Which MCP architectural role is responsible for enforcing user consent policies and orchestrating the AI workflow?
The host is the user-facing app that orchestrates the workflow and enforces consent; clients live inside it (one per server) and servers only expose capabilities.
Think of a power strip in your home. The strip is the host: it sits on your desk, you control it, and you decide which appliances get power. Each socket on the strip is a client: one dedicated socket per device, managing that single connection. The appliances plugged in are servers: a lamp, a charger, a fan, each offering one capability. The lamp cannot decide whether it is allowed to draw power, you do, by flipping the switch on the strip. In MCP, the host owns the same authority: it approves tool calls, enforces what the user permitted, and drives the conversation, while clients just carry messages and servers just offer tools.
Detailed answer & concept explanation~7 min readEverything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
4 min: name the three roles, draw the one host to many clients to many servers topology, then argue why consent enforcement lands on the host and not the credential-holding server.
| Role | Where it runs | Owns consent? | Key responsibility |
|---|---|---|---|
| Host | User-facing app | Yes | Orchestrates workflow, gates every tool call |
| Client | Inside the host, one per server | No | Manages one JSON-RPC session lifecycle |
| Server | Separate process | No | Exposes tools, resources, prompts |
Real products, models, and research that use this idea.
- Claude Desktop acts as the host, spawning one client per configured server and prompting the user before each tool call.
- Cursor and Zed both function as MCP hosts, aggregating tools from multiple servers and enforcing their own approval UI.
- An Anthropic filesystem or GitHub server exposes tools and resources but defers every consent decision to the connecting host.
What an interviewer would ask next. Try answering before peeking at the approach.
QWhy does MCP isolate one client per server instead of multiplexing many servers over one client?
QIf the host is the only enforcement point, what attacks does that leave it exposed to?
Don't say thisRed flags and common mistakes that signal junior thinking. Click to expand.
Red flags and common mistakes that signal junior thinking. Click to expand.
Assuming the server enforces consent because it owns the credentials. The server only offers capabilities; the host decides whether each call is permitted.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.
Same topic, related formats. Practice these next.