7 min read

How to Build an MCP Server in Python

This guide covers building production-ready MCP servers in Python using the official SDK and FastMCP, along with key tradeoffs between local and remote deployment architectures. It also breaks down hidden cost drivers like authentication and token overhead that routinely exceed server development expenses, and outlines critical security updates required before the July 2026 MCP specification finalizes.

Featured image for "How to Build an MCP Server in Python"

The official Python SDK for MCP just crossed 262 million monthly downloads, yet most teams building MCP servers in 2026 will spend more on authentication and token overhead than on the actual server code. If you’re about to write a Python MCP server, the protocol is the easy part — it’s the non-functional requirements that’ll wreck your budget and timeline.

This guide covers building a working MCP server in Python using both the official SDK and FastMCP, the tradeoffs between local and remote deployments, and the security changes you need to understand before the July 2026 spec finalizes. The code examples are minimal by design. The analysis of what comes after the code is where the real decisions live.

The Python SDK Landscape in 2026

The official Python SDK for MCP is the mcp package (v1.28.1 stable), requires Python 3.10 or newer, and the v2 line is currently in alpha. You should pin mcp>=1.27,<2 in production until the stable v2 release ships — the v2 alpha already includes breaking changes to auth modules and wire validation.

FastMCP is a Pythonic framework for building MCP servers; it registers tools with the @mcp.tool() decorator and runs over stdio by default for local hosts, per DigitalOcean’s MCP Python tutorial. It’s the faster path from idea to working server, and it abstracts away enough protocol detail that you can focus on what your tool actually does.

Here’s the thing most tutorials skip: the SDK choice matters less than the deployment architecture. Local MCP servers run as subprocesses over stdio, while remote MCP servers use Streamable HTTP — a single bidirectional endpoint introduced in the March 2025 specification, per Google Cloud’s guide to managed MCP servers. That transport decision determines your auth model, your hosting costs, and your security surface.

ApproachBest ForTransportAuth ModelTypical Effort
Official MCP SDK (v1.28.x)Production servers needing full protocol controlstdio or Streamable HTTPOAuth 2.1 (remote) or implicit (local)2-4 weeks for basic tool surface
FastMCP (v3.4.0)Rapid prototyping and Pythonic tool registrationstdio by default, HTTP via ASGISame as SDK; FastMCP adds auth middleware1 week for focused server
Azure Functions MCP extensionTeams already on Azure, event-driven scalingStreamable HTTPBuilt-in EasyAuth integration1-2 weeks if familiar with Functions
FastMCP remote bridge (fastmcp-remote)Connecting stdio-only clients to HTTP serversstdio proxy to HTTP upstreamAutomatic OAuth for HTTPS backendsHours, not weeks

What Building an MCP Server Actually Costs

Those numbers sound absurd until you break down where the money goes.

The dominant cost drivers for MCP server builds are authentication, audit logging, safety/compliance, and distribution — not the server code itself, per Launch Day Advisors. A single-source integration starts around $8,000 in pure development cost, but that’s before you add per-user token passthrough, audit surfaces, or multi-tenant isolation. Full enterprise integrations covering four or more systems run $40,000–$75,000 in dev cost alone, according to AppMatic Tech’s cost breakdown.

Build-cost estimates for MCP servers are reliably 60–80% of actual final costs, and switching costs dominate buy-side TCO after 18 months. Teams routinely discover by month three that they’re short two engineers and a designer, and by month six that the first ship won’t clear the safety bar enterprise procurement asks about.

If you’re building a production-grade MCP server for your SaaS product, the total cost picture is even starker — our cost analysis for SaaS MCP servers breaks down the initial build plus 10–20% annual maintenance that most teams underestimate by 60–80%.

The Token Tax Nobody Budgets For

MCP protocol overhead can increase token consumption 19–40x compared to direct API calls for common workflows including code review, PR triage, and documentation updates. That’s not a theoretical concern — mid-market teams running Sonnet across 12 connectors regularly burn €20,000–€80,000 per year in Anthropic token costs alone, often exceeding platform fees.

The mechanism is straightforward. Every time an agent discovers or invokes a tool, a substantial amount of metadata gets injected into the context window. Tool definitions alone consume 500 to 1,500 tokens per function. For complex workflows, this overhead scales linearly with the number of servers connected.

This creates an uncomfortable economic reality: for high-volume, low-complexity agent tasks, MCP can be economically unviable regardless of whether you build or buy the server.

