Model Context Protocol - Identity
Getting started with the Identity addendum to Model Context Protocol (MCP-I).
What is MCP-I?
Taking inspiration from the Model Context Protocol (MCP), MCP-I extends MCP with cryptographic identity and delegation. It enables AI agents to prove not only which user they represent, but also that they have explicit permission to act on the user's behalf. This capability allows agents to interact with services requiring strong assurance of user identity—whether for personalization, access control, or regulatory compliance.
Why MCP-I Matters: The 'Know Your Agent' problem
As AI agents become more prevalent and autonomous, the ability to verify their identity and authority becomes critical. AI agents need a secure way to prove:
- Who they are (identity)
- Who authorized them (delegation)
- What they're allowed to do (scope)
- Whether they can be trusted (reputation)
MCP-I addresses these by providing:
- Secure Identity: Cryptographically verifiable identities for AI agents
- Delegation Chains: Clear provenance of authority from user to agent
- Verifiable Credentials: Tamper-proof attestations of permissions
- Audit Mechanisms: Comprehensive tracking of agent activities
- Interoperability: Standardized approach across platforms and vendors
- Regulatory Compliance: Alignment with emerging AI regulations
Key Entities in MCP-I
MCP-I defines several key entities that interact within its framework:
- User (Principal): The human or organization delegating authority to an agent
- Agent: The AI software acting on behalf of a user
- Service: The resource server providing tools, data, or capabilities
- Verifier / Edge Service: The component that verifies agent requests
What can MCP-I achieve?
With MCP-I, agents can act on behalf of users and do things such as:
- Book a flight using your saved traveler profile.
- File your taxes with your real identity.
- Access your health records securely.
Previously, AI agents could not perform these tasks, as they could not prove which user they represented, or what permissions they'd been granted.
MCP-I makes this possible by requiring agents to:
- Prompt the user to verify identity (e.g., via OAuth, biometric KYC, or other flows) and receive a cryptographically signed identifier in return.
- Request delegation of authority from the user, specifying what actions are allowed and under what conditions.
- Transmit verifiable proof of both identity and delegation to services—either directly or through a trusted edge proxy that validates and forwards the request.
The Know Your Agent (KYA) Problem
Without standardized identity and delegation mechanisms, organizations face significant risks when integrating with AI agents, including unauthorized access, audit gaps, and compliance violations.
Cryptographic Foundations
MCP-I builds upon established web standards for decentralized identity with these key components:
- Verifiable Credentials (VCs): Signed, tamper-proof digital attestations of claims
- Decentralized Identifiers (DIDs): Cryptographic, verifiable identifiers for agents and users, and a component of VCs
- Delegation Credentials: VCs specifically used to delegate authority from one entity to another
Real-World Parallel
Think of MCP-I as an embassy system. The Principal is a citizen, the Agent is their ambassador, the Service is a foreign government, and the Verifier is the border control checking credentials.
Conformance Levels
MCP-I defines three levels of implementation to accommodate different security needs and adoption stages:
Level 1: Basic
- DID issuance at agent registration (optional verification)
- VC delegation or legacy identifiers (OIDC, JWT)
- Agent requests verified by Edge Proxy
- No revocation checks enforced
- Limited agent reputation tracking
Level 2: Standard
- DID issuance and mandatory DID verification
- Full VC delegation verification at request time
- Delegation revocation support (StatusList2021)
- Cryptographic proof required in agent requests
- Basic agent reputation tracking
- Optional visibility into agent identity for downstream services
Level 3: Enterprise
- Comprehensive DID and VC lifecycle management
- Immutable audit trails and detailed reputation management
- Credential-to-token bridging for OAuth 2.1 compatibility
- Behavioral anomaly detection in delegation usage
- Extensive revocation and selective disclosure capabilities
- Both the Agent and Recipient service are MCP-I Aware, enabling direct delegation chain resolution and agent reputation enforcement.
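The request-time checks listed under Level 2 above (delegation verified on each request, StatusList2021 revocation) can be sketched as follows. This is an added example, not code from the MCP-I specification: the `scopes` field, the function names, the DIDs and the status URL are assumptions, the sample credentials are constructed, and the proof signatures on both credentials are assumed to have been verified before this function runs.

```python
import base64, gzip, zlib
from datetime import datetime

def status_bit(encoded_list: str, index: int) -> bool:
    """Return the StatusList2021 bit at `index` (True means revoked)."""
    padded = encoded_list + "=" * (-len(encoded_list) % 4)
    raw = gzip.decompress(base64.urlsafe_b64decode(padded))
    if not 0 <= index < len(raw) * 8:
        raise ValueError("statusListIndex outside the status list")
    # Assumption: index 0 is the left-most (most significant) bit of byte 0.
    return bool(raw[index // 8] & (0x80 >> (index % 8)))

def check_delegation(vc, status_list_vc, agent_did, action, now):
    """Return (allowed, reason); signatures are assumed already verified."""
    try:
        subject = vc["credentialSubject"]
        if subject["id"] != agent_did:
            return False, "credential was not delegated to this agent"
        if action not in subject["scopes"]:  # hypothetical field name
            return False, "action outside delegated scope"
        if now >= datetime.fromisoformat(vc["expirationDate"]):
            return False, "delegation expired"
        entry = vc["credentialStatus"]
        if (entry["type"], entry["statusPurpose"]) != ("StatusList2021Entry", "revocation"):
            return False, "unsupported status entry"
        if entry["statusListCredential"] != status_list_vc["id"]:
            return False, "status list does not match credential"
        encoded = status_list_vc["credentialSubject"]["encodedList"]
        if status_bit(encoded, int(entry["statusListIndex"])):
            return False, "delegation revoked"
    except (KeyError, ValueError, TypeError, OSError, EOFError, zlib.error) as exc:
        return False, f"malformed credential: {exc!r}"  # fail closed
    return True, "ok"

# Constructed sample data for the example (not real credentials).
STATUS_URL = "https://status.example/lists/1"

def sample_status_list(revoked, size_bits=131072):
    raw = bytearray(size_bits // 8)
    for i in revoked:
        raw[i // 8] |= 0x80 >> (i % 8)
    encoded = base64.urlsafe_b64encode(gzip.compress(bytes(raw))).decode()
    return {"id": STATUS_URL, "credentialSubject": {"encodedList": encoded.rstrip("=")}}

SAMPLE_VC = {
    "issuer": "did:example:alice",
    "credentialSubject": {"id": "did:example:agent-1", "scopes": ["flights:book"]},
    "expirationDate": "2030-01-01T00:00:00+00:00",
    "credentialStatus": {"type": "StatusList2021Entry", "statusPurpose": "revocation",
                         "statusListIndex": "94", "statusListCredential": STATUS_URL},
}
```

Any parsing or lookup failure is treated as a denial, so a missing or corrupted status list cannot turn into an implicit allow.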
Adoption Strategy
Organizations can begin with Level 1 implementation to gain immediate benefits while planning migration to higher conformance levels as their security needs evolve.
Getting Started with MCP-I
To begin understanding and implementing MCP-I, we recommend that you:
- Explore the Architecture Overview to understand how the components fit together
- Learn about the Identity Layer and Delegation Layer
- Check the FAQ for answers to common questions
Next Steps
Continue to Architecture Overview to learn more about how MCP-I is structured and functions.