Now in early access, book a 30-minute demo →
← Back to blog Guide

Top MCP Servers 2026: The Ten Developers Actually Run

TL;DR
  • 2026 is MCP's infrastructure phase: protocol governance moved to the Linux Foundation, the Streamable HTTP transport made remote servers mainstream in the enterprise, and the public ecosystem passed 14,000+ MCP servers.
  • This guide names a concrete top ten developers actually run in 2026 - Playwright, GitHub, Context7, Filesystem, Slack, PostgreSQL, Figma, the AWS servers, Sentry, and Notion - but the order is not an authoritative usage ranking.
  • Every server on the list earns the same three checks: the scopes it holds, its transport (local stdio versus remote HTTP), and its auth (static key versus OAuth).
  • Playwright MCP (Microsoft) has crossed 30,000+ GitHub stars, and browser and live-docs servers double as egress channels and prompt-injection entry points.
  • Whatever a server can reach, the agent can reach - so a database server is data access and an AWS server is cloud-control access, both running with the agent's authority.
  • You can't govern what you can't see: inventory every configured MCP server before you try to set policy on any of them.

The top MCP servers of 2026 are no longer experiments bolted onto a chat window - they are infrastructure. This is the year the Model Context Protocol crossed into its infrastructure phase: governance of the protocol moved to the Linux Foundation, the Streamable HTTP transport made remote MCP servers practical to run as shared enterprise services, and the public ecosystem passed 14,000 MCP servers. What was a handful of local reference servers a year ago is now a supply chain of vendor-hosted, OAuth-backed tools your developers and agents reach for every day.

This guide names a concrete ten - the MCP servers you are most likely to find configured across real 2026 setups - and, for each, spells out what it grants and the three checks a security team should run. Two ground rules. First, the order is not an authoritative usage ranking; there is no official leaderboard, so read this as a qualitative snapshot, not a scoreboard. Second, if you want the broader category-level reference that is not tied to a named ten, the MCP servers developers use is the companion to this page, and the security foundations sit in the complete MCP server security guide and the Model Context Protocol security explainer.

Why the top MCP servers of 2026 look different

A year ago, most MCP usage meant a local stdio server launched next to a coding agent. Three shifts changed the shape of the list. The move of protocol governance to the Linux Foundation signaled that MCP is durable enough for vendors to invest in first-party servers. Streamable HTTP replaced the older transport and made it realistic to run a remote MCP server as a hosted, authenticated service that many clients share. And the ecosystem crossing 14,000+ servers means the question is no longer whether your teams use MCP - it is which servers, holding which access, are already running on your endpoints.

The practical consequence is a barbell. On one end, local stdio servers still dominate for filesystem and browser work. On the other, remote OAuth-backed servers now carry the SaaS and cloud integrations. Both ends need the same discipline, and neither is visible unless you are looking. That is the throughline of this list: every server is a specific kind of access running with the agent's authority, and whatever untrusted input steers the agent can turn into calls against that access.

The ten MCP servers defining 2026

Each entry below states what the server grants and then the three checks - scopes, transport, auth - that decide its real risk. Names are real, published servers; the ordering is illustrative, not a ranking.

1. Playwright MCP (Microsoft)

Microsoft's Playwright MCP server drives a real browser - navigating, clicking, filling forms, and reading rendered pages - and with 30,000+ GitHub stars it is the browser-automation server most teams reach for. Scopes: every site the machine can reach and any session the browser already holds. Transport: usually local stdio beside the developer's browser. Auth: it typically inherits existing browser sessions rather than carrying a separate key, so the credential you are trusting is whatever is already logged in. Treat it as both an egress channel and an injection entry point, because untrusted page content flows straight into the agent.

2. GitHub MCP (official)

The official GitHub MCP server exposes repositories, issues, pull requests, and Actions to an agent. Scopes: whatever the underlying token or GitHub App grants - read, write, or organization administration. Transport: available as a remote Streamable HTTP endpoint or run locally. Auth: OAuth or a fine-grained personal access token. The token scopes are the whole game here: grant read where read is enough, keep write narrow, and never wire an agent to a token that can administer the org. The same discipline shows up for coding agents in securing AI coding agents and CLIs.