The 2026-07-28 Spec Changes You Need to Plan For

the MCP 2026-07-28 specification makes the protocol stateless, eliminates protocol-managed sessions (removing session hijacking risk), mandates OAuth 2.1 with PKCE, and introduces MCP-specific HTTP headers such as MCP-Method and MCP-Name. The final version publishes July 28, 2026, with a 12-month deprecation window for legacy functionality.

The headline improvement: previous versions relied on a stateful initialization process that established long-lived sessions through the Mcp-Session-Id header — a high-value target because an attacker who stole one could impersonate an authenticated user. The new spec removes protocol-managed sessions entirely.

But the new stateless MCP specification introduces security risks including client-held state objects that can be hijacked, a _meta object for metadata injection, and potential data leakage via MCP-specific HTTP headers, per SecurityWeek’s analysis. Because the protocol no longer keeps permanent sessions, it issues tracking identifiers and state objects that the server hands to the client. If you use predictable tracking IDs or fail to validate the integrity of a returned state object, an attacker could guess or alter those values to hijack another user’s active workflow.

The practical implication: security decisions the protocol used to enforce now fall to you as the developer. Our Node.js MCP server guide covers the specific code changes you’ll need to implement before the stateless spec finalizes, and the same patterns apply to Python.

Enterprise Authorization Is Finally Here

Enterprise-Managed Authorization (EMA) for MCP went stable on June 18, 2026, allowing organizations to govern server access through identity providers such as Okta via Cross App Access, per Web Developer’s announcement. This is the missing piece for teams who need “works on my laptop” to become “passes security review.”

EMA builds on the Identity-Based Just-in-Time Authorization Grant pattern. When a user opens an MCP client and selects an enterprise-managed server, the client redirects through the org’s IdP. The IdP issues a scoped grant tied to that user’s identity and group membership. The developer experience target is authorize once, inherit everywhere.

For Python developers, this means your server needs to validate grants from the org’s IdP rather than managing OAuth flows directly. The first IdP integration ships with Okta, with more expected as the extension stabilizes.

The Security Landscape Is Shifting Underneath You

Amazon Q Developer Extension for VS Code automatically loaded MCP server configurations from workspace files without user consent, enabling arbitrary code execution and cloud credential theft (CVE-2026-12957), fixed in language server version 1.65.0. This isn’t an isolated incident — it’s part of a broader pattern where MCP auto-execution creates systemic supply chain risk.

The lesson for Python developers: if your server accepts configuration from workspace files or environment variables, you’re responsible for validating that input. The SDK won’t do it for you.

The public MCP catalog contains over 10,000 active servers and covers more than 80% of common integration needs; custom builds are recommended only for proprietary data, custom auth/audit requirements, sub-second local execution, or unique tool surfaces. Before you build, check whether a vendor-maintained server already exists for your integration. The best MCP servers for developers in 2026 covers which ones are production-grade versus community experiments that’ll fail under load.

When Building Makes Sense (And When It Doesn’t)

The decision framework is simpler than most vendors want you to believe. Default to buying — the public catalog covers 80%+ of integration needs. Build only when you hit one of these conditions:

  • Proprietary data the public catalog can’t reach. Your internal APIs, custom databases, or unique data sources.
  • Auth or audit requirements public servers don’t meet. Healthcare, finance, or any context where per-user token passthrough is non-negotiable.
  • Sub-second local execution. Workflows where network round-trips break the agent experience.
  • A tool surface no one else has standardized. Genuine product differentiation, not reinventing Slack integration.

If your project hits any of those, the right pattern isn’t “wire up a public server” — it’s “build the MCP server as an internal product.” Single-purpose scripts rot. Production-grade servers with auth, observability, and SDKs take 8–16 weeks but actually survive contact with real users.

For the build path, Azure Functions supports hosting MCP servers via an MCP extension (all languages) or self-hosted SDK approach (preview), with official tutorials covering C#, Python, and TypeScript. If you’re already on Azure, this is the fastest path to a hosted server with built-in authentication.

The Recommendation

Start with FastMCP for your first server. You’ll have a working tool surface in days, not weeks, and the Pythonic decorator pattern means your code stays readable. Pin the SDK version, plan for the stateless spec changes coming in July, and model your token costs before you scale.

Then ask yourself the uncomfortable question: does this server need to exist at all? If a vendor-maintained public server covers your use case, the economically rational choice is to use it and spend your engineering time on something that actually differentiates your product. The protocol is the cheap part. Everything else is where budgets go to die.