Attest Mcp

1STDIOregistry active

Summary

This is middleware that sits in front of your MCP server and checks short-lived tokens on every tool call. It's part of the Attest project, which issues scoped credentials to agents, gates risky mutations through policy or approval workflows, and logs signed receipts. The standalone MCP server exposes tools like issue_credential, delegate_credential, list_tasks, and get_audit_trail. The middleware package lets you wrap your own MCP endpoints so agents must present valid grants before executing actions like refunds or sending email. Scopes use resource:action syntax (gmail:send, *:read). Useful when you want cryptographic proof of what an agent did and want to enforce that a support bot can't escalate from read-only research to writing production data without an explicit grant.

CodeRabbit

AI writes the code. CodeRabbit catches the slop.

Try For Free →

Keep your Mac awake

Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.

One time payment $9 →

Context.dev

Integrate web data into your AI product. One API to scrape website & brand data.

Get API Key Now →

Make your agent a DeFi expert

Agent, run crypto. Access onchain data & trade routes via 1inch.

Install now →

Make money from your Skills

On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.

Start earning →

AppSignal

Monitor with ease. Code with confidence.

Start Free Trial →

CodeRabbit

AI writes the code. CodeRabbit catches the slop.

Try For Free →

Keep your Mac awake

Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.

One time payment $9 →

Context.dev

Integrate web data into your AI product. One API to scrape website & brand data.

Get API Key Now →

Make your agent a DeFi expert

Agent, run crypto. Access onchain data & trade routes via 1inch.

Install now →

Make money from your Skills

On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.

Start earning →

AppSignal

Monitor with ease. Code with confidence.

Start Free Trial →

Attest

Attest controls and proves risky AI actions before they hit production systems. It gives agents signed, scope-limited credentials, routes high-risk mutations through policy and optional approval, issues short-lived execution grants, and leaves signed receipts that can be verified later.

This repository also includes a standalone MCP server:

TypeScript MCP server — a real stdio Model Context Protocol server that exposes Attest tools like issue_credential, delegate_credential, list_tasks, get_audit_trail, get_evidence, and approval actions.
TypeScript MCP middleware — middleware for protecting your own MCP server with Attest.

Quickstart (TypeScript)

import { AttestClient } from '@attest-dev/sdk';

const client = new AttestClient({ baseUrl: 'http://localhost:8080', apiKey: 'dev' });

// 1. Issue a root credential for your agent workflow
const root = await client.issue({
  agent_id: 'support-bot',
  user_id: 'alice@acme.com',
  scope: ['refund:execute', 'credit:execute'],
  instruction: 'Review support incidents and safely process eligible refunds.',
});

// 2. Request a risky action before touching the target system
const action = await client.requestAction({
  action_type: 'refund',
  target_system: 'stripe',
  target_object: 'order_ORD-4821',
  action_payload: {
    amount_cents: 4799,
    currency: 'USD',
    reason: 'damaged_item',
  },
  agent_id: 'support-bot',
  sponsor_user_id: 'alice@acme.com',
  att_tid: root.claims.att_tid,
});

if (action.status !== 'approved' || !action.grant?.token) {
  throw new Error(`refund needs approval: ${action.status}`);
}

// 3. Execute with the short-lived grant, then record the receipt
const receipt = await client.executeAction(action.id, {
  outcome: 'success',
  provider_ref: 're_abc123',
  response_payload: { stripe_status: 'succeeded' },
});
console.log(receipt.signed_packet_hash);

// 4. Fetch the immutable receipt later
const confirmed = await client.getReceipt(action.id);
console.log(confirmed.outcome, confirmed.provider_ref);

Scope syntax

Scopes follow the pattern resource:action. Either field may be * as a wildcard.

Expression	Meaning
`gmail:send`	Send via Gmail only
`gmail:*`	All Gmail actions
`*:read`	Read access to any resource
`:`	Full access (root grants only)

Delegation still enforces that child scope is a strict subset of the parent scope. The Action API builds on top of that delegation substrate to gate risky writes.

