When to Lead with MCP vs API for Integrations: A Practical Perspective

The SaaS landscape is evolving so fast that it offers more opportunities for developers than anyone could possibly tackle in a lifetime. One of the key decisions developers will increasingly be grappling with when building integrations is whether to lead with Model Control Planes (MCPs) or stick with traditional Application Programming Interfaces (APIs). While APIs remain the tried-and-true, most governed standard, MCPs offer a promising alternative that streamlines AI-driven automation. In my opinion, it is the trend of embedding deterministic governance directly into the integration plane that makes well-built MCPs the favorite choice.

The Promise of MCP: Integration with Embedded Human-in-the-Loop Governance

Most integrations traditionally operate at the data level. Platforms expose endpoints to create, read, update, or delete domain data. Your standard CRUD. MCPs take a different approach. Instead of wiring dozens of endpoints and writing custom logic for business rules, an MCP connection behaves like a live, governed session with the platform’s state and policies.

One of my favorite MCPs is the one built by Linear. One compelling feature Linear brings to the table is human-in-the-loop (HITL) governance baked deeply into all write operations. For example, when an AI agent connected via MCP creates or modifies an issue, the server intercepts perceived CRUD requests and waits for the requesting system to normalize user inputs (team and project UUIDs) with explicit user Accept/Reject before doing anything. This exemplifies the deterministic, human-in-the-loop core of the evolving MCP governance.

This sort of user feedback flow protects against data mutation happening without human oversight, reducing risks of AI hallucinations or unintended side effects. It combines automation’s power with the controls companies demand.

Here is Linear’s official MCP documentation for a closer look at these mechanics.

APIs: Still the Gold Standard for Fine-Grained Control

It’s important to clarify that traditional APIs remain the most mature, governed, and widely adopted integration model today. MCPs, while evolving rapidly, are still catching up in areas like versioning, tooling maturity, and ecosystem familiarity. APIs offer precise, explicit control over data, granular permissions, and stable contracts that enterprises deeply rely on.

In scenarios where very tight governance, strict compliance, and predictable control are non-negotiable, APIs continue to lead. MCPs can reduce technical overhead by abstracting complexity, but that simplicity sometimes comes at the cost of the predictive assurances developers and enterprises are used to.

Architectural and Security Innovations to Enable MCPs

Another big area MCPs needed to tackle was OAuth authentication. Unlike traditional web apps with fixed callback URLs, MCP clients often run on user machines with ephemeral local URIs, challenging OAuth’s static redirect paradigm.

Vendors tackle this through clever patterns such as:

  • Dynamic Client Registration (DCR): MCP clients programmatically register themselves with the SaaS OAuth server at runtime, whitelisting their local callbacks on the fly.

  • Cloud-Hosted MCP Proxies: Centralized cloud gateways serve as fixed OAuth clients, funneling tokens securely to local instances.

  • Desktop Deep Linking: Custom OS-level URI schemes let native desktop apps intercept OAuth callbacks without relying on HTTP listeners.

These approaches preserve seamless authentication while enabling secure token issuance for decentralized MCP clients.
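An added example, not taken from any vendor's implementation: a sketch of the server-side check a Dynamic Client Registration endpoint can run on the callbacks a local MCP client asks to register. The field names `redirect_uris` and `token_endpoint_auth_method` come from RFC 7591; the policy itself (loopback IP literals only, `localhost` refused, public clients only) and the sample registrations are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def redirect_uri_problem(uri):
    """Return None when the URI is acceptable for a local client, else the reason."""
    try:
        parts = urlsplit(uri)
        host = parts.hostname or ""
        has_userinfo = bool(parts.username or parts.password)
    except ValueError:
        return "unparseable URI"
    if "#" in uri:
        return "fragment not allowed in a redirect URI"
    if has_userinfo:
        return "userinfo not allowed"
    if parts.scheme == "https":
        return None if host else "missing host"
    if parts.scheme == "http":
        # Plain http is accepted only for a loopback IP literal (127.0.0.1, ::1),
        # so a hostname that merely starts with "127.0.0.1." does not pass.
        try:
            if ipaddress.ip_address(host).is_loopback:
                return None
        except ValueError:
            pass
        return "http is allowed only for loopback IP literals"
    if "." in parts.scheme:
        # Private-use scheme for desktop deep links, e.g. com.example.agent:/cb
        return "private-use scheme must not carry a host" if parts.netloc else None
    return "unsupported scheme"

def review_registration(metadata):
    """Check an RFC 7591 registration body; return a list of problems (empty = accept)."""
    problems = []
    uris = metadata.get("redirect_uris") or []
    if not uris:
        problems.append("redirect_uris is required")
    for uri in uris:
        reason = redirect_uri_problem(uri)
        if reason:
            problems.append(f"{uri}: {reason}")
    # RFC 7591 defaults this field to client_secret_basic when it is omitted.
    if metadata.get("token_endpoint_auth_method", "client_secret_basic") != "none":
        problems.append("local client must register as public (auth method 'none')")
    return problems

# Constructed registration bodies
GOOD = {"client_name": "Example Desktop Agent", "token_endpoint_auth_method": "none",
        "redirect_uris": ["http://127.0.0.1:51789/callback", "com.example.agent:/oauth/callback"]}
BAD = {"client_name": "Example Desktop Agent",
       "redirect_uris": ["http://127.0.0.1.example.net/callback", "http://localhost:3000/cb"]}
```

`review_registration(GOOD)` returns an empty list, while `BAD` is refused for both callbacks and for the missing public-client declaration.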

MCP integrations in my Projects

With my own projects like MojiTrack and DevRel Dad Chat, I will lead with MCP until proven otherwise. DevRel Dad Chat, for example, uses Linear’s MCP server remotely on the user’s behalf. The integration is tools-only with no background syncing, and managed fully through MCP JSON-RPC calls.

With the governance features:

  • Tool Call Normalization: Before approval, write commands like save_issue resolve ambiguous team or project names to UUIDs, ensuring accuracy even when users provide casual names like "Personal Tasks."

  • Explicit User Consent: When the AI agent issues a write operation, the system creates an approval card requiring the user to manually Approve or Reject. The transaction halts until confirmed, enforcing deterministic control.

  • Encrypted, Scoped Tokens: OAuth tokens are encrypted and scoped per user and chat mode for security and isolation.

The user experience is seamless yet secure, preventing autonomous, and mitigating unapproved, data mutations by agents.
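An added sketch of the normalize-then-approve flow described above; it is not DevRel Dad Chat's or Linear's code. `save_issue` is the tool name from the post, while `list_issues`, the `team` and `teamId` argument names, the team directory and the `call_tool` callback are hypothetical.

```python
import uuid

READ_TOOLS = {"list_issues"}   # hypothetical read-only tool; anything else is gated
TEAM_DIRECTORY = {             # constructed team name -> UUID data
    "personal tasks": "11111111-1111-4111-8111-111111111111",
    "platform": "22222222-2222-4222-8222-222222222222",
}

class ApprovalGate:
    def __init__(self, call_tool):
        self._call_tool = call_tool   # forwards a call to the MCP server
        self._pending = {}            # card_id -> (user_id, tool, normalized args)

    def _normalize(self, args):
        """Replace a casual team name with its UUID; refuse to guess."""
        if "team" not in args:
            return dict(args)
        wanted = args["team"].strip().lower()
        matches = [tid for name, tid in TEAM_DIRECTORY.items() if wanted in name]
        if len(matches) != 1:
            raise ValueError(f"team {args['team']!r} matched {len(matches)} teams")
        resolved = {k: v for k, v in args.items() if k != "team"}
        resolved["teamId"] = matches[0]
        return resolved

    def request(self, user_id, tool, args):
        if tool in READ_TOOLS:
            return {"status": "executed", "result": self._call_tool(tool, args)}
        normalized = self._normalize(args)
        card_id = str(uuid.uuid4())
        self._pending[card_id] = (user_id, tool, normalized)
        # The preview is a copy, so the caller cannot alter what will run.
        return {"status": "pending", "card_id": card_id, "preview": dict(normalized)}

    def decide(self, card_id, user_id, approve):
        card = self._pending.get(card_id)
        if card is None or card[0] != user_id:
            return {"status": "denied"}   # unknown, already used, or another user's card
        del self._pending[card_id]        # single use: a card cannot be replayed
        if not approve:
            return {"status": "rejected"}
        return {"status": "executed", "result": self._call_tool(card[1], card[2])}
```

The arguments that run are exactly the normalized ones shown on the card, and a card is bound to the user who triggered it and consumed on the first decision.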

More MCP Creativity

At HubSpot, my employer, we observe broad industry interest in MCPs, and have been deliberate about embedding governance in AI Workflows. That includes honoring authenticated user-level permissions in all responses.

Another interesting case is Robinhood’s MCP, which innovates by restricting AI read access strictly to existing user investment accounts while managing writes through a new AI-controlled account type. This approach pushes the boundaries of MCP design in nuanced and inventive ways. I have only started working with the Robinhood MCP, but I am excited at the possibility.

My prediction for MCP adoption

Choosing between APIs and MCPs depends largely on the nature of control and governance needed. While MCPs have not yet fully replaced APIs universally, they are becoming a compelling complement, especially in environments where blending automation with manual oversight is crucial.

As MCP standards evolve alongside advances in secure OAuth patterns, I suspect there will be a layer of enterprise-grade governance solutions showing up. MCP data firewalls, if you will: solutions like Docker MCP Gateway and Composio. This would give enterprises the balance they seek between integration flexibility and data security.

The areas I remain unsure about with MCP-based integrations are:

  • The methods for keeping current on tool capabilities as they come out, which for many vendors is at an insane pace.

  • Standardizing configuration schemas that support a library of MCP connections in a scalable way.

For developers and product teams, understanding when and how to leverage MCPs versus APIs will be key to delivering scalable, secure, and user-trusted integrations in the AI era.
