What is a Remote MCP Server?
A remote MCP server is a hosted MCP server that clients reach over the network using the Streamable HTTP transport, rather than launching it as a local subprocess. Remote servers typically authenticate callers with OAuth-based authorisation and serve many users from one operated deployment.
WHY IT MATTERS
The MCP specification defines two standard transports: stdio, where the client launches the server as a subprocess, and Streamable HTTP, where the server runs as an independent process exposing a single MCP endpoint (e.g. https://example.com/mcp) handling HTTP POST and GET, optionally streaming responses via Server-Sent Events. Remote servers use the latter — the earlier HTTP+SSE transport from protocol version 2024-11-05 is deprecated and replaced by Streamable HTTP.
Authorisation differs sharply from local servers. The spec's authorisation framework is OAuth 2.1-based and applies to HTTP transports: clients obtain tokens via an authorisation server and present them on requests. Sessions are tracked with the MCP-Session-Id header. This gives operators real identity, token scoping and revocation — none of which exist for a subprocess inheriting its parent's environment.
The operational and security trade-offs cut both ways:
- For remote: centrally patched and versioned, no code executing on user machines, credentials stay server-side, per-user authorisation and revocation, no supply-chain pull of npx packages at launch.
- Against remote: a network dependency and shared attack surface; your data transits a third party's infrastructure; the operator can change tool behaviour at any time without anything changing locally — a variant of the MCP rug pull risk; and the spec requires servers to validate Origin headers and authenticate connections properly.
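The per-request checks described above (Origin validation, a bearer token on every request, the MCP-Session-Id header), as an added Python example that is not PolicyLayer's or the MCP project's code. The allowlist, token and session tables, the names gate and subject_for, the status codes, and the rule that a session is bound to the token's subject are assumptions of this example.

```python
import hmac

# Constructed sample data (assumptions, not values from the page).
ALLOWED_ORIGINS = {"https://app.example.com"}
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}   # access token -> subject
SESSIONS = {"sess-1": "alice"}                      # session id -> owning subject


def subject_for(token):
    """Stand-in for real OAuth token validation (introspection or JWT checks)."""
    for known, subject in TOKENS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            return subject
    return None


def gate(headers, is_initialize=False):
    """Return (status, reason) for one request to the MCP endpoint."""
    h = {k.lower(): v for k, v in headers.items()}

    # 1. Origin: non-browser clients usually omit it; if a browser sent one,
    #    it must be on the allowlist, otherwise any web page could call us.
    origin = h.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return 403, "origin not allowed"

    # 2. Authorisation: every request carries a bearer token, including the first.
    scheme, _, token = h.get("authorization", "").partition(" ")
    subject = subject_for(token.strip()) if scheme.lower() == "bearer" else None
    if subject is None:
        return 401, "missing or invalid bearer token"

    # 3. Session: the initialize request creates one; later requests must name
    #    an existing session that belongs to the same subject as the token.
    if is_initialize:
        return 200, "ok"
    session_id = h.get("mcp-session-id")
    if session_id is None:
        return 400, "missing MCP-Session-Id"
    owner = SESSIONS.get(session_id)
    if owner is None:
        return 404, "unknown session"
    if owner != subject:
        return 403, "session belongs to another subject"
    return 200, "ok"
```

Binding the session to the token's subject means a leaked session id is not enough on its own: the caller still needs a valid token for the same user.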
HOW POLICYLAYER USES THIS
PolicyLayer's gateway fronts both remote and local-style upstreams: teams register a remote server's HTTP endpoint once, and clients connect through PolicyLayer with per-person scoped tokens instead of sharing upstream credentials. The public catalogue at /tools records per-tool risk classifications for thousands of MCP servers, remote and local alike.