Skip to content
5.13Intermediate7 min

MCP vs. OpenAPI: When Do I Need Which?

Blck Alpaca·
Definition

MCP (Model Context Protocol) and OpenAPI/function calling are two ways of connecting AI agents to external tools. OpenAPI describes classic REST interfaces that are wired statically into the agent via function calling. MCP is an open standard for dynamic tool discovery across many clients. MCP pays off with many agents and changing tools, OpenAPI with a self-contained, stable integration.

Key Takeaways

  • OpenAPI/function calling is the simplest choice when an agent uses a limited, stable set of APIs: you define the tool schema once directly in code.
  • MCP (Model Context Protocol, Anthropic 11/2024, under the Linux Foundation/AAIF since 12/2025) standardises tool connectivity via JSON-RPC 2.0 and enables dynamic discovery at runtime.
  • The decisive advantage of MCP is reusability: an MCP server is built once and used by many clients (Claude, Copilot Studio, n8n, LangGraph) without additional effort.
  • Rule of thumb: MCP for connecting to tools/data, A2A for collaboration between agents - complementary rather than competing, according to Google, Microsoft, Salesforce and IBM.
  • MCP brings a larger attack surface (tool poisoning, full-schema poisoning). In 2026, securing it is the operator's responsibility: OAuth 2.1, least privilege, no auto-installation from third-party registries.
  • In the German-speaking (DACH) mid-market, n8n or LangGraph as orchestration plus MCP servers is the rational default in 2026 - often with a few custom MCP servers for internal systems.

MCP (Model Context Protocol) and OpenAPI/function calling are two ways of connecting AI agents to external tools. OpenAPI describes classic REST interfaces that are wired statically into the agent via function calling. MCP is an open standard for dynamic tool discovery across many clients. MCP pays off with many agents and changing tools, OpenAPI with a self-contained, stable integration.

  • OpenAPI/function calling is the pragmatic choice when a single agent uses a small, stable set of tools and you are the only consumer.
  • MCP pays off as soon as several clients need the same tools, the tool set grows, or tools are meant to change at runtime (dynamic discovery).
  • Both together is the normal case: an MCP server frequently wraps exactly the REST APIs documented via OpenAPI and makes them agent-ready.

What this is really about: tool connectivity for agents

An AI agent is an LLM that uses tools in a loop. The central architectural question is not "MCP or OpenAPI" in the sense of an either/or, but rather: How does my agent reliably, securely and maintainably gain access to external functions? There are two schools of thought for this.

Classic function calling with OpenAPI. You describe your functions as a tool schema (name, parameters, types, description) and pass this schema directly to the model in the API call. The schema is often generated from an existing OpenAPI specification, that is, from the machine-readable description of a REST interface. The model decides which function is called with which arguments; your code executes the actual HTTP request and returns the result. This is direct, transparent and requires no additional infrastructure.

MCP - Model Context Protocol. Anthropic introduced MCP on 25 November 2024 as an open standard for connecting AI applications with external systems - file systems, databases, business systems, dev tools. Technically, MCP is based on JSON-RPC 2.0 over several transports: stdio for local servers, originally Server-Sent Events and, since the spec revision of April 2025, Streamable HTTP. The same revision added OAuth 2.1 support, JSON-RPC batching and tool annotations. The November 2025 spec brought asynchronous operations, statelessness and server identity (all figures as of 2026). Instead of hard-coding the tool schema into the agent, an MCP client asks the server at runtime: "Which tools, resources and prompts do you have?"

The difference sounds small but is structural: OpenAPI/function calling binds tools statically into the client, whereas MCP decouples tools as a reusable server from the client.

The five decision dimensions

1. Discovery - static vs. dynamic

With pure function calling, the agent only knows the tools you provide it at call time. If a tool is added, you change code. With MCP, the client queries the capabilities at runtime - new tools on the server are available without any code change. This is the eponymous advantage of MCP for "many, changing tools".

2. Statefulness

OpenAPI calls are by definition stateless HTTP requests. MCP sessions were originally stateful (an open connection with context), but since the November 2025 spec they explicitly also support stateless operation - important for horizontal scaling and serverless deployments.

