Hey everyone! 👋
After working with both approaches extensively, I wanted to share some thoughts on the practical tradeoffs between Function Calling and MCP when building real-world AI applications.
I assume most readers are already familiar with MCP and Function Calling, so I won't delve into the technical details.
Real-World Scenarios: Authentication & Session Management
For example, I am building Quaily, the AI-powered newsletter tool. I want to post articles to quaily.com, which of course requires authentication:
With MCP:
I can use a local program (a.k.a. quail-cli) to handle authentication and session management, so the login state naturally lives in the MCP server and the credentials never reach the LLM.
If the credentials are compromised or expired, the MCP server can just force the user to log in again.
There is a clear separation between authentication and LLM processing.
With Function Calling:
Obviously I can't send a token or other credentials to the LLM: there are risks of session identifiers being memorized by the LLM.
So the possible approaches are:
- use very short-lived tokens: generate tokens that are valid for maybe 10 seconds,
- or even force each request to have a new token to prevent reuse.
However, all these things add complexity and still don't provide the same security guarantees as MCP's architectural approach. The fundamental issue remains: with function calling, you're passing potentially sensitive identifiers through a system you don't control.
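The two mitigations listed above (tokens valid for about 10 seconds, and a fresh token per request), as an added sketch that is not code from Quaily or quail-cli; `TokenBroker` and its methods are hypothetical names, and the in-memory store is an assumption that stands in for whatever the backend would use:

```python
import hashlib
import hmac
import secrets
import time


class TokenBroker:
    """Issues short-lived, single-use tokens (hypothetical helper, not Quaily code)."""

    def __init__(self, ttl_seconds=10, clock=time.time):
        self._key = secrets.token_bytes(32)  # signing key stays on the backend
        self._ttl = ttl_seconds
        self._clock = clock                  # injectable so expiry can be tested
        self._pending = {}                   # nonce -> (user, expiry), unredeemed only

    def _sign(self, payload):
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, user):
        """Return a token that is cheap to lose: it expires fast and works once."""
        now = int(self._clock())
        # Drop tokens that expired without ever being redeemed.
        self._pending = {n: e for n, e in self._pending.items() if e[1] >= now}
        nonce = secrets.token_urlsafe(16)
        expiry = now + self._ttl
        self._pending[nonce] = (user, expiry)
        payload = f"{nonce}.{expiry}"
        return f"{payload}.{self._sign(payload)}"

    def redeem(self, token):
        """Return the user for a valid token, or None. A token redeems at most once."""
        try:
            nonce, expiry, sig = token.split(".")
        except ValueError:
            return None                      # not in nonce.expiry.signature form
        expected = self._sign(f"{nonce}.{expiry}")
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return None                      # forged or tampered; nonce is not burned
        entry = self._pending.pop(nonce, None)  # pop enforces single use
        if entry is None:
            return None                      # replayed or unknown token
        user, stored_expiry = entry
        if self._clock() > stored_expiry:
            return None                      # expired
        return user
```

The token still passes through the model's context, so this only shrinks the window in which a leaked value is useful; the signing key and the user's real session never leave the backend.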
The Business Implications
It's not only about security, but also about the business model. A business model is basically a collection of control points, and you make money from those control points.
For example, in Quaily, the major control point is the access to the paid content, and the business model is subscription.
As I mentioned, Function Calling struggles to provide the same security guarantees as MCP's architectural approach. So it may be great for building products fast, but it makes service boundaries harder to create. MCP, however, has a natural architecture for building access-controlled resource marketplaces, especially for application developers who want to build AI-powered applications but don't have the ability to build an infrastructure like OpenAI.
Making the Decision: Why MCP
Both approaches solve real problems today, but after extensive work with both, I've become a strong advocate for MCP in almost all scenarios. Here's my perspective:
- Security by Design: MCP's architecture fundamentally solves credential exposure issues that Function Calling struggles with
- Future-Proof Systems: As your application grows, MCP's modular architecture scales more elegantly
- Cleaner Boundaries: The separation between data access and LLM processing creates more maintainable systems
- Ecosystem Building: MCP enables building networks of capabilities that can be shared across applications
What's your experience with either approach in production? Any particular challenges you've faced with handling state or security?
I'd love to hear your thoughts! Please share your comments below or DM me on X.