
How Do I Install An MCP Server In VS Code?

Current VS Code MCP setup, workspace vs user configs, trust prompts, input variables, and sandboxing.

Short answer

VS Code now has first-class MCP support. You can add servers in the workspace file .vscode/mcp.json, in your user profile via the Command Palette, through the MCP gallery, or through install links that target the built-in MCP flow.

It is also the most explicit mainstream client about trust and sandboxing, which makes it a good reference point for teams that care about least privilege.

Recommended path

  1. Choose workspace or user scope

    Workspace config lives in .vscode/mcp.json. User config is opened with MCP: Open User Configuration from the Command Palette.

  2. Add a stdio or remote server definition

    Use the servers object in mcp.json. Prefer input variables or env files instead of hardcoding API keys.

  3. Review trust and start the server

    VS Code asks for trust when a new server is started for the first time unless you bypass that by starting it directly from the config file.

Minimal config example

{
  "servers": {
    "aescut": {
      "type": "stdio",
      "command": "npx",
      "args": ["-y", "@aeptus/aescut", "--skip-install"]
    }
  }
}

Why VS Code is worth studying even if you use another client

Microsoft’s current docs are unusually detailed about how MCP configuration really works: separate scopes, input variables for secrets, remote user configuration, auto-start, reset-trust commands, and optional sandboxing for local stdio servers on macOS and Linux.

That documentation surfaces a good security instinct: installation should not be a black box. Users need to know where the server runs and which controls wrap it.

Practical pitfalls

  • Putting a server in user scope when you meant it to run on a remote workspace or dev container.
  • Hardcoding API keys instead of using input variables or an env file.
  • Forgetting that auto-start is experimental and changes how quickly a bad configuration becomes active.
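
One way to catch the hardcoded-key pitfall before an mcp.json is committed, as an added example that is not code from VS Code or from this page. The server names, input ids, the secret-name heuristic and the issue labels are assumptions, and the sample config is constructed.

```javascript
// Added example: flag credentials written literally into a VS Code mcp.json.
// Assumes strict JSON and the inputs/servers/env/headers layout; the name regex is a heuristic.
const SECRET_NAME = /key|token|secret|password|authorization|credential/i;
const INPUT_REF = /\$\{input:([^}]+)\}/g;

function auditMcpConfig(text) {
  const config = JSON.parse(text);
  const inputs = new Map((config.inputs || []).map((i) => [i.id, i]));
  const findings = [];
  for (const [server, def] of Object.entries(config.servers || {})) {
    for (const field of ["env", "headers"]) {
      for (const [key, value] of Object.entries(def[field] || {})) {
        if (typeof value !== "string" || !SECRET_NAME.test(key)) continue;
        const ids = [...value.matchAll(INPUT_REF)].map((m) => m[1]);
        if (ids.length === 0) {
          // No ${input:...} reference: the literal value ships with the file.
          if (value !== "") findings.push({ server, field, key, issue: "hardcoded-secret" });
          continue;
        }
        for (const id of ids) {
          if (!inputs.has(id)) {
            findings.push({ server, field, key, issue: "undeclared-input" });
          } else if (inputs.get(id).password !== true) {
            // Declared, but the prompt would echo the secret as it is typed.
            findings.push({ server, field, key, issue: "input-not-masked" });
          }
        }
      }
    }
  }
  return findings;
}

// Constructed sample: one clean server, one literal key, one unmasked input.
const SAMPLE = JSON.stringify({
  inputs: [
    { type: "promptString", id: "api-key", description: "API key", password: true },
    { type: "promptString", id: "org-token", description: "Org token" },
  ],
  servers: {
    good: { type: "stdio", command: "npx", env: { API_KEY: "${input:api-key}" } },
    bad: { type: "stdio", command: "npx", env: { API_KEY: "constructed-literal-value" } },
    remote: { type: "http", url: "https://mcp.example.invalid/mcp",
              headers: { Authorization: "Bearer ${input:org-token}" } },
  },
});

console.log(auditMcpConfig(SAMPLE));
```

Values supplied through an env file are outside what this check reads, so keep that file out of version control separately.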

Sources and further reading