3. Standardisation and ecosystem

This is where MCP's strongest argument lies. OpenAI adopted MCP in March 2025, Google DeepMind in April 2025, alongside Microsoft Copilot Studio, Cursor, Zed, Windsurf, Replit, Sourcegraph, Block and dozens more. The SDKs report 97M+ monthly downloads across Python and TypeScript; Anthropic's Claude ships with a directory of 75+ official MCP connectors. On 9 December 2025, Anthropic donated MCP to the newly founded Agentic AI Foundation (AAIF) under the Linux Foundation - with Block and OpenAI as co-founders and platinum support from AWS, Bloomberg, Cloudflare, Google and Microsoft. MCP is therefore no longer a vendor standard but industry consensus. OpenAPI is likewise an established, broadly supported standard - but it describes HTTP APIs in general, not the agent-specific tool-use protocol.

4. Effort

Function calling via OpenAPI has the lower initial effort: no server, no transport layer, no auth layer for MCP. MCP requires you to build or operate a server - but it pays off as soon as more than one client uses the same tool. In the DACH mid-market, the rule of thumb for 2026 is: use the vendors' standard MCP servers, plus a small set of your own MCP servers for proprietary internal APIs.

5. Tool use vs. agent-to-agent

Important for the distinction: MCP is the standard for agent-to-tool. For genuine collaboration between agents there is A2A (Agent2Agent, Google 04/2025, Linux Foundation 06/2025). The official line from Google, Salesforce, Microsoft and IBM is: "MCP is for capabilities (agent-to-tool), A2A for collaboration (agent-to-agent)." Microsoft's own guidance is explicit: "Use MCP for tool and data access. Use Linux Foundation A2A for cross-platform agent-to-agent messaging." You can indeed expose an agent as an MCP "server" with tool-shaped capabilities - that works, but it is not the design goal of MCP.

Comparison table: MCP vs. OpenAPI/function calling

Criterion

OpenAPI / function calling

MCP (Model Context Protocol)

Primary purpose

REST API description, tools embedded directly into the model

Standardised agent-to-tool connectivity

Tool discovery

Static (schema fixed in the client)

Dynamic at runtime

Transport

HTTP/REST

JSON-RPC 2.0 over stdio + Streamable HTTP (as of 2026)

State

Stateless (request/response)

Stateful or stateless (since the Nov 2025 spec)

Reuse across clients

Has to be re-integrated per client

Build the server once, many clients (Claude, Copilot Studio, n8n, LangGraph)

Auth

Freely selectable (often API key/OAuth)

OAuth 2.1 (since the April 2025 spec)

Initial effort

Low

Medium (build/operate a server)

Ecosystem

Broad (REST in general)

Industry-wide for agents; AAIF/Linux Foundation since 12/2025

Security maturity

Proven, well-understood REST risks

New attack surface (tool/full-schema poisoning), operator responsibility

Ideal for

1 agent, stable tool set, one consumer

Many clients, growing/changing tool set

Concrete example: SEO audit agent

Suppose an agency builds internal tools around SEO: a crawler, a keyword database, a CMS and a reporting function.

Scenario A - a single agent, OpenAPI is enough. There is exactly one audit agent that calls four stable REST endpoints. You generate the four tool schemas from the existing OpenAPI specs, embed them directly - done. No server operation, minimal effort. If you introduced MCP here, you would pay for server infrastructure with no return.

Scenario B - productised tools, MCP wins. The agency now operates several agents (audit agent, on-page agent, newsletter pipeline) and customers should be able to call the keyword research from their own stacks (such as Copilot Studio or n8n). Instead of maintaining the keyword schema anew in every client, you build one MCP server "SEO keyword research" and a shared MCP server library across all products. Pseudocode:

```
keyword_server = MCPServer("seo-keyword-research")
keyword_server.tool("get_keyword_volume", schema=...)
keyword_server.tool("get_serp_overview", schema=...)

Every client (Claude, n8n, LangGraph) connects and

discovers both tools via dynamic discovery at runtime.

