
MCP Agent Attestation Extension

Security research on the Model Context Protocol (MCP): there's no way to verify which agent or model is calling an MCP server. I identified the gap, designed an attestation layer, and built a proof-of-concept.

The problem

MCP lets clients and servers exchange tools and context. But there's no built-in agent or model provenance. A malicious client could spoof a trusted agent; a server has no way to know who's really calling. I wrote a threat analysis and sketched spoofing scenarios — the gap is real.

What I built

Attestation layer. JWT-based attestation with Ed25519 signatures and SPIFFE-compatible identifiers. JWKS distribution so servers can verify tokens without trusting a central authority.

Proof-of-concept. Python implementation with replay protection and an attack harness — 8 vectors testing different spoofing and tampering scenarios. Integrated with the MCP SDK; 140 tests to validate behavior.

Design doc. Threat model, signature scheme, and integration points so others can extend or implement it.
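To make the attestation layer concrete, here is an added illustration of its core in Go (standard library only); it is not the project's Python proof-of-concept. A client mints a compact EdDSA JWS whose `sub` is a SPIFFE ID, and the server verifies it against a kid-keyed map standing in for a fetched JWKS, pinning the algorithm, checking audience and expiry, and keeping a `jti` cache for replay protection. The claim names, key ids and audience strings are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding
// Claims carried by the attestation token (claim set constructed for this example).
type Claims struct {
	Sub string `json:"sub"` // SPIFFE ID of the calling agent
	Aud string `json:"aud"` // MCP server the token is bound to
	Exp int64  `json:"exp"` // unix expiry
	Jti string `json:"jti"` // unique id, used for replay detection
}
// Mint signs a compact EdDSA JWS: b64(header).b64(claims).b64(signature).
func Mint(priv ed25519.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	signing := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	return signing + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(signing)))
}
// decode base64url-decodes one JWS part and unmarshals it into v.
func decode(part string, v any) bool {
	raw, err := b64.DecodeString(part)
	return err == nil && json.Unmarshal(raw, v) == nil
}
// Verify is the server side: keys is a JWKS-style kid->key map, seen is the server's replay cache of
// accepted jti values (non-nil). It pins alg, checks kid, signature, audience, expiry and replay.
func Verify(keys map[string]ed25519.PublicKey, seen map[string]bool, aud, tok string, now int64) (string, error) {
	var hdr struct{ Alg, Kid string }
	var c Claims
	p := strings.Split(tok, ".")
	sig, err := b64.DecodeString(p[len(p)-1])
	switch {
	case len(p) != 3 || err != nil || !decode(p[0], &hdr) || hdr.Alg != "EdDSA":
		return "", errors.New("malformed token or unexpected alg") // blocks alg=none / HMAC confusion
	case len(keys[hdr.Kid]) != ed25519.PublicKeySize || !ed25519.Verify(keys[hdr.Kid], []byte(p[0]+"."+p[1]), sig):
		return "", errors.New("unknown kid or bad signature")
	case !decode(p[1], &c) || c.Aud != aud || c.Exp <= now || !strings.HasPrefix(c.Sub, "spiffe://"):
		return "", errors.New("claims rejected")
	case seen[c.Jti]:
		return "", errors.New("replayed jti")
	}
	seen[c.Jti] = true
	return c.Sub, nil
}
```

A production verifier would also bound clock skew, expire entries from the replay cache, and refresh the kid map from the issuer's JWKS endpoint rather than hold it statically.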

What I learned

Provenance is hard. Even with JWTs and crypto, you have to decide what you're attesting to — the process, the model, the user? Each choice has different threat models and failure modes.

MCP is young. The protocol is evolving. Adding attestation now could influence how the ecosystem thinks about security. Research and prototypes matter before things ossify.

Attack harnesses clarify design. Building the harness forced me to think like an attacker. The 8 vectors exposed edge cases I wouldn't have seen from the defensive side alone.

Built with

Python, JWT / Ed25519, SPIFFE, MCP SDK