Remote MCP Servers vs Local: How to Choose
Remote and local MCP servers differ in transport, auth, security surface, and what clients can use them. A practical decision guide with a comparison table and the cases where local stdio still wins.

TL;DR - Local MCP servers run as a process on your machine over stdio; remote MCP servers are hosted HTTPS endpoints using Streamable HTTP or SSE. - Remote wins on: zero install, ChatGPT compatibility, team-wide rollout, OAuth-based auth, and always-current versions. - Local wins on: filesystem access, private-network resources, zero added latency, no data leaving the machine, and offline use. - The auth story is the biggest practical difference — remote servers use OAuth 2.1 flows; local servers typically read keys from env vars or config files. - Most serious setups end up hybrid: local servers for machine access, remote servers for everything else.
---
The Same Protocol, Two Deployment Shapes
The Model Context Protocol deliberately separates *what a server does* (tools, resources, prompts) from *how you reach it* (transport). That's why the same conceptual server — say, GitHub access — can exist as both a local binary and a hosted endpoint. Understanding the transports is 80% of understanding the choice.
stdio (local). The client spawns the server as a child process and exchanges JSON-RPC messages over stdin/stdout. The server lives and dies with the client session. It runs with your user's permissions, on your machine, with access to your filesystem, your local network, and any environment variables you hand it.
Streamable HTTP / SSE (remote). The server is a web service. The client sends HTTP requests to a URL; streamed responses come back over Streamable HTTP (the current standard) or Server-Sent Events (the older pattern, still widely supported). The server runs on someone else's infrastructure — the vendor's, usually — and holds its own credentials to whatever it fronts.
Everything else in this article falls out of that split.
---
The Comparison Table
| Dimension | Local (stdio) | Remote (HTTP/SSE) |
|---|---|---|
| Install | Runtime + package per machine | None — paste a URL |
| Works with ChatGPT | ✗ | ✓ |
| Works with Claude Desktop | ✓ | ✓ |
| Works with Cursor / VS Code | ✓ | ✓ |
| Auth pattern | Env vars / config-file keys | OAuth 2.1 |
| Filesystem access | ✓ | ✗ (by design) |
| Private network / VPN resources | ✓ | Only if the server is deployed inside |
| Latency | Effectively zero | Network round-trip |
| Version management | You update it | Vendor updates it |
| Team rollout | Per-machine config | Share one URL |
| Works offline | ✓ | ✗ |
| Data leaves your machine | Only what the server sends | Every tool call |
---
When Remote Is the Right Call
You use ChatGPT anywhere in your stack. This one is binary: ChatGPT only supports remote MCP servers. A local stdio server on your laptop is unreachable from ChatGPT, full stop.
You're rolling out to a team. Local servers mean every developer maintains a JSON config, a Node or Python runtime, and a set of API keys. Remote servers mean sharing a URL and letting each person OAuth in with their own identity. The second model is the only one that survives contact with a 20-person team — and it's why vendors like Linear, Notion, and GitHub all moved their recommended setup to hosted endpoints.
You don't want to handle credentials. With a local server, *you* provision the API key, store it in a config file, and rotate it when someone leaves. With an OAuth-based remote server, the grant is scoped, revocable from the provider's dashboard, and never sits in plaintext on disk. OpenHelm's MCP servers take this to its logical end: OAuth 2.1 for the connection itself, credentials for downstream tools vaulted server-side, nothing for the user to paste anywhere.
The work happens elsewhere anyway. If the tool call triggers a cloud job — a sandboxed research run, a deployment, a database query against a hosted DB — a local hop adds nothing. OpenHelm's servers run every task in an isolated cloud sandbox regardless of where the call came from, so remote is the natural shape.
You want the current version, always. Remote servers update server-side. No "works on my machine because I haven't pulled in three months."
---
When Local stdio Still Wins
Remote-first does not mean remote-always. Four cases where a local server is clearly correct:
Filesystem and local-tool access. An agent that reads your working directory, runs your test suite, or drives a local database needs to be *on the machine*. This is unavoidable and fine — it's what stdio was designed for. (It's also how OpenHelm's desktop app works: jobs run locally against your checkout via your Claude Code subscription, no cloud in the loop.)
Private-network resources. If the data lives behind a VPN or on an internal network, a vendor-hosted server can't reach it. Your options are a local server, or deploying a remote server inside the perimeter — the second is real work and only worth it for team-wide access.
Hard data-residency requirements. With a local server, you can audit exactly what leaves the machine. With a remote server, every tool call and its arguments transit the vendor's infrastructure. For most SaaS data that's a non-issue (the data is already in the vendor's cloud); for regulated or air-gapped environments it can be disqualifying.
Latency-sensitive, high-frequency calls. A tool the model calls hundreds of times per session (say, symbol lookup in a codebase) benefits from zero network overhead.
---
The Auth Difference, Concretely
This is where the two shapes diverge most in day-to-day security posture.
A typical local server config looks like an API key in a JSON file:
{
"mcpServers": {
"some-tool": {
"command": "npx",
"args": ["-y", "some-mcp-server"],
"env": { "SOME_API_KEY": "sk-live-..." }
}
}
}That key is long-lived, unscoped by default, sitting in plaintext, and frequently ends up committed to dotfiles repos. Multiply by every server and every machine.
