tether-name-mcp-server

MCP server for tether.name — AI agent identity verification.

This server wraps the tether-name SDK, letting any MCP-compatible AI agent verify its identity through Tether without writing integration code.

What is Tether?

Tether is an identity verification service for AI agents. Agents hold their own RSA private keys and prove their identity by signing cryptographic challenges — no custodial risk, no passwords.

Quick Start

npx tether-name-mcp-server

Configuration

The server reads from environment variables:

| Variable | Required | Description | |---------------------------|-----------------------|------------------------------------------------------| | TETHER_AGENT_ID | For sign/submit/verify tools | Your Tether agent ID | | TETHER_PRIVATE_KEY_PATH | For sign/submit/verify tools | Path to your RSA private key (PEM or DER) | | TETHER_API_KEY | For management tools | Management bearer token (API key or JWT) | | TETHER_API_URL | Optional | Override API base URL for key-lifecycle tools (list_agent_keys, rotate_agent_key, revoke_agent_key) |

verify_identity, request_challenge, sign_challenge, submit_proof, create_agent, list_agents, delete_agent, update_agent_identity, and list_domains use the SDK default API URL (https://api.tether.name).

MCP Client Setup

Claude Desktop

Add to your claude_desktop_config.json:

{
  "mcpServers": {
    "tether": {
      "command": "npx",
      "args": [
        "-y",
        "tether-name-mcp-server"
      ],
      "env": {
        "TETHER_AGENT_ID": "your-agent-id",
        "TETHER_PRIVATE_KEY_PATH": "/path/to/private-key.pem",
        "TETHER_API_KEY": "sk-tether-name-..."
      }
    }
  }
}

TETHER_API_KEY is only needed for management tools (create_agent, list_agents, delete_agent, update_agent_identity, list_domains, list_agent_keys, rotate_agent_key, revoke_agent_key).

request_challenge does not require agent key env vars. verify_identity, sign_challenge, and submit_proof require both TETHER_AGENT_ID and TETHER_PRIVATE_KEY_PATH.

Cursor

Add to .cursor/mcp.json in your project:

{
  "mcpServers": {
    "tether": {
      "command": "npx",
      "args": [
        "-y",
        "tether-name-mcp-server"
      ],
      "env": {
        "TETHER_AGENT_ID": "your-agent-id",
        "TETHER_PRIVATE_KEY_PATH": "/path/to/private-key.pem"
      }
    }
  }
}

VS Code

Add to your VS Code settings or .vscode/mcp.json:

{
  "mcp": {
    "servers": {
      "tether": {
        "command": "npx",
        "args": [
          "-y",
          "tether-name-mcp-server"
        ],
        "env": {
          "TETHER_AGENT_ID": "your-agent-id",
          "TETHER_PRIVATE_KEY_PATH": "/path/to/private-key.pem"
        }
      }
    }
  }
}

Tools

Verification

| Tool | Description | |-----------------------|--------------------------------------------------------------------------------------------| | verify_identity | Complete verification flow in one call — requests a challenge, signs it, and submits proof | | request_challenge | Request a new challenge string from the Tether API | | sign_challenge | Sign a challenge string with the configured RSA private key | | submit_proof | Submit a signed proof for a challenge | | get_agent_info | Show the currently configured agent ID and key path |

Agent Management

These tools require TETHER_API_KEY to be set (it can be an API key or JWT bearer token).

| Tool | Description | |-----------------------|--------------------------------------------------------------------------------------------| | create_agent | Create a new agent (with optional domain assignment via domainId) | | list_agents | List all agents for the authenticated account | | delete_agent | Delete an agent by ID | | update_agent_identity | Update whether verification shows a verified domain (domainId) or account email | | list_domains | List all registered domains | | list_agent_keys | List key lifecycle entries (active, grace, revoked) for an agent | | rotate_agent_key | Rotate an agent key (requires step-up: stepUpCode or challenge + proof) | | revoke_agent_key | Revoke a key (requires step-up: stepUpCode or challenge + proof) |

For automation with API keys, prefer challenge+proof step-up.

How It Works

1. The agent calls verify_identity
2. The MCP server requests a challenge from api.tether.name
3. The challenge is signed locally using the agent's private key (the key never leaves the machine)
4. The signed proof is submitted back to Tether for verification
5. The result includes the agent's verified name and a public verification URL

For more granular control, use request_challenge, sign_challenge, and submit_proof individually.

Security

• Non-custodial: Your private key stays on your machine. The MCP server reads it from a local file path — it's never transmitted.
• No passwords: Identity is proven through RSA challenge-response, not stored secrets.
• Local execution: The server runs as a local subprocess via STDIO. No remote server holds your keys.

Publishing

Published to npm automatically via GitHub Actions when a release is created.

Version checklist

Update the version in:

1. package.json → "version"
2. src/index.ts → version in McpServer constructor

Steps

1. Update version numbers above (they must match)
2. Commit and push to main
3. Create a GitHub release with a matching tag (e.g. v1.0.0)
4. CI builds and publishes to npm automatically

Manual publish (if needed)

npm run build
npm publish --access public

Links

• tether.name — Agent identity verification
• tether-name SDK — Node.js SDK
• MCP Protocol — Model Context Protocol

License

MIT