Why does MCP separate Tools and Resources rather than using one unified read/write primitive?
Tools and Resources differ by control direction and side effects: tools are model-invoked and can mutate state, resources are host-controlled read-only context, so separating them enables granular consent.
Think of a kitchen. Resources are the open pantry: anyone cooking can look inside and read off the labels, but nothing changes by looking. Tools are the appliances, the oven, the blender, the disposal. Using one of those actually does something, and you might burn dinner or shred a fork. You happily let a guest browse your pantry. You do not hand them the keys to run every appliance unsupervised. MCP draws the same line. Resources let the app pull read-only context for the model. Tools let the model trigger real actions with side effects. Because they are separate primitives, the host can say yes to one and no to the other.
Detailed answer & concept explanation~8 min readEverything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
4 min: two axes (control direction + side effects) + why the split enables granular consent + least privilege + resources for cheap context paging + the distractor traps.
| Property | Resources | Tools |
|---|---|---|
| Who initiates | Host or application controlled | Model decides when to call |
| Side effects | None, read-only by contract | Allowed, may mutate state |
| Addressing | By URI, like a file path | By name plus argument schema |
| Consent posture | Safe to fetch eagerly | Should gate each call |
| Typical use | Inject context for the model | Take an action in the world |
Real products, models, and research that use this idea.
- Claude Code surfaces files as resources the host pulls, while gating tools like shell or write behind per call user approval.
- Anthropic's filesystem MCP server exposes directory contents as read-only resources, separate from write-capable tool methods.
- Cursor and Zed adopted MCP so a host can grant a server resource access without auto-approving its side-effectful tool calls.
What an interviewer would ask next. Try answering before peeking at the approach.
QHow would a host implement per primitive consent for a single untrusted MCP server?
QCould a malicious server abuse resources even though they are read-only?
Don't say thisRed flags and common mistakes that signal junior thinking. Click to expand.
Red flags and common mistakes that signal junior thinking. Click to expand.
Thinking the split is about data types or speed. It is about control direction and side effects, which is what makes per primitive consent meaningful.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.
Same topic, related formats. Practice these next.