New MCP Server: Your Agents Get a Badge, Not a Master Key

Read More

MCP vs REST

The Enterprise Decision Is More About Governance Than Integration

 
 

Key Takeaways

  • An MCP server is a software layer that exposes typed tools, resources, and prompts to AI clients through the Model Context Protocol, an open standard introduced by Anthropic in November 2024 to give LLM applications a uniform way to connect to external systems.
  • The MCP vs REST decision is a requirements decision, like every other integration choice. Functional fit (who calls it, how dynamic the surface needs to be) and non-functional fit (governance, audit, data boundary, latency) drive the answer.
  • The current discourse over-weights protocol mechanics and under-weights governance. Identity propagation, per-user audit attribution, and data egress are the dimensions that compliance reviews actually fail on.
  • Most enterprise MCP deployments call their back-ends with a shared service account. That pattern is the single most common reason a working AI pilot fails its production review.
  • Wrapping an existing REST API in an MCP server is a category-entry move. It solves discovery and composition for agent consumers. Governance is a separate piece of work that the wrap does not do.

What is an MCP server?

An MCP server is a software layer that exposes a set of typed tools, resources, and prompts to AI clients through the Model Context Protocol, an open standard introduced by Anthropic in November 2024 to give LLM applications a uniform way to connect to external systems.

The protocol uses JSON-RPC 2.0, with stdio for local servers and streamable HTTP for remote servers. The MCP server publishes what it can do at session start; the AI client picks tools at runtime based on user prompts. The architecture exists for a single reason: the consumer is an LLM agent that has to discover what is available, pick the right capability, and chain calls without prior knowledge of the capabilities available.

Most discussion of MCP focuses on protocol mechanics: tool discovery, JSON-RPC, transport layers, and integration patterns. Those topics matter, but they are not what determines whether an enterprise deployment survives a production review. The more challenging issue is governance. Identity propagation, per-user audit attribution, and data-boundary enforcement are where working pilots most often fail.

CUSTOMER CASE STUDY

How Ally Built a Modern Fraud Intelligence Platform

Learn how Ally applied graph analytics and contextual investigation tools to uncover complex fraud networks and strengthen fraud prevention.

Read Case Study

Why Is MCP Getting Attention Now?

The protocol arrived in November 2024. In the eighteen months since, Microsoft, Google, AWS, and Cloudflare have all published reference implementations or first-party integrations. Over thirty Common Vulnerabilities and Exposures (CVEs) were filed against MCP servers and infrastructure between January and February 2026 alone, with vulnerabilities ranging from path traversal flaws to a CVSS 9.6 remote code execution in a package downloaded nearly half a million times. The gap between high adoption rates and lagging security issues.

Why is the MCP server vs REST API decision suddenly a conversation?

Solution design is simply a requirements decision. What makes the MCP server vs REST API discussion a live conversation right now is that most current writing on MCP weighs the functional requirements heavily and under-weights the non-functional ones. The non-functional requirements are often where production reviews are won or lost.

The functional axis is the part the field handles well:

  • Use REST when the consumer is application code that knows in advance what it is calling and why.
  • Use MCP when the consumer is an LLM agent that needs to discover capabilities at runtime and chain calls across them.

The dominant advice of "build both, wrap REST in MCP" stops at this level and treats the choice as resolved.

The non-functional dimension though is where the field gets quieter. Identity propagation. Per-user audit attribution. Data egress and boundary control. Latency under tool composition. Token cost when the agent has to load tool schemas at session start. These are the dimensions that decide whether a working pilot survives a production review, and they are the dimensions the discourse under-weights.

Putting the two axes together gives a simple test:

  • REST fits when the integration is system-to-system and the contract is stable.
  • MCP fits when the consumer is agentic, the integration surface is broad enough to justify dynamic discovery, and there is a defensible answer for identity propagation and per-user audit.
  • Wrapping REST in MCP is the right move when you want agent consumers to reach an existing surface. The wrap solves discovery and composition. It does not solve governance.

Two of those three MCP conditions are not enough. Teams regularly satisfy the functional requirements and then discover that governance is the condition that actually qualifies the deployment. It is the difference between a successful pilot and a deployable production system.

The table below provides a comparison of MCP and REST.

