Hosting your own MCP server in production is a small but real operations job. Five managed providers now offer to do it for you, with varying trade-offs on isolation, observability, networking, and price. Here is the head-to-head plus the build-vs-buy decision matrix.
What managed MCP hosting actually does
A useful provider gives you:
- A runtime that runs your MCP server image (Docker or WASM).
- Per-tenant isolation strong enough that one bad server cannot affect another.
- An HTTP+SSE endpoint your agent host connects to.
- Observability of tool calls, errors, latency.
- Auth integration with your IdP.
- Egress controls (the DLP layer).
A provider that gives you only "Docker as a service" is not enough.
The 5 contenders
1. Anthropic Hosted Tools
First-party. Tightest integration with Claude Desktop and Claude Code. Limited to MCP servers built in supported runtimes.
- Strengths: zero plumbing for Claude users; integrated billing.
- Weaknesses: vendor lock-in; not yet multi-cloud.
2. Cloudflare Workers MCP
Edge-hosted, fast cold starts, generous free tier. Built on Workers + Durable Objects.
- Strengths: edge latency; cheap; tight with Cloudflare data products.
- Weaknesses: WebAssembly-only; some Node ecosystem missing.
3. Modal MCP
GPU-aware host. If your MCP server runs inference (image gen, embedding, OCR), Modal is the natural pick.
- Strengths: GPU support; Python-native; good autoscaling.
- Weaknesses: more expensive; Python-leaning.
4. Vercel MCP
Functions-style hosting; tight with Next.js apps.
- Strengths: trivial deploy; familiar to Vercel users.
- Weaknesses: stateless model fights with stateful MCP servers.
5. Smithery Hosted
Operated by the marketplace; most listings can be one-click hosted.
- Strengths: instant for catalogued servers; payment built in.
- Weaknesses: less control; isolation is shared by default.
Comparison
| Provider | Isolation | Cold start | GPU | Observability | Per-tenant scope |
|---|---|---|---|---|---|
| Anthropic Hosted | Strong | Low | No | Built-in | Yes |
| Cloudflare Workers | Strong (V8 isolate) | Lowest | No | Workers Analytics | Yes |
| Modal | Container | Medium | Yes | Built-in | Yes |
| Vercel | Container | Medium | No | Vercel Observability | Yes |
| Smithery | Shared by default | Low | No | Basic | Limited |
Build vs buy decision matrix
Build when:
- You need data residency in a region none of these covers.
- The server runs against internal-only services unreachable from the internet.
- Compliance demands you operate the runtime yourself.
- You already have a strong infra team and the volume to amortise.
Buy when:
- You ship MCP as a product and need fast iteration.
- The MCP server runs against public APIs anyway.
- You are below 50 servers in production.
- You want billing in someone else's hands.
For most teams, the answer is buy for everything outside your security perimeter, build for everything inside.
Networking patterns
Three configurations show up most often:
- Public endpoint, OAuth-gated — the simplest; fits most SaaS-side servers.
- Private endpoint via VPN / PrivateLink — for servers that touch internal data.
- Hybrid — managed runtime, but MCP server connects out to your VPN for data.
All five providers support at least the first two.
Cost ballpark
| Volume | Build (you operate) | Buy (managed) |
|---|---|---|
| 5 servers, 100k calls/mo | $200 + 1 day/mo | $50–150 |
| 30 servers, 5M calls/mo | $1500 + 0.25 FTE | $800–2500 |
| 100 servers, 50M calls/mo | $8000 + 1 FTE | $5k–20k |
The crossover point where managed becomes more expensive than DIY is around 100 servers / 50M calls, which is large but not implausible for an enterprise.
What to look for in any provider
- Per-server isolation (not just per-tenant).
- Bring-your-own-image support.
- IdP integration that maps to your existing groups.
- Egress controls per server.
- Audit log export to your SIEM.
- A clear migration story when you outgrow them.
Common mistakes
- Picking by price alone — isolation matters more.
- Ignoring egress — the cheap option that lets a compromised server exfiltrate is not the cheap option.
- Vendor lock-in via auth — if the provider is the only IdP integration, you cannot leave.
- No own observability — relying solely on the provider's UI is fine until you need to investigate.
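The egress and own-observability points above can be checked against an exported audit log. The following is an added example, not code from this article or from any provider: it assumes a hypothetical JSON Lines export with `server` and `egress_url` fields and a hypothetical per-server allowlist, and flags every record whose destination falls outside that server's policy.

```python
import json
from urllib.parse import urlsplit

# Hypothetical per-server policy; "*.suffix" allows subdomains, not the bare suffix.
ALLOWLIST = {
    "crm-sync": ["api.crm.example", "*.storage.example"],
    "ocr": ["models.internal.example"],
}

# Constructed sample export (JSON Lines). Field names are assumptions,
# not any provider's real audit-log schema.
SAMPLE_EXPORT = """\
{"server":"crm-sync","tool":"get_contact","egress_url":"https://api.crm.example/v1/7"}
{"server":"crm-sync","tool":"upload","egress_url":"https://eu.storage.example/put"}
{"server":"crm-sync","tool":"upload","egress_url":"https://API.CRM.EXAMPLE.cdn.example/x"}
{"server":"ocr","tool":"run","egress_url":"http://203.0.113.9:8080/collect"}
{"server":"notes","tool":"save","egress_url":"https://api.crm.example/v1"}
not-json garbage line
"""

def host_allowed(host, patterns):
    host = host.lower().rstrip(".")  # normalise case and a trailing root dot
    for p in (p.lower() for p in patterns):
        if p.startswith("*."):
            # Suffix match on a label boundary: ".storage.example", never "xstorage.example".
            if host.endswith(p[1:]) and host != p[1:]:
                return True
        elif host == p:
            return True
    return False

def audit(export_text, allowlist):
    """Return (line_no, server, reason) for every record that needs review."""
    findings = []
    for n, line in enumerate(export_text.splitlines(), 1):
        try:
            rec = json.loads(line)
            server = rec["server"]
            host = urlsplit(rec["egress_url"]).hostname or ""
        except (ValueError, KeyError, TypeError, AttributeError):
            findings.append((n, None, "unparseable record"))  # never drop silently
            continue
        if server not in allowlist:
            findings.append((n, server, f"no egress policy; saw {host}"))
        elif not host_allowed(host, allowlist[server]):
            findings.append((n, server, f"egress to {host} outside allowlist"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_EXPORT, ALLOWLIST), sep="\n")
```

Servers with no policy entry and lines that fail to parse are reported rather than skipped, so a gap in the export or in the allowlist shows up as a finding.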
Where this is heading
Two shifts to watch: standardised MCP-runtime APIs so providers become interchangeable, and managed offerings appearing inside hyperscalers (AWS, GCP and Azure are all working on this). Build the abstractions now, swap providers later.