Agent CertAgent Cert
Reference

MCP Server.

Agent Cert exposes a Model Context Protocol server so any MCP-capable agent can certify decisions without writing a single line of HTTP code. One SSE endpoint, six tools, the same API-key authentication as the REST API.

Security note. The MCP endpoint enforces X-API-Key authentication on every request via an ASGI middleware. Requests without a valid key receive HTTP 401 immediately — no tool can be invoked anonymously. Each tool execution is scoped to the caller's account via a contextvar set during auth.

Endpoint

https://YOUR-BACKEND/mcp/sse

Authentication

Pass your API key as X-API-Key in the SSE connection headers. The middleware:

  1. Reads X-API-Key from the incoming SSE request.
  2. Hashes the key and looks up an active row in the api_keys table.
  3. Rejects with HTTP 401 if the key is missing, unknown, or revoked.
  4. On success, stores user_id in a contextvar so every tool query is scoped to your account.

Revoking your API key at /settings/api-keysimmediately disconnects any active MCP session using that key.

Tools

certify_decision

Submit an agent execution for evaluation and return a signed Decision Receipt. The MCP equivalent of POST /v1/receipts.

Parameters:

  • agent_id: string — your stable agent identifier
  • platform: string — "bedrock" | "copilot" | etc.
  • user_intent: string
  • agent_output: string
  • tools_used: string[]
  • retrieval_summary: string (optional)
  • policy_rules: string[] (optional ad-hoc rules)

get_receipt

Fetch a single Decision Receipt by ID.

Parameters: receipt_id: string

verify_receipt

Re-verify a receipt — recomputes hashes, validates the Ed25519 signature, returns the verification result.

Parameters: receipt_id: string

get_anchor_proof

Return the on-chain Solana anchor proof for a receipt — tx signature, explorer URL, network, and the hash-match result.

Parameters: receipt_id: string

list_my_receipts

List your most recent receipts. Admins see all receipts in the system; non-admins see only their own (enforced server-side).

Parameters: limit: integer (default 25)

check_credits

Return your current credit balance.

Parameters: none

Connecting from Copilot Studio

See the full walkthrough at Integrations → Microsoft Copilot Studio. Summary:

  1. In your Copilot Studio agent, open the Add a tool dialog and choose MCP.
  2. Server URL: https://YOUR-BACKEND/mcp/sse
  3. Auth: select API key, header name X-API-Key, value = your Agent Cert key from /welcome.
  4. Copilot Studio auto-discovers all six tools.
  5. Wire the certify_decision tool to your topic so every meaningful response generates a receipt.

Connecting from Claude Desktop

{
  "mcpServers": {
    "agent-cert": {
      "url": "https://YOUR-BACKEND/mcp/sse",
      "headers": {
        "X-API-Key": "ak_live_..."
      }
    }
  }
}

Connecting from a custom MCP client

Any client that supports MCP over SSE works. Pass the API key in the connection headers. The server speaks the standard MCP wire protocol — no custom extensions.

Troubleshooting

  • HTTP 401 on connect — API key missing, malformed, or revoked. Check X-API-Key spelling (case-insensitive but the value must match exactly).
  • Tools missing in client — the SSE handshake completed but tool discovery failed. Check the SSE event stream for protocol errors.
  • Insufficient credits during certify_decision — top up via the CERT bridge (see CERT & credits).