3. Context7 (live documentation)

Context7 pulls version-accurate, live documentation for libraries and frameworks into the agent's context so generated code targets the current API. Scopes: outbound retrieval of public documentation. Transport: a remote HTTP service, also runnable locally. Auth: an optional API key for higher limits. Its value is fresh external content, which is also its risk - anything a docs server returns is untrusted input, the same surface behind the MCP tool-poisoning campaign.

4. Filesystem (reference)

The reference Filesystem server reads and writes files inside configured directories. Scopes: exactly the paths you point it at - a single project folder is reasonable, the home directory or root is not. Transport: local stdio. Auth: none, because it runs with the local user's file permissions. The entire risk is scope, so bound the directories tightly and treat write access as the sharp edge.

5. Slack MCP

The Slack MCP server lets an agent read channels, search history, and post messages. Scopes: governed entirely by the OAuth scopes on the connection - reading public channels is very different from posting and reading private conversations. Transport: remote HTTP. Auth: OAuth. Verify the exact scopes and, in particular, whether the agent can send messages, not just read them.

6. PostgreSQL MCP

A PostgreSQL MCP server connects an agent directly to a database for queries and, if allowed, writes. Scopes: whatever the database role can touch - the gap between a read-only replica and a privileged production account is enormous. Transport: local stdio or a remote endpoint. Auth: a database connection string, which should map to a dedicated least-privilege role, never a shared admin login. This is one of the most consequential servers on the list because a manipulated prompt against a broadly privileged connection is a data-exfiltration and data-destruction risk.

7. Figma MCP

The Figma MCP server hands an agent design context - frames, components, and Dev Mode specs - so it can turn a design into code. Scopes: the files and projects the connected account can open. Transport: a local server alongside the Figma desktop app, or a remote endpoint. Auth: OAuth or a personal token scoped to the account. Confirm which files it can reach and whether the token is scoped to a single team rather than everything the user can see.

8. The AWS MCP servers (ECS, EKS, Serverless, Billing)

AWS publishes a family of MCP servers for its services - among them ECS, EKS, Serverless, and Billing - that let an agent inspect and act on cloud resources. Scopes: defined by the IAM identity the server assumes, which is the single most important control here. Transport: local stdio next to the AWS credentials. Auth: standard AWS credentials or an assumed role. Back these with a narrowly scoped IAM role, because a billing-read server and a cluster-mutating server sit at opposite ends of the blast-radius spectrum.

9. Sentry MCP

The Sentry MCP server brings error, issue, and performance data into the agent so it can triage and explain failures. Scopes: the projects and organizations the connection can read. Transport: a remote HTTP service. Auth: OAuth. It is mostly read-oriented, but confirm whether it can resolve or mutate issues and exactly which projects it can see.

10. Notion MCP

The Notion MCP server exposes workspace pages and databases for reading and writing. Scopes: the pages and databases shared with the integration - Notion's model lets you share a subset rather than the whole workspace, so use it. Transport: remote HTTP. Auth: OAuth. Because a workspace often holds sensitive internal knowledge, verify exactly which content is shared with the connection and whether the agent can write.

The 2026 servers at a glance

The table pairs each server with what it grants and the three checks. Again, this is a qualitative reference, not a ranked ordering.

