MCP apps explained: Why AI agents are forcing SaaS to become context engines

A week ago, Anthropic officially launched MCP Apps, and the AI industry largely missed the significance of what just happened. While tech Twitter debated prompt engineering techniques and model benchmarks, a fundamental shift in how we think about software took place.

MCP Apps aren't just another integration feature. They represent the inversion of how we've built software for the last two decades.

The question nobody asked

HubSpot's Dharmesh Shah recently posed a thought experiment that cuts to the heart of what's happening:

His answer: It would use the proven tools.

Yes, this seems obvious once stated, but the implications are profound.

As Dharmesh points out, if you have a 200+ IQ human join your team and you ask them to summarise sales in Europe last quarter, you don't want them to start "vibe coding" their own CRM. You want them to access the system of record, the tool that was specifically built for that purpose.

The same logic applies to AI agents. When an AI agent needs to know how many customers signed up last month, it shouldn't reason over reddit comments and internal emails to make its best guess. It should query the CRM and get the definitive answer.

Tool use was one of the biggest advancements in AI. Once we started giving AI access to tools, it became exponentially more effective.

But here's where it gets interesting: for AI agents to use existing software tools effectively, those tools need to expose themselves in agent-friendly ways.

When Anthropic launched Model Context Protocol in November 2024. The protocol was elegant in its simplicity, like a USB-C port for AI applications. Forward-looking companies immediately understood what this meant: they could build MCP servers to expose their tools, resources, and capabilities to AI agents.

Then came the extension: MCP Apps.

MCP Apps don't replace MCP servers, they enhance them. An MCP server is still the foundation that exposes your tools and data. But now, instead of returning only text or JSON, your MCP server can return interactive UI components.

What MCP apps actually change

Officially launched in late January 2026, with MCP apps, tools can now return interactive UI components instead of plain text.

Anthropic partnered with launch partners including Amplitude, Box, Canva, Clay, Figma, Hex, Monday, and Slack to demonstrate what this unlocks. The beauty is these aren’t AI generated approximations. They're the actual product interfaces, rendered as interactive components within Claude (or any other MCP-supporting AI client).

The product teams at these companies made deliberate choices about which data layers to expose. Amplitude focuses on their insights layer. Box emphasizes search and document preview. Each company is essentially asking: "What is the essence of our value when an AI agent is the interface?”

Layers in SaaS are being re-exposed

This is where Dharmesh's insight becomes critical for SaaS companies.

Nothing dramatically changes in the software. The CRM still manages customer data, enforces workflows, maintains data integrity. But the access pattern fundamentally shifts.

This is what companies are wrestling with as they build MCP Apps: What is the essence of our tool when an AI agent is the interface?

Looking at the launch partners' choices is instructive:

• Amplitude focuses on their insights layer, not raw event data, but the analysed insights that humans actually care about
• Box emphasises search and document preview, the finding and reviewing capabilities
• Slack surfaces conversation search and message drafting, the collaboration primitives
• Figma provides file discovery and preview, and the design assets

… and so on.

Each company made deliberate choices about which capabilities translate to agent-driven workflows. They're decomposing their products into:

1. Systems of record (the authoritative data)
2. Core capabilities (the proven tools Dharmesh talks about)
3. Agent-accessible interfaces (the MCP Apps components)

The hidden obstacle to becoming a “proven tool”

So if the future is AI agents using proven tools via MCP Apps, what does it actually take to expose your tool this way?

This is where the gap between vision and reality becomes brutally clear.

Everyone gets excited about the strategic positioning to become the default tool that AI agents choose in your category. The product discussions focus on the exciting stuff: Which capabilities should your MCP apps expose? How do you design interactive components that render beautifully in Claude or ChatGPT? What workflows translate best to agent-driven use?

Essentially, before you can build MCP Apps, you need a production-grade MCP server that involves a complete workflow, from creating the tools, to hosting the server, to authentication, to governance.

The fundamental infrastructure problem is: How do you let thousands of different AI agents access your MCP server securely on behalf of millions of users?

Building an MCP server

Let me walk through what it actually takes to build a production-grade MCP server:

1. Define your tools: Decide which capabilities to expose (search, create, update, analytics, etc.)
2. Build the MCP server: Implement the protocol, create tool definitions, handle requests
3. Host and deploy: Set up infrastructure, ensure reliability and performance
4. Implement authentication: Secure access for AI agents acting on behalf of users
5. Add governance: Audit logs, compliance, access controls, rate limiting

Most companies can handle steps 1-3, they're familiar engineering problems. Step 4 is where things get complicated, and it's what we'll focus on here because it's both critical and commonly underestimated.

So what is different about securing a remote MCP server?

Let me explain.

When your SaaS product is a traditional web application, authentication is well-understood. Users authenticate themselves with with credentials or SSO, sessions are maintained with cookies. Your security team has built robust integrations with Okta, Microsoft Entra ID, Google Workspace, and access control is based on user identity and roles.

