What is MCP, and how agents use it to notify you and ask for approval
MCP is an open standard that lets an AI agent call external tools. Two of those tools can notify a human and ask one, then wait.
The Model Context Protocol (MCP) is an open standard that lets an AI agent call external tools through one consistent interface. Two of those tools can be "notify a human" and "ask a human and wait," which is how an agent reaches you on your phone and pauses for a yes or no before it does something you would want to see first.
MCP was introduced by Anthropic in November 2024 and has since been adopted by OpenAI and Google as a common way to connect agents to tools and data (Anthropic, Wikipedia). Instead of every app inventing its own glue, an agent speaks one protocol, and any tool that speaks it back becomes callable.
Key takeaways
- MCP is an open standard for connecting AI agents to external tools and data, introduced by Anthropic in late 2024 and now adopted across the major model vendors.
- A tool is just a function the agent can call. "Notify a human" and "ask a human and wait" are tools like any other, which is how approval and human-in-the-loop fit into the protocol.
- Pushary publishes its server on the official MCP registry, so an agent can ping you and ask for a decision over the same standard it already uses to read files or query a database.
What MCP actually is
MCP defines a host (the agent), clients inside that host, and servers that expose capabilities. Each server offers tools, resources, or prompts. A tool is a named function with a schema the agent can call and read a result back from. Example tools the official material lists include database access, calculators, and code repository access (modelcontextprotocol.io spec).
The point of the standard is that the agent does not need a custom integration per tool. It speaks MCP, the server speaks MCP, and the two connect. Once that handshake is shared, any team can publish a server and any agent can call it.
Notify and ask are just tools
Once you see a tool as a function the agent can call, the human-in-the-loop part stops being special. A server can expose a tool whose job is to send a push notification. It can expose another whose job is to ask a question and block until a person answers. The agent calls them the same way it would call a file read.
The MCP spec also has a dedicated primitive for this called elicitation, where a server pauses a tool and requests structured input from the user before continuing, all inside one session (modelcontextprotocol.io elicitation, The New Stack). One stated rule in the spec is worth keeping: elicitation is not a channel for credentials or sensitive data.
Pushary takes the tool route. The agent calls ask_user, which stores the question and sends a push to your phone, then calls wait_for_answer, which blocks until you tap an answer. A send_notification tool covers the fire-and-forget case, like telling you a long run finished. See MCP notifications for the surface and the quickstart to wire it up.
Why a ping is only the floor
Reaching you is the easy part now. The model vendors ship native notification hooks, so a bare ping is parity. The decision that matters is what the agent is allowed to do without asking at all.
That is where a tool call alone falls short. On the CLI agents (Claude Code, Codex, Gemini CLI, Cursor, Hermes), Pushary runs a hook that enforces a permission policy before a tool executes. The policy matches on the command and its arguments, so git status runs untouched and git push --force stops and asks. A read-only floor auto-approves proven safe commands, a list decided from 1,721 real production questions, not a guess. Every decision lands in an audit trail with the source of the answer recorded. That policy plus audit layer is the part a notification cannot replace. The control panel page covers the full surface.
On the registry
Pushary's MCP server is published on the official MCP registry as io.github.Pushary/pushary. The registry launched in preview in September 2025 as the official catalog for publicly available MCP servers, backed by Anthropic, GitHub, PulseMCP, and Microsoft (MCP registry blog, registry.modelcontextprotocol.io). Being listed there means an agent finds the notify-and-ask tools through the same standard it uses for everything else.
One honest limit: enforced gating needs a hook to block at. The Claude Desktop connector has no hook, so there it can notify and ask but cannot stop a tool. That is a property of where Desktop runs, not a setting.
Common questions
What does MCP stand for?
Model Context Protocol. It is an open standard, introduced by Anthropic in November 2024, for connecting AI agents to external tools and data through one interface instead of a separate integration per tool.
Can an MCP tool ask a human for approval?
Yes. A tool is a function the agent calls, so a server can expose one that sends a notification and another that asks a question and waits for the answer. The spec also defines elicitation, a primitive for a server to request user input mid-execution.
Is notifying me through MCP the same as gating what the agent can do?
No. A notification tells you something happened or asks for a yes or no. Enforced gating runs before the tool executes and can block it. That needs a hook, which the CLI agents have and Claude Desktop does not.
Any agent can reach you now. The one you can actually govern is what's worth paying for. See pricing to put the policy and audit layer on your agents.