MCP serverWhat it grantsScopes / transport / auth to verify
Playwright (Microsoft)Full browser control over any reachable siteWhich sessions it inherits; local stdio; no separate key - trusts the logged-in browser
GitHub (official)Repos, issues, pull requests, ActionsToken scopes (read/write/admin); remote HTTP or local; OAuth or fine-grained PAT
Context7Live external documentation into contextOutbound retrieval only; remote HTTP; optional API key - treat returned docs as untrusted
Filesystem (reference)Read/write files in configured directoriesExact directories exposed; local stdio; runs with local user permissions
SlackRead channels, search history, post messagesOAuth scopes; remote HTTP; can it post or only read; private vs public data
PostgreSQLDirect database query and, if allowed, writesRead-only vs read-write role; stdio or remote; dedicated least-privilege DB account
FigmaDesign frames, components, Dev Mode specsFiles/projects reachable; local or remote; OAuth or team-scoped token
AWS (ECS/EKS/Serverless/Billing)Inspect and act on cloud resourcesIAM role scope is decisive; local stdio; assumed-role or standard credentials
SentryError, issue, and performance dataProjects/orgs readable; remote HTTP; OAuth; can it mutate issues
NotionRead/write workspace pages and databasesWhich pages/DBs are shared; remote HTTP; OAuth; write capability

How to vet any MCP server

The point of the list is the method behind it. Whatever server you meet - one of these ten, a fork of one, or something not published here - the same three questions decide its risk, and they are the columns your inventory should fill for every entry.

  • Scopes. What data, files, actions, or infrastructure can this server actually reach, and is that broader than the task requires? A GitHub token with admin, a Postgres role with write on production, or an AWS role that can mutate clusters is where a manipulated prompt does real damage.
  • Transport. Does it run locally over stdio or as a remote HTTP endpoint? A remote endpoint is a network trust boundary that needs authentication and HTTPS; a local server avoids that but still runs with local access and can turn a parsing flaw into code execution.
  • Auth. Does it hold a static long-lived key or use OAuth with short-lived, scoped, audience-restricted tokens? This sets what a stolen credential is worth. The mechanics are in OAuth for MCP servers explained.

For the category-by-category version of this model - filesystem, git, database, SaaS, and browser servers read as security surfaces - the companion reference is the MCP servers developers use. To turn the three checks into a standing process rather than a one-time audit, follow how to build an MCP server registry. And because MCP servers are only one artifact your agents pull in, pair this with the sibling roundups on the top AI agent skills of 2026 and the top enterprise AI agents of 2026.

How Anomity inventories and governs MCP servers

Every check above assumes you can see the servers, and most organizations cannot list what is configured across their fleet. Anomity closes that gap. Its category is agentic endpoint security, built on one principle: you can't govern what you can't see. See how the inventory takes shape in the discovery capabilities.

A lightweight, unprivileged Endpoint Sensor runs on every managed endpoint (Windows, macOS, and Linux) and discovers eight AI artifact types: AI agents, MCP servers, extensions, plugins, skills, secrets, hooks, and CLIs. For each MCP server it records the source, the transport, the auth method, and the reach - so a Playwright stdio server, a GitHub OAuth connection, or an AWS role-backed server appears in your inventory automatically instead of by hand. The sensor sends metadata only over HTTPS to the Anomity Cloud; never source code, never prompts, and secrets are redacted on the endpoint.

At runtime, on agents that expose a hook (for example Claude Code's PreToolUse), Anomity evaluates each tool call before it runs and returns allow, deny, or log - so an over-scoped or manipulated call, such as an unexpected write to a database or an egress to an unknown host, can be denied rather than executed. See how that works in runtime governance. A server that changes transport or gains a new scope surfaces as a change event, violations route to your SIEM, Slack, email, and Jira, and every server added, changed, or removed lands in a queryable 90-day audit trail - the outcomes a security team can actually report on. Anomity is SOC 2 Type II and complements your EDR/XDR, DLP, network and gateway controls, and GRC program rather than replacing them, which is the model in our AI security framework and the product documentation. To make the inventory a living registry, pair it with how to build an MCP server registry.

