Previously in the seriesThe Bare Minimum SetupCLAUDE.md Done RightModels, Tiers, and EffortThe Context Window TaxHooks That Guard Your CodeIntroductionClaude Code is reasonably capable out of the box — it reads files, writes code, and runs shell commands. But real projects don't live in isolation: issues are in GitHub, errors surface in Sentry, and data lives in a database. Without connecting Claude to those systems, you're always doing the bridgework yourself. MCP (Model Context Protocol) is the mechanism for closing that gap — a standardized interface for connecting Claude Code to external tools and data sources.\This article covers how MCP servers are configured, which ones I've found worth adding, and a few things that catch people off guard. Worth saying upfront: you can achieve similar integration without MCP — shell scripts, CLI tooling, and Bash tool calls get you a long way. Whether that's preferable is a legitimate debate and not one I'll settle here. MCP servers are one approach, and this article is about using them well. \One other thing worth noting: MCP servers extend what Claude can reach, but they don't change what Claude is allowed to do — that's still hooks and permissions territory, covered in the previous article. The two layers complement each other rather than overlap.How MCP Servers Plug InAn MCP server is a process — local or remote — that exposes a set of tools over a defined protocol. Claude Code acts as the client. When a server is connected, its tools show up alongside Claude's built-in tools (Bash, file read/write, search), and Claude can invoke them the same way.\There are three transport types:stdio — runs a local process on your machine. Used for things that need direct system access: file system, local databases, Docker.HTTP — connects to remote services. This is the current recommended transport for cloud-based servers.SSE (Server-Sent Events) — the older remote transport. Deprecated as of early 2026 in favor of HTTP. You'll still find many servers that use it, but new integrations should use HTTP.\Configuration scope matters almost as much as which server you add:local (the default) — available only to you in the current project. Stored in ~/.claude.json, keyed by project path. The right place for credentials and servers you're testing before committing to a team config.project — stored in .mcp.json at the project root. Shared with everyone on the team via version control. Server definitions go here; credentials do not.user — available to you across all projects, also stored in ~/.claude.json but globally. Personal servers you want everywhere, regardless of which project you're in.\The practical pattern: define the server shape in .mcp.json (server name, command, args). Then have each developer supply their own credentials via local config or environment variables. Server names stay consistent, secrets stay private.Adding a ServerThe CLI command is:claude mcp add --scope project github \ -- npx -y @modelcontextprotocol/server-github\For servers that need credentials, you don't want those in .mcp.json. Use the --env flag or reference an environment variable:claude mcp add-json github \ '{"type":"http","url":"https://api.githubcopilot.com/mcp","headers":{"Authorization":"Bearer '"$GITHUB_TOKEN"'"}}'\Inside a session, /mcp opens the management panel — you can enable, disable, and reconnect servers without touching config files.\To see what's connected:claude mcp listServers Worth AddingI'll be direct: most of the lists out there include 50+ servers. That's not useful. The ones I actually run, and have found genuinely improve the workflow rather than just add noise:\GitHub — the one I'd install first. PR review, issue lookup, creating branches, and checking CI status. The integration is official and maintained by GitHub. Use the HTTP transport with a personal access token.claude mcp add-json github \ '{"type":"http","url":"https://api.githubcopilot.com/mcp","headers":{"Authorization":"Bearer '"$GITHUB_TOKEN"'"}}'\PostgreSQL — direct database access. Ask Claude to query a table, explore a schema, or find records matching a condition. More useful than it sounds: schema questions that would take three manual queries can become one natural-language ask.{ "mcpServers": { "postgres": { "command": "npx", "args": ["-y", "@modelcontextprotocol/server-postgres"], "env": { "POSTGRES_CONNECTION_STRING": "$DATABASE_URL" } } }}Filesystem — worth considering when you want to give Claude explicit, scoped access to specific directories with structured operations (list, read, write, move) rather than raw shell access. The path argument acts as a whitelist — Claude can only operate within what you declare.claude mcp add --scope project filesystem \ -- npx -y @modelcontextprotocol/server-filesystem /home/user/shared\Sentry — if you're debugging production issues, having Sentry connected means Claude can pull the actual stack trace for a given error and work with it directly, rather than you copying it in manually.\Context7 — provides up-to-date library documentation. Claude's training data has a cutoff; framework APIs change. Context7 pulls the current docs for a library and makes them available during the session. I use this when working with dependencies that release frequently.claude mcp add context7 -- npx -y @upstash/context7-mcp@latestBefore You Add Anything: SecurityMCP servers are more dangerous than they look, and this is worth understanding before you start installing things from npm.