Getting started

Prerequisites: Docker and Docker Compose.

# Clone and start everything
git clone https://github.com/chudah1/attest-dev
cd attest-dev
docker compose up --build

# The server is now running at http://localhost:8080
# PostgreSQL at localhost:5432

# Issue your first credential (replace YOUR_API_KEY with the key from POST /v1/orgs)
curl -s -X POST http://localhost:8080/v1/credentials \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer YOUR_API_KEY' \
  -d '{
    "agent_id":    "orchestrator-v1",
    "user_id":     "usr_alice",
    "scope":       ["research:read", "gmail:send"],
    "instruction": "Research competitors and email the board"
  }' | jq .

# Open the interactive demo
open demo/index.html

If you want to run the Go server outside Docker, point it at the Compose database:

docker compose up -d postgres
cd server
DATABASE_URL=postgres://attest:attest@localhost:5432/attest go run ./cmd/attest

API reference

Method	Path	Description
`POST`	`/v1/orgs`	Create an organization and get an API key
`POST`	`/v1/credentials`	Issue a root credential
`POST`	`/v1/credentials/delegate`	Delegate to a child agent
`GET`	`/v1/actions`	List action requests
`POST`	`/v1/actions/request`	Create an action request and run policy
`GET`	`/v1/actions/{id}`	Fetch an action request
`POST`	`/v1/actions/{id}/approve`	Approve a pending action
`POST`	`/v1/actions/{id}/deny`	Deny a pending action
`POST`	`/v1/actions/{id}/execute`	Record execution and mint a receipt
`GET`	`/v1/actions/{id}/receipt`	Fetch the signed execution receipt
`DELETE`	`/v1/credentials/{jti}`	Revoke credential and all descendants
`GET`	`/v1/revoked/{jti}`	Check revocation status (public, no auth)
`GET`	`/v1/tasks/{tid}/audit`	Retrieve the audit chain for a task
`POST`	`/v1/audit/report`	Report an agent action to the audit log
`POST`	`/v1/audit/status`	Report agent lifecycle event (started/completed/failed)
`POST`	`/v1/approvals`	Request human-in-the-loop approval
`POST`	`/v1/approvals/{id}/grant`	Grant a pending HITL approval
`GET`	`/orgs/{orgId}/jwks.json`	Public key set for offline verification
`GET`	`/health`	Health check

Specification

The credential format is defined in spec/WCS-01.md (Attest Credential Standard, revision 01).

License

Apache 2.0 — see LICENSE.

Featured

CodeRabbit

AI writes the code. CodeRabbit catches the slop.

Try For Free →

Keep your Mac awake

Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.

One time payment $9 →

Context.dev

Integrate web data into your AI product. One API to scrape website & brand data.

Get API Key Now →

Make your agent a DeFi expert

Agent, run crypto. Access onchain data & trade routes via 1inch.

Install now →

Make money from your Skills

On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.

Start earning →

AppSignal

Monitor with ease. Code with confidence.

Start Free Trial →

Configuration

ATTEST_BASE_URL

Base URL of the Attest server

Registryactive

Package@attest-dev/mcp

TransportSTDIO

UpdatedApr 11, 2026

View on GitHub

Attest

This repository also includes a standalone MCP server:

TypeScript MCP server — a real stdio Model Context Protocol server that exposes Attest tools like issue_credential, delegate_credential, list_tasks, get_audit_trail, get_evidence, and approval actions.
TypeScript MCP middleware — middleware for protecting your own MCP server with Attest.

