
Agent-to-infrastructure · Anthropic · Open standard, Linux Foundation
Model Context Protocol
The universal interface connecting AI agents to external tools, databases, APIs, and data sources. The agent-to-infrastructure connectivity layer.
Abbreviation: MCP
The Model Context Protocol is the agent-to-infrastructure connectivity layer of the agentic commerce stack. Developed by Anthropic and now hosted by the Linux Foundation, MCP defines how AI agents access external tools, databases, APIs, and data sources through a standardised interface.
MCP is not a commerce protocol in the same sense as UCP or ACP. It does not handle product discovery or checkout. Instead, it provides the universal interface that enables agents to connect to the tools and data sources they need to perform commerce-related tasks. Think of MCP as the Language Server Protocol of the agentic world - it standardises how agents discover and invoke tools, regardless of which agent platform or commerce protocol is in use.
For commerce organisations, MCP determines which of your internal tools and APIs are visible to external agents. This is both an opportunity and a risk. Exposing your inventory API via MCP means agents can check real-time availability. Exposing your pricing API means agents can compare your prices. The audit of what to expose and what to restrict is the most consequential decision in MCP implementation.
MCP's specification makes explicit user consent a precondition for data and tool access, but it places that obligation on the host application (the agent platform), not on the server: a server never sees the consent dialog, only the credentials and requests that result from it. MCP also supports elicitation, where a server can ask the user for additional input through the client during a session. These features matter for regulated industries where data access must be explicitly consented and auditable, and they determine where a merchant's own enforcement points have to sit.
How does an agent access the external tools, APIs, and data sources it needs?
What MCP provides
Resource sharing: standardised access to product databases, inventory systems, and pricing APIs
Tool invocation: agents discover and execute tools exposed by merchant infrastructure
Elicitation support: servers can request additional input from the user, through the client, during a session
User consent architecture: the specification requires the host to obtain explicit user consent before data and tool access
Architecture inspired by Language Server Protocol for ecosystem-wide interoperability
Before you begin
The following must be in place before starting MCP integration. Missing prerequisites are the most common cause of delayed or failed protocol deployments.
Understanding of your existing tool and API surface (MCP exposes these to agents)
API authentication infrastructure (a remote MCP server is an OAuth 2.1 resource server that can delegate to your existing authorization server; a local stdio server takes its credentials from the environment it is launched in)
Decision on which tools and data sources to expose and which to restrict
What goes wrong
These are the failure modes the AXD Institute has observed across early MCP implementations. Each includes the root cause and the recommended mitigation.
Over-exposure of internal tools
Exposing tools that were not designed for external consumption creates security and compliance risk. The audit in Step 1 of the walkthrough (the tool and API surface audit) is the most important step in MCP implementation.
Missing rate limits
Agents can issue high-frequency tool invocations that exceed API capacity. Always rate-limit exposed tools and return a backoff signal in the tool result; MCP defines no standard rate-limit field, so the signal has to be carried in the result content where the model can see it.
Consent architecture gaps
Tools accessing personal data without explicit consent create regulatory exposure under GDPR, UK GDPR, and the Data Use and Access Act 2025. Because MCP assigns the consent dialog to the host, the server must enforce consent through the authorization it is handed, not assume the host obtained it.
Step-by-step walkthrough
A sequenced implementation guide for MCP. Each step includes the action, the rationale, and the validation criteria for completion.
Tool and API surface audit
The most important step in MCP implementation. Audit your existing tool and API surface to determine what should and should not be exposed to external agents.
- •Catalog all existing APIs and tools that could be relevant to agent interactions: inventory, pricing, product data, order status, returns, customer service.
- •Classify each tool into three categories: expose (safe and valuable for agents), restrict (internal only), and review (requires further analysis).
- •For each tool in the 'expose' category, assess: does it handle personal data? Does it have rate limiting? Does it have appropriate authentication?
- •Document the decision for compliance purposes. In regulated industries, the MCP tool exposure decision is an auditable compliance artefact.
- •Begin with read-only tools before implementing write or transact tools. Read-only exposure carries lower risk and provides immediate value.
MCP server implementation
Build MCP server endpoints for your approved tool surface. MCP servers expose your tools and data sources to agents through a standardised protocol.
- •Implement MCP server endpoints using the official MCP SDK (available for TypeScript, Python, and other languages).
- •Each exposed tool must include: a clear description (agents use this to decide whether to invoke the tool), input schema, output schema, and error handling.
- •Implement rate limiting on all exposed tools. Agents can issue high-frequency tool invocations that exceed API capacity.
- •Implement backoff signals in tool responses so agents can adjust their invocation frequency. MCP has no standard rate-limit field, so return a tool result with isError set and a retry-after hint in the content; the specification routes tool execution errors through the result rather than protocol errors precisely so the model can see and act on them.
- •For tools accessing personal data, enforce the consent requirement at the server. MCP assigns the consent dialog to the host, so the server's evidence of consent is the authorization grant presented with the call (an OAuth scope, for example); refuse calls that lack it rather than trusting the agent's assertion that consent was given.
Consent and authentication architecture
Implement the consent and authentication layer that governs agent access to your MCP tools.
- •Configure MCP authentication using your existing auth mechanisms. For remote servers the MCP authorization specification is OAuth 2.1, with the MCP server acting as a resource server; it can delegate token issuance to the authorization server you already run, so MCP does not require a new identity system. Scope tokens to the exposed tools and validate them on every request.
- •Implement explicit user consent flows for tools that access personal data. Under GDPR, UK GDPR, and the Data Use and Access Act 2025, tools accessing personal data without explicit consent create regulatory exposure.
- •For elicitation-enabled tools (where the MCP server requests additional input from the user through the client), define the elicitation boundaries: what information can be requested and under what conditions. The specification forbids servers from using elicitation to request sensitive information, credentials and card numbers included; those belong in the authorization or payment flow, not in a tool prompt.
- •Implement audit logging for all tool invocations. In regulated contexts, this log is a compliance requirement.
Testing and security validation
Validate that your MCP implementation is secure, performant, and correctly scoped.
- •Test tool discovery: verify agents can discover your exposed tools and understand their purpose from the descriptions.
- •Test rate limiting: simulate high-frequency agent invocations and verify rate limits and backoff signals work correctly.
- •Test consent flows: verify that tools accessing personal data correctly require and record consent.
- •Security review: verify that restricted tools are neither returned by tools/list nor callable by name through tools/call, and that a restricted name and an unknown name produce the same error, so the restricted set cannot be enumerated by probing.
- •Performance testing: verify tool response times under agent-typical load patterns.
Production deployment and monitoring
Deploy MCP servers to production and implement monitoring for tool usage patterns.
- •Deploy MCP servers alongside your existing API infrastructure.
- •Implement monitoring for: tool invocation frequency, error rates, response times, and consent grant/deny ratios.
- •Set up alerting for unusual patterns - sudden spikes in tool invocations may indicate agent misconfiguration or abuse.
- •Track DCR (Delegation Completion Rate) and IFR (Intervention Frequency Rate) for agent sessions that use your MCP tools.
- •Schedule a 30-day review to assess tool usage patterns and identify tools that should be added to or removed from the exposed surface.
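The walkthrough above (audit, server, consent and authentication, testing, monitoring) and the three failure modes under "What goes wrong" all come down to the same enforcement points in the server's request handler. The following is an added example for this page, not AXD Institute code and not the official MCP SDK: a minimal Python gateway that speaks MCP's JSON-RPC 2.0 tools/list and tools/call shapes with the transport and OAuth layer stubbed out. The `scopes` argument stands in for the scopes of a validated bearer token; the tool names (check_stock, order_status, refund_order), the orders:read scope and the backend functions are constructed for illustration. It shows the audit encoded as an allowlist (restricted tools are unlisted, uncallable, and indistinguishable from unknown ones), a scope check standing in for the consent grant, a per-principal token bucket whose backoff hint is returned inside the tool result, and an audit log entry for every call.

```python
"""MCP-style tool gateway: exposure allowlist, scope check, rate limit, audit log.
Added example for this page (not AXD Institute or Anthropic code). Uses MCP's JSON-RPC 2.0
tools/list and tools/call shapes; transport and OAuth are stubbed, `scopes` standing in for a
validated bearer token's scopes. Tool, scope and backend names are constructed."""
import time
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Tool:
    name: str
    description: str
    input_schema: dict
    handler: Callable[[dict], dict]
    exposure: str = "restrict"            # audit decision: "expose" or "restrict"
    personal_data: bool = False
    required_scope: Optional[str] = None  # grant that evidences user consent
    burst: int = 5                        # token-bucket capacity
    refill_per_sec: float = 1.0           # tokens added per second

# Constructed stand-ins for real merchant backends and schemas.
def check_stock(args): return {"sku": args["sku"], "available": 12}
def order_status(args): return {"order_id": args["order_id"], "status": "shipped"}
def obj_schema(*fields): return {"type": "object", "properties": {f: {"type": "string"} for f in fields}, "required": list(fields)}

def tool_call(req_id, name, arguments):  # a tools/call request as a client would send it
    return {"jsonrpc": "2.0", "id": req_id, "method": "tools/call",
            "params": {"name": name, "arguments": arguments}}

def jsonrpc_error(req_id, code, message):
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}

def tool_result(req_id, text, is_error, data=None):
    result = {"isError": is_error, "content": [{"type": "text", "text": text}]}
    if data is not None:
        result["structuredContent"] = data
    return {"jsonrpc": "2.0", "id": req_id, "result": result}

class McpToolGateway:
    def __init__(self, tools, clock=time.monotonic):
        for t in tools:  # Step 1 audit rule, enforced at construction time
            if t.exposure == "expose" and t.personal_data and not t.required_scope:
                raise ValueError(f"{t.name} exposes personal data without a scope")
        self.tools = {t.name: t for t in tools}
        self.clock = clock
        self.buckets = {}      # (principal, tool) -> (tokens, last_refill)
        self.audit_log = []    # one entry per tools/call, whatever the outcome
        self.invocations = {}  # tool -> calls that reached a backend (monitoring)

    def _take_token(self, principal, tool):
        key, now = (principal, tool.name), self.clock()
        tokens, last = self.buckets.get(key, (tool.burst, now))
        tokens = min(tool.burst, tokens + (now - last) * tool.refill_per_sec)
        if tokens < 1:
            self.buckets[key] = (tokens, now)
            return False, (1 - tokens) / tool.refill_per_sec
        self.buckets[key] = (tokens - 1, now)
        return True, 0.0

    def handle(self, request, principal, scopes):
        method, req_id = request.get("method"), request.get("id")
        if method == "tools/list":  # only the audited "expose" set is visible
            tools = [{"name": t.name, "description": t.description, "inputSchema": t.input_schema}
                     for t in self.tools.values() if t.exposure == "expose"]
            return {"jsonrpc": "2.0", "id": req_id, "result": {"tools": tools}}
        if method != "tools/call": return jsonrpc_error(req_id, -32601, "Method not found")
        params = request.get("params", {})
        name, args = params.get("name"), params.get("arguments", {})
        tool = self.tools.get(name)
        entry = {"ts": self.clock(), "principal": principal, "tool": name}
        self.audit_log.append(entry)
        # Restricted and unknown tools share the spec's -32602, so tools/call cannot enumerate them.
        if tool is None or tool.exposure != "expose":
            entry["outcome"] = "unknown_tool"
            return jsonrpc_error(req_id, -32602, f"Unknown tool: {name}")
        if tool.required_scope and tool.required_scope not in scopes:
            entry["outcome"] = "insufficient_scope"  # over HTTP: 403, error="insufficient_scope"
            return jsonrpc_error(req_id, -32001, f"Scope {tool.required_scope} required")
        ok, retry_after = self._take_token(principal, tool)
        if not ok:  # MCP has no rate-limit field, so the backoff hint rides in the result
            entry["outcome"] = "rate_limited"
            return tool_result(req_id, f"Rate limited. Retry after {retry_after:.1f} s.", True)
        self.invocations[name] = self.invocations.get(name, 0) + 1
        try:
            data = tool.handler(args)
        except Exception as exc:  # report failure without leaking internals to the agent
            entry["outcome"] = "handler_error"
            return tool_result(req_id, f"Tool failed: {type(exc).__name__}", True)
        entry["outcome"] = "ok"
        return tool_result(req_id, str(data), False, data)

def build_gateway(clock=time.monotonic):  # two exposed tools (one personal-data), one restricted
    return McpToolGateway([
        Tool("check_stock", "Real-time stock level for a SKU", obj_schema("sku"), check_stock,
             exposure="expose", burst=3, refill_per_sec=0.5),
        Tool("order_status", "Status of the customer's own order", obj_schema("order_id"), order_status,
             exposure="expose", personal_data=True, required_scope="orders:read"),
        Tool("refund_order", "Issue a refund (internal only)", obj_schema("order_id"), lambda a: {"refunded": True}),
    ], clock)
```

In a real deployment the SDK's server handles the JSON-RPC framing and the OAuth middleware populates `scopes`; the checks still belong in the order shown, with the exposure check first so that nothing below it, scope lookup and rate limiter included, ever runs for a restricted tool. The `-32001` code is an implementation-defined JSON-RPC server error used only because the HTTP layer that would normally return 403 is stubbed out here.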