Compatibility & Legacy

How MCP-I interoperates with legacy identity systems and supports progressive adoption.

Compatibility & Legacy


Key Design Principles

  • Incremental Adoption: Start with agent identity (Level 1), add user delegation later
  • Interoperability: Can be layered on top of existing API gateways, identity providers, or edge infrastructure
  • Backwards-Compatible: Works with JWTs, session cookies, legacy user IDs
  • Schema-Agnostic: Supports any VC schema your verifier is configured to understand

Bridging Legacy Identity

Legacy ModelCompatible Pattern
OAuth2 (Access Token)Map token scope → DelegationCredential.scope
SAML AssertionExtract user attributes → Include in VC claims
API KeyReplace with scoped DID-based credential
Session CookieTreat session as a short-lived credential wrapper
User ID MappingLink userId ↔ DID via mapping registry or SDK method

You can create a Verifiable Credential that wraps or translates your existing identity claims.


Working With JWTs

You can issue VCs that:

  • Embed a JWT as a claim
  • Assert VC with a JWT signature
  • Map sub, aud, and exp fields to standard VC structure

This allows you to plug MCP-I into existing backend logic without full rewrites.


Legacy Identity Mapping

MCP-I supports customer-to-DID mapping through:

  • SDK utilities like getDidByCustomerId(...)
  • DID-User Registries
  • Alias claims in identity credentials

This enables support for users who authenticate through traditional identity systems (Auth0, Firebase, etc.)


Legacy Agent Compatibility

You can issue credentials or wrap identifiers for:

  • HTTP clients (API tokens)
  • CLI tools (machine identity)
  • Non-MCP-aware agents (via proxies or signed headers)

The edge verifier can validate these and convert them to a valid DelegationCredential.



Upgrade Flow Diagram

Loading diagram...

This shows how an existing identity record can be bridged into MCP-I without breaking legacy systems.

PhaseAction
Step 1Give agents static DIDs (Level 1)
Step 2Link users to DIDs (mapping or DID issuance)
Step 3Introduce delegation VCs
Step 4Enable revocation and audit logs
Step 5Gradually deprecate legacy tokens/cookies in favor of scoped VCs

MCP-I is designed to gracefully extend legacy environments without requiring a full rewrite. Many teams may continue using OAuth, OIDC, or JWT-based systems.

SDK-Based Fallback Example

The KYA-OS SDK supports interoperability between DIDs and customer-facing IDs:

const legacyUserId = "user_123";
const userDid = await kyaOsClient.ensureUserHasDid(legacyUserId);

This allows you to treat legacy IDs as DID-compatible without changing your underlying user database.


DID Introduction Pathways

When bridging a legacy system to MCP-I:

  • Issue a DID for each user on demand (lazy creation)
  • Use delegation credentials to scope access without touching existing auth logic
  • Introduce audit-backed revocation gradually using Edge Verification Guide

For full setup examples, see the Quick Start Guide.