Quickstart (TypeScript)

import { AttestClient } from '@attest-dev/sdk';

const client = new AttestClient({ baseUrl: 'http://localhost:8080', apiKey: 'dev' });

// 1. Issue a root credential for your agent workflow
const root = await client.issue({
  agent_id: 'support-bot',
  user_id: 'alice@acme.com',
  scope: ['refund:execute', 'credit:execute'],
  instruction: 'Review support incidents and safely process eligible refunds.',
});

// 2. Request a risky action before touching the target system
const action = await client.requestAction({
  action_type: 'refund',
  target_system: 'stripe',
  target_object: 'order_ORD-4821',
  action_payload: {
    amount_cents: 4799,
    currency: 'USD',
    reason: 'damaged_item',
  },
  agent_id: 'support-bot',
  sponsor_user_id: 'alice@acme.com',
  att_tid: root.claims.att_tid,
});

if (action.status !== 'approved' || !action.grant?.token) {
  throw new Error(`refund needs approval: ${action.status}`);
}

// 3. Execute with the short-lived grant, then record the receipt
const receipt = await client.executeAction(action.id, {
  outcome: 'success',
  provider_ref: 're_abc123',
  response_payload: { stripe_status: 'succeeded' },
});
console.log(receipt.signed_packet_hash);

// 4. Fetch the immutable receipt later
const confirmed = await client.getReceipt(action.id);
console.log(confirmed.outcome, confirmed.provider_ref);

Scope syntax

Scopes follow the pattern resource:action. Either field may be * as a wildcard.

Expression	Meaning
`gmail:send`	Send via Gmail only
`gmail:*`	All Gmail actions
`*:read`	Read access to any resource
`:`	Full access (root grants only)

Delegation still enforces that child scope is a strict subset of the parent scope. The Action API builds on top of that delegation substrate to gate risky writes.

Getting started

Prerequisites: Docker and Docker Compose.

# Clone and start everything
git clone https://github.com/chudah1/attest-dev
cd attest-dev
docker compose up --build

# The server is now running at http://localhost:8080
# PostgreSQL at localhost:5432

# Issue your first credential (replace YOUR_API_KEY with the key from POST /v1/orgs)
curl -s -X POST http://localhost:8080/v1/credentials \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer YOUR_API_KEY' \
  -d '{
    "agent_id":    "orchestrator-v1",
    "user_id":     "usr_alice",
    "scope":       ["research:read", "gmail:send"],
    "instruction": "Research competitors and email the board"
  }' | jq .

# Open the interactive demo
open demo/index.html

If you want to run the Go server outside Docker, point it at the Compose database:

docker compose up -d postgres
cd server
DATABASE_URL=postgres://attest:attest@localhost:5432/attest go run ./cmd/attest

API reference

Method	Path	Description
`POST`	`/v1/orgs`	Create an organization and get an API key
`POST`	`/v1/credentials`	Issue a root credential
`POST`	`/v1/credentials/delegate`	Delegate to a child agent
`GET`	`/v1/actions`	List action requests
`POST`	`/v1/actions/request`	Create an action request and run policy
`GET`	`/v1/actions/{id}`	Fetch an action request
`POST`	`/v1/actions/{id}/approve`	Approve a pending action
`POST`	`/v1/actions/{id}/deny`	Deny a pending action
`POST`	`/v1/actions/{id}/execute`	Record execution and mint a receipt
`GET`	`/v1/actions/{id}/receipt`	Fetch the signed execution receipt
`DELETE`	`/v1/credentials/{jti}`	Revoke credential and all descendants
`GET`	`/v1/revoked/{jti}`	Check revocation status (public, no auth)
`GET`	`/v1/tasks/{tid}/audit`	Retrieve the audit chain for a task
`POST`	`/v1/audit/report`	Report an agent action to the audit log
`POST`	`/v1/audit/status`	Report agent lifecycle event (started/completed/failed)
`POST`	`/v1/approvals`	Request human-in-the-loop approval
`POST`	`/v1/approvals/{id}/grant`	Grant a pending HITL approval
`GET`	`/orgs/{orgId}/jwks.json`	Public key set for offline verification
`GET`	`/health`	Health check

Specification

The credential format is defined in spec/WCS-01.md (Attest Credential Standard, revision 01).

License

Apache 2.0 — see LICENSE.