Best MCP Servers in 2026: 15 We'd Use with Coding Agents
15 MCP servers we'd actually wire up to a coding agent in 2026. GitHub, Linear, Playwright, Context7, Stripe, and more, with use cases and caveats.

The Model Context Protocol turned the "every integration is bespoke" problem into a plug. Eighteen months after Anthropic shipped MCP, most serious coding agents speak it, and there are thousands of servers on public registries. Most aren't worth installing.
We run MCP in production inside Tembo every day, so this isn't a logo dump. We've narrowed the noise down to 15 servers we'd actually wire to a coding agent in 2026, with notes on what works and what doesn't. Want only five? We'll tell you which.
What Is an MCP Server?
An MCP server exposes external tools, resources, and prompts to an MCP client over a standard wire protocol. MCP itself is "an open-source standard for connecting AI applications to external systems," published by Anthropic in November 2024. Before MCP, every coding agent built one-off integrations for GitHub, Slack, your database, and your tracker. After MCP, AI models and tools speak one protocol, and any compliant server plugs in.
The architecture has three parts: a host (the agentic coding tool, like Claude Code or Cursor), an MCP client (one per server, inside the host), and the server itself, which holds the tools. They talk over JSON-RPC 2.0.
One wrinkle. The official spec lists two transports: stdio for local and Streamable HTTP for remote. Vendor docs (ours included) still list a third, server-sent events (SSE). SSE is now a streaming mode inside Streamable HTTP; legacy endpoints stick around for back-compat.
How We Picked the Best MCP Servers
Three filters:
- Real usage in coding-agent workflows. Not "AI for fun" servers. Tools you'd give Claude Code, Cursor, or Codex when shipping software.
- Maintained and current. Anthropic archived a chunk of its reference servers in 2025; we link to the fork or first-party replacement actually shipping.
- Security posture we can defend. OAuth or scoped tokens beat plaintext API keys for any MCP server. Read-only modes beat unbounded SQL.
We weighted "useful with a background agent" heavily, because MCP compounds when you can hand a long task to an agent and walk away.
The Best MCP Servers for Coding Agents in 2026
1. GitHub MCP Server
GitHub's first-party MCP server gives a coding agent direct access to your repos: browsing code, reading and writing issues, opening and reviewing pull requests, inspecting Actions runs, and pulling security findings. It's the only MCP we'd call mandatory for any agent that ships code.
Best for: any AI agent that opens or reviews pull requests. Non-negotiable for background coding agents.
Caveat: issue and pull request bodies are an active prompt-injection vector, so scope tokens tightly.
2. Filesystem MCP Server
Anthropic's reference server for local file reads, writes, and edits inside an allow-listed directory. It's useful for keeping a local agent within a single project root, but the maintainers themselves describe it as a reference implementation rather than a production security boundary.
Best for: local agents that need file operations inside a sandboxed project root.
Caveat: misconfigured allowed paths give an LLM full read and write access across your home directory.
3. Playwright MCP Server
Browser automation for agents, maintained by Microsoft as a first-party Playwright project. It operates on Playwright's accessibility tree instead of screenshots, which keeps it cheap and vision-model-free, so agents can drive a real browser without burning tokens on image input.
Best for: end-to-end test generation, scraping authenticated UIs, and verifying a deploy.
Caveat: prompt injection from a poisoned page can redirect the browser anywhere.
4. Context7 MCP Server
Anti-hallucination for code, built by Upstash. Context7 pulls version-specific docs and examples from source, so the agent stops inventing API signatures for fast-moving libraries.
Best for: agents writing against Next.js, Supabase, Cloudflare Workers, and similar libraries where training data cutoffs lie.
Caveat: low-risk read-only lookup, but you're sending prompts to a third party.
5. Linear MCP Server
Linear's first-party hosted server is the one we lean on most in our automation templates. Its toolset is rich enough to drive a ticket-to-PR loop end-to-end: find issues, create them, update them, and comment on them.
Best for: any agent that takes a project management ticket, ships code, and updates it.
Caveat: OAuth grants full workspace permissions, so treat tracker content as untrusted input.
6. Slack MCP Server
Where you tell an agent to talk back. Anthropic's reference was archived; the active community-maintained option is Zencoder's fork, and the toolset is straightforward: post messages, reply in threads, react, and read history.
Best for: notification triggers like changelogs, alerts, and pull request-opened pings.
Caveat: posted messages can't be unposted, and channel history is itself an injection surface.
7. Postgres MCP Server
Anthropic archived both the reference Postgres and SQLite servers. The current best replacement is Postgres MCP Pro by Crystal DBA, which adds index tuning, EXPLAIN plans, health checks, and a safe-SQL mode in the same server.
Best for: production AI agents that need data analysis or schema work against a real database, with a read-only mode you can actually trust.
Caveat: without read-only mode enabled, an agent has write access and can DROP or DELETE anything the connection string reaches.
8. Stripe MCP Server
Money-moving tools deserve paranoia, and Stripe's first-party server is built with that posture: permissions are gated by your Restricted API Key scopes, and the tool surface covers payment links, customers, products, refunds, invoices, and subscriptions.
Best for: agents triaging billing tickets, generating payment links, or scoping refunds.
Caveat: API key access equals the ability to move money. Use a Restricted API Key, never the full secret, and start in test mode.
9. Sentry MCP Server
Sentry's first-party server is available as a hosted OAuth endpoint or a self-hosted stdio variant for air-gapped setups. Sentry's own framing tells you the use case: "primarily designed for human-in-the-loop coding agents." Issue retrieval, event and issue search, trace inspection, and releases are all in scope.
Best for: wiring "production error to PR" automations that need full stack-trace context.
Caveat: the self-hosted variant requests broad workspace scopes.
10. Atlassian (Jira/Confluence) MCP Server
Atlassian's first-party server, branded Rovo MCP, covers Jira, Confluence, and Compass. Tools summarize and search across them, plus create and update issues and pages, with all actions respecting existing access controls.
Best for: Atlassian Cloud shops that need AI agents to read runbooks or open project management tickets.
Caveat: Cloud only. Jira Server and Data Center aren't supported, and Confluence pages remain an injection surface.
11. Notion MCP Server
Notion's first-party hosted server has a deep tool surface across pages, databases, comments, and natural language search. The 2.x line treats data sources as the primary abstraction, which makes it the right shape for grounding agents in a Notion-based knowledge base.
Best for: knowledge-base-grounded agents that sync Notion pages, look up runbooks, or summarize.
Caveat: Notion's own README warns "there is a non-zero risk to workspace data by exposing it to LLMs."
12. Firebase MCP Server
Google's first-party Firebase server, shipped inside firebase-tools and reusing the CLI's local credentials. Capabilities span Auth, Firestore CRUD, Cloud Messaging, Crashlytics, App Hosting deploys, Functions logs, and Remote Config.
Best for: Firebase-native teams who want their AI agent to deploy or query Firestore.
Caveat: the agent inherits your full Firebase CLI credentials, so point it at a non-prod project ID.
13. Brave Search MCP Server
Brave's first-party server, built on the Brave Search API, replaces the archived Anthropic reference. Tools cover web, local, video, image, news, and a summarizer, which is enough surface to ground an agent against live web data without spinning up a custom scraper.
Best for: research tasks and real-time web search.
Caveat: web search results are an injection surface, and sites can plant adversarial text in titles.
14. Memory / Knowledge Graph MCP Server
An Anthropic reference server providing persistent memory backed by a local JSON knowledge graph. It's useful for prototyping stateful behavior (entities, relations, observations, and a search interface), but it's built as a starting point, not a production memory layer.
Best for: stateful AI agents remembering facts across sessions, or prototyping memory patterns.
Caveat: the JSON file is the trust boundary, and adversarial inputs can poison memory across sessions.
15. Tembo MCP Server
Quick disclosure: this one is us. Our MCP server exposes Tembo's core orchestration primitives for task management: create sub-issues, send Slack messages, and list and filter tasks. It runs over stdio and ships in every workspace.
Tembo MCP doesn't replace the servers above; it sits alongside them and bundles the rest. The built-in trio (Tembo MCP, Playwright MCP, Context7 MCP) ships pre-configured. Integration MCPs for GitHub, Linear, and Notion light up automatically when you connect the matching integration, and the rest of the supported stack (GitLab, Bitbucket, Jira, Sentry, Slack, PostgreSQL, AWS, Supabase, Raycast) is wired up through native UI connectors so engineers don't end up babysitting a stack of MCP JSON files. Custom MCPs over stdio, HTTP, or SSE drop in from settings.
Best for: teams who'd rather click "Connect Linear" once than have every engineer wire the same five servers by hand.
MCP Servers by Use Case
Different jobs need different MCPs. The table below maps common workflows to the servers we'd pair, with agent orchestration in mind for the multi-server cases.
| Use case | Top picks | Why |
|---|---|---|
| Coding agent in your IDE | GitHub, Filesystem, Context7, Playwright | Read repo, edit files, ground against current docs, verify via browser automation. |
| Background ticket-to-PR | Linear or Atlassian, GitHub, Slack | Pull the project management ticket, branch, ship a PR, post the result. |
| RAG / docs-grounded agents | Notion, Context7, Brave Search | Internal knowledge plus version-pinned external docs plus web fallback. |
| DevOps / production triage | Sentry, Postgres MCP Pro, Slack | Triage error, query DB safely, alert humans. |
| Database-heavy work | Postgres MCP Pro, GitHub | Index tuning and EXPLAIN inside the same loop that writes migrations. |
| Payments and revenue ops | Stripe (test mode, RAKs only), Slack | Generate links, scope refunds, log everything. |
Install five: GitHub, Filesystem (or your agent's built-in equivalent), Playwright, Context7, and whichever tracker your team uses. That covers most coding-agent work without expanding your blast radius.
Official vs. Community MCP Servers: What's the Difference?
The most under-discussed thing about MCP in 2026: "official" is doing a lot of unearned work.
What Anthropic actually maintains as official servers is short. The active reference set in modelcontextprotocol/servers is: Everything (test), Fetch, Filesystem, Git, Memory, Sequential Thinking, and Time. The repo describes them as "reference implementations to demonstrate MCP features and SDK usage… not as production-ready solutions."
Almost every popular MCP server people call "official" has been archived. The archived list includes GitHub, Slack, PostgreSQL, SQLite, Sentry, Brave Search, GitLab, Google Drive, Puppeteer, and Redis. Most were replaced by first-party vendor builds (GitHub by GitHub, Sentry by Sentry) or community forks (Slack by Zencoder, Postgres by Crystal DBA).
So "official GitHub MCP" usually means the first-party server GitHub ships at api.githubcopilot.com/mcp/, not the archived Anthropic one. Both work; only one is maintained, so prefer first-party vendor servers when they exist. For the broader MCP ecosystem of niche cases vendors haven't covered, reach for punkpeye/awesome-mcp-servers.
Security and Trust Considerations
MCP gives an LLM a hand, and the trust model has to keep up.
Prompt injection from MCP server outputs. Any tool result containing user-authored text (issue bodies, Slack messages, Confluence pages, scraped web content) can include natural-language instructions that the LLM treats as commands. Docker's MCP Horror Stories: The GitHub Prompt Injection Data Heist walks through a real attack where a poisoned issue body coerced an agent into exfiltrating private repo data. Treat tool outputs as untrusted input. The OWASP MCP Security Cheat Sheet catalogs the patterns.
OAuth scopes and blast radius. Remote MCP servers (Linear, Atlassian, Notion, GitHub, Stripe) request workspace-scoped OAuth tokens, and a compromised host means full workspace access. Use the smallest scope that works, and for Stripe, never the full secret key.
Filesystem permissions. The reference Filesystem server is only as safe as its allowed-directories list. The common foot-gun: setting --allowed-directories to / "just for testing."
Supply chain via npx and uvx. Running npx -y @somepackage/mcp fetches and executes whatever's published, every launch. CVE-2025-6514 in the mcp-remote package is the canonical incident. Pin versions, audit packages, and prefer hosted remote MCPs when the vendor offers them.
LLM intent vs. action. Red Hat's security write-up puts it cleanly: even when a user doesn't intend a destructive action, an LLM with tools may decide it's appropriate. The guardrail is at the tool boundary, not at the prompt.
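One way to put the guardrail at the tool boundary, as an added example rather than code from this article or any MCP project: a filter between the host's MCP client and a server that inspects each JSON-RPC 2.0 `tools/call` request before forwarding it. The policy, the tool names, the `owner`/`repo` argument names and the repository are assumptions made for the sketch.

```python
import json

# Hypothetical policy for one agent; tool names, argument names and the
# repository are constructed for this example.
POLICY = {
    "allowed_tools": {"get_issue", "list_pull_requests", "create_pull_request"},
    "needs_approval": {"create_pull_request"},
    "allowed_repos": {"acme/api"},
}
POLICY_DENIED = -32000  # JSON-RPC 2.0 keeps -32000..-32099 for implementation-defined errors


def deny_reason(tool, arguments, approved):
    """Return why a tools/call must be blocked, or None if it may proceed."""
    if tool not in POLICY["allowed_tools"]:
        return f"tool {tool!r} is not on this agent's allow-list"
    repo = f"{arguments.get('owner')}/{arguments.get('repo')}"
    if repo not in POLICY["allowed_repos"]:
        return f"repository {repo!r} is outside this agent's scope"
    if tool in POLICY["needs_approval"] and not approved:
        return f"tool {tool!r} needs human approval"
    return None


def guard(raw, approved=False):
    """Inspect one client-to-server JSON-RPC message.

    Returns (True, None) to forward it, or (False, error_response) to answer
    the client directly without the server ever seeing the call.
    """
    msg = json.loads(raw)
    if msg.get("method") != "tools/call":
        return True, None  # initialize, tools/list, notifications: not an action
    params = msg.get("params") or {}
    reason = deny_reason(params.get("name"), params.get("arguments") or {}, approved)
    if reason is None:
        return True, None
    return False, {"jsonrpc": "2.0", "id": msg.get("id"),
                   "error": {"code": POLICY_DENIED, "message": reason}}


def call(msg_id, tool, **arguments):
    """Build a constructed tools/call request as the host's MCP client would send it."""
    return json.dumps({"jsonrpc": "2.0", "id": msg_id, "method": "tools/call",
                       "params": {"name": tool, "arguments": arguments}})


if __name__ == "__main__":
    for raw in (call(1, "get_issue", owner="acme", repo="api", issue_number=7),
                call(2, "get_issue", owner="acme", repo="payroll", issue_number=1),
                call(3, "delete_file", owner="acme", repo="api", path="README.md"),
                call(4, "create_pull_request", owner="acme", repo="api", title="fix")):
        print(guard(raw))
```

Because the decision depends only on the request, a poisoned issue body that talks the model into calling an out-of-scope tool still gets an error back instead of an action.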
First-party-hosted remotes are the safer default when you trust the vendor and want to avoid executing packages locally. Reach for local/self-hosted only when data-boundary control beats the convenience of a hosted endpoint.
How to Install and Configure an MCP Server
Most MCP clients use the same JSON shape. For GitHub, the first-party hosted server at https://api.githubcopilot.com/mcp/ is the current canonical path; the stdio config below is shown as a fallback for environments that need local execution. Here's the Claude Desktop config for the GitHub MCP server, dropped into claude_desktop_config.json:

```json
{
  "mcpServers": {
    "github": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-github"],
      "env": {
        "GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_..."
      }
    }
  }
}
```
That's the local stdio path using the legacy reference package. For the current first-party server, point at the remote endpoint and let OAuth handle auth. Cursor, VS Code, and Claude Code consume a near-identical config.
Three rules that save pain later:
- Use environment variables for tokens and API keys. Don't hardcode ghp_... into a file you commit.
- Test locally before wiring an agent up. Run with the MCP inspector, exercise the MCP tools by hand, then hand the keys to the LLM.
- Document which MCPs each agent has. When something breaks at 2 a.m., you want a one-line answer to "what could this thing reach?"
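An added example (not Tembo's or any vendor's tooling) that checks a config in the `mcpServers` shape above for three problems this article names: unpinned `npx`/`uvx` packages, tokens written inline, and a filesystem root of `/`. It also builds the per-server inventory from the third rule. The `@example/*` packages, the token value and the assumption that the client expands `${VAR}` references are constructed for the sketch.

```python
import json
import re

# Constructed config in the mcpServers shape shown above. The @example/*
# packages, their versions and the token value are made up for this sketch.
SAMPLE_CONFIG = json.loads("""
{"mcpServers": {
  "github": {"command": "npx",
             "args": ["-y", "@modelcontextprotocol/server-github"],
             "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_CONSTRUCTED_NOT_A_REAL_TOKEN"}},
  "docs":   {"command": "npx",
             "args": ["-y", "@example/docs-mcp@1.4.2"],
             "env": {"DOCS_API_KEY": "${DOCS_API_KEY}"}},
  "files":  {"command": "npx",
             "args": ["-y", "@example/fs-mcp@0.9.0", "/"]}
}}
""")

LAUNCHERS = {"npx", "uvx"}                      # fetch and run a package at launch
SECRET_NAME = re.compile(r"TOKEN|SECRET|KEY|PASSWORD", re.I)
ENV_REFERENCE = re.compile(r"^\$\{[^}]+\}$")    # assumes the client expands ${VAR}
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+$")
BROAD_ROOTS = {"/", "~", "$HOME"}


def package_spec(args):
    """The first non-flag argument to npx/uvx names the package to run."""
    return next((a for a in args if not a.startswith("-")), None)


def is_pinned(spec):
    """True for name@1.2.3, @scope/name@1.2.3 or name==1.2.3; tags and ranges fail."""
    name, _, version = spec.rpartition("==" if "==" in spec else "@")
    return bool(name) and bool(EXACT_VERSION.match(version))


def audit(config):
    """Return (server, finding, detail) tuples for the three checks."""
    findings = []
    for name, server in config.get("mcpServers", {}).items():
        args, env = server.get("args", []), server.get("env", {})
        spec = package_spec(args) if server.get("command") in LAUNCHERS else None
        if spec and not is_pinned(spec):
            findings.append((name, "unpinned-package", spec))
        for key, value in env.items():
            if SECRET_NAME.search(key) and not ENV_REFERENCE.match(value):
                findings.append((name, "inline-secret", key))
        for root in BROAD_ROOTS.intersection(args):
            findings.append((name, "broad-filesystem-root", root))
    return findings


def inventory(config):
    """One line per server: the answer to 'what could this thing reach?'"""
    return [f"{n}: {s.get('command') or s.get('url')} {' '.join(s.get('args', []))}".rstrip()
            for n, s in config.get("mcpServers", {}).items()]
```

Run `audit()` in review or CI against every checked-in config so drift across laptops shows up as findings instead of at 2 a.m.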
Running MCP Servers at Team Scale
A coding agent with five MCP servers on a single engineer's laptop reduces context switching across tools. The same setup, fifty engineers later, is configuration drift, context switching across configs, and an audit headache. Each developer ends up with subtly different MCP versions, scopes, and tokens scattered across claude_desktop_config.json files nobody is reviewing.
Our take: the Model Context Protocol belongs at the workspace layer, not on the laptop, and most of the wiring should be handled via a UI click rather than a JSON file. That's the bet we built Tembo around. Every workspace ships our Tembo MCP server, Playwright MCP server, and Context7 MCP server (for semantic search and cross-file context) pre-configured over stdio. Integration MCPs for GitHub, Linear, and Notion light up automatically when the matching integration is connected, and the rest of the supported stack (GitLab, Bitbucket, Jira, Sentry, Slack, PostgreSQL, AWS, Supabase, Raycast) is wired up the same way: connect once in the UI, and the agent can use it. We support stdio, HTTP, and SSE for any custom MCP you want to drop in on top. Each agent runs in an isolated sandbox, so a compromised tool can't reach your laptop. Engineers connect GitHub, connect Linear, dispatch work, and get pull requests back. Self-host in your own VPC if your security team needs it inside the perimeter.
Wrap-Up
MCP isn't shiny anymore. By 2026, it's just the default integration layer for AI tools and coding agents. Nobody is still asking "Should we use MCP?" Everyone does. What teams actually argue about now is which servers belong on the boring, stable list everyone converges on. The 15 above are ours.
Want bundling, native UI connectors instead of a fleet of MCP configs, an audit trail, and a sandbox you can defend? Try Tembo free and dispatch your first agent against your repos.
FAQ
What is the best MCP server? For coding agents and AI assistants, the GitHub MCP server is the one nobody can skip. Pair it with Filesystem, Playwright, Context7, and your tracker (Linear or Atlassian), and you've covered most workflows.
How do I install MCP servers in Cursor or Claude Code? Cursor reads MCP server configs from its settings UI; Claude Code uses ~/.claude.json (or claude_desktop_config.json for the desktop app). The JSON shape is the one shown above.
Are MCP servers safe? Safer than ad-hoc shell scripts, riskier than nothing at all. Prompt injection, supply chain via npx, and overbroad OAuth scopes are the three live risks, and first-party-hosted servers with OAuth are the safer default.
How many MCP servers can I run at once? No hard cap, but every server is more tools, more tokens in the context, and more attack surface. Five well-chosen MCPs beat fifteen redundant ones.
What's the difference between official and community MCP servers? "Official" usually means an Anthropic-maintained reference server (Filesystem, Memory, Git, Fetch, Time, Sequential Thinking, Everything) or a first-party vendor build. Many "official" names are first-party builds that replaced archived Anthropic references.