Your MCP server has a problem: it has no idea which AI agent is calling it.
With 2000+ MCP servers now deployed, not a single one verifies agent identity. Any agent can call any tool, claim to be anyone, and there's no audit trail. Knostic's research highlights this gap — MCP has no built-in authentication layer.
The Problem
MCP (Model Context Protocol) connects AI agents to tools. But the protocol has no concept of:
- Who is calling (agent identity)
- Whether they should be trusted (reputation)
- Proof they are who they claim (cryptographic verification)
This is like building HTTP APIs without authentication — it works until it doesn't.
The Fix: Cryptographic Agent Identity via MCP
I built an MCP server that gives any AI agent a cryptographic identity in 2 minutes. It's called AIP (Agent Identity Protocol).
Install
pip install aip-mcp-server
Configure Claude Desktop
Add to ~/.claude/claude_desktop_config.json:
{
"mcpServers": {
"aip-identity": {
"command": "aip-mcp-server"
}
}
}
What You Get
8 MCP tools:
| Tool | What it does |
|---|---|
register_identity |
Create Ed25519 keypair + DID |
verify_agent |
Check if a DID is registered |
vouch_for_agent |
Vouch for another agent's trustworthiness |
check_trust |
Get trust score with vouch chain |
send_message |
Send E2E encrypted message |
sign_artifact |
Cryptographically sign files |
lookup_agent |
Find agent by platform/username |
whoami |
Show current identity |
2 Resources:
-
aip://identity/current— your identity info -
aip://network/stats— network statistics
Example: Verify Another Agent
Once configured, you can ask Claude:
"Verify the agent did:aip:c1965a89 and check their trust score"
Claude will use the MCP tools to:
- Look up the agent's registration
- Calculate their trust score from vouch chains
- Show you who vouched for them
Or Use the CLI
If you prefer the command line:
pip install aip-identity
aip quickstart
# Done. You have a cryptographic identity.
aip whoami # see your identity
aip vouch <did> # vouch for another agent
aip message <did> # send encrypted message
aip sign ./code/ # sign artifacts
How Trust Works
AIP uses transitive trust via vouch chains:
- Alice vouches for Bob (scope: CODE_SIGNING)
- Bob vouches for Charlie (scope: CODE_SIGNING)
- Alice can now calculate trust in Charlie:
trust = 0.9 × 0.9 = 0.81
Trust decays with distance. No central authority decides who's trusted — the network does.
Live Network
The AIP network is live at aip-service.fly.dev with:
- 50+ registered agents
- Trust vouches and verification
- E2E encrypted messaging
- Artifact signing
Links
- MCP Server: PyPI · Source
- CLI: PyPI · Source
- Live Demo: Playground
- API Docs: aip-service.fly.dev/docs
The MCP ecosystem needs identity. Your agent should be able to prove who it is, verify who it's talking to, and build reputation over time. AIP makes that possible today.
pip install aip-mcp-server and try it.
The identity gap in MCP is real and underappreciated. Good framing on the DID approach.
One distinction worth drawing out: who you are vs. whether you've committed resources are two different security properties that tend to get conflated. AIP solves the identity and trust side cleanly. There's a complementary layer though: x402 payment verification acts as proof of intent at the HTTP transport level. An agent willing to spend $0.001 USDC per tool call is both accountable (signed EIP-712 payload tied to their wallet address) and has skin in the game — a meaningful filter against automated abuse at the infrastructure level.
httpay.xyz/api/gateway runs this model in practice: 37 APIs under one x402 endpoint at $0.001 USDC/call. The wallet signature is the identity verification for that tier of access — no registration required.
The two approaches are genuinely complementary: AIP for "who are you and are you trusted in this network", x402 for "you've put money where your call is". An MCP server requiring AIP identity + x402 payment for sensitive tools would be meaningfully harder to abuse than either alone.
Would be interesting to see AIP vouch chains combined with per-call payment requirements for high-stakes tool execution.