MCP Secure -- The HTTPS of the Agent Era

Open Source -- MIT Licensed

Cryptographic identity, message signing, and trust verification for the Model Context Protocol.

MCP is HTTP. MCPS is HTTPS.

$ npm install mcp-secure Copied!

$ pip install mcp-secure Copied!

6/6

EU AI Act Articles Covered

8/10

OWASP MCP Risks Mitigated

CVE-2025-6514 -- CVSS 9.6

No Identity

Any agent can connect to any MCP server. No way to verify who is calling. No passports, no certificates, no trust.

OWASP MCP Top 10

No Message Signing

JSON-RPC messages travel unsigned. Man-in-the-middle attacks can modify tool calls, inject parameters, or replay requests.

82% Vulnerable

No Tool Integrity

Tool definitions can be tampered with after registration. Tool poisoning and rug pulls are trivial. 82% of MCP servers have path traversal vulnerabilities.

Enterprise Blocker

No Revocation

Compromised agents cannot be revoked. No mechanism to blacklist bad actors. No audit trail. Enterprise calls MCP a "non-starter."

Agent Passports

ECDSA P-256 signed identity credentials. Every agent gets a cryptographic passport that proves who they are.

Message Signing

Every JSON-RPC message wrapped in a signed envelope. Nonce + timestamp prevents replay attacks.

Tool Integrity

Signed tool definitions prevent poisoning and rug pulls. Detect tampering before execution.

Real-Time Revocation

Revoke compromised agents instantly via Trust Authority. Blacklist bad actors across the network.

Trust Levels (L0-L4)

From unsigned (L0) to audited (L4). Enforce minimum trust levels per server. Progressive trust.

On-Premise

Run your own Trust Authority. All verification stays local. Nothing phones home. Full enterprise control.

const mcps = require('mcp-secure');


const keys = mcps.generateKeyPair();
const passport = mcps.createPassport({
  name: 'my-agent',
  version: '1.0.0',
  publicKey: keys.publicKey,
});


const signed = mcps.signPassport(passport, taPrivateKey);


const envelope = mcps.signMessage(mcpMessage, passport.passport_id, keys.privateKey);


const result = mcps.verifyMessage(envelope, keys.publicKey);

from mcp_secure import generate_key_pair, create_passport, sign_passport
from mcp_secure import sign_message, verify_message


keys = generate_key_pair()
passport = create_passport(
    name="my-agent",
    version="1.0.0",
    public_key=keys["public_key"],
)


signed = sign_passport(passport, ta_private_key)


envelope = sign_message(mcp_message, passport["passport_id"], keys["private_key"])


result = verify_message(envelope, keys["public_key"])

Level	Name	Meaning	Requirements
0	Unsigned	Plain MCP, no MCPS	None
1	Identified	Passport presented	Valid passport with public key
2	Verified	Passport verified + not revoked	Trust Authority confirmation
3	Scanned	Verified + passed security scan	OWASP agentic AI scan
4	Audited	Scanned + manual audit	Trust Authority manual review

✓

MCP01

Token Mismanagement -- Passport-based identity

✓

MCP03

Tool Poisoning -- Tool integrity signatures

✓

MCP04

Supply Chain -- Signed tool definitions

✓

MCP06

Intent Subversion -- Signed messages

✓

MCP07

Insufficient Auth -- Passport verification

✓

MCP08

Lack of Audit -- Signed audit trail

✓

MCP09

Shadow Servers -- Only passported agents

✓

MCP10

Context Injection -- Envelope isolation

Requirement	Article	What MCPS Provides	Status
Record-keeping	Article 12	signMessage() creates ECDSA-signed, tamper-evident audit trail on every tool call. Cryptographic proof of what happened.	COVERED
Transparency	Article 13	Agent Passports declare identity, capabilities, and owner. Machine-readable transparency for every agent.	COVERED
Human oversight	Article 14	Trust levels L0-L4 enforce human-set policies. Agents cannot self-escalate. Cryptographic gate, not prompting.	COVERED
Cybersecurity	Article 15	Per-message ECDSA signing, nonce + timestamp replay protection, TLS channel binding. Protocol-level security.	COVERED
AI identification	Article 50	createPassport() gives every agent a cryptographic identity. Servers know they are talking to an AI agent, not a human.	COVERED
Provider obligations	Article 16	signTool() pins tool definitions. If a tool changes (rug pull), the signature breaks. Supply chain integrity.	COVERED

No other protocol-level solution covers Articles 12, 13, 14, 15, 16, and 50 in a single install.
OAuth handles auth. TLS handles transport. MCPS handles everything in between.

