Edge Verification Guide

How to implement MCP-I request verification logic at the edge, using middleware, CDN workers, or gateways

Edge Verification Guide


What Is an Edge Verifier?

An edge verifier is a network middleware or service component that intercepts agent requests before they hit your API or backend, and enforces MCP-I verification policies.

This includes:

  • Identity resolution (DIDs)
  • Credential validation (VC signatures, expiration, status)
  • Delegation chain verification
  • Revocation checks
  • Reputation/policy enforcement

Enforcement Lifecycle

Loading diagram...

Example: Verifier Logic (Cloudflare Worker)

async function handleRequest(request) {
  const mcpVC = request.headers.get("MCP-I-Credential");
  const delegationId = request.headers.get("MCP-I-Delegation");

  if (!mcpVC || !delegationId) {
    return new Response("Missing MCP-I headers", { status: 400 });
  }

  const { valid, reason } = await verifyDelegation({
    credentialId: delegationId,
    vcJwt: mcpVC
  });

  if (!valid) {
    return new Response("Delegation failed: " + reason, { status: 403 });
  }

  return fetch(request); // forward to origin
}

Caching and Performance

  • Cache status lists (Bitstring or revocation registries) locally
  • Refresh on token retry/failure
  • Avoid storing full VCs in browser or header for long-lived sessions
  • Use nonce/anti-replay checks for write endpoints

Failure Modes

ReasonResponse
Signature invalid403 Forbidden
Expired credential403 Expired
Revoked403 Revoked
Unknown DID404 Not Found
Unsupported method501 Not Implemented
Trust score too low403 Denied (reputation enforcement)

Where This Fits in the Stack

The verifier does not replace:

  • Identity provider (can wrap OAuth/SAML)
  • Backend logic (enforces policies post-verification)
  • VC issuance logic (Credential Service)

But should always sit in front of:

  • Public APIs
  • Agent/LLM endpoints
  • Any MCP-I protected path

  • Edge-Delegation-Verification.md
  • Credential-Service.md
  • Core-Service.md
  • KYA_Provisional_Patent_Detailed_DylanHobbs.md

See Also

Advanced Enforcement Strategies

MCP-I verification at the edge can be extended to support more complex or hybrid deployments:

  • mTLS Identity Passthrough: Use mutual TLS to forward client identity and resolve/verifier credentials in a private backend.
  • Header Injection: Propagate identity context (e.g., X-Verified-Agent, X-Agent-Reputation) for downstream services to interpret.
  • Trust Registry Caching: Use a local trust registry index or delegation resolution cache to speed up repeated validations.

These strategies are particularly useful when integrating MCP-I into enterprise gateway environments or zero-trust edge platforms.

See also: Protocol Registry