MCP is everywhere right now. Every AI tool is adding MCP support. Claude Desktop, Cursor, Windsurf, VS Code - they all speak MCP. And it makes sense. A standard protocol for AI agents to call tools is exactly what we needed.
But here's the thing nobody's talking about: MCP tool calls are completely unsigned.
What do I mean by unsigned?
When Claude Desktop calls an MCP tool, the request is a JSON-RPC message over stdio (or over HTTP, for remote servers). There's no signature on it. No integrity check. No way to prove after the fact that a specific tool was called with specific arguments at a specific time.
Think about that for a second. Your AI agent is calling tools that read files, execute code, query databases, make API calls - and there's zero cryptographic evidence of any of it.
The MCP spec itself doesn't include any signing mechanism. It wasn't designed for it. The protocol handles transport and schema, not accountability. The authorization layer it does define (OAuth for HTTP transports) authenticates a client to a server when the session is set up; it says nothing about any individual call once the session is running.
What can go wrong
Tool poisoning. An MCP server can expose a tool called read_file that actually does something completely different, or bury instructions for the model inside the tool's description. There's no verification that a tool does what it claims. The agent trusts the tool name and description at face value. Worth being precise about what a signature buys you here: it records, attributably, what the agent asked for, so you can later prove which tool was called with which arguments. It does not prove that the server actually did that.
Replay attacks. Someone captures a tool call and replays it later. Without timestamps or nonces in the protocol, there's no built-in replay protection. Over stdio that takes an attacker who is already on the host with access to the pipe; over HTTP, TLS protects the message in transit, but nothing in the call itself proves it is fresh.
Ghost actions. Your agent called 47 tools during a session. Something went wrong. Which call caused it? Without signed records, you're digging through logs that anyone with write access could have edited, with nothing to show that they did.
Compliance gaps. The EU AI Act's record-keeping rules (Article 12) require high-risk AI systems to automatically log events over their lifetime so that what the system did can be traced. MCP tool calls that only exist as unsigned stdio traffic don't meet that bar.
Adding a governance layer with asqav-mcp
I built asqav-mcp to fix this. It's an MCP server that sits alongside your other MCP servers and adds governance capabilities - policy checks, cryptographic signing, and audit trail verification.
Every action gets signed with ML-DSA-65 (FIPS 204, the post-quantum signature standard NIST finalized in August 2024). Each signature is bound to the agent identity, action type, payload, and an RFC 3161 timestamp. Change one bit of any of those and verification fails.
Setup for Claude Desktop
Add this to your claude_desktop_config.json:

```json
{
  "mcpServers": {
    "asqav": {
      "command": "asqav-mcp",
      "env": {
        "ASQAV_API_KEY": "sk_live_..."
      }
    }
  }
}
```
That's it. A few lines of config plus your API key, and Claude has access to sign_action, check_policy, and verify_signature tools. The key sits in plaintext in that file, so treat it like any other credential: scope it to what this machine needs, rotate it, and keep the file out of repos and shared backups.
For Claude Code it's even shorter:

```shell
pip install asqav-mcp
claude mcp add asqav -- asqav-mcp
```

The server still needs ASQAV_API_KEY in its environment: export it in your shell before starting Claude Code, or pass it with the -e ASQAV_API_KEY=... flag of claude mcp add.
What happens during a session
Once asqav-mcp is connected, your agent can sign actions as it works. A typical session might produce records like this:
```text
sig_a1b2c3 agent:claude-desktop file:read /src/main.py 2026-04-06T14:23:01Z VALID
sig_d4e5f6 agent:claude-desktop code:execute test_suite 2026-04-06T14:23:15Z VALID
sig_g7h8i9 agent:claude-desktop api:call POST /deploy 2026-04-06T14:24:02Z VALID
sig_j0k1l2 agent:claude-desktop data:write config.production 2026-04-06T14:24:30Z VALID
```
Each row is a cryptographically signed record. The signature covers the agent ID, action type, payload, and timestamp, so any single record can be verified on its own. A standalone signature only proves that that one record is genuine, though. What turns the rows into a complete picture of the session is linking them in sequence, so that a record that was deleted or reordered shows up as a break when you verify the whole set.
Policy enforcement before the action happens
Signing is retrospective - it records what happened. But you can also enforce rules in real time, before the action is taken:

```text
"Check if action data:delete:production is allowed"
→ BLOCKED: Action 'data:delete:production' blocked by: no-prod-deletions
```
The agent checks before acting. If the policy says block, the action doesn't happen.
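The two pieces above, the signed per-action records from the session section and the policy check that runs before an action, as one added example. This is not asqav's code and makes no claim about how asqav-mcp is implemented. It uses HMAC-SHA256 from the Python standard library as a symmetric stand-in for the ML-DSA-65 signature the post describes, which is why it runs offline and also why it would not be acceptable in production (whoever can verify can also forge). The rule format, function names, payload shapes and the link between records are assumptions of the example, and the timestamps are the plain strings from the session rows rather than RFC 3161 tokens. What it does show is what has to be true for "change one bit and verification fails" to hold: the signed bytes are a canonical encoding of the record, every field that matters is inside them, and each record commits to its predecessor so that a removed or reordered row fails verification too.

```python
import hashlib
import hmac
import json

# Constructed demo key. A real deployment would hold an ML-DSA-65 private key;
# HMAC-SHA256 is a symmetric stand-in here, so whoever can verify can also forge.
DEMO_KEY = b"demo-signing-key-not-for-production"

# Constructed policy: rule name -> blocked action pattern (trailing "*" = any suffix).
# The rule format is an assumption for this example, not asqav's policy language.
POLICY = {
    "no-prod-deletions": "data:delete:production",
    "no-shell-from-agent": "code:execute:shell:*",
}


def check_policy(action, policy=POLICY):
    """Evaluate before the tool call. Returns (allowed, blocking_rule_or_None)."""
    for rule, pattern in policy.items():
        if pattern.endswith("*") and action.startswith(pattern[:-1]):
            return False, rule
        if action == pattern:
            return False, rule
    return True, None


def canonical(fields):
    """Deterministic bytes for a record: sorted keys, no whitespace. The signature
    must bind the record's meaning, not whichever key order a client emitted."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_action(key, agent, action, payload, ts, prev):
    """Sign (agent, action, payload, timestamp, prev). `prev` is the link to the
    previous record, which is what makes a deleted record detectable later."""
    fields = {"agent": agent, "action": action, "payload": payload, "ts": ts, "prev": prev}
    sig = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "sig": sig}


def verify_signature(key, record):
    """Recompute the MAC over every field except the signature and compare."""
    fields = {k: v for k, v in record.items() if k != "sig"}
    expected = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(record.get("sig", "")))


def link(record):
    """Chain link: hash of the signature, stored as `prev` in the next record."""
    return hashlib.sha256(record["sig"].encode()).hexdigest()


def verify_chain(key, records):
    """Check every signature and every prev link. Returns (ok, reason)."""
    prev = "genesis"
    for i, rec in enumerate(records):
        if not verify_signature(key, rec):
            return False, f"record {i}: bad signature"
        if rec.get("prev") != prev:
            return False, f"record {i}: chain broken (record missing or reordered)"
        prev = link(rec)
    return True, "ok"


def run_session(key=DEMO_KEY):
    """Constructed session: policy check first, then sign what was allowed.
    Payloads are constructed MCP tools/call params; timestamps are plain strings
    (a real record would carry an RFC 3161 token from a timestamp authority)."""
    agent = "claude-desktop"
    requested = [
        ("file:read", {"name": "read_file", "arguments": {"path": "/src/main.py"}}, "2026-04-06T14:23:01Z"),
        ("code:execute", {"name": "run_tests", "arguments": {"suite": "test_suite"}}, "2026-04-06T14:23:15Z"),
        ("data:delete:production", {"name": "db_delete", "arguments": {"table": "users"}}, "2026-04-06T14:23:40Z"),
        ("api:call", {"name": "http_request", "arguments": {"method": "POST", "path": "/deploy"}}, "2026-04-06T14:24:02Z"),
    ]
    records, blocked, prev = [], [], "genesis"
    for action, payload, ts in requested:
        allowed, rule = check_policy(action)
        if not allowed:
            blocked.append((action, rule))  # the action never happens
            continue
        rec = sign_action(key, agent, action, payload, ts, prev)
        records.append(rec)
        prev = link(rec)
    return records, blocked


if __name__ == "__main__":
    recs, blocked = run_session()
    for r in recs:
        status = "VALID" if verify_signature(DEMO_KEY, r) else "INVALID"
        print(r["sig"][:12], f"agent:{r['agent']}", r["action"], r["ts"], status)
    for action, rule in blocked:
        print(f"BLOCKED: Action '{action}' blocked by: {rule}")
    print("chain:", verify_chain(DEMO_KEY, recs))
```

Run it and the printed rows have the shape of the session above, with the production deletion blocked before anything was signed. The part that is easy to get wrong is canonicalization: if a client re-serializes the same record with a different key order or whitespace, a signature over the raw bytes fails for an untampered record, and operators learn to ignore failures. Sorting keys and stripping whitespace before signing, and again before verifying, avoids that; the chain link is what catches the case the per-record signature cannot, a record that was quietly dropped.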
Why this matters now
MCP adoption is accelerating fast. Anthropic created it, OpenAI adopted it, Google is following. Within a year, most AI agents will be calling tools through MCP.
Right now the ecosystem is in the "make it work" phase. Security and governance will come later. But the agents running today are already making real decisions - deploying code, modifying data, calling external APIs. The gap between what these agents can do and what's being recorded is growing every day.
Adding a signing layer now means you have audit trails from day one. When compliance requirements catch up (and they will), you're already covered.
Try it
pip install asqav-mcp
- asqav-mcp on GitHub - MCP server for Claude Desktop, Cursor, Claude Code
- asqav SDK - Python SDK with decorators, LangChain/CrewAI integrations
- Docs - full API reference and guides
- asqav.com - free tier covers signing, policies, and audit export
The MCP ecosystem is going to be huge. Let's make sure it's also accountable.