Every AI agent tool call arrives without verifiable identity. When an agent invokes an API or reads a data store. The receiving service has no cryptographic proof of which agent is calling, who authorized it, or what scope was granted. This identity gap means servers cannot distinguish a legitimate agent from a compromised one. Trusting an unverified agent with production data is an unacceptable risk.
Book a demo to see MCP-I in action and learn how cryptographic identity verification protects your agent infrastructure.
Model Context Protocol MCP-I security extends the standard MCP transport with a cryptographic preamble that carries a Decentralized Identifier (DID). A Verifiable Credential (VC) delegating specific scopes, and an Ed25519 signature chain linking every agent action to an authorized human. Developed by Vouched in collaboration with the Decentralized Identity Foundation (DIF). This open-standard identity layer lets services verify agent identity, delegation authority, and permission scope before executing any tool call.
Model Context Protocol MCP-I Security: The Identity Gap in AI Agent Communication
Base MCP provides a client-server transport for AI agents to access tools and data, but it has no native identity or authorization layer. A server receiving an MCP request cannot determine which agent sent it, who authorized the call, or what permissions the caller holds. This gap creates a confused-deputy attack surface where any agent with network access can invoke any tool.
The fundamental problem is structural. Anthropic released the Model Context Protocol in November 2024 to solve data silo access for AI assistants. MCP uses a client-server model where a host application connects to context servers through a standardized transport. This works well for read operations on development tools. However, the protocol specification explicitly omits identity and authorization semantics. The server has no mechanism to verify the caller's identity or determine whether the caller is authorized to perform the requested operation.
Bearer tokens are not identity
Current MCP deployments often rely on bearer tokens passed through the transport layer. A bearer token proves only that the caller possesses a shared secret. It does not prove caller identity, does not trace to an authorized human, and provides no mechanism for granular scope enforcement. If a token leaks, the attacker inherits full access until the token is revoked. For agentic systems that chain multiple tool calls across services, bearer-based auth creates an unmanageable attack surface. Every intermediate hop must be trusted with the raw secret.
Audit trail deficiencies
Without per-call identity, audit logs record that "an agent" accessed a resource but cannot attribute the action to a specific agent instance or its authorizing human. This blind spot makes compliance with regulations like HIPAA, SOC 2, and GDPR impractical. If a breach occurs, investigators cannot trace the action back to a specific delegation chain. The AI agent authentication model must provide cryptographic attestation for every call, not just session-level tokens.
What Is MCP-I? An Identity Layer for the Model Context Protocol
MCP-I is an open-source identity and delegation framework that prepends a cryptographic preamble to standard MCP messages. It uses W3C Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs) signed with Ed25519 keys to bind each agent request to a verified human operator and an explicit set of authorized scopes. Vouched contributed MCP-I to DIF to establish an open standard.
MCP-I transforms every MCP message from an anonymous request into a verifiable claim. Rather than asking servers to trust the caller, MCP-I provides cryptographic proof of identity, delegation, and scope in a compact preamble. This approach requires no changes to the MCP transport itself. Servers that implement MCP-I can verify proofs locally without calling any central authority.
Cryptographic primitives: DIDs, VCs, and Ed25519
At the protocol level, MCP-I uses three core primitives:
did:keyformat to bind each agent and service to a unique Ed25519 public key. No central registry or certificate authority is required. The DID document is derived directly from the key material.- W3C Verifiable Credentials to encode delegation grants. A human operator signs a VC that specifies the agent's permitted actions, target resources, and expiration window. The agent includes this VC in every proof it presents.
- Ed25519 signature chains to link every tool call back to the authorizing human. Each proof carries a nonce, timestamp, and scope claim signed by the agent's private key, which was in turn granted by the human's signing key.
Proofs have a five-minute time-to-live. Short expiration windows prevent replay attacks without requiring centralized revocation infrastructure. A proof that exceeds its exp claim is rejected before any tool logic executes. Vouched's donation of MCP-I to DIF ensures the standard remains vendor-neutral and auditable by the broader security community.
Seamless integration via preamble
Because MCP-I operates as a cryptographic preamble rather than a protocol fork, teams can adopt it incrementally. An MCP server that does not implement MCP-I simply ignores the preamble and processes the standard message body. A server that implements MCP-I can enforce identity and scope checks before routing to the handler. This dual-mode compatibility means teams can deploy MCP-I on internal-facing services first and expand to public-facing endpoints as the agent ecosystem matures.
