Who is responsible for resolving tool name collisions in a multi-server MCP setup?
MCP guarantees tool-name uniqueness only within a single server. Resolving cross-server collisions is the host's job, usually via server-qualified prefixing.
Imagine three coffee shops in a mall, each with a barista who answers to 'Sam'. If you shout 'Sam, make my order!' across the food court, three people turn around and nobody knows who you meant. The fix is to say 'Bean Street Sam' instead of just 'Sam'. MCP is like the mall: each shop promises its own staff have distinct names, but the mall itself never coordinates names across shops. The host application is the customer who has to add the shop name in front. It collects every tool from every connected server, notices two are both called 'search', and relabels them so the model can point at exactly the one it wants.
Detailed answer & concept explanation~8 min readEverything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
4 min: scope of the uniqueness guarantee, the host as aggregation point, server-qualified prefixing, why the model and config priority cannot resolve it, and the shadowing security angle.
| Question | Answer |
|---|---|
| Does the spec enforce global unique tool names? | No, only within a single server's tools/list |
| Can the model disambiguate two identical names itself? | No, it only sees host-supplied names and descriptions |
| Does higher config priority auto-resolve a collision? | No, the spec defines no precedence rule |
| Who must apply server-qualified prefixing? | The host, the only actor that sees all servers |
| What is the failure mode if ignored? | Silent wrong-tool calls and shadowing attacks |
Real products, models, and research that use this idea.
- Claude Desktop reads claude_desktop_config.json, connects to multiple servers, and the client aggregates their tool lists into one model-facing catalog.
- Cursor users routinely run filesystem plus GitHub plus Postgres servers at once, where generic names like search or read collide and need host-side qualification.
- The OWASP MCP Top 10 published in 2025 lists cross-server tool shadowing as a named risk that host disambiguation policy must defend against.
What an interviewer would ask next. Try answering before peeking at the approach.
QHow would you design a host disambiguation strategy that stays stable as servers are added and removed?
QHow does cross-server tool shadowing become a security exploit, and how does the host defend?
Don't say thisRed flags and common mistakes that signal junior thinking. Click to expand.
Red flags and common mistakes that signal junior thinking. Click to expand.
Assuming the protocol or the model resolves duplicate tool names. The host is the only component that sees all servers at once.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.
Same topic, related formats. Practice these next.