Scan Your Server Read the IETF Spec

Synchronous

ATTP

Agent-to-Server. Like HTTP but every request and response is signed. No insecure mode. Trust-gated access. Built-in audit trail.

attp://api.example.com/v1/data

IETF Draft

Asynchronous

ATP

Agent-to-Agent. Store-and-forward messaging. The agent IS the payload. Cryptographic identity verified at every relay hop.

atp://relay.example.com:4567

IETF Draft

6 IETF Internet-Drafts submitted. 8 UK patents filed. OWASP endorsed. OpenAPI registered.
HTTP was built for humans. ATTP is built for agents. Secure by default.

FAIL 13 agents

WARN 17 agents

PASS 9 agents

Agent	Category	Stars	Verdict	Risk	Key Findings
Open Interpreter	Code Agent	57K+	FAIL	80	exec(), os.system(), child_process, no sandbox
OpenHands	Code Agent	69K+	FAIL	70	subprocess, exec, shell commands, file write
AutoGPT	Autonomous	182K+	FAIL	65	exec(), os.system(), no sandbox
Goose	Code Agent	32K+	FAIL	65	Shell exec core, pkg install, no sandbox
Devika	Code Agent	19K+	FAIL	65	exec(), subprocess, browser automation
Browser Use	Browser Agent	80K+	FAIL	60	Arbitrary browser control, JS injection
BabyAGI	Autonomous	20K+	FAIL	55	exec(), eval(), supply chain
GPT Engineer	Code Agent	53K+	FAIL	55	exec(), subprocess, supply chain
AgentGPT	Autonomous	32K+	FAIL	55	eval(), no sandbox, supply chain
MetaGPT	Multi-Agent	48K+	FAIL	50	subprocess shell=True, no sandbox
ChatDev	Multi-Agent	27K+	FAIL	50	exec(), subprocess
SuperAGI	Autonomous	15K+	FAIL	50	subprocess shell=True, excessive agency
CAMEL	Multi-Agent	6K+	FAIL	40	eval(), supply chain
n8n	Workflow	178K+	WARN	26	Code execution nodes, shell commands, spawn()
LangChain	Framework	100K+	WARN	26	Supply chain, prompt injection vectors
SWE-agent	Code Agent	18K+	WARN	26	Docker exec, subprocess, shell commands
CrewAI	Multi-Agent	45K+	WARN	23	Supply chain, excessive permissions
Microsoft AutoGen	Multi-Agent	50K+	WARN	23	Code execution patterns, supply chain
TaskWeaver	Code Agent	5K+	WARN	23	Eval patterns, no sandbox
Langflow	Agent Builder	145K+	WARN	23	Inherits LangChain exec patterns
Aider	Code Agent	41K+	WARN	23	subprocess for git/tests, shell execution
Dify	Agent Platform	132K+	WARN	21	Sandboxed code exec, tool calling
Crawl4AI	Web Agent	61K+	WARN	21	Playwright subprocess, arbitrary URL fetch
Semantic Kernel	Framework	23K+	WARN	18	Supply chain, output handling
Smolagents	Framework	15K+	WARN	18	Code execution, supply chain
Composio	Agent Tooling	27K+	WARN	18	Sandboxed exec, shell tools
Letta	Stateful Agent	21K+	WARN	18	Tool execution, subprocess
OpenAI Agents SDK	Framework	19K+	WARN	11	Supply chain, excessive agency config
Haystack	Framework	18K+	WARN	11	Supply chain, output handling
Swarm	Multi-Agent	18K+	WARN	11	Excessive agency, supply chain
LlamaIndex	Framework	38K+	PASS	3	Minor supply chain note
Google ADK	Framework	15K+	PASS	3	Minor supply chain note
Amazon Bedrock Agents	Cloud Agent	--	PASS	3	Minor supply chain note
Vercel AI SDK	SDK	12K+	PASS	0	No issues detected
Anthropic Claude SDK	SDK	8K+	PASS	0	No issues detected
Phidata	Framework	18K+	PASS	0	No issues detected
Instructor	SDK	9K+	PASS	0	No issues detected
Mastra	Framework	10K+	PASS	0	No issues detected
AgentSign SDK	Identity SDK	OSS	PASS	0	No issues detected

Point-in-time static analysis. Not a certification. Scanned March 2026 by AgentSign.

 docker run -p 8080:8080 agentsign/server

Secure your agents today.

Zero dependencies. Node.js + Python. MIT licensed.