MCP serverREST API
What it isAn open protocol layer that exposes typed tools, resources, and prompts to AI clients via JSON-RPC 2.0, using stdio for local servers and streamable HTTP for remote servers.An architectural style for stateless HTTP access to resources, defined by URL paths and verbs.
Primary consumerLLM agents and AI applications via MCP-compliant clients. The client is non-human and discovers what is available at runtime.Application code written by humans. The client knows in advance what it is calling and why.
Discovery modelIn-protocol self-description. The client retrieves tool, resource, and prompt schemas at session start.Out-of-band documentation. OpenAPI or Swagger schemas, or human-authored docs the developer reads first.
State modelStateful session with shared context across calls in the same connection.Stateless per request. Each call carries its own auth, parameters, and context.
Identity propagationOAuth 2.1 to the MCP server. Forwarding the requesting user's identity through the agent into the underlying system is implementation-dependent and the most common production failure point.Per-request auth header. The caller decides what identity context to send, and the back-end enforces against it. The pattern is well-understood.
Best-fit caseAgent runtimes that need dynamic tool discovery, multi-tool reasoning, and a self-describing interface for non-human consumers.Stable, predictable, system-to-system integration where the contract changes slowly and the consumer is known in advance.

The important distinction is not that MCP and REST serve different consumers. Most architects already understand that. The more consequential distinction is governance. REST inherited decades of patterns for propagating user identity, enforcing permissions, and attributing actions. MCP is still developing those operational patterns. The architectural risk is not adopting MCP. The risk is assuming the protocol solves governance problems it was never designed to solve.

How does an MCP server work?

Five components make MCP work: tools, resources, prompts, transport, and authorization.

The first four explain why MCP is useful. Tools expose actions an agent can invoke. Resources expose structured context. Prompts provide reusable workflows. Transport standardizes communication between client and server.

Authorization is different. It determines whether the identity of the requesting user survives the trip from the AI client, through the MCP server, and into the underlying system. That is where most enterprise deployments encounter trouble. A server can expose well-formed tools, use OAuth correctly, and successfully execute requests, yet still lose the identity of the originating user before reaching the back-end system. The result is an agent operating under a shared service account, with accountability detached from the human who initiated the action.

That distinction matters because production reviews rarely fail due to tool schemas or transport protocols. They fail when auditors discover that actions cannot be reliably attributed to individual users.

What happens to MCP servers at enterprise scale?

Three governance failures repeatedly surface in enterprise MCP deployments;

  • The service account trap. Production MCP deployments commonly call the back-end with a single shared credential. Every request appears to come from the same technical identity, regardless of which employee actually initiated it. The agent effectively runs with the permissions of every user combined, and compliance reviews catch it. SOC 2, HIPAA, PCI-DSS, and GDPR all require per-user accountability that a shared credential cannot produce.
  • The identity-forwarding gap. OAuth 2.1 can authenticate the user to the MCP server, but that does not automatically mean the user's identity is forwarded to the back-end system the tool calls. Azure architects building MCP through API Management have documented the same gap: until per-user identity is forwarded all the way to the back-end, the integration is only safe for public or system-level APIs. Current workarounds include subscription-level authorization and bespoke JWT-forwarding policies. Most public MCP implementations stop at the server boundary, so the back-end call goes out under whatever credential the server holds.
  • The audit attribution gap. Tool name plus timestamp does not satisfy a SOC 2 or HIPAA audit. A defensible audit log records which human user the request originated from, what the agent's reasoning was at the point of the call, what data the call returned, and whether an access policy was consulted before the operation was permitted. Standard MCP server logging records none of those by default.

The same pattern sits behind all three failures. Enterprise integration evolved around known applications calling known interfaces. MCP changes the assumption. The consumer is now an agent that discovers capabilities at runtime and decides what to do mid-session. The protocol arrived quickly. The governance patterns needed to support it are still catching up.


Download free ebook
"How DataWalk AI is Transforming Investigative
and Intelligence Analytics


Download the eBook

FAQ

No. The MCP server and the REST API operate at different layers of the integration stack. Many MCP servers call REST APIs internally as their execution layer; the protocol layer is added so non-human consumers can discover and compose what is available. The decision is which layer the consumer needs.
Wrapping earns the right to be evaluated by agent runtimes, and that is a reasonable first move. It does not change the underlying identity, audit, or data-boundary posture. If the wrapped REST API used a service account before, the MCP wrapper calls it with the same service account after, and the production review fails at the same point. The wrap is a discovery-and-composition fix. Governance is the second piece of work, and the architecturally harder one.
Three conditions need to hold together.
1. The consumer is an LLM agent that needs to discover capabilities at runtime.
2. The integration surface is broad enough that hand-coding each integration would be uneconomic (the N×M to N+M math).
3. And the governance requirements (identity propagation, per-user audit, data boundary control) can be met under your specific MCP implementation.

Two of three is not enough.
 

Join the next generation of data-driven investigations:
Discover how your team can turn complexity into clarity fast.

 
Get A Free Demo