mcps-gateway

Cryptographic message-integrity layer for AI agent gateways.

Every "AI gateway" on the market today (Cloudflare AI Gateway, Solo.io agentgateway, Kong AI Gateway, Apigee X) is a reverse proxy with OAuth. They authenticate the caller and encrypt the transport. They do not sign individual messages, give agents cryptographic identity, or detect replay or tampering at the message layer.

mcps-gateway is the missing primitive.

What it provides

| Capability | Purpose | |---|---| | Per-message ECDSA P-256 signature | Verifies the agent that sent this exact tool call, not just the gateway it traversed | | Agent identity (AgentPass-compatible cert) | Cryptographic DevEUI-equivalent for AI agents | | Replay protection | Monotonic counter + freshness window catches captured-and-replayed frames | | Transport-agnostic | Works over HTTP, WebSocket, stdio, gRPC, LoRa, satellite | | Tamper-evident audit | Each verified call adds to a hash-chained log |

Where it plugs in

Drop in front of (or inside) any MCP server, agent gateway, or LLM proxy:

Agent ──signed call──> mcps-gateway ──verified──> MCP server / tool
                       ↓
                   tamper-evident audit

Companion packages:

• kong-plugin-mcps — Lua plugin for Kong / Kong AI Gateway
• apigee-mcps — JS-callout policy for Apigee X
• mcp-secure — core MCPS primitives (sign/verify)
• mcps-stdio — MCPS over stdio transport

Standards

• IETF: draft-sharif-mcps-secure-mcp
• OpenAPI: x-agent-trust (registry PR #67, merged)
• OWASP: MCP Security Cheat Sheet, Section 7

Status

v0.0.1 — placeholder release reserving the name. Standalone runtime (Node + Docker image) ships in next release. Production-ready MCPS sign/verify already shipping in mcp-secure.

Licence

BUSL-1.1 — Business Source License. Non-production use is free. Production / commercial use requires a paid licence.

Contact: [email protected]

CyberSecAI Ltd. Patents pending (GB2604808.2, GB2607128.2 and others).