What is an MCP Host?

An MCP host is the application that embeds and coordinates MCP clients — for example Claude Desktop, Claude Code, Cursor or an IDE. The host creates one client per server connection, manages the LLM integration, and is responsible for enforcing security policies and user consent across all of them.

WHY IT MATTERS

The Model Context Protocol defines a client-host-server architecture with three distinct roles. The host is the container process: it creates and manages multiple client instances, controls their connection permissions and lifecycle, handles user authorisation decisions, and coordinates the AI model's access to context. Each client maintains exactly one stateful session with one server — a strict 1:1 relationship — while servers expose tools, resources and prompts.

This separation is deliberate. The spec's design principles state that servers should not be able to read the whole conversation or "see into" other servers: full conversation history stays with the host, each client connection is isolated, and cross-server interaction is mediated by the host. The host is therefore the trust boundary in an MCP deployment — it decides which servers to connect, which tools the model may use, and when a human must approve an action.

In practice, popular hosts include Claude Desktop, Claude Code, Cursor, Windsurf, VS Code (via its MCP support) and other agent coding assistants. Users often say "client" colloquially for these applications, but in spec terms the application is the host and the per-connection protocol endpoints inside it are the clients. The distinction matters when reasoning about security: consent prompts, sampling control and context aggregation are host responsibilities, not client or server ones.
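
The roles described above, as an added example that is not part of the original page and does not use any MCP SDK: a simplified in-process model in which the host keeps the conversation history, creates one client per server, and applies a default-deny policy with an approval callback before any tool call reaches a server. All class, server and tool names are hypothetical.

```python
class Server:
    """Stand-in for an MCP server: it observes only the calls sent to it."""
    def __init__(self, name, tools):
        self.name, self.tools, self.seen = name, tools, []
    def call(self, tool, args):
        self.seen.append((tool, args))  # everything this server ever sees
        return self.tools[tool](**args)

class Client:
    """Protocol endpoint bound to exactly one server (the 1:1 session)."""
    def __init__(self, server):
        self.server = server
    def call_tool(self, tool, args):
        return self.server.call(tool, args)

class Host:
    """Owns the history, the clients, the policy and the consent decision."""
    def __init__(self, policy, approve):
        self.clients = {}       # server name -> its single client
        self.history = []       # full conversation never leaves the host
        self.policy = policy    # (server, tool) -> "allow" | "ask"; else deny
        self.approve = approve  # stands in for a user consent prompt
    def connect(self, server):
        if server.name in self.clients:
            raise ValueError("one client per server connection")
        self.clients[server.name] = Client(server)
    def tool_call(self, server, tool, args):
        decision = self.policy.get((server, tool), "deny")  # default deny
        if decision == "ask":
            decision = "allow" if self.approve(server, tool, args) else "deny"
        self.history.append({"call": (server, tool), "decision": decision})
        if decision != "allow":
            return {"error": "blocked by host"}
        result = self.clients[server].call_tool(tool, args)
        self.history.append({"from": server, "result": result})
        return {"result": result}

def demo():  # constructed servers, policy and messages, for illustration only
    files = Server("files", {"read": lambda path: f"contents of {path}"})
    mail = Server("mail", {"send": lambda to, body: f"sent to {to}"})
    policy = {("files", "read"): "allow", ("mail", "send"): "ask"}
    host = Host(policy, lambda s, t, a: a["to"].endswith("@example.com"))
    host.connect(files)
    host.connect(mail)
    host.history.append({"user": "summarise notes.txt and mail it"})
    results = [host.tool_call("files", "read", {"path": "notes.txt"}),
               host.tool_call("mail", "send", {"to": "a@example.com", "body": "summary"}),
               host.tool_call("mail", "send", {"to": "x@other.test", "body": "summary"}),
               host.tool_call("files", "delete", {"path": "notes.txt"})]
    return host, files, mail, results
```

Each server's `seen` list holds only the arguments of calls the host allowed through to it; the user message, the denied calls and the other server's traffic appear only in `host.history`.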

HOW POLICYLAYER USES THIS

PolicyLayer works with any MCP host. Instead of pointing each host's configuration at upstream servers directly, teams point hosts at the PolicyLayer gateway with a per-person scoped token. Host-level consent prompts remain in place; PolicyLayer adds organisation-level, deterministic policy enforcement and audit beneath them, applied uniformly regardless of which host a person uses.

FREQUENTLY ASKED QUESTIONS

What is the difference between an MCP host and an MCP client?
The host is the application (e.g. Claude Desktop or Cursor); a client is the protocol endpoint the host creates for each server connection. One host runs many clients, and each client connects to exactly one server.

Is Claude Code a host or a client?
In spec terms Claude Code is a host: it embeds an MCP client per configured server, coordinates the model, and handles permissions and consent.

Why does the host matter for security?
The host enforces consent, isolates server connections from each other, and keeps full conversation history away from servers — making it the primary trust boundary in MCP's architecture.