How MCP-I Uses Cryptographic Proofs for Agent Verification
Each MCP-I proof is a signed JSON object containing the agent's did:key, the delegating human's DID, the authorized scopes as a JSON-LD proof set, a nonce, and an expiration timestamp. The receiving service verifies the Ed25519 signature, checks the scope grant, and validates the proof window before routing the call.
The verification flow follows a deterministic sequence that any MCP-I-compatible middleware can implement:
- Extract the preamble from the MCP message header before the standard JSON-RPC payload.
- Resolve the agent DID from the
issfield of the proof to derive its Ed25519 public key. - Verify the Ed25519 signature against the proof body using the resolved public key.
- Validate temporal bounds , check
nbf(not before) andexp(expiration) against the current system time with a configurable clock skew tolerance (default 30 seconds). - Resolve the delegator DID from the embedded Verifiable Credential's
issuerfield. - Verify the scope grant , confirm the requested tool and parameters fall within the VC's
credentialSubject.scopeconstraints. - Check agent reputation (optional) , evaluate the agent's history through Vouched's Agent Checkpoint for behavioral signals.
- Route or reject , pass the verified agent identity and scopes to the handler, or return a 401 or 403 with the specific error code.
This verification sequence operates entirely on the service side with no external API calls for the cryptographic checks. The DID resolution and signature verification are local operations that complete in microseconds. Vouched's Agent Checkpoint packages this logic as a middleware library that integrates with Express.js and other Node.js frameworks.
Trustless Delegation: How MCP-I Replaces Bearer Tokens with Cryptographic Authority
Bearer tokens grant access to whoever holds them, regardless of identity or intent. MCP-I replaces this model with cryptographic delegation. An agent proves it holds a Verifiable Credential signed by an authorized human, scoped to specific operations, and bound to a short time window. The service verifies the proof locally without any shared secret.
The delegation chain in MCP-I functions as a digital power of attorney. A human operator signs a Verifiable Credential that grants an agent the authority to perform specific operations (read, write, execute) on specific resources for a defined period. The agent presents this VC with each tool call, signed by its own Ed25519 key to prove possession of the delegated authority. The service verifies both signatures: the agent's proof of possession and the human's delegation grant.
| Property | Bearer Tokens / OAuth | MCP-I Cryptographic Delegation |
|---|---|---|
| Identity proof | None (bearer-only) | Ed25519 + DID verification |
| Scope granularity | Fixed at token issuance | Per-call Verifiable Credential |
| Revocation model | Centralized blacklist | Short TTL + local expiry verification |
| Human-to-agent link | Not provable per call | Signed VC delegation chain |
| Audit trail | Token-level only | Per-call cryptographic attestation |
The key advantage of cryptographic delegation is that the service never needs to store shared secrets. It derives trust from the public key material embedded in the DID document and the signature chain linking each call to an authorized human. AI agent authentication shifts from possession-based models to proof-based models.
How Know Your Agent (KYA) Answers the Four Identity Questions
KYA is Vouched's framework for verifying autonomous agents by answering four questions: who is the agent. Who authorized it, what is it allowed to do, and when can it act. MCP-I implements these checks through DID-based agent identity, VC-based delegation proofs, scope-constrained permissions, and time-bound credentials with five-minute expiration windows.
Who is the agent?
Every MCP-I agent has a unique did:key derived from its Ed25519 public key. This identifier is self-certifying. No central registry or CA is needed because the DID document is computed from the key material. An agent proves its identity by signing the request with its private key, and the service verifies the signature against the DID.
Who authorized the agent?
The Verifiable Credential embedded in each MCP-I proof carries an issuer field identifying the human or organizational actor that delegated authority. Vouched's platform provides the identity verification infrastructure to establish the link between the human identity and their signing key through established KYC workflows. The four actors in the KYA model are the User (human), the Agent (software), the Service (resource provider), and the Verifier (identity proofing authority).
What can the agent do?
Scope constraints are encoded in the VC's credentialSubject.scope as a JSON-LD proof set. An agent might be granted read:transactions but not write:transactions, or execute:analytics but not execute:payments. These granular permissions prevent the confused-deputy escalation that plagues bearer-token architectures.
When can the agent act?
