Proposal: Agent Identity and Delegation for MCP Tool Calls #2404

dreynow · 2026-03-15T03:52:11Z

dreynow
Mar 15, 2026

Problem

MCP has a robust authorization spec for the human-to-server relationship: OAuth 2.1 handles "which human authorized this client to access this server." This works well for the HTTP transport.

But there is no standard mechanism for agent-to-agent authorization in tool calls. When Agent A delegates a task to Agent B, and Agent B calls an MCP tool, the server has no way to answer:

Who is this agent? (not the human - the specific agent instance)
What is it authorized to do? (which tools, what cost limits, what resources)
Who granted that authority? (the delegation chain back to a human or root)

This gap is especially acute for:

stdio transport - The auth spec explicitly says stdio should "retrieve credentials from the environment." There is no per-call authorization.
Multi-agent systems - When agents delegate to sub-agents (CrewAI crews, LangGraph subgraphs, AutoGen teams), the sub-agent's authority should be verifiable and narrower than its parent's.
Tool approval propagation - Discussion #1203 describes nested agents needing approval from the original user. A delegation chain solves this - the proof carries the approval.

Today, MCP servers must fall back to API keys, environment variables, or custom headers. None of these support delegation, attenuation, or cryptographic verification.

Proposed Extension

Add an optional auth field to params._meta on tools/call requests:

{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "tools/call",
  "params": {
    "name": "search_contacts",
    "arguments": {
      "query": "Alice Smith"
    },
    "_meta": {
      "auth": {
        "type": "delegation-proof",
        "version": "1",
        "invoker_did": "did:agent:4a1b2c3d...",
        "invoker_public_key": "a1b2c3d4e5f6...",
        "proof": "<base64-encoded invocation proof>"
      }
    }
  }
}

Design principles:

Optional - Clients may omit _meta.auth. Servers choose whether to require, accept, or ignore it.
Transport-agnostic - Works on stdio, HTTP, and SSE because the proof travels with the message.
Self-contained - The proof includes the full delegation chain. No external lookups needed. The server verifies using only the data in the proof and its own root public key.
Complementary to OAuth - OAuth handles human-to-server auth. This handles agent-to-agent delegation. They work together.
Backward compatible - _meta is already part of the spec. Servers that don't understand auth ignore it. Clients that don't support it send calls without it.

How It Works

Setup (one-time)

A human or organization creates a root authority (Ed25519 keypair) and delegates to agents with constraints:

Root Authority (Human)
  |
  +-- delegates to Manager Agent: [search, resolve, merge], expires 2026-04-01
      |
      +-- delegates to Worker Agent: [search, resolve], max_cost: $5
          |
          +-- calls MCP tool with proof

Each delegation is signed by the issuer. Caveats (action scope, expiry, cost limits, resource patterns) accumulate and can only narrow - never widen.

Per-call flow

Agent creates an invocation proof containing: the action, the arguments, and the delegation chain
Agent signs the proof with its Ed25519 key
Client attaches the proof to params._meta.auth
Server extracts the proof, verifies every signature in the chain back to the root, checks all caveats, and executes or rejects

Server verification (5 lines)

TypeScript:

import { verifyMcpCall, McpProof } from "@kanoniv/agent-auth";

const { proof, cleanArgs } = McpProof.extract(args);
if (proof) {
  const result = verifyMcpCall(proof, rootIdentity);
  // result.invoker_did, result.chain, result.depth
}

Python:

from kanoniv_agent_auth import verify_mcp_call, extract_mcp_proof

proof, clean_args = extract_mcp_proof(args_json)
if proof:
    invoker_did, root_did, chain, depth = verify_mcp_call(proof, root_identity)

Rust:

use kanoniv_agent_auth::mcp::{McpProof, verify_mcp_call};

let (proof, clean_args) = McpProof::extract(&args);
if let Some(proof) = proof {
    let result = verify_mcp_call(&proof, &root_identity)?;
}

Caveat Types

Delegation proofs support constraints that are checked at verification time:

