mcp-server-insumer

MCP server for InsumerAPI — condition-based access infrastructure. Send a wallet and conditions, get a signed boolean across 33 chains. No balances exposed, no identity required, no trust in the API provider needed.

Enables AI agents (Claude Desktop, Cursor, Windsurf, and any MCP-compatible client) to add condition-based access to any workflow — verify on-chain conditions, discover merchants, generate signed discount codes, and onboard new merchants.

In production: DJD Agent Score (Coinbase x402 ecosystem) uses InsumerAPI for AI agent wallet trust scoring. Case study.

Also available as: LangChain (26 tools, PyPI) | langchain-community (26 tools, PR #549) | ElizaOS (10 actions, npm) | OpenAI GPT (GPT Store) | insumer-verify (client-side verification, npm)

Full AI Agent Verification API guide — covers all 33 chains, trust profiles, commerce protocols, and signature verification.

Quick Start

Claude Desktop

Add to your claude_desktop_config.json:

{
  "mcpServers": {
    "insumer": {
      "command": "npx",
      "args": ["-y", "mcp-server-insumer"],
      "env": {
        "INSUMER_API_KEY": "insr_live_..."
      }
    }
  }
}

Cursor / Windsurf

Add to your MCP settings:

{
  "insumer": {
    "command": "npx",
    "args": ["-y", "mcp-server-insumer"],
    "env": {
      "INSUMER_API_KEY": "insr_live_..."
    }
  }
}

Get an API Key

Option A — Let your agent do it: Start the server without a key. Your AI agent can call the insumer_setup tool with your email to generate a free key instantly. Add it to your config and restart.

Option B — Terminal (no browser needed):

curl -s -X POST https://api.insumermodel.com/v1/keys/create \
  -H "Content-Type: application/json" \
  -d '{"email": "you@example.com", "appName": "MCP Server", "tier": "free"}'

Returns an insr_live_... key with 100 reads/day and 10 verification credits. One free key per email.

Option C — Browser: Go to insumermodel.com/developers and generate a free key instantly.

Set it as INSUMER_API_KEY in your config.

What You Get Back

When your agent calls insumer_attest, you get an ECDSA-signed attestation:

{
  "ok": true,
  "data": {
    "attestation": {
      "id": "ATST-A7C3E1B2D4F56789",
      "pass": true,
      "results": [
        {
          "condition": 0,
          "met": true,
          "label": "USDC >= 1000 on Ethereum",
          "type": "token_balance",
          "chainId": 1,
          "evaluatedCondition": {
            "chainId": 1,
            "contractAddress": "0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48",
            "decimals": 6,
            "operator": "gte",
            "threshold": 1000,
            "type": "token_balance"
          },
          "conditionHash": "0x554251734232c8b43062f1cf2bb51b76650d13268104d74c645f4893e67ef69c",
          "blockNumber": "0x1799043",
          "blockTimestamp": "2026-03-26T20:04:23.000Z"
        }
      ],
      "passCount": 1,
      "failCount": 0,
      "attestedAt": "2026-02-28T12:34:57.000Z",
      "expiresAt": "2026-02-28T13:04:57.000Z"
    },
    "sig": "dmNJKqnGZ9f47qpWax9gxgw1DhUKHKHrbLspTop8NWzYhv2fNpVAt1gAuhUfU4xPsgXTCdrmTXI4vEE50dcfEA==",
    "kid": "insumer-attest-v1"
  },
  "meta": {
    "version": "1.0",
    "timestamp": "2026-02-28T12:34:57.000Z",
    "creditsRemaining": 99,
    "creditsCharged": 1
  }
}

The sig is an ECDSA P-256 signature over {id, pass, results, attestedAt}. The kid identifies which key signed it. The conditionHash is a SHA-256 of the exact condition logic that was evaluated.

No balances. No amounts. Just a cryptographically signed true/false.

