Official MCP TypeScript SDK
Official TypeScript SDK for Model Context Protocol clients and servers, with the production v1 `@modelcontextprotocol/sdk` package, active v2 server and client package work, Node.js, Bun, and Deno support, transports, OAuth helpers, tools, resources, prompts, examples, and API documentation.
Open the source and read safety notes before installing.
Safety notes
- The official TypeScript SDK is a protocol library; your MCP server's tool handlers, resources, prompts, transports, and auth logic determine the real risk.
- Treat every registered tool as a model-callable API endpoint and validate inputs, enforce permissions, bound side effects, and sanitize failures.
- HTTP and framework middleware deployments need host validation, authentication, TLS, request limits, logging policy, and abuse controls.
- The upstream main branch documents v2 pre-alpha work; use the production v1 package for stable deployments unless you intentionally accept alpha API churn.
Privacy notes
- MCP clients and servers built with the SDK may expose tool arguments, tool results, resource contents, prompt templates, OAuth state, errors, traces, and logs.
- Avoid returning secrets, private file contents, customer data, privileged paths, internal identifiers, or operational metadata through schemas, examples, errors, or logs.
- Document which MCP client, server, model provider, transport, middleware layer, and logging system can observe each request.
Prerequisites
- Node.js, Bun, or Deno runtime compatible with the SDK generation you choose.
- A decision between production v1 package usage and the upstream v2 alpha split-package track.
- A target MCP transport, such as stdio for local tools or Streamable HTTP for hosted servers.
- Authentication, authorization, and side-effect boundaries for any production MCP server.
Schema details
- Install type
- cli
- Troubleshooting
- No
- Scope
- Source repo
- Estimated setup
- 15 minutes
- Difficulty
- intermediate
- Pricing
- free
- Disclosure
- editorial
- Application category
- DeveloperApplication
- Operating system
- Cross-platform
Full copyable content
npm install @modelcontextprotocol/sdkAbout this resource
Overview
The official MCP TypeScript SDK is the Model Context Protocol project's TypeScript implementation for building MCP clients and servers. It is the highest-demand language SDK for many MCP developers because it maps directly to Node.js tooling, JavaScript/TypeScript agent stacks, and common web-service deployment paths.
As of 2026-06-18, the upstream README distinguishes two generations:
production users are directed to the v1 SDK package, while the main branch is
working on v2 pre-alpha split packages for server, client, and middleware use.
Package Tracks
| Track | Package Surface | Best Fit |
|---|---|---|
| v1 production | @modelcontextprotocol/sdk |
Stable MCP TypeScript client and server development |
| v2 alpha server | @modelcontextprotocol/server |
Testing the next server package generation |
| v2 alpha client | @modelcontextprotocol/client |
Testing the next client package generation |
| v2 middleware | @modelcontextprotocol/node, @modelcontextprotocol/express, @modelcontextprotocol/hono |
Wiring MCP HTTP transport into Node.js, Express, or Hono |
Quick Start
For production v1 usage, install the main SDK package:
npm install @modelcontextprotocol/sdk
For v2 alpha testing, follow the upstream README's split-package instructions for server, client, and optional middleware packages. Do not mix alpha package assumptions into production deployments without a migration plan.
MCP Fit
Choose the official TypeScript SDK when you need MCP support in a TypeScript or JavaScript application, local CLI, agent runtime, serverless service, hosted HTTP server, or developer tool. The SDK is especially relevant when your system already uses Node.js, Bun, Deno, Express, Hono, zod-compatible schemas, or npm package distribution.
The SDK provides protocol mechanics and examples, but it does not make a server safe by itself. Every tool, resource, prompt, transport, and auth callback still needs normal production review.
Use Cases
- Build an MCP server that exposes TypeScript tools, resources, and prompts.
- Build an MCP client or test harness in JavaScript or TypeScript.
- Add stdio MCP support to a local CLI or desktop integration.
- Wire Streamable HTTP MCP support into a hosted Node.js service.
- Prototype Express, Hono, or Node.js HTTP middleware integrations.
- Compare v1 production SDK behavior against the v2 alpha package split.
Source Review
Verified on 2026-06-18:
- The upstream repository identifies itself as the official TypeScript SDK for Model Context Protocol clients and servers.
- The README says the SDK runs on Node.js, Bun, and Deno.
- The README lists server libraries, client libraries, optional middleware packages, runnable examples, server docs, client docs, API docs, and MCP specification links.
- The README states that
maincontains v2 pre-alpha work and that v1 remains the recommended production version until v2 stabilizes. - The npm registry resolves
@modelcontextprotocol/sdkas the v1 package. - The README documents v2 alpha
@modelcontextprotocol/serverand@modelcontextprotocol/clientpackages.
Safety and Privacy
TypeScript MCP servers often run close to local files, developer credentials, internal services, and web APIs. Keep tool schemas narrow, validate all inputs, require authorization for sensitive actions, and return minimal error detail.
For hosted HTTP deployments, add host validation, authentication, transport security, request limits, audit logging, and retention rules before exposing an MCP endpoint outside local development.
Duplicate Check
Checked current content/mcp/, content/tools/, content/skills/, open pull
requests, and repository-wide content for modelcontextprotocol/typescript-sdk,
official MCP TypeScript SDK, Model Context Protocol TypeScript SDK,
@modelcontextprotocol/sdk, TypeScript MCP server SDK, TypeScript MCP client
SDK, MCP Node.js SDK, and MCP Streamable HTTP TypeScript. A guide cites the
TypeScript SDK for MCP auth context, but no dedicated official TypeScript SDK
entry, exact source URL duplicate, target file, or open duplicate PR was found.
Source citations
Add this badge to your README
Show that Official MCP TypeScript SDK is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.