Caveat	Example	Description
`action_scope`	`["search", "resolve"]`	Restrict to specific tool names
`expires_at`	`"2026-04-01T00:00:00Z"`	Time-limited delegation
`max_cost`	`5.0`	Cost ceiling per invocation
`resource`	`"entity:customer:*"`	Glob pattern on resource
`context`	`{"session_id": "abc"}`	Must match specific context
`custom`	`{"org": "acme"}`	Arbitrary key/value

Caveats accumulate through the chain. A sub-agent inherits all parent caveats plus any additional restrictions. This means delegation can only narrow authority, never widen it.

Security Properties

Cryptographic identity - Agents have Ed25519 keypairs and did:agent: identifiers. No central registry required.
Tamper-proof - Caveats are extracted from signed payloads, not outer fields. Modifying caveats after signing breaks verification.
Chain depth limit - Maximum 32 delegations to prevent DoS via deeply nested chains.
Revocation hook - Verification accepts a callback is_revoked(delegation_hash) -> bool. Implementations can plug in any revocation backend.
No trust in intermediaries - Every signature in the chain is independently verified. A compromised intermediate agent cannot forge its parent's authority.
Fail-closed - Missing required fields (e.g., cost when max_cost caveat is present) result in rejection, not silent bypass.

What This Does NOT Do

Replace OAuth - OAuth handles the human-to-server relationship. This handles agent-to-agent delegation. Use both.
Mandate a specific DID method - The reference implementation uses did:agent: but the proof format is DID-method-agnostic.
Require server changes to MCP core - This uses the existing _meta field. No protocol-level changes needed.
Force servers to verify - Auth is optional. Servers choose their enforcement level (required, optional, or disabled).

Reference Implementation

An MIT-licensed library implementing this proposal is available in three languages:

Rust: kanoniv-agent-auth (v0.2.0, 137 tests)
TypeScript: @kanoniv/agent-auth (v0.2.0, 80 tests)
Python: kanoniv-agent-auth (v0.2.0, 48 tests)

All three produce byte-identical proofs and can cross-verify (sign in Python, verify in Rust).

Source: github.com/kanoniv/agent-auth

Related Discussions

#64 - Authentication - Original auth discussion; mentions DIDs and cryptographic proofs
#804 - Gateway-Based Authorization Model - JWT assertions for identity propagation (18 upvotes)
#1203 - Tool Approval Propagation - Nested agent approval chains (unanswered)
#234 - Multi-user Authorization - Multi-tenant auth patterns
#1228 - Extra fixed parameters - Passing client context to servers without LLM involvement

dreynow · 2026-03-15T04:04:24Z

dreynow
Mar 15, 2026
Author

@pcarleton @pja-ant Would love your thoughts on this, it sits at the intersection of auth and the agents working group. Happy to answer any questions or iterate on the design.

0 replies

SonAIengine · 2026-03-16T02:05:14Z

SonAIengine
Mar 16, 2026

we've hacked around this before with manual allowlists, but it breaks down once you get deep nesting — you lose track of what each agent in the chain can actually do. revocation's the killer though: if a parent agent goes rogue mid-request, how do you unwind that delegation?

0 replies

dreynow · 2026-03-16T02:37:33Z

dreynow
Mar 16, 2026
Author

Good questions, both are exactly what motivated the design.

On deep nesting: Each delegation in the chain can only attenuate (narrow) the parent's permissions, never widen them. So if Agent A delegates ["resolve", "merge"] to Agent B, and B delegates to C, C can get at most ["resolve", "merge"], but B could narrow it to just ["resolve"]. Verification walks the full chain and intersects caveats at each step, so you always know the effective permissions at any depth without tracking them manually. The chain itself is the audit trail.

A (root) -> B (resolve, merge, max $100) -> C (resolve only, max $25)

On mid-request revocation: Revocation is checked at verification time, not delegation time. Each proof includes the full chain, and verify_mcp_call() checks every link against a revocation list before returning a verdict. If you revoke B's delegation while C is mid-request, C's next tool call fails immediately, no unwinding needed because no action executes without a fresh verification pass.

