AI agents call tools on your behalf. But today, there's no way to know who called, whether they were allowed to, or what actually happened. MCP-I fixes that.

• Every server gets a cryptographic identity (DID) — no accounts, no API keys, no central registry
• Every tool call gets a signed proof — a tamper-evident receipt the agent can't forge or deny
• Protected tools require human consent — per-tool authorization via W3C Delegation Credentials
• The AI never knows — identity, proofs, and consent happen transparently in the protocol layer

npm install @mcp-i/core

Migrate Any MCP Server in 2 Lines

Before — a standard MCP server with no identity or proofs:

import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';

const server = new McpServer({ name: 'my-server', version: '1.0.0' });

server.registerTool('greet', { description: 'Say hello' }, async (args) => ({
  content: [{ type: 'text', text: `Hello, ${args.name}!` }],
}));

After — every tool response now carries a signed cryptographic proof:

import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
import { withMCPI, NodeCryptoProvider } from '@mcp-i/core';  // +1 line

const server = new McpServer({ name: 'my-server', version: '1.0.0' });
await withMCPI(server, { crypto: new NodeCryptoProvider() }); // +1 line

server.registerTool('greet', { description: 'Say hello' }, async (args) => ({
  content: [{ type: 'text', text: `Hello, ${args.name}!` }],
}));

That's it. withMCPI auto-generates an Ed25519 identity, registers the _mcpi protocol tool, and wraps the transport so every tool response includes a detached JWS proof in _meta — invisible to the LLM, verifiable by anyone.

See the full working example: examples/context7-with-mcpi — a real MCP server (Context7) migrated with exactly 2 lines of code.

Protect Tools with Human Consent

Some tools shouldn't run without a human saying "yes." MCP-I adds per-tool authorization using W3C Verifiable Credentials:

const checkout = mcpi.wrapWithDelegation(
  'checkout',
  { scopeId: 'cart:write', consentUrl: 'https://example.com/consent' },
  mcpi.wrapWithProof('checkout', async (args) => ({
    content: [{ type: 'text', text: `Order placed: ${args.item}` }],
  })),
);

When an agent calls checkout without a delegation credential, it gets back a needs_authorization response with a consent URL. The human approves, a scoped credential is issued, and the agent retries — now authorized.

Try it yourself: examples/consent-basic walks through the full consent flow end-to-end.

See It in Action

git clone https://github.com/modelcontextprotocol-identity/mcp-i-core.git
cd mcp-i-core && npm install
bash scripts/demo.sh

This starts all example servers and opens MCP Inspector. Connect to any server, call a tool, and inspect the proof in _meta:

| Port | Example | What it demonstrates | |------|---------|---------------------| | 3001 | node-server | Proofs + restricted tools (low-level API) | | 3002 | consent-basic | Human consent flow with built-in UI | | 3003 | consent-full | Production consent UI (@kya-os/consent) | | 3004 | context7-with-mcpi | 2-line migration of a real MCP server |

Also available: outbound-delegation (gateway pattern), verify-proof (standalone verification), statuslist (revocation lifecycle).

What's Under the Hood

| Capability | How it works | |-----------|-------------| | Cryptographic identity | Ed25519 key pairs, did:key and did:web resolution | | Signed proofs | Detached JWS over JCS-canonicalized request/response hashes | | Delegation credentials | W3C Verifiable Credentials with scope constraints | | Revocation | StatusList2021 bitstring with cascading revocation | | Replay prevention | Nonce-based handshake with timestamp skew validation | | Extensible | Bring your own KMS, HSM, nonce cache (Redis, DynamoDB, KV), or DID method |

Links

• Spec | DIF TAAWG | npm
• CONTRIBUTING.md | CONFORMANCE.md | SECURITY.md | GOVERNANCE.md

License

MIT