TypeScript SDK

KYA-OS TypeScript SDK — @kya-os/mcp package documentation

@kya-os/mcp

The TypeScript reference implementation for KYA-OS. Identity, delegation, and cryptographic proofs for the Model Context Protocol.

Installation

npm install @kya-os/mcp

Requires Node.js 20+. Peer dependency on @modelcontextprotocol/sdk (optional, only needed for withKyaOs).

Core API

withKyaOs — One-Line Integration

The fastest path. Wraps an existing MCP server with identity, sessions, and proofs.

import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
import { withKyaOs, NodeCryptoProvider } from "@kya-os/mcp";

const server = new McpServer({ name: "my-server", version: "1.0.0" });
const kyaos = await withKyaOs(server, { crypto: new NodeCryptoProvider() });

// Your server now has:
// - A DID identity (kyaos.identity.did)
// - Handshake endpoint (_kyaos tool)
// - Proofs on every tool response
// - Session management with replay prevention

Default behavior is compatibility-first. withKyaOs auto-registers _kyaos as a tool so it appears in MCP Inspector and tool lists.

Options

await withKyaOs(server, {
  crypto: new NodeCryptoProvider(),
  handshakeExposure: "none",   // 'tool' (default) | 'none'
  autoSession: false,           // Skip automatic session creation
});

If your runtime has its own connection handshake, disable tool exposure and call the middleware directly:

const kyaos = await withKyaOs(server, {
  crypto: new NodeCryptoProvider(),
  handshakeExposure: "none",
  autoSession: false,
});

// In your runtime's connection hook:
await kyaos.handleKyaOs({
  action: "handshake",
  nonce: "client-generated-nonce",
  audience: kyaos.identity.did,
  timestamp: Math.floor(Date.now() / 1000),
  agentDid: "did:key:...optional...",
});

createKyaOsMiddleware — Low-Level Control

For when you need full control over identity lifecycle, session parameters, and tool wrapping.

import {
  createKyaOsMiddleware,
  generateIdentity,
  NodeCryptoProvider,
} from "@kya-os/mcp";

const crypto = new NodeCryptoProvider();
const identity = await generateIdentity(crypto);
const kyaos = createKyaOsMiddleware(
  { identity, session: { sessionTtlMinutes: 60 } },
  crypto
);

wrapWithProof — Automatic Proof Attachment

Wraps a tool handler so every response includes a detached JWS signature.

const search = kyaos.wrapWithProof("search", async (args) => ({
  content: [{ type: "text", text: `Results for: ${args["query"]}` }],
}));

wrapWithDelegation — Human Consent Required

Wraps a tool handler so it requires a valid delegation VC before executing.

const placeOrder = kyaos.wrapWithDelegation(
  "place_order",
  {
    scopeId: "orders:write",
    consentUrl: "https://example.com/consent",
  },
  kyaos.wrapWithProof("place_order", async (args) => ({
    content: [{ type: "text", text: `Order placed: ${args["item"]}` }],
  }))
);

If the agent doesn't have a valid delegation, the tool returns needs_authorization with the consent URL. The human approves, the agent gets a VC, and retries.

generateIdentity — Create a DID

Generates an Ed25519 key pair and derives a did:key identifier.

import { generateIdentity, NodeCryptoProvider } from "@kya-os/mcp";

const crypto = new NodeCryptoProvider();
const identity = await generateIdentity(crypto);

console.log(identity.did);
// did:key:z6Mk...

Modules

All available as subpath exports:

ImportWhat it does
@kya-os/mcpMain entry. withKyaOs, createKyaOsMiddleware, generateIdentity, providers.
@kya-os/mcp/delegationIssue and verify W3C Verifiable Credentials. DID resolution. StatusList2021 revocation. Cascading revocation.
@kya-os/mcp/proofGenerate and verify detached JWS proofs with canonical hashing (JCS + SHA-256).
@kya-os/mcp/sessionNonce-based handshake. Replay prevention. Session TTL management.
@kya-os/mcp/providersAbstract CryptoProvider, IdentityProvider, StorageProvider.
@kya-os/mcp/typesPure TypeScript interfaces. Zero runtime dependencies.

Extension Points

Every cryptographic operation, storage backend, and DID resolution method is abstracted behind interfaces you implement.

Custom Crypto Provider

import { CryptoProvider } from "@kya-os/mcp";

class KMSCryptoProvider extends CryptoProvider {
  async sign(data: Uint8Array, keyArn: string) {
    return kmsClient.sign({ KeyId: keyArn, Message: data });
  }
}

await withKyaOs(server, { crypto: new KMSCryptoProvider() });

Custom Nonce Cache

import { NonceCacheProvider } from "@kya-os/mcp";

class RedisNonceCacheProvider extends NonceCacheProvider {
  async hasNonce(nonce: string) {
    return redis.exists(`nonce:${nonce}`);
  }
  async addNonce(nonce: string, ttl: number) {
    redis.setex(`nonce:${nonce}`, ttl, "1");
  }
}

DID Resolution

Built-in support for did:key (self-resolving) and did:web (HTTP resolution). Add any custom method via DIDResolver.

Conformance Levels

Three levels, progressively deeper trust guarantees:

LevelWhat's required
Level 1 — Core CryptoEd25519 signatures, DID:key resolution, JCS canonicalization
Level 2 — Full SessionLevel 1 + nonce-based handshake, session management, replay prevention
Level 3 — Full DelegationLevel 2 + W3C VC issuance/verification, scope attenuation, StatusList2021, cascading revocation

Full details in CONFORMANCE.md.

Examples

ExampleWhat it shows
consent-basicHuman-in-the-loop consent: needs_authorization → consent page → delegation VC → execution
consent-fullProduction consent UI via @kya-os/consent
node-serverLow-level Server API with handshake, proof, and restricted tools
brave-searchReal MCP server (Brave Search) wrapped with KYA-OS
outbound-delegationForwarding delegation context to downstream services
verify-proofStandalone proof verification
context7-with-kyaosAdding KYA-OS to an existing server with withKyaOs