mm.tech
architecture · 4 min

Stdio vs HTTP for MCP

Transport choice changes everything. Latency, security model, deployment story. A practical decision tree.

MCP supports two transports: stdio (stdin/stdout pipes between processes) and HTTP+SSE (server-sent events over HTTP). They look interchangeable in the spec. They are not.

Stdio: the MCP server is a subprocess of the agent (Claude Desktop, Claude Code, Cursor). The agent spawns it, pipes JSON-RPC over stdin/stdout, and kills it on exit. Latency is sub-millisecond. Authentication is implicit: the user already has process access, so nothing on the pipe checks a credential. Deployment is "ship a binary or an npm package, the user runs npx".

HTTP+SSE: the MCP server is a long-running web service. The agent connects via HTTPS, opens an SSE stream, and sends JSON-RPC requests over POST. Latency is whatever your network gives you, plus the TLS handshake. Authentication is OAuth 2.1 with PKCE or bearer tokens. Deployment is "host the server somewhere, manage the cert, manage the auth".

Pick stdio when: the user runs the agent locally, the data is local, you don't need multi-tenancy, you want zero-config UX. Pick HTTP when: you have multi-tenant data on a server, you need OAuth, you need to expose the same MCP server to many users, you need to update the server without users updating their npm package.

Real example. local-memory-mcp is stdio: the SQLite file lives on the user's disk, no server is needed, npx and you are running. studiomeyer-memory is the HTTP version of the same thing: multi-tenant, OAuth, hosted at memory.studiomeyer.io. The interface is similar but the deployment story is completely different.

The trap I fell into: building HTTP-only when stdio would have shipped in a day. mcp-personal-suite started as HTTP because I was thinking "SaaS". Wrong. The thing wraps your local email and calendar. It needs to be local. I rewrote it as stdio, threw away the SaaS scaffolding, shipped two weeks faster.

Decision tree: is the data local to the user? Stdio. Does the user run the agent locally? Probably stdio. Do you need to update the server without users acting? HTTP. Do you have multi-tenant data on your servers? HTTP. Do you need both? Build the stdio version first, the HTTP version second, share the core logic.
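
The "share the core logic" advice and the two authentication models described above, as an added sketch (not code from this post or from any of the projects it names). The `whoami` method, the token table and the function names are hypothetical; the HTTP side is reduced to a function taking a plain header dict and a body, with no SSE stream or OAuth flow.

```python
import hmac
import json

# Constructed token table for the HTTP side: bearer token -> tenant id.
TOKENS = {"tok-alice-constructed": "tenant-alice"}

def handle(request, principal):
    """Transport-independent core: one JSON-RPC request in, one response out."""
    if not isinstance(request, dict):
        return {"jsonrpc": "2.0", "id": None, "error": {"code": -32600, "message": "Invalid Request"}}
    base = {"jsonrpc": "2.0", "id": request.get("id")}
    if request.get("method") == "whoami":  # hypothetical method for the demo
        return {**base, "result": {"principal": principal}}
    return {**base, "error": {"code": -32601, "message": "Method not found"}}

def serve_stdio(stdin, stdout, local_user):
    """Stdio adapter: newline-delimited JSON-RPC with no credential check.
    Whoever spawned the process is the caller, so the principal is the OS user."""
    for line in stdin:
        if not line.strip():
            continue
        try:
            response = handle(json.loads(line), local_user)
        except json.JSONDecodeError:
            response = {"jsonrpc": "2.0", "id": None,
                        "error": {"code": -32700, "message": "Parse error"}}
        stdout.write(json.dumps(response) + "\n")
        stdout.flush()

def serve_http_post(headers, body):
    """HTTP adapter: authenticate every POST before the core sees it.
    Returns (status_code, response_body)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    tenant = None
    for known, owner in TOKENS.items():
        # Constant-time comparison so response timing does not leak token bytes.
        if scheme == "Bearer" and hmac.compare_digest(known.encode(), token.encode()):
            tenant = owner
    if tenant is None:
        return 401, json.dumps({"error": "unauthorized"})
    try:
        return 200, json.dumps(handle(json.loads(body), tenant))
    except json.JSONDecodeError:
        return 400, json.dumps({"error": "bad request"})

if __name__ == "__main__":
    req = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "whoami"})
    print(serve_http_post({}, req))
    print(serve_http_post({"Authorization": "Bearer tok-alice-constructed"}, req))
```

The core never sees a credential: on stdio the principal comes from the process owner, on HTTP it comes from the token, which is why the multi-tenant case needs the second adapter.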