```

A new tool on the server is immediately available to all clients - without any code change in the agents. It is precisely this reusability lever that is the strongest MCP argument in 2026. In a realistic mid-market project, the budget envelope for the first year of a multi-agent programme, depending on the number of in-house MCP servers, is around EUR 150k-500k, with the upper end driven mainly by custom MCP servers across multiple internal systems (as of 2026).

Decision guide in three questions

  1. How many clients use the tool? One -> OpenAPI/function calling. Several -> MCP.
  2. How stable is the tool set? Stable and small -> OpenAPI. Growing or changing -> MCP (dynamic discovery).
  3. Is it about tools or agent cooperation? Tools/data -> MCP. Genuine agent-to-agent collaboration across platform boundaries -> A2A (do not repurpose MCP).

An important reality check from practice: for DACH mid-market projects, it holds that you "will write or consume MCP servers, whether you planned to or not" - SAP Joule Studio 2.0, Microsoft 365 Copilot, Copilot Studio, Salesforce Agentforce, n8n and LangGraph all speak MCP. The decision is therefore often less "whether MCP" than "where MCP first".

Do not underestimate security

MCP's openness has a downside. In 2025, several attack classes were documented: indirect prompt injection via MCP server descriptions, tool poisoning (Invariant Labs WhatsApp PoC, March 2025), look-alike server squatting and CyberArk's full-schema poisoning (every part of a tool schema is an injection vector, not just the description). The cause is MCP's "optimistic trust model". Securing it is the operator's responsibility: sandboxing, scope-limited tokens, OAuth 2.1 scopes, least privilege - and no autonomous installation of MCP servers from untrusted registries. Classic OpenAPI integrations have the advantage here of proven, well-understood REST security models.

For agencies and B2B decision-makers

If you are starting a self-contained pilot project with one agent and a few stable APIs, begin lean with OpenAPI/function calling - this lowers the time to value. As soon as you want to productise several agents or reuse tools across customer systems, MCP is the strategically correct investment: one server, many clients. For agencies this is a concrete product lever - your own vertical MCP servers (SEO, CMS, newsletter) plus A2A AgentCards make your services directly callable from your customers' Salesforce, Joule or Copilot Studio estates. Blck Alpaca supports DACH companies with exactly this architectural decision - from tool connectivity via MCP to secure, governance-compliant multi-agent orchestration.

FAQ

Is MCP a replacement for OpenAPI?
No. OpenAPI describes an HTTP/REST interface, MCP is a protocol for connecting tools to AI agents via JSON-RPC 2.0. In practice you combine the two: an MCP server often wraps exactly those REST APIs that are documented via OpenAPI and makes them agent-ready. MuleSoft, for example, is used at Salesforce as an MCP wrapper for non-MCP APIs.
When is classic function calling with OpenAPI enough?
When a single agent needs a manageable, stable set of tools (around three to ten) and you are the only consumer. In that case, embedding the tool schemas directly is the fastest route without additional server infrastructure. As soon as several clients use the same tools or the tool set changes frequently, the switch to MCP pays off.
What does dynamic tool discovery mean in MCP?
An MCP client asks the server at runtime which tools, resources and prompts are available, instead of hard-coding them. New tools on the server become available to the agent without any code change. With pure OpenAPI function calling, by contrast, you have to manually update the tool schema in the agent with every change.
Is MCP stateful or stateless?
MCP uses JSON-RPC 2.0 over several transports (stdio locally, Streamable HTTP since April 2025). Originally a session was stateful. The November 2025 spec version explicitly added statelessness, asynchronous operations and server identity, so that MCP servers can also be operated statelessly and scaled horizontally (as of 2026).
What about the security of MCP?
MCP exposed several documented risks in 2025: indirect prompt injection via tool descriptions, tool poisoning (Invariant Labs WhatsApp PoC) and CyberArk's full-schema poisoning. The cause is the optimistic trust model. Securing it is the operator's responsibility: sandboxing, OAuth 2.1 scopes, least privilege and no autonomous installation of MCP servers from untrusted registries.

Want to go deeper?

Get new analyses straight to your inbox – or see how we put this knowledge to work for companies.

Subscribe to newsletterOur services
PreviousMCP Security: Prompt Injection, Tool Poisoning and Permission ManagementNextCode Execution with MCP: Token Efficiency for Complex Agents