\Every MCP server you connect to exposes a set of tool definitions to Claude's context. Those definitions include names, descriptions, and parameter schemas — and the model reads them and treats them as instructions. This is how tool poisoning works: a malicious server embeds hidden instructions inside a tool description, invisible in any UI but fully visible to the model. The tool might be called add and appear to add two numbers, but its description could silently instruct Claude to read your SSH keys and pass them as a parameter before doing anything else.\What makes this hard to catch: you never see the raw tool descriptions. You see the tool name in the approval prompt, not the full metadata the model receives. By the time Claude is acting on hidden instructions, there's nothing in the interface that signals something is wrong.\There's also a rug pull variant: a server that looked clean at install time can silently modify its tool descriptions after you've already approved it. The approval you gave was for version one; you're now running version two.\Anthropic's own documentation is direct about this: third-party MCP servers are used at your own risk, and servers that fetch untrusted content carry prompt injection risk by design.\Practical steps I actually follow:Install only from sources with a clear owner and auditable source code. The @modelcontextprotocol/ namespace on npm and first-party servers (GitHub's official server, Anthropic's own) are a reasonable baseline. Random packages from community lists are not.Run mcp-scan after adding any server. It's a scanner from Invariant Labs that checks tool descriptions for hidden instructions and pins tool hashes so you're alerted if a server's tools change after initial install:uvx mcp-scan@latest\No configuration required — it auto-discovers Claude Code's MCP configs.\Give servers the minimum access they need. Database servers should use a read-only connection string unless you specifically need writes. Filesystem servers should be scoped to a directory, not your home folder. If you need a server to have write access, a PostToolUse hook that logs or audits those calls is a reasonable additional layer — the previous article covers hook setup in detail.Keep the number of installed servers small. Every additional server is an additional attack surface, and as noted below, there's a context cost too.Common PitfallsEvery server costs contextThis is the one that bites people who add too many servers at once. Each connected MCP server exposes its tool definitions to Claude's context window, and those definitions take space even when the tools aren't being used. Add five servers, and you might be paying for 20-30 tool definitions per session, whether you use them or not.\Before the MCP Tool Search (now available in Claude Code), this was a serious problem. With it enabled, servers load lazily — tools don't expand in context until they're actually needed. But not all servers support this yet, and it's worth checking.\My rule: if I haven't used a server in a week, I disable it. The /mcp disable command does this without removing the configuration, so re-enabling is one command.Credentials in project-scope configIt's easy to accidentally put an API token directly in .mcp.json — especially when copying a config from documentation. If .mcp.json is committed (and it usually should be, so team members share the server definitions), that token is now in version control.\The correct pattern: server name, command, and args in .mcp.json; credentials in environment variables or in local scope. If you use $VAR_NAME syntax in the config, Claude Code will expand it from the environment at startup.{ "mcpServers": { "github": { "type": "http", "url": "https://api.githubcopilot.com/mcp", "headers": { "Authorization": "Bearer $GITHUB_TOKEN" } } }}\Set GITHUB_TOKEN in your shell profile. Commit the config. Don't commit the token.SSE servers that silently failIf you're connecting to an older MCP server that uses SSE transport, you may hit connection failures that give you no useful error message. Claude Code treats SSE as legacy, and some servers have configuration quirks around how the endpoint URL should be specified.\If a server shows as "disconnected" in /mcp with no clear reason: check whether it's using SSE, whether there's an HTTP transport variant available, and run claude mcp get to inspect the config. That's usually enough to find the mismatch.SummaryMCP servers are the extension layer that makes Claude Code genuinely useful for real-project work rather than just file editing. The configuration model is straightforward once you understand scopes: project-level for server definitions, local or environment for credentials. \The security model requires more deliberate care than most tutorials suggest — run mcp-scan, install only from sources you trust, and scope access down to what's actually needed. Start with one or two servers that match your actual daily workflow rather than adding a dozen at once — every server has a context cost, and the ones you never use still pay it.\In the next article, I'll look at skills — what they actually are in Claude Code, why most examples you'll find don't fire reliably, and how to write ones that consistently do.\