The implementation is live across Rust, TypeScript, and Python if you want to try it: https://github.com/kanoniv/agent-auth

0 replies

tomjwxf · 2026-03-26T02:34:40Z

tomjwxf
Mar 26, 2026

Great proposal. Agent identity and delegation is one of the most critical missing pieces in MCP right now.

I've been working on a production implementation of exactly this. ScopeBlind Passport provides a portable, signed agent identity that works today:

Identity: Each agent gets an Ed25519 keypair + a signed manifest (name, capabilities, trust tier)
Delegation: The Passport supports DPoP proof-of-possession (RFC 9449), so an agent can prove it owns its key on every request — enabling delegation chains where Agent A can prove it was authorized by Operator B
Verification: Any server can verify the Passport signature offline — no central auth, no OIDC dependency

For the "delegation" part specifically: we use a binding receipt that links the agent's Ed25519 identity key to a P-256 DPoP key. The operator signs this binding, creating a verifiable chain: Operator → Agent Identity → Per-Request DPoP Proof.

The enforcement layer is protect-mcp — a stdio proxy that evaluates the agent's Passport at session start and assigns tool-level access based on the trust tier. Every tool call produces a signed decision receipt.

Would love to align on the identity schema if there's interest in standardizing this at the spec level.

0 replies

0xbrainkid · 2026-03-28T17:05:23Z

0xbrainkid
Mar 28, 2026

Strong proposal. The delegation chain design is exactly right — attenuation-only is the correct security model for nested agent systems.

We've been working on the complementary layer: cross-organizational agent identity. MCP's OAuth 2.1 handles human→server auth, this proposal handles agent→agent delegation within a system, but neither addresses: how does Server X verify that Agent Y from Organization Z is who it claims to be when there's no shared IdP?

At RSAC 2026 last week, 200+ vendors launched agent identity products. Every single one assumes a shared admin or control plane. Zero handle the cross-org case — Agent A (running on Org 1's infra) calling a tool hosted by Org 2, where Org 2 has no prior relationship with Org 1.

The Solana Agent Trust Protocol (SATP) addresses this by anchoring agent identity on-chain:

Ed25519 keypair per agent (same cryptographic primitive as proposed here)
On-chain trust score derived from verifiable actions (not self-asserted)
Cross-org verification without shared IdP — any party can verify independently
Composable with delegation chains — SATP identity as the iss in delegation tokens

The two-layer model: this proposal for intra-system delegation (who authorized this agent to act) + SATP for cross-system identity (is this agent who it claims to be, and should I trust it).

The auth.identity.issuer field in the proposed spec is the natural integration point — it could reference an on-chain SATP identity for cross-org scenarios while falling back to org-internal issuers for single-org deployments.

Happy to collaborate on composability.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Proposal: Agent Identity and Delegation for MCP Tool Calls #2404

Uh oh!

{{title}}

Uh oh!

Replies: 5 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Proposal: Agent Identity and Delegation for MCP Tool Calls #2404

Uh oh!

dreynow Mar 15, 2026

Problem

Proposed Extension

How It Works

Setup (one-time)

Per-call flow

Server verification (5 lines)

Caveat Types

Security Properties

What This Does NOT Do

Reference Implementation

Related Discussions

Replies: 5 comments

Uh oh!

dreynow Mar 15, 2026 Author

Uh oh!

SonAIengine Mar 16, 2026

Uh oh!

dreynow Mar 16, 2026 Author

Uh oh!

tomjwxf Mar 26, 2026

Uh oh!

0xbrainkid Mar 28, 2026

dreynow
Mar 15, 2026

dreynow
Mar 15, 2026
Author

SonAIengine
Mar 16, 2026

dreynow
Mar 16, 2026
Author

tomjwxf
Mar 26, 2026

0xbrainkid
Mar 28, 2026