
Master MCP Transports, Scopes, Authentication, Resources, Prompts, and Tool Search
Configure Claude Code MCP servers across HTTP, stdio, and WebSocket transports with correct scopes, OAuth, resources, prompts, elicitation, and tool search.
Master MCP Transports, Scopes, Authentication, Resources, Prompts, and Tool Search
Quick answer
Use remote HTTP for most hosted MCP services, stdio for trusted local processes that need machine access, and WebSocket only when bidirectional push behavior is required; SSE is deprecated where HTTP is available. Choose local scope for one private project, project scope for reviewed team configuration, and user scope for personal tools across projects. Keep credentials outside committed JSON, authenticate remote servers with scoped OAuth or dynamic headers, and treat all server output as untrusted. Anthropic's MCP reference documents current transports and capabilities.
Select the transport deliberately
# Remote streamable HTTP
claude mcp add --transport http docs https://mcp.example.com/mcp
# Local stdio; `--` separates Claude flags from the server command
claude mcp add --transport stdio local-tools -- node ./tools/server.js
# Inspect configuration and health
claude mcp list
claude mcp get local-tools
Stdio processes inherit a local execution environment and may access files or credentials unless constrained. Remote services receive data over the network. WebSocket is appropriate for persistent event push but has different authentication constraints. Record why a transport is necessary in the project review.
Apply the correct scope
| Scope | Loads in | Shared | Typical use |
|---|---|---|---|
| Local | Current project | No | experiments, private tokens |
| Project | Current project | Yes through .mcp.json | reviewed team service |
| User | All projects | No | personal general tooling |
Project configuration is executable integration metadata. A cloned repository must not silently earn trust in its declared servers. Review the command, endpoint, environment interpolation, package source, and tools before approval.
Design authentication for revocation
Prefer OAuth with minimal scopes for hosted services. Use /mcp for supported authentication flows. For static or dynamic headers, reference environment-managed values rather than committing secrets. Separate read-only and write-capable credentials when possible, and use different identities for development and production.
Ask:
- Can this token read private code or customer data?
- Can it create, update, or delete external objects?
- Is every call attributable to a user or service identity?
- Can it be rotated without changing committed config?
- Does the server retain prompts or tool inputs?
Understand tools, resources, prompts, and elicitation
Tools perform parameterized actions. Resources expose addressable content that can be referenced. Prompts can appear as reusable commands. Elicitation lets a server request additional user input through supported flows. Do not auto-approve interaction merely because it originates from an installed server; a server can request secrets or authorization it does not need.
Tool search defers large MCP tool schemas until relevant, reducing startup context. Inspect /mcp for tool counts and context cost. Give servers and tools distinct, descriptive names so search can select correctly.
Operate for failure
Set sensible startup and tool timeouts, cap output, and handle connection errors explicitly. A missing MCP result is not proof that no issue exists. For critical workflows, distinguish “query returned zero records” from “server failed to authenticate.” Avoid relying on automatic reconnection for non-idempotent calls.
Mastery lab
Connect one read-only local server and one remote OAuth server in a disposable project. Verify scope, inspect tools/resources/prompts, test an authentication failure, cap a large result, block mutation tools, and remove both servers cleanly. Write a threat model before enabling them in a real repository.
FAQ
Should project MCP configuration include environment values?
It may reference required variable names, but secrets should come from secure local or managed injection.
Does MCP tool search make many servers harmless?
It helps context cost, not security or operational complexity. Disable integrations you do not need.
Can Claude Code itself act as an MCP server?
Claude Code documents a server mode for compatible clients. Constrain its exposed tools and environment like any other agent surface.