MCPS -- MCP Secure. Cryptographic identity, message signing, and trust verification for the Model Context Protocol.
Project description
MCPS -- MCP Secure
Cryptographic identity, message signing, and trust verification for the Model Context Protocol.
The HTTPS of the agent era. MCP becomes MCPS.
Install
pip install mcp-secure
Quick Start
from mcp_secure import generate_key_pair, create_passport, sign_passport, verify_passport_signature
from mcp_secure import sign_message, verify_message, sign_tool, verify_tool
# Generate keys
keys = generate_key_pair()
# Create and sign a passport
passport = create_passport(
name="my-agent",
version="1.0.0",
public_key=keys["public_key"],
capabilities=["read", "write"],
)
# Trust Authority signs the passport
ta_keys = generate_key_pair()
signed = sign_passport(passport, ta_keys["private_key"])
assert verify_passport_signature(signed, ta_keys["public_key"])
# Sign MCP messages
envelope = sign_message(
{"jsonrpc": "2.0", "method": "tools/list", "id": 1},
signed["passport_id"],
keys["private_key"],
)
# Verify
result = verify_message(envelope, keys["public_key"])
assert result["valid"]
# Tool integrity
tool = {"name": "read_file", "description": "Read a file", "inputSchema": {"type": "object"}}
sig = sign_tool(tool, keys["private_key"])
assert verify_tool(tool, sig, keys["public_key"])
What MCPS Adds to MCP
| Feature | Description |
|---|---|
| Agent Passports | ECDSA P-256 signed identity credentials |
| Message Signing | Every JSON-RPC message wrapped in signed envelope |
| Tool Integrity | Signed tool definitions prevent poisoning |
| Replay Protection | Nonce + 5-min timestamp window |
| Revocation | Real-time passport revocation via Trust Authority |
| Trust Levels | L0 (unsigned) to L4 (audited) |
OWASP MCP Top 10
Mitigates 8/10 OWASP MCP vulnerabilities: tool poisoning, supply chain attacks, auth bypass, shadow servers, and more.
Links
- Website: mcp-secure.dev
- npm: mcp-secure
- Spec: SPEC.md
License
MIT -- CyberSecAI Ltd
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file mcp_secure-1.0.0.tar.gz.
File metadata
- Download URL: mcp_secure-1.0.0.tar.gz
- Upload date:
- Size: 8.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
dbc2dce0e23d3ab90722e1de8f57f2021d3d243130311e9492626d1543f16a87
|
|
| MD5 |
079a1e50d45082bf13008eaa2db01fd9
|
|
| BLAKE2b-256 |
bcb470b35b238594cc64b27f67a93c488d3b67b7869406a44f9051e74d7f2a82
|
File details
Details for the file mcp_secure-1.0.0-py3-none-any.whl.
File metadata
- Download URL: mcp_secure-1.0.0-py3-none-any.whl
- Upload date:
- Size: 8.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
ba131c88e2a05e2b26ba215e52a8a1feefedde154f21ee8944190c1101bfee55
|
|
| MD5 |
32a9066d6ee4198f3f2f7c96e56db0a9
|
|
| BLAKE2b-256 |
10010b7cdcfa7dbcebb3990f9d1fe2f54ba5a77d0575957cadd675861d1953aa
|