You can't govern what you can't see.The Anomity principle

The bottom line

In 2026 the top MCP servers are infrastructure, not novelties - Playwright, GitHub, Context7, Filesystem, Slack, PostgreSQL, Figma, the AWS servers, Sentry, and Notion sit on real endpoints holding real access. The list is not a ranking; it is a reminder that each server is a specific door, and the same three questions govern all of them: what scopes does it hold, what transport does it use, and how does it authenticate. Answer those for every server, scope each to the task, prefer OAuth over static keys, and treat any browser or docs server as both an egress channel and an injection entry point. Then do it from a place you can see the whole fleet, because a server you have never inventoried is one you cannot check - compare the approaches if you are weighing your options. To see your own MCP server posture across every endpoint, book a 30-minute demo.

Frequently asked questions

What are the top MCP servers in 2026?

The ten this guide covers are the ones you will encounter across most 2026 developer setups: Playwright (browser automation), the official GitHub server (repos, issues, pull requests, Actions), Context7 (live documentation), the reference Filesystem server, Slack, PostgreSQL, Figma, the AWS server family (ECS, EKS, Serverless, Billing), Sentry, and Notion. There is no authoritative usage ranking of MCP servers, so treat this as a qualitative list of what teams actually run, not a leaderboard. For a broader category reference that is not tied to a named ten, see the MCP servers developers use.

Why does the 2026 list look different from a year ago?

Because MCP entered its infrastructure phase. Governance of the Model Context Protocol moved to the Linux Foundation, the Streamable HTTP transport made remote MCP servers practical to run as shared enterprise services rather than local experiments, and the public ecosystem passed 14,000 servers. The result is a shift from a few local stdio reference servers toward vendor-hosted, OAuth-backed remote servers for platforms like GitHub, Slack, Sentry, and Notion. The foundations are in the Model Context Protocol security explainer.

Is Playwright MCP safe to give an agent?

Safe is the wrong question. Playwright MCP is a legitimate, widely adopted server with 30,000+ GitHub stars, but it drives a real browser with whatever sessions that browser already holds and can reach any site the machine can. That makes it both an egress channel and a path for untrusted web content to enter the agent's context. Scope which sessions it inherits, treat returned page content as untrusted input, and govern the tool calls it makes rather than trusting the server itself.

How do I vet an MCP server that is not on this list?

Use the same three checks the list uses. First, scopes: exactly what data, files, or actions the server can reach, and whether that is broader than the task needs. Second, transport: whether it runs locally over stdio or as a remote HTTP endpoint, since a remote endpoint is a network trust boundary. Third, authentication: whether it uses a static long-lived key or OAuth with short-lived scoped tokens. The full model is in how to build an MCP server registry and OAuth for MCP servers explained.

Are remote HTTP MCP servers riskier than local stdio ones?

They move the risk rather than remove it. A remote Streamable HTTP server is a network trust boundary that must be authenticated and use HTTPS, and it can be reached by anything that can route to it. A local stdio server avoids that boundary but still runs on the endpoint with local access to files and credentials, and a parsing flaw in a local server can become local code execution. Inventory both, and judge each by scope, transport, and auth rather than assuming one form is inherently safe.

Which of these servers reach the most sensitive data?

The database, cloud, and SaaS servers. A PostgreSQL server is direct data access, the AWS server family can inspect and change cloud infrastructure, and Slack, Notion, and Figma reach internal conversations, knowledge, and designs. Playwright and Context7 are dangerous in a different way - they pull untrusted external content into the agent. Back database servers with least-privilege roles, back AWS servers with narrowly scoped IAM, and confirm the exact OAuth scopes on every SaaS connection.

How does Anomity govern the MCP servers on this list?

MCP servers are one of the eight AI artifact types Anomity's lightweight Endpoint Sensor discovers and inventories across every managed endpoint. For each server it records the source, transport, auth method, and reach, so a Playwright or AWS server appears in your inventory automatically instead of by hand. On agents that expose a hook, Anomity returns allow, deny, or log before a tool call runs, every added, changed, or removed server lands in a queryable 90-day audit trail, and violations route to your SIEM, Slack, email, and Jira. It sends metadata only over HTTPS, never source or prompts, with secrets redacted on the endpoint.

Ask AI about Anomity
ChatGPT Claude Perplexity Google AI Grok