This feels like less of a hack and more of discovering what some of the HTTP headers are for. You’re choosing rather reasonably how to present the resource found at /mcp when a client is asking for the resource to be presented in HTML format. It’s perfectly fine to offer an HTML response that says “hey this is not really presentable in HTML. Do this instead.”
"Sorry, you have been blocked
You are unable to access hybridlogic.co.uk
Why have I been blocked?
This website is using a security service to protect itself from online attacks. The action you just performed triggered the security solution. There are several actions that could trigger this block including submitting a certain word or phrase, a SQL command or malformed data."
The specification still leaves a lot to be desired, especially as it relates to auth. There are lots of bad ways to do auth with MCP and only a couple of good ways. It also puts a lot of pressure on the various IdP vendors and relies on lesser used areas of OAuth 2.0/2.1 (like DCR, token exchange, etc.). It started out in a place where the assumption was you were running an MCP Server on a laptop or you were a SaaS provider serving lots of individual users -- somehow DCR in the initial spec iteration seemed like a good idea (spoiler: it wasn't) and fortunately, the latest revision has somewhat addressed that. XAA/ID-JAG & CIMD should continue to round-out some client management and auth solutions for the enterprise.
Gateways are another area that needs to be addressed in the spec. There isn't a formal definition of one in the spec, and yet, there are lots of "gateways" out there. What a gateway is and what it should do is an open question and it means different things to different people depending on who you ask. For example, who does token exchange: the MCP server or the MCP gateway? Both are valid answers right now depending on the implementation or your opinion of which is best.
More spec iterations should be coming this year. I'm still pretty optimistic about MCP as a whole, as it remains a good way to standardize tool calls across agents and some of the other entities that it provides like resources and prompts are genuinely useful to add more determinism to an agent. Interceptors and skills will be good, too.
If you're interested in helping to evolve the spec further, the MCP Contributors Discord is active. There are lots of IGs/WGs that solicit feedback and you can participate in meetings with your feedback.
I have also been finding the MCP auth story to be really lacking was excited to see OAuth 2 support until I tried to get it to work at work and realized our idp implementation didn't support 2.1, and went into the spec and started wondering if anyone had a good experience yet. Luckily most of our environment can settle on a OAuth token env var standard until that's all in order.
I think this probably also helps when truly clueless users drop the link into an agent directly, because then the agent will relay the message to the user.
Is this not the intended use of request headers?
I once worked for $COMPANY and we had a network scanning application. Always generated a lot of tickets from angry people wanting to scream about bots.
So we put a web page page on each worker that would inherit some details from whatever job was running, and say “I’m a $TYPE_OF_SCANNER FROM $COMPANY doing $THING_THAT_BENEFITS_YOU.
This behavior is covered by our terms of service page at $LINK.
If you believe that we should not be doing this, please contact $SUPPORT and provide this code:
$SCAN_JOB_IDENTIFIER”
Call volume and unhappy customers went way down.
You can still keep using Rest API with swagger docs and tell the AI to read the swagger docs. It's the same thing. The entire Rest API specification is a lot more flexible than the JSON RPC format /mcp uses.
Personally, for just tools, I wire up tool calls with context captured via system prompt.
In fact, this is how Kubernetes APIs work. Even the CLI asks YAML or JSON content type when `-o yaml` or `-o json` is specified.
Also, some other sites (albeit sometimes looking at the User-Agent header, hence more hacky) also doing the same. For example `ipinfo.io` returns HTML page when opened in a browser but a JSON (prettified) when requested via cURL.
Can I just say that anybody involved with MCP's launch should be ashamed of what they put out there. I understand tool calling. I understand specs. I read MCP's "spec" and I used useless word salad that alternates between baby's first wire format and pie-in-the-sky marketing speak. Several of the navigation links I encountered were broken.
Poorly thought out, poorly communicated, but it's the only thing out there that 1) meets the need, and 2) published by people with a huge amount of reach. Right place, right time, shit effort. So it gets adoption. Like the history of PCs, of the internet, or everything, I guess. Worse truly is better.
https://github.com/modelcontextprotocol/modelcontextprotocol...
CLIs are working better with current harnesses in my experience, but no idea how I would ship them.
some folks go to the trouble of publishing with `brew`
then there's the old `curl -LsSf https://example.com/install.sh | sh`
For example, is a typical Google Drive user expected to install an official google drive CLI and a skill md file just to interact with Google Drive in the chatgpt app? That seems absurd, IMO. Clicking “install” via an MCP / Plugin marketplace and then logging in via Oauth is less confusing.
MCP is also way more convenient (as a user) if i’m interacting with an API that supports oauth anyway. I don’t need to generate an api key, install a binary, create an md file, etc. CLIs and skills are great too! But not always the best choice.
note: cli tools do auth too — gh and claude code itself have some of the nicest auth flows i've experienced
I like their solution. It feels like because remote MCP servers are built on HTTP that they are actually using the spec as intended. Serving html when asked for it.
Isn't this literally against the entire point of MCP