Related read: How enterprise MCP works along with SSO and scoped auth

This model works perfectly because you control the client; it's your web app running in a browser. But when your product becomes an MCP server that AI agents access, everything changes: The client is no longer your web app. It's Claude Desktop. Or ChatGPT. Or VS Code. Or Cursor. Or hundreds of other AI tools you don't control.

Each of these MCP clients needs to:

1. Discover your MCP server automatically
2. Request access on behalf of a specific user
3. Get granted specific permissions
4. Received scoped access and tokens
5. Have those tokens validated on every request
6. Respect scope-based restrictions on which tools they can invoke

And your enterprise customers need:

1. Audit logs showing which AI agent accessed what data, when, and why
2. The ability to revoke access if a user leaves or if an AI tool is compromised
3. Integration with their existing identity providers (they won't accept a separate auth system)
4. Fine grained access control over broad permissions
5. Compliance with SOC 2, GDPR, HIPAA, or whatever regulations govern their industry

This is a fundamentally different authentication model than most SaaS companies have built and it's table stakes for enterprise adoption of your MCP server.

The market opportunity

Let me be blunt about what's happening: MCP Apps represent a massive market opportunity for companies that move fast.

But to capture this opportunity, you need to ship production-grade MCP servers first. And the companies that solve the authentication and authorization challenge quickly will have a significant first-mover advantage. Here’s where the “proven tools” thesis matters strategically: The companies with the best tools win in an agent-driven world.

Look at what’s happening already:

• Over 7500+ MCP servers are listed on PulseMCP registry
• Remote MCP servers (the kind enterprises deploy) are up nearly 4x since May 2025
• 50% of Fortune 500 companies are piloting MCP integrations as of mid-2025
• Major companies including Postman, Shopify, Hugging Face, ElevenLabs, Stripe, Intercom, Notion, Replit, and Sourcegraph have built MCP integrations

I strongly believe that the early movers in MCP Apps will establish themselves as the default tools in their category, because the network effects are powerful.

• Distribution advantage: Being available in Claude, ChatGPT, and every other MCP client means instant access to millions of AI-savvy users
• Reinforcement advantage: The more AI agents successfully use your tool, the more it becomes the "proven tool" for that use case
• Ecosystem advantage: Being a well-integrated MCP app means other tools build complementary integrations around you
• Data moat advantage: As AI agents use your tool more, you accumulate better understanding of how agents work, making your integrations even better

What this means for rapidly-scaling SaaS companies

If you're running a growth-stage B2B SaaS company, here's how to get started to capitalise on the MCP Apps opportunity:

1. Define what "proven tool" means for your category: Ask yourself, if an AI agent needs to accomplish tasks in your category, why would it choose your tool over alternatives?
2. Decompose your product into: Core authoritative data (what state you're the source of truth for), best-in-class capabilities (what actions you do better than anyone), and essential interfaces (what components AI agents actually need)
3. Build your MCP server foundation with the right security architecture: You can't skip to the exciting MCP Apps UI layer without first building a secure MCP server foundation. Start with a clear authentication strategy:
   1. If you have robust OAuth 2.1 infrastructure already, extend it to your MCP server
   2. If you don't, decide whether to build from scratch (4-6 month effort) or use a provider
   3. Do NOT launch with API keys or weak authentication, enterprise customers will reject it
4. Layer on MCP Apps interactive components strategically: Once your MCP server foundation is secure and working, you can enhance it with interactive UI components (MCP Apps).
5. Track how AI agents use your tool: This is the strategic move that builds long-term advantage. As you deploy your MCP server and watch how AI agents use it, start tracking: which tools get invoked most frequently, what sequences of actions solve specific problems, what agent requests fail or produce poor results, and, what human overrides or corrections occur.

This creates a powerful reinforcement loop: more agent usage → better agent interfaces → more agent preference → category dominance.

What we’re building at Scalekit

At Scalekit, we're all-in on the agentic future. We're building the authentication infrastructure layer that makes secure MCP deployments possible. We handle:

Inbound auth flow: MCP clients and users accessing your MCP servers

• Dynamic Client Registration with PKCE
• Client ID Metadata Documents (CIMD) support
• Scope and permission management

Outbound auth flow: Your AI agents connecting to external tools on behalf of users

• OAuth token management
• User consent flows
• Granular permission controls

We have 100+ customers who deployed secure remote MCP servers in hours instead of months. We've built the infrastructure so they can focus on building great AI experiences instead of auth plumbing. And we practice what we preach, we've built our own Scalekit MCP Server so developers can manage organisations, users, and authentication connections through natural language queries in their AI tools.

The bigger picture

Let me close with a prediction: In 12 months, we won't talk about "MCP Apps" as a separate category. We'll just talk about software. Every B2B SaaS product will have:

1. A web interface (for direct human use)
2. An API (for programmatic access)
3. An MCP server (for AI agent access)

The question is: Is your tool good enough to be the one they choose?