Dokki Blog logo

Local vs Remote MCP Servers: Which Should You Use?

Choose a local MCP server when the capability belongs to one machine, uses local files or developer tools, and should run under that user’s operating-system boundary. Choose a remote MCP server when several users or agents need the same managed service, shared cloud data, centralized identity, revocation, updates, observability, and tenant governance.

The short answer

Choose a local MCP server when the capability depends on files, credentials, or tools on one device and should stay close to the user. Choose a remote server when a team needs centralized deployment, shared availability, managed updates, and consistent policy. The protocol model is similar; the operational and security boundaries differ.

MCP defines protocol behavior independently from transport.

A local server usually:

  • runs as a child process;

  • communicates over stdio;

  • serves one client connection;

  • is installed and executed on the user’s machine;

  • inherits local filesystem, process, and environment boundaries.

A remote server usually:

  • runs as an independent network service;

  • uses Streamable HTTP;

  • serves many clients;

  • requires network authentication and authorization;

  • is operated centrally.

A server can expose the same tools and resources over either transport. The choice changes trust, identity, operations, and failure modes.

The comparison

Local and remote MCP authority boundaries shown as two controlled rooms

Decision factor

Local MCP server

Remote MCP server

Typical transport

stdio

Streamable HTTP

Process owner

User or host application

Service operator

Clients

Usually one per process

Usually many

Data location

Local machine

Cloud or shared service

Installation

Per device

Connect to endpoint

Updates

Per installation

Central deployment

Identity

OS/process/user context

OAuth, API identity, tenant

Sharing

Limited

Designed for teams

Offline use

Possible

Usually network-dependent

Latency

Low for local data

Network-dependent

Scaling

One process per client

Horizontal service scaling

Audit

Device-specific

Centralized

Revocation

Remove config or local credential

Central token/connector revocation

Attack surface

Local code execution

Network service plus client surface

Best fit

IDEs, files, local tools

SaaS, team workspaces, shared systems

Neither is automatically safer. They expose different risks.

Choose based on where the authority lives

The most useful question is:

Where does the authoritative data or capability live?

Use local when authority is naturally local:

  • repository checkout;

  • local files;

  • desktop application;

  • developer environment;

  • local database;

  • device-specific hardware;

  • private on-device model;

  • temporary test fixture.

Use remote when authority is shared:

  • team workspace;

  • customer relationship system;

  • cloud database;

  • issue tracker;

  • organizational knowledge base;

  • billing service;

  • shared analytics;

  • hosted search index.

Copying shared authority onto every laptop to preserve a “local” design can create worse security and consistency.

Choose local for machine-specific work

A local server is a good fit when:

  1. the host must access files on the machine;

  2. the capability is useful only to that user;

  3. no team-wide service is needed;

  4. the host can safely launch and stop the process;

  5. offline operation matters;

  6. low local latency matters;

  7. the user accepts installing executable code.

Examples:

  • search the current repository;

  • inspect local Git history;

  • read an approved folder;

  • run a local formatter;

  • query a development database;

  • control a desktop-only application.

Choose remote for shared systems

A remote server is a good fit when:

  1. multiple users or agents need the same capability;

  2. data is already cloud-hosted;

  3. access must follow organization membership;

  4. credentials should not be distributed to each machine;

  5. updates must be centralized;

  6. audit and revocation matter;

  7. the server requires background jobs;

  8. the service must scale independently.

Examples:

  • shared workspace;

  • project management;

  • customer data;

  • team calendar;

  • organizational search;

  • publishing service;

  • production monitoring;

  • centrally governed agent tools.

Local stdio lifecycle

In stdio, the client launches the server process and communicates through standard input and output.

Typical lifecycle:

  1. user configures a package or executable;

  2. host launches it;

  3. server reads MCP messages from standard input;

  4. server writes MCP messages to standard output;

  5. logs go to standard error;

  6. host closes the process when finished.

The process boundary implicitly represents one connection. Explicit HTTP session IDs are not required.

Local advantages

  • simple protocol plumbing;

  • no public endpoint;

  • direct access to local data;

  • low latency;

  • natural per-user process isolation;

  • easy development;

  • full bidirectional connection.

Local disadvantages

  • code runs on the user’s machine;

  • installation and dependency supply chain;

  • version drift;

  • per-device updates;

  • difficult central monitoring;

  • local secrets and environment exposure;

  • one process per client;

  • inconsistent device configuration.

A malicious local server can read files or execute processes with the permissions of its operating-system identity.

Remote Streamable HTTP lifecycle

A remote server operates independently and exposes an MCP endpoint over HTTP.

