Generate keys, create agent passports, sign messages, verify signatures. Everything runs in your browser using Web Crypto API. No server calls. No install.
1. Keys
→
2. Passport
→
3. Sign
→
4. Verify
→
5. Tool Integrity
1
Generate ECDSA P-256 Key Pair
MCPS uses ECDSA with the P-256 curve (same as TLS, WebAuthn, Apple). The private key stays with the agent. The public key goes into the passport.
2
Create Agent Passport
An agent passport is a signed identity credential. It contains the agent's name, capabilities, public key, trust level, issuer, and expiry. The Trust Authority signs it.
3
Sign an MCP Message
Every JSON-RPC message gets wrapped in a signed envelope with a nonce (replay protection) and timestamp (5-min window). The agent signs with its private key.
4
Verify Signature
The receiving MCP server verifies the signature using the agent's public key from the passport. If the message was tampered with, verification fails.
5
Tool Integrity Binding
Tool definitions are signed by the server. If an attacker poisons a tool description (changes parameters, adds hidden instructions), the hash won't match.