Explain why MCP separates Tools and Resources into distinct primitives. What security or design concern motivates this split?
Tools are model initiated, possibly side effecting actions; Resources are host controlled read only context. Splitting them lets hosts scope read access apart from action access and simplifies consent.
Picture a library with two desks. At the reference desk you read any book on the shelf, and reading never changes anything, so the librarian lets you browse freely. At the second desk you can ask staff to mail a letter, charge your card, or shred a file, and those actions change the world, so staff check with you before doing each one. MCP works the same way. Resources are the books you read, and the host decides which to hand over. Tools are the actions the model asks to perform, and each one may need your approval first. Lumping them into one read or write desk would force the same caution onto harmless reads, or worse, let a risky action slip through unguarded.
Detailed answer & concept explanation~8 min readEverything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
4 min: two axes (control direction plus side effect risk) + read only vs side effecting + security scoping + consent modeling + tie to the MCP threat model.
| Aspect | Tools | Resources |
|---|---|---|
| Who initiates | Model decides to call it | Host application selects it |
| Side effects | May write, delete, or trigger actions | Read-only, never mutates state |
| Addressing | Named function with JSON Schema args | URI-addressed data reference |
| Consent | Often needs explicit user approval | Usually loaded without per item prompt |
| Risk plane | Action plane, the dangerous surface | Read plane, the safe surface |
Real products, models, and research that use this idea.
- Claude Code gates each MCP tool call behind user approval while letting the host load file Resources by URI without a prompt per file.
- Anthropic's filesystem MCP server exposes file contents as read only Resources and separately exposes write or edit operations as Tools.
- The OWASP MCP Top 10 (2025) centers tool poisoning and rug pull risks on the Tools plane, validating why Resources stay read only.
- Cursor and Zed both surface MCP Tool calls for confirmation in 2026 while treating Resource reads as ambient context.
What an interviewer would ask next. Try answering before peeking at the approach.
QHow does the Tools versus Resources split interact with the MCP threat model, like tool poisoning or rug pulls?
QWhy are Resources URI-addressed and host-pulled rather than just exposed as read only tools?
Don't say thisRed flags and common mistakes that signal junior thinking. Click to expand.
Red flags and common mistakes that signal junior thinking. Click to expand.
Saying the split is just cosmetic naming. It encodes a real control direction and side effect boundary that drives permissioning and consent.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.
Same topic, related formats. Practice these next.