
MCP servers for Claude, Cursor, and VS Code: what to connect first
A practical guide to MCP: how a server differs from an extension or API key, which connections pay off first, and how to avoid granting an agent excessive access.
MCP addresses an unglamorous but important problem: it gives an AI application one way to discover external tools and data. Instead of building a separate adapter for GitHub, files, a database, or Slack, a host runs an MCP client that talks to a compatible server. The official MCP architecture separates the host, client, and server; a server can expose tools, resources, and prompts. That boundary matters more than the promise to “connect everything,” because it is where access and responsibility are defined.
One protocol, three roles, and separate connections
The host is Claude, Cursor, an editor, or another application where the user works. The host creates a client for every configured server. Each server exposes a specific capability: read an allowed directory, query GitHub, run safe database queries, or control a browser. This is not one omnipotent tunnel. Several narrow servers are easier to disable, inspect, and provision with separate credentials.
MCP documentation commonly uses stdio for a local connection: the host launches a process and exchanges messages over standard input and output. A remote server uses Streamable HTTP. The choice changes deployment and trust. A local process inherits access on the current machine; a remote service receives data over the network and needs its own authentication.
Filesystem and GitHub create the first useful boundary
Connect the least dramatic server that removes frequent friction with a clear blast radius. Filesystem access helps when the host cannot read a required directory or when the root must be tightly constrained. GitHub adds issues, pull requests, checks, and repositories. For development, that pair supplies task context and the place where work is recorded.
Begin with read access. If a server can create branches, close issues, or merge pull requests, enable those actions separately. A token covering an entire organization is convenient in a demo and risky in daily work. Prefer a dedicated identity, minimal scopes, and a sandbox repository for the first trial.
Databases, Slack, and Drive need a stricter trust model
A Postgres server can inspect a schema, diagnose queries, and analyze data. The read-only user, however, must be enforced by the database rather than promised in a system prompt. Add statement timeouts, block sensitive schemas, and keep an audit trail for production access. Slack and Google Drive may reveal conversations or documents that the user never intended to put into the task, so limit workspaces, channels, and folders.
MCP resources are useful for context; tools are for actions. If a job can be solved with a read-only resource, do not expose a write tool. This is especially important around billing, CRM, remote shells, and infrastructure.
Browser MCP and PhonePi serve interfaces, not bulk APIs
Browser MCP lets an agent work through a web page, while PhonePi MCP extends a related approach to an Android device. They are useful for interface testing, reproducing a customer journey, and systems without a suitable API. UI automation is still slower and more fragile than a direct API because selectors, sessions, dialogs, and permissions change.
Use a browser or phone bridge when the interface itself matters. Prefer an official API with idempotency and operation logs for bulk synchronization, billing, and critical writes.
A server is not an extension, an API key, or a finished integration
An extension adds UI or behavior to an application. An API key proves who calls a service. An integration describes a finished business workflow. An MCP server is a programmatic contract through which a host discovers and invokes capabilities. The server may still require an API key, OAuth, or local authorization. The protocol neither invents permissions nor guarantees implementation quality.
Check the publisher, repository, dependencies, update path, and declared tools. A server installed from a random README executes code with local privileges. Pin its version and inspect the configuration before introducing secrets.
A small set beats a catalog of twenty servers
A sensible developer sequence is: local files inside an allowed root, one GitHub repository, then a browser for validation. Add databases, chats, and cloud documents only for a specific recurring workflow. Remove connections that produce no value after a week.
Before enabling writes, answer five questions: which data can the server see, which actions can it take, where are secrets stored, who confirms irreversible actions, and where is the audit trail? MCP lowers integration cost, but it does not remove the threat model. A good configuration makes an agent more useful precisely because it does not grant everything at once.
