works isn't the code.
The hard part of remote MCP auth was never the login. It's proving a token was minted for *your* server and no one else's — the audience claim that turns a friendly proxy back into a locked door.
There are two things called FastMCP, and one of them lives inside the official SDK. Picking the right way to build an MCP server starts with untangling that — and deciding how much you want the framework to do for you.
The model that emits a correctly-shaped tool call once is rarely the one that holds up across a multi-turn conversation and eight repeated trials. Pick by failure mode, not top-line score.
Stop reading "A2A vs MCP" as a fork in the road. One protocol points your agent down at tools; the other points it sideways at other agents. Here is how to use both without picking a loser.
Not buyer's guides — the news, teardowns, and explainers behind this topic.
The one-click tools that turn a REST spec into an MCP server work perfectly — and that's the problem. The easier the conversion, the worse the agent, because ease produces the exact abstraction an LLM can't use.
Depending on which tracker you trust, the Model Context Protocol ecosystem has 2,000 servers, or 16,000, or 59,000. The 30x spread isn't a measurement error. It's the only honest number.
The NSA just published security guidance for the Model Context Protocol. Buried in it is the reason your firewall can't see what your agents are doing.
A field guide to the Model Context Protocol repositories that actually matter — the SDKs, the reference servers, and the connectors that earn a place in your config.