Typical lifecycle:

  1. client discovers or configures the endpoint;

  2. client authenticates;

  3. protocol initialization begins;

  4. client sends HTTP requests;

  5. server replies directly or streams messages where supported;

  6. session headers are managed if the selected mode uses sessions;

  7. server enforces user and tenant scope;

  8. operator monitors and updates the service.

Remote advantages

  • one managed deployment;

  • team sharing;

  • central authentication;

  • immediate revocation;

  • centralized logs;

  • consistent schemas and behavior;

  • easier connection from many devices;

  • integration with cloud services;

  • organizational governance.

Remote disadvantages

  • network and service dependency;

  • larger attack surface;

  • OAuth and tenant-isolation complexity;

  • scaling and session design;

  • service cost;

  • latency;

  • regional and compliance concerns;

  • centralized outage impact.

Security is different, not lower or higher

A local device key contrasted with centrally governed remote identity

Local security questions

  • Do you trust the package and maintainer?

  • Is the version pinned?

  • What files can the process read?

  • Which environment variables are inherited?

  • Can it run commands?

  • Can it access the network?

  • Which working directory does it use?

  • How is it removed?

  • Where does it store state?

  • Can another local user modify it?

Remote security questions

  • How is the server authenticated?

  • How are tokens validated?

  • Is the audience correct?

  • How is tenant scope enforced?

  • Can tokens be revoked?

  • Does it use HTTPS?

  • Are Origin and Host validated?

  • Is DNS rebinding addressed?

  • How are sessions protected?

  • How are requests audited?

  • What data leaves the organization?

  • Which region processes it?

Local avoids a public service but adds local code-execution risk. Remote avoids distributed installation but adds service and network risk.

Identity and authorization

Local identity

A local server often acts with:

  • the user’s OS identity;

  • a local application credential;

  • environment variables;

  • a personal API token;

  • a repository-specific configuration.

This can be convenient but overly broad. The server may inherit more access than the MCP tool intends.

Remote identity

A remote server can act with:

  • per-user OAuth;

  • workspace connector;

  • service account;

  • workload identity;

  • tenant-bound access token.

Remote identity can support precise centralized authorization, but only if every request enforces it.

Do not use one global administrator credential for all users.

Updates and compatibility

Local updates

Each machine may run a different version.

Controls:

  • pin versions;

  • distribute through a trusted channel;

  • record checksums;

  • test upgrade paths;

  • manage browser/runtime dependencies;

  • remove deprecated versions.

Remote updates

The operator can update all users at once.

Controls:

  • version capabilities and schemas;

  • use staged rollout;

  • preserve compatibility;

  • announce breaking changes;

  • support rollback;

  • record client versions;

  • monitor error changes.

Central updates reduce drift but increase blast radius when a deployment is bad.

State and sessions

Local state

State can be tied to:

  • server process;

  • local files;

  • host session;

  • user-data directory;

  • local database.

The state disappears or persists according to the server, not merely because transport is stdio.

Remote state

State can be:

  • stateless per request;

  • bound to a transport session;

  • stored in a shared database;

  • cached;

  • represented by durable jobs.

Stateful remote sessions can complicate load balancing and horizontal scaling. The MCP roadmap has identified transport scalability and explicit session behavior as active production concerns.

Design against the current stable specification and SDK behavior rather than future roadmap assumptions.

Performance and latency

Local is usually faster for local data because no network round trip is required.

Remote may be faster for cloud systems because:

  • the server runs near the data;

  • connections and indexes are pooled;

  • large data need not move to the client;

  • processing can use shared infrastructure.

Measure the full workflow. A local proxy that repeatedly downloads cloud data may be slower than a remote server located next to it.

Reliability

Local failure modes

  • executable missing;

  • dependency mismatch;

  • wrong working directory;

  • corrupted profile;

  • process crash;

  • stdout log corruption;

  • device sleep;

  • local firewall;

  • user-specific configuration.

Remote failure modes

  • DNS;

  • TLS;

  • authentication provider;

  • network;

  • load balancer;

  • server outage;

  • session store;

  • downstream service;

  • rate limit;

  • multi-region inconsistency.

Remote services need health checks, monitoring, retries, idempotency, and incident response. Local services need diagnostics that users can understand.

Cost

Local shifts cost to:

  • user compute;

  • device installation;

  • support;

  • version management;

  • local security review.

Remote shifts cost to:

  • hosting;

  • bandwidth;

  • identity;

  • observability;

  • on-call operations;

  • compliance;

  • multi-tenant security.

Do not compare only server bills. Include operational and support cost.

