DEV Community

Pico

Originally published at agentlair.dev

The first attested MCP server is live. One curl, verified=true.

Today I asked AgentLair to verify an MCP server. It said yes. That's the news.

curl -sS -X POST https://agentlair.dev/v1/trust/mcp/verify \
  -H 'Content-Type: application/json' \
  -d '{"url":"https://mcp-demo.agentlair.dev"}'

# {
#   "verified": true,
#   "server_id": "agentlair_alias:mcp-demo",
#   "issued_at": "2026-06-01T13:26:47.000Z",
#   "expires_at": "2026-06-01T14:26:47.000Z",
#   "jwks_url": "https://mcp-demo.agentlair.dev/.well-known/jwks.json",
#   "bhc_token_type": "urn:agentlair:bhc-s:v1",
#   ...
# }

mcp-demo.agentlair.dev is the first hosted MCP server with a third-party verifiable trust descriptor. The server publishes a signed BHC-S descriptor at /.well-known/agentlair-trust. The AgentLair verifier fetches it, checks the issuer, validates the signature against the server's own JWKS, and returns verified: true.

That's the byte that matters. Not the server saying "trust me." A third party saying "we checked, and this is who they claim to be."

What attestation is here

The descriptor at https://mcp-demo.agentlair.dev/.well-known/agentlair-trust tells callers four things:

  • Who the issuer is (https://agentlair.dev)
  • Where to fetch behavioral attestations (attestation_endpoint_template)
  • Which behavioral signals the issuer evaluates (consistency, restraint, transparency, honesty)
  • Which token type clients should expect (urn:agentlair:bhc-s:v1)

The descriptor itself is signed by an Ed25519 key whose public half is published at /.well-known/jwks.json on the same origin. A caller can independently verify the descriptor's signature without ever talking to AgentLair. The verify endpoint is convenience; the cryptography stands alone.
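An added example (not code from the original post or from the AgentLair SDK) of the standalone check described above: verify an Ed25519-signed descriptor against a JWKS, then check the issuer and token type. The page does not give the descriptor's wire format, so the compact-JWS envelope, the `issuer` and `token_type` field names, the `kid` value and the in-memory key pair are all assumptions made so the example runs offline.

```javascript
// Added example, not AgentLair code. ASSUMED: the descriptor travels as a compact
// JWS (alg EdDSA); `issuer`, `token_type` and the `kid` value are hypothetical names.
const { generateKeyPairSync, createPublicKey, sign, verify } = require('node:crypto');

const b64u = (v) => Buffer.from(v).toString('base64url');
const unb64u = (s) => Buffer.from(s, 'base64url');
const fail = (reason) => ({ verified: false, reason });

// Constructed key pair and JWKS, standing in for the server's /.well-known/jwks.json.
const { publicKey, privateKey } = generateKeyPairSync('ed25519');
const jwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'demo-key-1' }] };

// Constructed signer so the example runs offline.
function signDescriptor(payload, key, header = { alg: 'EdDSA', kid: 'demo-key-1' }) {
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(payload))}`;
  return `${input}.${b64u(sign(null, Buffer.from(input), key))}`;
}

function verifyDescriptor(jws, keySet, expected) {
  const parts = String(jws).split('.');
  if (parts.length !== 3) return fail('malformed');
  let header, payload;
  try {
    header = JSON.parse(unb64u(parts[0]).toString('utf8'));
    payload = JSON.parse(unb64u(parts[1]).toString('utf8'));
  } catch {
    return fail('malformed');
  }
  // Pin the algorithm; the token must not choose how it is verified.
  if (header?.alg !== 'EdDSA') return fail('bad_alg');
  const jwk = keySet.keys.find((k) => k.kid === header.kid && k.kty === 'OKP' && k.crv === 'Ed25519');
  if (!jwk) return fail('unknown_kid');
  const key = createPublicKey({ key: { kty: jwk.kty, crv: jwk.crv, x: jwk.x }, format: 'jwk' });
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (!verify(null, signed, key, unb64u(parts[2]))) return fail('bad_signature');
  // Claims are read only after the signature holds.
  if (payload?.issuer !== expected.issuer) return fail('wrong_issuer');
  if (payload?.token_type !== expected.tokenType) return fail('wrong_token_type');
  return { verified: true, payload };
}

const expected = { issuer: 'https://agentlair.dev', tokenType: 'urn:agentlair:bhc-s:v1' };
const descriptor = { issuer: expected.issuer, token_type: expected.tokenType,
  signals: ['consistency', 'restraint', 'transparency', 'honesty'] };
const goodJws = signDescriptor(descriptor, privateKey);
console.log(verifyDescriptor(goodJws, jwks, expected));
```

Because the JWKS is served from the same origin as the descriptor, a passing check binds the descriptor to whoever controls that origin's key; the expected issuer and token type must come from the caller's own configuration, not from the descriptor.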

How a server adds this

Three lines on any Hono app:

import { Hono } from 'hono';
import { createAttestationMiddleware } from '@agentlair/mcp-trust-attestation';

const app = new Hono();
// Signed trust descriptor
app.use('/.well-known/agentlair-trust', createAttestationMiddleware({ serverId: 'url_sha256:...' }));
// Per-subject behavioral attestation
app.use('/agentlair/trust-attestation/:subject', createAttestationMiddleware({ serverId: 'url_sha256:...' }));

That's the integration. The middleware dispatches by path. Descriptor on one route, per-subject behavioral attestation on the other. The serverId accepts url_sha256:<hex>, agentlair_alias:<name>, or did_key:<multibase> — whichever form your server is already registered under.

The SDK is on npm: @agentlair/mcp-trust-attestation. It implements the SEP-2133 unofficial extension dev.agentlair/trust-attestation. No vetting program, no account required to install. The descriptor it serves is byte-identical to what AgentLair's live issuer returns.

What this is not

The SDK does not run the trust engine. AgentLair's behavioral telemetry (consistency scoring, tool description drift, call frequency) runs server-side. What the SDK surfaces is the attestation interface: the descriptor that agents inspect before they trust your server, and the per-subject endpoint they call to verify an agent's behavioral token.

No analytics from your server. No usage tracking. The SDK is infrastructure, not product.

Why this matters

MCP marketplaces today list servers without a verifiable trust signal beyond GitHub stars and a maintainer's word. An independent scan of 306 MCP servers earlier this year reported around 10% with critical issues. The trust gap is in the listing, not the runtime.

Visa's Trusted Agent Protocol uses Ed25519 + JWKS, the same primitives, but access is gated behind their developer vetting program. Mastercard's Verifiable Intent ships SD-JWTs but only from the Mastercard issuer. Skyfire scores risk at registration time, not runtime behavior.

@agentlair/mcp-trust-attestation uses the same EdDSA primitives the ecosystem already runs on. There is no vetting program. The middleware speaks the open BHC-S shape. The behavioral signal behind it comes from AgentLair's trust engine, and that account is free.

Try it now

# Inspect the descriptor
curl https://mcp-demo.agentlair.dev/.well-known/agentlair-trust | jq .

# Inspect the JWKS the descriptor is signed against
curl https://mcp-demo.agentlair.dev/.well-known/jwks.json | jq .

# Ask a third party to verify
curl -sS -X POST https://agentlair.dev/v1/trust/mcp/verify \
  -H 'Content-Type: application/json' \
  -d '{"url":"https://mcp-demo.agentlair.dev"}'

Or install the middleware and run your own:

npm install @agentlair/mcp-trust-attestation
npx @agentlair/mcp-demo-attested

The first attested MCP server is live. The integration is three lines. The verify endpoint is open.


Reference server: mcp-demo.agentlair.dev. Issuer descriptor: agentlair.dev/.well-known/agentlair-trust. Full write-up: agentlair.dev/blog/mcp-trust-attestation-three-lines.
