Protocol Revision: 2024-11-05
- stdio, communication over standard in and standard out
- HTTP with Server-Sent Events (SSE)
stdio
In the stdio transport:
- The client launches the MCP server as a subprocess.
- The server receives JSON-RPC messages on its standard input (stdin) and writes responses to its standard output (stdout).
- Messages are delimited by newlines, and MUST NOT contain embedded newlines.
- The server MAY write UTF-8 strings to its standard error (stderr) for logging purposes. Clients MAY capture, forward, or ignore this logging.
- The server MUST NOT write anything to its stdout that is not a valid MCP message.
- The client MUST NOT write anything to the server’s stdin that is not a valid MCP message.
HTTP with SSE
In the SSE transport, the server operates as an independent process that can handle multiple client connections.

Security Warning
When implementing HTTP with SSE transport:
- Servers MUST validate the Origin header on all incoming connections to prevent DNS rebinding attacks
- When running locally, servers SHOULD bind only to localhost (127.0.0.1) rather than all network interfaces (0.0.0.0)
- Servers SHOULD implement proper authentication for all connections

- An SSE endpoint, for clients to establish a connection and receive messages from the server
- A regular HTTP POST endpoint for clients to send messages to the server

endpoint event containing a URI for the client to use for sending messages. All subsequent client messages MUST be sent as HTTP POST requests to this endpoint.
Server messages are sent as SSE message events, with the message content encoded as JSON in the event data.
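
The three requirements in the Security Warning, applied to a minimal server for this transport, as an added example that is not part of the specification. The port, the `/messages` URI, the origin allowlist, the bearer-token scheme, and the choice to reject requests that carry no Origin header are all assumptions of this example.

```python
import hmac
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Assumed values for this example; none are defined by the specification.
ALLOWED_ORIGINS = {"http://localhost:8765", "http://127.0.0.1:8765"}
API_TOKEN = "constructed-example-token"  # load from a secret store in practice


def authorize(headers, allowed_origins=ALLOWED_ORIGINS, token=API_TOKEN):
    """Return (status, reason) for a request's headers; 200 means accept."""
    origin = headers.get("Origin")
    # Exact-match allowlist. A missing Origin is rejected as well, which is
    # a policy choice of this example rather than wording from the page.
    if origin is None or origin not in allowed_origins:
        return 403, "origin not allowed"
    supplied = headers.get("Authorization", "")
    expected = "Bearer " + token
    # Constant-time comparison avoids leaking the token through timing.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 401, "authentication required"
    return 200, "ok"


class Handler(BaseHTTPRequestHandler):
    def _gate(self):
        # Run the same checks on every connection, SSE and POST alike.
        status, reason = authorize(self.headers)
        if status != 200:
            self.send_error(status, reason)
        return status == 200

    def do_GET(self):  # SSE endpoint
        if not self._gate():
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/event-stream")
        self.end_headers()
        # Tell the client which URI to POST to; a full server would keep
        # this stream open and send "message" events on it.
        self.wfile.write(b"event: endpoint\ndata: /messages\n\n")

    def do_POST(self):  # message endpoint
        if self._gate():
            self.rfile.read(int(self.headers.get("Content-Length", 0)))
            self.send_response(202)
            self.end_headers()


def make_server(port=8765):
    # Bind to loopback only, never 0.0.0.0, when running locally.
    return ThreadingHTTPServer(("127.0.0.1", port), Handler)
```

Start it with `make_server().serve_forever()`; JSON-RPC dispatch of the POSTed body is outside what this example shows.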