Edge Verification Guide
How to implement MCP-I request verification logic at the edge, using middleware, CDN workers, or gateways
Edge Verification Guide
Key Takeaways
- Explains where and how MCP-I request verification should happen
- Shows how to validate identity, delegation, and credential scope at the network edge
- Demonstrates real-world verifier logic using Cloudflare Worker and proxy middleware
- Defines fallback behavior, error responses, and caching considerations
What Is an Edge Verifier?
An edge verifier is a network middleware or service component that intercepts agent requests before they hit your API or backend, and enforces MCP-I verification policies.
This includes:
- Identity resolution (DIDs)
- Credential validation (VC signatures, expiration, status)
- Delegation chain verification
- Revocation checks
- Reputation/policy enforcement
Enforcement Lifecycle
Loading diagram...
Example: Verifier Logic (Cloudflare Worker)
async function handleRequest(request) {
const mcpVC = request.headers.get("MCP-I-Credential");
const delegationId = request.headers.get("MCP-I-Delegation");
if (!mcpVC || !delegationId) {
return new Response("Missing MCP-I headers", { status: 400 });
}
const { valid, reason } = await verifyDelegation({
credentialId: delegationId,
vcJwt: mcpVC
});
if (!valid) {
return new Response("Delegation failed: " + reason, { status: 403 });
}
return fetch(request); // forward to origin
}
Caching and Performance
- Cache status lists (Bitstring or revocation registries) locally
- Refresh on token retry/failure
- Avoid storing full VCs in browser or header for long-lived sessions
- Use nonce/anti-replay checks for write endpoints
Failure Modes
| Reason | Response |
|---|---|
| Signature invalid | 403 Forbidden |
| Expired credential | 403 Expired |
| Revoked | 403 Revoked |
| Unknown DID | 404 Not Found |
| Unsupported method | 501 Not Implemented |
| Trust score too low | 403 Denied (reputation enforcement) |
Where This Fits in the Stack
The verifier does not replace:
- Identity provider (can wrap OAuth/SAML)
- Backend logic (enforces policies post-verification)
- VC issuance logic (Credential Service)
But should always sit in front of:
- Public APIs
- Agent/LLM endpoints
- Any MCP-I protected path
Related Files & Source
Edge-Delegation-Verification.mdCredential-Service.mdCore-Service.mdKYA_Provisional_Patent_Detailed_DylanHobbs.md
See Also
Advanced Enforcement Strategies
MCP-I verification at the edge can be extended to support more complex or hybrid deployments:
- mTLS Identity Passthrough: Use mutual TLS to forward client identity and resolve/verifier credentials in a private backend.
- Header Injection: Propagate identity context (e.g.,
X-Verified-Agent,X-Agent-Reputation) for downstream services to interpret. - Trust Registry Caching: Use a local trust registry index or delegation resolution cache to speed up repeated validations.
These strategies are particularly useful when integrating MCP-I into enterprise gateway environments or zero-trust edge platforms.
See also: Protocol Registry