Model Context Protocol Secure.

A cryptographically grounded extension to the Model Context Protocol. Per-message signing, agent identity binding, replay protection, tamper-evident audit. Open specification — multiple production adopters.

IETF draft-sharif-attp · OWASP MCP Cheat Sheet § 7 · AISVS 1.0 contributor · CIS MCP Benchmark draft

The gap MCPS closes

The Model Context Protocol lets AI agents call external tools, screen counterparties, move money, and make compliance decisions on behalf of regulated businesses. The protocol does not, by itself, answer the four questions any auditor, regulator, or incident responder will ask:

Which agent made this call?
What is that agent authorised to do, and at what assurance level?
Was the message altered in transit, or replayed from earlier traffic?
Can the audit trail be trusted, end to end, on both sides?

MCPS is the layer that answers all four. It is an open specification, not a product.

What the protocol provides

Per-message signing. Every request and response is cryptographically signed at the message layer — not just the transport layer. Modifications in transit are detectable.
Agent identity binding. Each call carries a cryptographic agent passport asserting agent ID, controlling principal, and trust level (L0–L4). Calls without identity, or below the required level, are rejected before the tool is invoked.
Replay protection. Nonce plus monotonic timestamp window, validated server-side. Both in-memory and durable backends are specified; in-memory implementations are required to enforce a TTL matching the persistence window.
Tamper-evident audit log. Hash-chained, append-only. Every entry binds to the previous by SHA-256. A modified entry breaks the chain.
Downgrade resistance. A server in strict mode MUST fail closed on signature verification failure. Silent fallback to unsigned is a protocol error.

MCPS addresses 8 of the 10 risks in the OWASP MCP Top 10, including tool/context poisoning, response tampering, intent subversion, insufficient authentication, and lack of auditability.

Adopters

moov-io · Watchman

The first open-source sanctions screening API to implement MCPS. AI agents present a cryptographic passport before they can query OFAC, EU, UK, or other global lists. Every response is message-layer signed and recorded in a tamper-evident audit log.

moov.io →

Add your integration

If you are implementing MCPS in production, or evaluating it for a regulated workload, get in touch.

Standards alignment

IETF draft-sharif-attp — Agent Trust Transport Protocol. MCPS is the MCP binding.

OWASP MCP Security Cheat Sheet § 7. AISVS 1.0 contributor (controls 10.2.13, 10.4.11, 10.6.4).

CIS MCP Security Benchmark draft v1.0 — 22 controls across six domains, mapping to CIS Controls v8.1.

EU AI Act Articles 12 (record-keeping), 14 (human oversight), 15 (accuracy / robustness / cybersecurity), 50 (transparency obligations).

Reference implementation

A signed MCPS request looks like a normal MCP call with five additional headers. Servers verify the passport, trust level, signature, nonce, and timestamp before dispatching the tool.

# Signed MCP tool call
curl -X POST https://watchman.example/mcp/v1/tools/call \
  -H "MCPS-Signature: ed25519=…"                  \
  -H "MCPS-Agent-Id: agent_a5ddf3ac824335de"      \
  -H "MCPS-Trust-Level: L3"                       \
  -H "MCPS-Nonce: 7f9c2b41a3…"                    \
  -H "MCPS-Timestamp: 2026-05-11T11:30:00Z"       \
  -d '{"name":"search_entities","arguments":{"q":"…"}}'

# Server verifies passport → trust level → signature → nonce → timestamp.
# Response is itself MCPS-signed; client verifies before trusting.
# Hash-chained audit entry appended on both ends.

A live end-to-end demonstration is available — agent onboarding, identity verification, signed sanctions screening, and the audit chain — at the reference demo.

Contribute

MCPS is developed in the open. The specification is on the IETF datatracker; reference implementations are published as they reach production maturity.

Read the spec: draft-sharif-attp
Production adopters: get in touch about being listed