For XRPL conditions, results include ledgerIndex, ledgerHash (validated ledger hash), and trustLineState: { frozen: boolean } instead of blockNumber/blockTimestamp. Native XRP conditions include ledgerIndex and ledgerHash but not trustLineState. Frozen trust lines cause met: false.

Wallet Auth (JWT)

Add format: "jwt" to the insumer_attest tool parameters to receive the attestation as a standard JWT bearer token:

{
  "wallet": "0xd8dA6BF26964aF9D7eEd9e03E53415D37aA96045",
  "conditions": [ ... ],
  "format": "jwt"
}

The response includes an additional jwt field containing an ES256-signed JWT. This token is verifiable by any standard JWT library via the JWKS endpoint at GET /v1/jwks — making it compatible with Kong, Nginx, Cloudflare Access, AWS API Gateway, and other middleware that accepts JWT bearer tokens.

Verify the Response

Your agent gets the attestation. Your application should verify it. Install insumer-verify:

npm install insumer-verify

import { verifyAttestation } from "insumer-verify";

// attestationResponse = the full API envelope {ok, data: {attestation, sig, kid}, meta}
// Do NOT pass attestationResponse.data — the function expects the outer envelope
const result = await verifyAttestation(attestationResponse, {
  jwksUrl: "https://insumermodel.com/.well-known/jwks.json",
  maxAge: 120, // reject if block data is older than 2 minutes
});

if (result.valid) {
  // Signature verified, condition hashes match, not expired
  const pass = attestationResponse.data.attestation.pass;
  console.log(`Attestation ${pass ? "passed" : "failed"} all conditions`);
} else {
  console.log("Verification failed:", result.checks);
}

This runs 4 independent checks: ECDSA signature, condition hash integrity, block freshness, and attestation expiry. Zero runtime dependencies, uses Web Crypto API.

Tools (27)

Setup (free, no auth)

Key Discovery (free)

On-Chain Verification (cost credits)

Discovery (free)

Credits & Keys

Merchant Onboarding (owner-only)

Domain Verification (owner-only)

Commerce Protocol Integration

Pricing

Tiers: Free (100 reads/day, 10 credits) | Pro $29/mo (1,000 credits/mo, 10,000/day) | Enterprise $99/mo (5,000 credits/mo, 100,000/day)

Volume discounts: $5–$99 = $0.04/call (25 credits/$1) · $100–$499 = $0.03 (33/$1, 25% off) · $500+ = $0.02 (50/$1, 50% off)

Platform wallets:

• EVM (USDC/USDT): 0xAd982CB19aCCa2923Df8F687C0614a7700255a23

• Solana (USDC/USDT): 6a1mLjefhvSJX1sEX8PTnionbE9DqoYjU6F6bNkT4Ydr

• Bitcoin: bc1qg7qnerdhlmdn899zemtez5tcx2a2snc0dt9dt0

Supported payment chains: Ethereum, Base, Polygon, Arbitrum, Optimism, BNB Chain, Avalanche, Solana, Bitcoin. Tokens sent on unsupported chains cannot be recovered. All purchases are final and non-refundable. Full pricing →

Handling rpc_failure Errors

If the API cannot reach one or more blockchain data sources after retries, endpoints that produce signed attestations (insumer_attest, insumer_trust, insumer_trust_batch) return ok: false with error code rpc_failure. No signature, no JWT, no credits charged. This is a retryable error — the MCP client should retry after a short delay (2-5 seconds).

Important: rpc_failure is NOT a verification failure. Do not treat it as pass: false. It means the data source was temporarily unavailable and the API refused to sign an unverified result.

Supported Chains (33)

30 EVM chains + Solana + XRP Ledger + Bitcoin. Includes Ethereum, Base, Polygon, Arbitrum, Optimism, BNB Chain, Avalanche, and 23 more. Full list →

Development

npm install
npm run build

# Test with MCP Inspector
npx @modelcontextprotocol/inspector node build/index.js

License

MIT