The first IETF Internet-Draft to define cryptographic identity, per-message signing, and trust verification for the Model Context Protocol.
MCP (Model Context Protocol) enables AI agents to call external tools, read resources, and chain actions across services. But it has no authentication layer. Any agent can call any tool. There is no way to verify who issued a request, whether a tool definition was tampered with, or whether a message is a replay.
12 major agent frameworks -- LangChain, CrewAI, AutoGen, OpenAI Agents SDK, and more -- have the same gap. Over 600,000 GitHub stars of agent infrastructure, all running without cryptographic identity.
Signed identity documents carried by every agent. Offline-verifiable. Includes trust level, capabilities, and issuer chain.
Every JSON-RPC message signed with ECDSA P-256 over canonical JSON. SHA-256 message hash prevents double-canonicalization.
Tool definitions bound to their author origin. Tamper-evident. Clients verify tool hashes before execution.
Nonce-based replay prevention with configurable TTL. Transcript binding ensures session integrity across multi-step operations.
Multi-level trust with issuer chains. Trust Authorities issue passports. Chain verification with depth limits and scope enforcement.
Graceful key rotation with previous_key_hash continuity. No identity loss. Revocation support via multiple mechanisms.
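The per-message signing and nonce-based replay prevention described above, sketched with Node's built-in crypto module. This is an added example, not code from the mcp-secure packages or the draft; the field names `nonce`, `ts` and `sig`, the key-sorted canonical form, and the sample message are assumptions.

```javascript
const crypto = require('node:crypto');

// Simplified canonical JSON (assumption: recursive key sort, no whitespace),
// so signer and verifier hash identical bytes regardless of key order.
function canonicalize(v) {
  if (Array.isArray(v)) return '[' + v.map(canonicalize).join(',') + ']';
  if (v && typeof v === 'object') {
    return '{' + Object.keys(v).sort()
      .map((k) => JSON.stringify(k) + ':' + canonicalize(v[k])).join(',') + '}';
  }
  return JSON.stringify(v);
}

// Attach a fresh nonce and timestamp, then sign the canonical bytes.
function signMessage(msg, privateKey, now = Date.now()) {
  const body = { ...msg, nonce: crypto.randomBytes(16).toString('hex'), ts: now };
  const sig = crypto.sign('sha256', Buffer.from(canonicalize(body)),
    { key: privateKey, dsaEncoding: 'ieee-p1363' }); // raw r||s, 64 bytes for P-256
  return { ...body, sig: sig.toString('base64') };
}

// Verifier: signature first, then freshness window, then nonce cache.
function makeVerifier(publicKey, ttlMs = 300000) {
  const seen = new Map(); // nonce -> time after which the ts check rejects it anyway
  return function verify(signed, now = Date.now()) {
    const { sig, ...body } = signed;
    if (typeof sig !== 'string' || typeof body.nonce !== 'string' ||
        typeof body.ts !== 'number') return 'malformed';
    const ok = crypto.verify('sha256', Buffer.from(canonicalize(body)),
      { key: publicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(sig, 'base64'));
    if (!ok) return 'bad-signature';
    if (Math.abs(now - body.ts) > ttlMs) return 'expired';
    for (const [n, exp] of seen) if (exp < now) seen.delete(n); // purge stale nonces
    if (seen.has(body.nonce)) return 'replay';
    // Keep the nonce for as long as the timestamp check would still accept it.
    seen.set(body.nonce, body.ts + ttlMs);
    return 'ok';
  };
}

// Constructed sample: one JSON-RPC request checked fresh, replayed, tampered, and late.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const verify = makeVerifier(publicKey, 60000);
  const m = signMessage({ jsonrpc: '2.0', id: 1, method: 'tools/call', params: { name: 'read_file' } }, privateKey);
  const tampered = { ...m, params: { name: 'delete_file' } };
  return [verify(m), verify(m), verify(tampered), verify(m, m.ts + 120000)];
}
console.log(demo());
```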
Non-invasive. MCPS works as a layer on top of MCP, not a fork. Existing MCP servers continue to work -- MCPS adds optional security fields to the JSON-RPC envelope.
Standards-based. ECDSA P-256 (FIPS 186-5), SHA-256, JWK (RFC 7517), IEEE P1363 signature format (RFC 7518 Section 3.4), TLS channel binding (RFC 9266).
Zero dependencies. The reference implementations (Node.js and Python) use only built-in crypto libraries. Under 10KB.
Complementary to OAuth. OAuth authenticates sessions. MCPS signs individual messages and verifies agent identity. They work together -- MCPS adds the layer OAuth cannot: per-message integrity and artifact provenance.
Both implementations are zero-dependency, use only built-in crypto, and pass comprehensive test suites:
npm install mcp-secure
75 tests passing. 6.2KB. Node 16+.
pip install mcp-secure
53 tests passing. 8.1KB. Python 3.8+.
MCPS is open for review, feedback, and contribution. The specification is available on the IETF Datatracker and the reference implementations are on GitHub.