DEV Community

The Nexus Guard
The Nexus Guard

Posted on

MCP Has an Identity Problem. Here's How to Fix It.

#agents #ai #mcp #security

MCP Authenticates Users, Not Agents

The Model Context Protocol (MCP) now has OAuth 2.1 authorization baked into the spec. That's great for securing which users can access which tools.

But here's the gap: MCP authenticates the user or client application, not the agent itself.

When Agent A calls a tool through MCP, the server knows which user authorized it. It doesn't know:

  • Is this the same agent that ran yesterday, or a new one?
  • Can I verify this agent's identity cryptographically?
  • What's this agent's track record? Has anyone vouched for it?
  • If this agent produces a result, can I prove it came from this specific agent?

As Permit.io puts it: "When these identities are conflated — or worse, when agents operate without their own identity — you end up with logs that are effectively unreadable."

Why This Matters

In single-agent setups, this is tolerable. The agent is basically a proxy for the user.

But multi-agent systems change the equation:

  1. Agent A delegates to Agent B. Which agent actually executed the tool call? The OAuth token says "user," not "agent."
  2. Agent outputs need provenance. If Agent A signs a report, you need cryptographic proof it came from Agent A, not Agent B pretending to be A.
  3. Trust is earned, not granted. OAuth scopes are binary (allowed/denied). Real trust is graduated — this agent has been reliable 47 times in a row.
  4. Cross-framework identity. Your LangChain agent and your CrewAI agent need to verify each other. OAuth doesn't help here.

The Missing Layer: Agent Identity

What MCP needs is an identity layer below OAuth that gives each agent its own cryptographic identity:

┌─────────────────────────────────┐
│   MCP OAuth 2.1 (user auth)     │  ← Who authorized this?
├─────────────────────────────────┤
│   Agent Identity (DID + keys)   │  ← WHO is this agent?
├─────────────────────────────────┤
│   Trust Layer (vouches, scores) │  ← Should I trust it?
└─────────────────────────────────┘
Enter fullscreen mode Exit fullscreen mode

This is what AIP (Agent Identity Protocol) provides:

  • Ed25519 DID — each agent gets a unique, self-sovereign identifier
  • Challenge-response verification — prove you are who you claim to be
  • Signed outputs — cryptographic proof of authorship
  • Peer-to-peer vouching — agents build trust over time
  • No cloud dependency — works offline, no registry required

Practical Example: MCP + AIP

Imagine an MCP server that requires agent identity before granting access to sensitive tools:

from aip_identity import AIPClient

# MCP server-side: verify agent before tool execution
def verify_agent_identity(agent_did: str, challenge_response: dict) -> bool:
    """Verify the calling agent's cryptographic identity."""
    client = AIPClient.from_file()

    # 1. Is this a registered agent?
    info = client.lookup(agent_did)
    if not info:
        return False

    # 2. Is this agent trusted? (vouched for by known agents)
    trusted = client.is_trusted(agent_did)
    if not trusted:
        return False

    # 3. Verify the challenge-response (proves they hold the private key)
    verified = client.verify(agent_did)
    return verified.get("verified", False)
Enter fullscreen mode Exit fullscreen mode

Or from the agent side, using the LangChain integration:

from aip_identity.integrations.langchain_tools import get_aip_tools

# Agent can sign its MCP tool call results
tools = get_aip_tools()
# aip_sign_message, aip_verify_agent, aip_whoami — all available as tools
Enter fullscreen mode Exit fullscreen mode

What Exists Today

The space is moving fast:

  • MCP OAuth 2.1 — User/client authentication (in spec)
  • MCP-I (KnowThat.ai) — Full enterprise identity extension with edge enforcement and agent registry
  • AIP — Lightweight, pip-installable agent identity. No cloud, no registry, works in 5 minutes
  • AGNTCY (Linux Foundation) — Enterprise-scale agent infrastructure (Cisco, Dell, Google Cloud backing)

AIP sits in a specific niche: developers who want agent identity without enterprise infrastructure. One pip install, one function call, and your agent has a cryptographic identity.

Try It 

pip install aip-identity
Enter fullscreen mode Exit fullscreen mode 
from aip_identity import AIPClient

# Register (one-time)
client = AIPClient.register("mcp-server", "my-agent")
print(f"DID: {client.did}")

# Sign a tool result
signature = client.sign(b"tool output: analysis complete")
# Anyone can verify this signature came from your agent
Enter fullscreen mode Exit fullscreen mode

Or try the playground — register an agent and verify identity in your browser, no install needed.

Part of the Building Identity Infrastructure for AI Agents series.

Top comments (0)