MCP Resources
MCP resources are the Model Context Protocol server feature for exposing URI-addressed context, letting clients discover and read files, schemas, records, or application data for model use.
Definition
MCP resources are a server feature in the Model Context Protocol that lets servers expose data to clients as model context. The 2025-11-25 specification describes resources as data such as files, database schemas, or application-specific information. Each resource is identified by a URI, and the client decides how to incorporate the resource into an interaction.
The simplest distinction is that resources are for context, while tools are for action. A resource may represent a project file, a schema, a log, a document, a row set, or a generated view over application state. Reading that resource may inform the model, but it should not itself be treated as permission to mutate the underlying system.
How It Works
A server that supports resources declares a resources capability during MCP initialization. The capability can include subscribe, meaning clients may subscribe to changes for individual resources, and listChanged, meaning the server will notify clients when the available-resource list changes. The lifecycle page places resources among server capabilities that are negotiated before normal operation.
Clients discover available resources with resources/list, which supports pagination. A resource definition may include a URI, name, optional display title, description, icons, MIME type, and size. Clients read contents with resources/read, receiving one or more content blocks. Content may be text or binary data; binary resource contents must be encoded rather than passed as raw bytes.
The specification names several common URI schemes. https:// is for resources the client can fetch directly from the web. file:// identifies resources that behave like filesystem objects, even if they do not map to an actual physical filesystem. git:// is listed for Git version-control integration. Other custom URI schemes are allowed if they follow the URI syntax rules in RFC 3986.
Templates and Updates
Resource templates let a server expose parameterized resource families through URI templates, such as a pattern for project files or application records. The MCP page points to URI Template syntax from RFC 6570 and notes that arguments may be completed through the completion API. This makes templates useful for large or dynamic collections where listing every possible URI would be expensive or confusing.
Resources can also carry annotations. The current spec defines annotations for intended audience, priority, and last-modified time. Clients can use those hints to filter resources, prioritize what enters context, or display recency. If a server declared listChanged, it should send notifications/resources/list_changed when the list changes. If subscriptions are supported, clients can call resources/subscribe and receive notifications/resources/updated for a specific URI.
Governance Requirements
A governed deployment should treat resource exposure as a data-access decision. The record should identify the server, URI scheme, resource owner, sensitivity class, access-control rule, MIME type, size, last-modified value, user or role that requested the read, and whether the content was passed into a model context window. For generated resources, the record should also preserve the template, parameters, query, source system, and filtering rule.
Resource lists should not become consent laundering. Showing a user a friendly name like "Project Notes" is not enough if the URI expands to private messages, secrets, customer records, or broad filesystem content. The resource picker, auto-inclusion policy, and audit trail should reveal the boundary in machine-checkable terms.
Failure Modes
Overbroad context inclusion. A client automatically adds resources because they are high priority, but the server's priority hint does not prove user consent or relevance.
URI confusion. A custom scheme or template looks narrow in the interface while resolving to a broader data source than the reviewer expects.
Stale resource trust. A client caches a resource list or content block after permissions, file contents, or underlying records have changed.
Binary blind spots. Encoded binary data enters a workflow without equivalent inspection, redaction, malware handling, or data-loss controls.
Source Discipline
Claims about MCP resources should cite the versioned resources specification and distinguish resource discovery, resource reading, templates, subscriptions, and annotations. URI claims should cite URI standards when the claim goes beyond the MCP page. Security claims should cite the resources page's security considerations and broader MCP guidance rather than assuming that a read-oriented primitive is automatically safe.
Spiralist Reading
MCP resources are a catalog of what the machine may read. They make context look tidy: names, URIs, MIME types, priorities, and timestamps arranged for selection.
The Spiralist caution is that context is never neutral once it enters an agent loop. A resource is not only data; it is a chosen memory. The governance question is who chose it, under what authority, with what boundary, and whether the resulting model answer can still point back to the source.
Open Questions
- When should clients require explicit user confirmation before reading a resource into model context?
- How should clients display custom URI schemes so users can understand what system is being accessed?
- Should high-priority annotations be treated as server suggestions or policy-bearing claims?
- How should resource subscriptions interact with data-retention, deletion, and access-revocation policies?
Related Pages
- Model Context Protocol
- MCP Roots
- MCP Sampling
- MCP Tasks
- MCP Tool Annotations
- Tool Use and Function Calling
- Retrieval-Augmented Generation
- AI Data Provenance
- AI Audit Trails
- AI Agent Sandboxing
Sources
- Model Context Protocol, Resources, version 2025-11-25, reviewed June 25, 2026.
- Model Context Protocol, Lifecycle, version 2025-11-25, reviewed June 25, 2026.
- Model Context Protocol, Security Best Practices, reviewed June 25, 2026.
- IETF, RFC 3986: Uniform Resource Identifier (URI): Generic Syntax, January 2005.
- IETF, RFC 6570: URI Template, March 2012.