Every proof carries an exp claim set to five minutes from issuance. The service rejects expired proofs before evaluating any scopes. This short window minimizes the blast radius of a compromised agent. An attacker who captures a signed proof cannot replay it after the five-minute window closes.
Implementing MCP-I Verification with Agent Checkpoint
Vouched's Agent Checkpoint middleware provides a drop-in verification layer for Node.js services. The @kya-os/bouncer-middleware package exposes a createBouncerMiddleware() function that extracts MCP-I proofs from incoming requests, validates signatures and scopes, and enforces reputation thresholds.
Middleware integration
The Express.js middleware integrates in four lines:
import { createBouncerMiddleware } from '@kya-os/bouncer-middleware';
const bouncer = createBouncerMiddleware({
minReputation: 0.7,
requiredScopes: ['read:customer-data']
});
app.use('/api/protected', bouncer);
The createBouncerMiddleware function accepts a configuration object for reputation thresholds and required scope constraints. When a request arrives without a valid MCP-I proof, the middleware returns a 401 MISSING_PROOF response before any application code executes. When a proof is present but invalid (expired, wrong scope, bad signature), the middleware returns a 403 with a specific error code.
Verification handshake sequence
When an MCP-I agent calls a protected endpoint, the verification follows this sequence:
- The agent requests a nonce from the service to prevent replay across sessions.
- The agent constructs a proof object: agent DID, delegating human DID, scope claim, nonce,
nbf, andexp. - The agent signs the proof with its Ed25519 private key and attaches it as the MCP-I preamble header.
- Agent Checkpoint extracts the preamble, resolves the
did:keyto the agent's public key, and verifies the signature. - The middleware validates the delegation VC: issuer signature, scope constraints, and temporal bounds.
- Agent reputation is evaluated against the configured threshold.
- On success, the verified identity and scope context are attached to the request object for downstream handlers.
- On failure, the appropriate HTTP status and error code are returned without executing the handler.
Handling verification errors
| Error Code | HTTP Status | Cause |
|---|---|---|
| MISSING_PROOF | 401 | No MCP-I preamble found in the request headers |
| INVALID_PROOF | 403 | Signature verification failed or payload is malformed |
| EXPIRED_PROOF | 403 | Proof exp timestamp is in the past |
| SCOPE_VIOLATION | 403 | Requested operation exceeds the VC's authorized scopes |
| REPUTATION_FAILURE | 403 | Agent reputation score is below the configured threshold |
The error response body includes a structured JSON payload with the error code, a human-readable message, and the proof_id for debugging. Services can log these events for audit and alerting purposes.
Frequently Asked Questions
What problem does MCP-I solve that MCP alone cannot?
Base MCP provides a transport protocol for AI agents to access tools and data but defines no identity, authentication, or authorization semantics. Without MCP-I, a server receiving an MCP request cannot verify the caller's identity or determine whether the requested operation is authorized. MCP-I fills this gap by adding a cryptographic preamble for proof-based verification.
Does MCP-I require changes to the MCP transport?
No. MCP-I operates as a cryptographic preamble prepended to standard MCP JSON-RPC messages. The underlying transport remains unchanged. Servers that do not implement MCP-I ignore the preamble and process the standard message body. This dual-mode compatibility allows incremental adoption without forking the protocol.
How does MCP-I handle proof revocation?
MCP-I uses short-lived proofs with a five-minute TTL rather than centralized revocation lists. If a human operator needs to revoke an agent's authority, they simply stop issuing new proofs. Existing proofs expire within five minutes without requiring a revocation endpoint. This design avoids the complexity of certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responders.
Can MCP-I work with existing OAuth and OpenID Connect infrastructure?
Yes. MCP-I can integrate with existing identity providers by wrapping OIDC tokens or JWTs in the Verifiable Credential format. The agent presents the existing token as a VC, signed with the agent's Ed25519 key. And the service verifies both the original token's validity and the agent's proof of possession. This allows teams to adopt MCP-I without replacing their existing identity infrastructure.
Ready to Secure Your Agent Infrastructure
Model Context Protocol MCP-I security solves the identity gap in agent communication by replacing bearer-based trust with cryptographic proofs. Every agent call carries a verifiable chain of delegation from the authorized human to the specific operation being executed. Services verify proofs locally without external API calls, and short-lived credentials eliminate the need for centralized revocation.
Book a demo with Vouched to see how Agent Checkpoint and KYA integrate with your existing MCP infrastructure.
