Why This Matters
Most integration issues come from transport mismatch:- local subprocess workflows expect
stdio - hosted/shared workflows expect HTTP transports
- some clients still use older SSE-compatible remote flows
Style Comparison
| Style | Transport | Where it runs | Typical auth | Best use case | Official references |
|---|---|---|---|---|---|
| Local subprocess server | stdio | Local machine (spawned process) | Usually local trust boundary; optional server auth | Browser automation and local dev tooling | MCP transports, Claude Code MCP |
| Remote MCP server (modern) | Streamable HTTP | Remote service | Bearer/session/OAuth (server-defined) | Shared hosted tools and multi-user environments | MCP transports, Claude Code MCP |
| Remote MCP server (legacy compatibility) | SSE + POST fallback | Remote service | HTTP auth (server-defined) | Backward compatibility with older client/server behavior | MCP transports |
| Connector-style remote usage | Remote HTTP MCP only | Remote service reachable by API provider | OAuth or bearer token via connector config | Tool access in API-based agent workflows | Anthropic MCP connector |
| Registry-discovered ecosystem servers | Varies (stdio and HTTP) | Local or hosted | Server-defined | Discovering existing production/community servers | MCP Registry, MCP servers repo, servers README |
How To Choose Quickly
- Use
stdiowhen the tool must run locally and you control the machine. - Use Streamable HTTP when the server is shared, hosted, or multi-tenant.
- Use legacy SSE mode only when a required client/server still depends on it.
- Use connector-style remote MCP when an API provider requires remote-only integration.
Security Notes
- Validate
Originheaders for browser-based transports and avoid exposing local servers beyond trusted boundaries. - Prefer binding local HTTP listeners to loopback (
localhost) unless you explicitly need network exposure. - Treat access tokens as bearer credentials and store/forward them only over TLS.
- Keep remote MCP endpoints authenticated by default; avoid unauthenticated public tool surfaces.