[](https://heyclau.de/entry/tools/official-mcp-typescript-sdk)How it compares
Official MCP TypeScript SDK side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
| Field | Official MCP TypeScript SDK Official TypeScript SDK for Model Context Protocol clients and servers, with the production v1 `@modelcontextprotocol/sdk` package, active v2 server and client package work, Node.js, Bun, and Deno support, transports, OAuth helpers, tools, resources, prompts, examples, and API documentation. Open dossier | Official MCP Java SDK Official Java SDK for Model Context Protocol clients and servers, maintained in collaboration with Spring AI, with Java 17+ support, Maven artifacts, synchronous and asynchronous APIs, Reactive Streams, Project Reactor, JDK HttpClient, Servlet transport, JSON binding modules, and conformance tests. Open dossier | Official MCP Python SDK Official Python SDK for Model Context Protocol clients and servers, published as the `mcp` package on PyPI, with FastMCP server helpers, client support, tools, resources, prompts, stdio, SSE, Streamable HTTP, authentication, elicitation, sampling, logging, and standalone development tools. Open dossier | Official MCP Ruby SDK Official Ruby SDK for Model Context Protocol clients and servers, published as the `mcp` gem with JSON-RPC handling, tool, prompt, and resource registration, stdio and Streamable HTTP transports, Rack/Rails integration, roots, sampling, elicitation, logging, cancellation, pagination, and RubyGems metadata. Open dossier |
|---|---|---|---|---|
| Trust | ||||
| Install risk | Review first | Review first | Review first | Review first |
| Notes | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ |
| Category | tools | tools | tools | tools |
| Source | source-backed | source-backed | source-backed | source-backed |
| Author | Model Context Protocol | Model Context Protocol | Model Context Protocol | Model Context Protocol |
| Added | 2026-06-18 | 2026-06-18 | 2026-06-18 | 2026-06-18 |
| Platforms | CLI | CLI | CLI | CLI |
| Source repo | — | — | — | — |
| Safety notes | ✓The official TypeScript SDK is a protocol library; your MCP server's tool handlers, resources, prompts, transports, and auth logic determine the real risk. Treat every registered tool as a model-callable API endpoint and validate inputs, enforce permissions, bound side effects, and sanitize failures. HTTP and framework middleware deployments need host validation, authentication, TLS, request limits, logging policy, and abuse controls. The upstream main branch documents v2 pre-alpha work; use the production v1 package for stable deployments unless you intentionally accept alpha API churn. | ✓The official Java SDK is a protocol library; production risk comes from your MCP tools, resources, prompts, transports, authorization hooks, and framework integration. Validate tool inputs, enforce caller permissions, bound side effects, and avoid returning raw Java exceptions or internal stack details to MCP clients. Servlet, Spring, and remote transport deployments need authentication, TLS, request limits, observability policy, cancellation behavior, and abuse protection. Spring AI MCP security and annotation support may simplify integration, but application owners still need to review authorization, tenant boundaries, and data retention. | ✓The official Python SDK is a protocol library; risk comes from the tools, resources, prompts, transports, auth flows, and server process you build with it. Validate all tool inputs, enforce caller permissions, bound file and network access, and sanitize errors before returning them to an MCP client. HTTP, SSE, and ASGI deployments need authentication, TLS, CORS review, host/path routing controls, request limits, logging policy, and abuse protection. The upstream README says v2 is alpha; production projects should stay on the stable v1 line unless they intentionally pin and test a pre-release. | ✓The official Ruby SDK is a protocol library; risk comes from your registered tools, resources, prompts, transports, session handling, and framework integration. Validate tool arguments, enforce caller permissions, bound file and network access, and sanitize exceptions before returning MCP responses. The upstream README warns that Streamable HTTP session and SSE state are in memory by default; multi-process Rack/Rails deployments need stateless mode or sticky sessions. Rails controller integrations that create servers per request should review user context, tool selection, and request-specific authorization carefully. |
| Privacy notes | ✓MCP clients and servers built with the SDK may expose tool arguments, tool results, resource contents, prompt templates, OAuth state, errors, traces, and logs. Avoid returning secrets, private file contents, customer data, privileged paths, internal identifiers, or operational metadata through schemas, examples, errors, or logs. Document which MCP client, server, model provider, transport, middleware layer, and logging system can observe each request. | ✓Java MCP clients and servers may expose tool arguments, tool results, resource contents, prompt templates, request metadata, correlation IDs, logs, traces, and authorization context. Avoid leaking secrets, customer data, private resources, internal identifiers, stack traces, privileged paths, or token values through schemas, responses, errors, or logs. Document which MCP client, server process, Java framework, model provider, transport, and observability system can observe each request. | ✓MCP Python servers may expose local files, application data, tool arguments, tool results, resource contents, prompt templates, authentication state, logs, traces, and errors. Do not leak secrets, customer data, private paths, internal identifiers, token values, or privileged resource contents through schemas, examples, responses, or logs. Document which MCP client, model provider, server process, transport, ASGI layer, and observability system can observe each request. | ✓Ruby MCP clients and servers may expose tool arguments, tool results, resource contents, prompt templates, request context, session IDs, logs, progress events, exceptions, and filesystem roots. Avoid leaking secrets, customer data, private files, internal identifiers, stack traces, privileged paths, or session contents through schemas, responses, errors, or logs. Document which MCP client, Ruby process, Rack/Rails layer, session store, model provider, transport, and logging system can observe each request. |
| Prerequisites |
|
|
|
|
| Install | | | | |
| Config | — | — | — | — |
| Citations | ||||
| Claim | Unclaimed | Unclaimed | Unclaimed | Unclaimed |
Signals
Loading live community signals…
A short, calm digest of reviewed Claude resources. Unsubscribe any time.