Privacy and data residency

Local can keep data on-device if the server does not call external services. Verify network behavior; “local server” does not imply local processing.

Remote can support:

  • central retention policy;

  • regional deployment;

  • organization-wide DLP;

  • managed audit;

  • contractual controls.

It also means data crosses a network boundary and may enter another operator’s infrastructure.

Document:

  • data collected;

  • processing region;

  • retention;

  • subprocessors;

  • model provider;

  • logs;

  • deletion;

  • export.

Hybrid patterns

You do not have to choose one transport for everything.

Local adapter to remote service

A local server accesses local state and calls a remote API. Useful but creates two security boundaries.

Remote server plus local helper

A central service handles identity and shared data while a local helper performs device-specific operations.

Same server with both transports

A project can support stdio for local installation and Streamable HTTP for hosted use. Keep capability semantics aligned and document differences.

Separate local and remote servers

Often safer: a local repository server and a remote workspace server have independent scopes. The host coordinates them.

Avoid one hybrid server that gains the union of every permission.

Decision tree

Three deployment paths leading to local, remote, and hybrid MCP patterns

Use local if all are true:

  • capability belongs to one machine;

  • one user or host needs it;

  • local installation is acceptable;

  • central audit is unnecessary;

  • local permissions can be safely restricted.

Use remote if any are central:

  • team sharing;

  • cloud authority;

  • central identity;

  • revocation;

  • consistent updates;

  • multi-device access;

  • background work;

  • tenant governance;

  • central audit.

Use a hybrid architecture when the workflow genuinely spans local and shared authority, while keeping permissions separate.

Example: developer repository

Use local:

  • repository exists on the device;

  • the user needs current uncommitted files;

  • latency matters;

  • no other user should see the checkout.

Controls:

  • repository root only;

  • read-only by default;

  • explicit write tools;

  • no unrestricted shell;

  • limited network.

Example: team workspace

Use remote:

  • several people and agents share documents;

  • permissions change with membership;

  • work must be reviewable;

  • access needs centralized revocation;

  • the service publishes or runs background jobs.

Controls:

  • workspace-scoped token;

  • tenant filtering;

  • role enforcement;

  • audit;

  • approval for public actions;

  • connector revocation.

Dokki uses a workspace-scoped MCP connection so an external client can work inside one assigned workspace and can be cut off by revoking that connection.

Example: browser automation

Choose based on state.

Use local when a supervised user deliberately wants the agent to use a local browser or test profile.

Use remote when running isolated browser workers for repeatable testing or research, with dedicated accounts and centrally controlled egress.

Never share a personal persistent browser profile among remote agents.

Migration from local to remote

A prototype often begins with stdio. Before hosting it:

  1. replace implicit OS trust with explicit identity;

  2. add OAuth or another appropriate authentication layer;

  3. derive tenant scope from identity;

  4. remove local filesystem assumptions;

  5. handle concurrency;

  6. define session behavior;

  7. add rate limits;

  8. validate Origin and Host;

  9. use HTTPS;

  10. add audit and revocation;

  11. make mutations idempotent;

  12. test horizontal scaling;

  13. document data processing.

Changing transport alone does not make a local tool production-ready.

Migration from remote to local

A remote service may need a local edition for data residency or developer workflows.

Before distributing:

  • minimize package dependencies;

  • remove cloud-only assumptions;

  • separate logs from stdout;

  • limit files and network;

  • pin runtime versions;

  • define credential storage;

  • provide update and uninstall paths;

  • test major operating systems;

  • document what remains remote.

Frequently asked questions

Is a local MCP server more private?

Only if data and processing remain local. A locally launched server can still send data to remote APIs. Inspect its code, network behavior, configuration, and privacy documentation.

Can a remote MCP server access local files?

Not directly unless the client intentionally supplies content or a separate local component exposes it. Avoid transferring broad local data to reproduce local access remotely.

Can several clients use one local stdio server?

Stdio is normally one client per launched process. Each client generally starts its own server instance.

Can several clients use one remote server?

Yes. Remote servers are designed to handle many connections, but must enforce identity, tenant isolation, quotas, and session behavior.

Which option is easier to build?

Stdio is simpler for a prototype. Remote operation adds authentication, HTTP security, multi-tenancy, scaling, observability, and incident response.

Which option should a SaaS product offer?

Usually a remote server for centrally governed customer data. A local companion can be added when the product needs device-specific files or applications.

Can one package support both?

Yes. The Registry and SDK ecosystem can describe or implement local packages and remote endpoints. Keep versions, capabilities, and permission differences explicit.

Sources