A remote server connection is an OAuth 2.1 flow: the client discovers the authorization server, you approve scoped access in a browser, and the client holds a refreshable token. Revocation is a dashboard click. Modern remote servers also support Dynamic Client Registration, so clients can onboard without pre-shared secrets. If you're generating local configs anyway, our MCP config generator at least keeps the JSON correct — but the honest advice is: any server you can consume over OAuth, consume over OAuth.
One warning that applies to *both* shapes: tool outputs enter the model's context. A server that returns secrets in tool results has leaked them to the conversation regardless of transport. Vet what servers return, not just how you connect them.
---
Bridging: Using Remote Servers from stdio-Only Clients
Some clients (and older versions of others) only speak stdio. The standard bridge is mcp-remote, which runs locally as a stdio server and proxies to a remote endpoint:
npx mcp-remote https://mcp.openhelm.ai/main/mcpYou get the remote server's capabilities and OAuth flow with a local-shaped config. This is the documented fallback for every OpenHelm MCP server and works for most vendors' endpoints too.
---
Cost and Operations: the Part Nobody Prices In
The sticker price of both shapes is usually zero — most local servers are open source, and most remote servers are free features of products you already pay for. The real costs are operational, and they land differently.
Local servers cost you maintenance. Every server is a dependency with a runtime, a version, and a config entry, times every machine. In practice the failure modes are mundane: a Node upgrade breaks three servers, a teammate's config drifts from yours, an API key expires silently and the agent just stops mentioning that tool. Small individually; a real tax across a team. Budget an hour or two a month per developer for a local-heavy setup, or automate config distribution.
Remote servers cost you trust and latency. Operationally they're nearly free — the vendor runs them — but you've added a network dependency to every tool call (a vendor outage now degrades your agent) and you're trusting the vendor's uptime, rate limits, and data handling. Rate limits deserve specific attention: an agentic session can fire dozens of calls per minute, and some hosted servers throttle well below what an enthusiastic agent generates. Check the documented limits before building a workflow that assumes unlimited calls.
Task-execution servers shift cost to per-run compute. A server like OpenHelm's charges for the sandboxed work itself rather than the connection — which is the right model when one tool call does twenty minutes of browsing, and the wrong one for high-frequency trivial lookups. Match the pricing shape to the call shape.
---
A Sane Default Architecture
For an individual developer or a small team in 2026:
- Local: one filesystem/codebase server per machine where agents do local work — nothing else.
- Remote: official vendor servers (GitHub, Linear, Notion, etc.) for every SaaS product you use, connected via OAuth.
- Remote: one task-execution layer for long-running delegated work — sandboxed research, outreach, scheduled jobs. This is the role OpenHelm's five servers play; the best remote MCP servers list covers the wider field.
Review quarterly: the strong ecosystem trend is servers migrating from "clone this repo" to "add this URL," so a local server you tolerate today probably has a hosted replacement soon.
---
Frequently Asked Questions
What is a remote MCP server?
A remote MCP server is a hosted HTTPS endpoint that exposes MCP tools over Streamable HTTP or SSE transport. Instead of installing and running a process locally, you add the server's URL to your AI client (ChatGPT, Claude, Cursor), authenticate — usually via OAuth — and the client can call its tools over the network.
Are remote MCP servers less secure than local ones?
Different, not strictly less. Remote servers centralise credentials behind OAuth (better than keys in config files) but every tool call transits the network and the vendor's infrastructure. Local servers keep data on-machine but push credential management onto you and run with your user's full permissions. Threat-model both; don't assume either is free.
Can Claude Desktop use both local and remote MCP servers?
Yes. Claude Desktop supports local stdio servers via its config file and remote servers via connectors/custom connector URLs. It's one of the few clients where a fully hybrid setup is native.
Why doesn't ChatGPT support local MCP servers?
ChatGPT runs in OpenAI's cloud (and its apps are thin clients), so there's no sanctioned way for it to spawn and own a process on your machine. It can only reach servers that are network-accessible — i.e., remote ones.
Do I need to build my own remote MCP server to use one?
No. Most major vendors run official remote servers, and platforms like OpenHelm provide hosted task-execution servers you connect by URL. Building your own only makes sense for internal systems no vendor covers — in which case the Cloudflare Workers templates and the official SDKs are the usual starting points.
More from the blog
OpenHelm vs CrewAI vs AutoGPT: Deploying Autonomous AI Agents
Framework or platform? An honest comparison of CrewAI's Python multi-agent framework, the rebuilt AutoGPT Platform, and OpenHelm's managed agent jobs — with a clear-eyed look at what deployment actually costs.
Website Change Monitoring with AI Agents
Pixel-diff tools tell you a page changed; AI agents tell you whether it matters and act on it. How to build semantic website change monitoring with scheduled agent jobs, with an honest comparison to Visualping and Distill.
Stop doing the work around the work
OpenHelm connects to your tools, reads the context, and does the steps, so you sign off on the result instead of producing it. See how it covers an entire role’s weekly workload, check the pricing, or run it yourself with the free local app.