The Problem Nobody Talks About
The Model Context Protocol has 57 million weekly downloads. Stripe, Visa, Mastercard, PayPal, Adyen, and Coinbase all have MCP servers. FactSet has 800+ institutional users on theirs. AI agents are making payments, querying financial data, and executing trades.
None of these messages are signed. None of these agents are verified. None of these transactions have cryptographic proof of who initiated them.
MCP was designed for functionality. Security was left as an exercise for the reader. After auditing the ecosystem and finding systemic vulnerabilities across multiple implementations -- including both official SDKs -- we decided to build what should have existed from day one.
What We Built
Everything runs on one cryptographic stack: ECDSA P-256 + SHA-256. Zero external dependencies. Every component is open source.
MCPS -- Per-Message Signing
Every JSON-RPC message between an agent and an MCP server gets signed:
```json
{
  "jsonrpc": "2.0",
  "method": "tools/call",
  "params": { "name": "transfer", "arguments": { "amount": 500 } },
  "id": 1,
  "_mcps": {
    "sig": "<ECDSA signature>",
    "kid": "agent-key-2026",
    "ts": 1712160000,
    "seq": 42,
    "toolHash": "<SHA-256 of tool definition>"
  }
}
```
What this gives you:
- Message integrity -- tamper with the payload, the signature breaks
- Replay protection -- monotonic sequence counter + timestamp window
- Tool integrity -- hash the tool definition at discovery, verify it hasn't changed at invocation. Stops tool poisoning attacks where a compromised server modifies tool descriptions to inject malicious instructions
- Audit trail -- every message is attributable and verifiable after the fact
Sub-2ms overhead per sign+verify. You don't notice it. The typical MCP tool call takes 50-5000ms -- the signing is noise.
npm: mcp-secure
AgentSign -- Zero Trust Identity Engine
Before an agent can transact, it needs to prove who it is. AgentSign provides:
- Identity certificates -- cryptographically bound to the agent's key pair
- Execution chains -- signed record of every action the agent takes
- Runtime attestation -- is the agent still running the code it was approved to run?
- Trust scoring -- continuous behavioural assessment, not a one-time check
- Tamper detection -- if anything changes, the chain breaks
Think of it as a certificate authority for AI agents. The agent carries a signed passport that any server can verify offline, without calling home to a central authority.
AgentPass -- Trust Levels + AML Compliance
Not every agent should have the same access. AgentPass implements graduated trust:
| Level | Access | Example |
|---|---|---|
| L0 | Blocked | Unknown agent, no verification |
| L1 | Read only | New agent, basic identity confirmed |
| L2 | Read + limited write | Verified agent, spending limits apply |
| L3 | Full transactional | Trusted agent, AML screened, behavioural baseline established |
| L4 | Administrative | Highest trust, full execute + admin |
Every agent transaction is screened against 75,784 live sanctions entries (UK HMT + OFAC SDN). An agent trying to send money to a sanctioned entity gets blocked before the request ever hits the payment processor.
This isn't theoretical. The screening runs on every request in production.
The Interactive Playground
Rather than explain all of this in docs, we built an interactive demo that walks you through the full flow:
Eight steps:
- Register -- Agent registers with the trust engine
- Sign -- Message gets ECDSA signed
- Verify -- Server verifies the signature
- RAG Query -- Signed document retrieval (integrity-verified at every step)
- Block -- L0 agent attempts a restricted operation, gets denied
- Upgrade -- Agent's trust level increases based on behaviour
- Retry -- Same operation succeeds at higher trust level
- Audit -- Full cryptographic audit trail of everything that happened
Click through it. Every step shows real signatures, real verification, real trust decisions.
Why This Matters for Payments
Visa launched the Trusted Agent Protocol. Mastercard shipped Verifiable Intent and Agent Pay. FIS introduced Know Your Agent. Google published AP2. Stripe, PayPal, Adyen, and Coinbase all have MCP servers.
They've built the payment rails for agents. What's missing is the security engine that sits on top.
Visa TAP answers: "Is this request authentic?" (HTTP signature verification)
Mastercard Verifiable Intent answers: "Did the human consent?" (tamper-resistant intent record)
MCPS + AgentSign + AgentPass answer: "Should this agent be trusted, and can we prove everything it did?"
These are complementary layers, not competing ones. Authentication, consent, and trust are three different problems.
The Standards Trail
This isn't a weekend project. It's backed by formal standards work:
- Multiple IETF Internet-Drafts submitted on agent payment trust, secure MCP transport, and agent identity
- OWASP MCP Security Cheat Sheet -- covers the exact threat model these tools address
- OpenAPI extension proposed for agent authentication (x-agent-auth)
- CIS MCP Security Benchmark -- contributing to formal compliance controls
- Patent supported -- multiple UK patent applications filed covering agent identity, trust scoring, and financial authorisation
The Technical Choices
Why ECDSA P-256? 128-bit equivalent security, hardware-accelerated on every modern CPU, supported by Web Crypto API, Node.js, Python, Swift, and Go. Same curve as Apple's Secure Enclave and most TLS certificates.
Why zero dependencies? Every dependency is an attack surface. The MCP ecosystem already has unbounded resource allocation vulnerabilities in multiple packages. Our tools use the Node.js built-in crypto module and nothing else.
Why per-message, not per-session? Sessions can be hijacked. Proxies and middleware can modify messages in transit. TLS terminates at the load balancer. Per-message signing survives all of these.
Why graduated trust? Because a brand-new agent and a six-month-old agent with a clean transaction history should not have the same access. Static authentication is binary -- you're in or you're out. Trust scoring is continuous.
Try It
- Playground: playground.cybersecai.co.uk
- npm: mcp-secure (per-message signing), model-secure (model file signing), stripe-mcps (Stripe + trust), agentsign (identity engine)
- IETF: draft-sharif-agent-payment-trust
- Paper: doi.org/10.5281/zenodo.19409366
- OWASP: MCP Security Cheat Sheet
The MCP ecosystem is growing faster than its security infrastructure. 57 million weekly downloads and counting. Every one of those messages is unsigned, every agent is unverified, and every transaction is unattested.
We're fixing that, one signed message at a time.
Raza Sharif, CEO, CyberSecAI Ltd
London, UK
contact@agentsign.dev | cybersecai.co.uk