What can you do with this server?

The attest-mcp-server is a control plane for AI agents, providing scoped credential management, immutable audit logging, and human-in-the-loop approvals. Credential Management * Issue credentials — Create root signed JWTs scoped to a human user and instruction * Delegate credentials — Create narrower child credentials from a parent, enforcing child scopes are a strict subset * Revoke credentials — Revoke a credential and cascade revocation to all descendants * Verify credentials — Check validity using the org's JWKS * Check revocation — Look up revocation status by credential ID (JTI) Task & Audit Visibility * List tasks — Retrieve recent task trees with optional filters by user, agent, or status * Get audit trail — Fetch the full chronological audit event chain for a task tree * Get evidence — Retrieve a signed, portable evidence packet for compliance or incident review Audit Logging * Report action — Append a tool execution outcome (success/failure/error/skipped) to the audit log * Report status — Record agent lifecycle events (started/completed/failed) Human-in-the-Loop Approvals * Request approval — Create a pending approval challenge for high-risk delegations requiring human sign-off * Get approval — Check the status of a pending approval challenge * Grant approval — Approve a challenge via OIDC identity token, minting an authorized child credential * Deny approval — Reject a pending approval without issuing any credential

Which integrations are available for this server?

Allows authorization and auditing of actions targeting Gmail, such as sending emails, by issuing scoped credentials and recording signed execution receipts. Allows authorization and auditing of risky actions targeting Stripe, such as processing refunds or credits, by issuing scoped credentials and recording signed execution receipts.

attest-mcp-server

by chudah1

Overview Schema Related Servers Score Discussions(1)

Attest

License: Apache 2.0

Attest controls and proves risky AI actions before they hit production systems. It gives agents signed, scope-limited credentials, routes high-risk mutations through policy and optional approval, issues short-lived execution grants, and leaves signed receipts that can be verified later.

This repository also includes a standalone MCP server:

TypeScript MCP server — a real stdio Model Context Protocol server that exposes Attest tools like issue_credential, delegate_credential, list_tasks, get_audit_trail, get_evidence, and approval actions.
TypeScript MCP middleware — middleware for protecting your own MCP server with Attest.

Quickstart (TypeScript)

import { AttestClient } from '@attest-dev/sdk';

const client = new AttestClient({ baseUrl: 'http://localhost:8080', apiKey: 'dev' });

// 1. Issue a root credential for your agent workflow
const root = await client.issue({
  agent_id: 'support-bot',
  user_id: 'alice@acme.com',
  scope: ['refund:execute', 'credit:execute'],
  instruction: 'Review support incidents and safely process eligible refunds.',
});

// 2. Request a risky action before touching the target system
const action = await client.requestAction({
  action_type: 'refund',
  target_system: 'stripe',
  target_object: 'order_ORD-4821',
  action_payload: {
    amount_cents: 4799,
    currency: 'USD',
    reason: 'damaged_item',
  },
  agent_id: 'support-bot',
  sponsor_user_id: 'alice@acme.com',
  att_tid: root.claims.att_tid,
});

if (action.status !== 'approved' || !action.grant?.token) {
  throw new Error(`refund needs approval: ${action.status}`);
}

// 3. Execute with the short-lived grant, then record the receipt
const receipt = await client.executeAction(action.id, {
  outcome: 'success',
  provider_ref: 're_abc123',
  response_payload: { stripe_status: 'succeeded' },
});
console.log(receipt.signed_packet_hash);

// 4. Fetch the immutable receipt later
const confirmed = await client.getReceipt(action.id);
console.log(confirmed.outcome, confirmed.provider_ref);

Related MCP server: Zendesk MCP Server by CData

Scope syntax

Scopes follow the pattern resource:action. Either field may be * as a wildcard.

Expression	Meaning
`gmail:send`	Send via Gmail only
`gmail:*`	All Gmail actions
`*:read`	Read access to any resource
`:`	Full access (root grants only)

Delegation still enforces that child scope is a strict subset of the parent scope. The Action API builds on top of that delegation substrate to gate risky writes.

Getting started

Prerequisites: Docker and Docker Compose.

# Clone and start everything
git clone https://github.com/chudah1/attest-dev
cd attest-dev
docker compose up --build

# The server is now running at http://localhost:8080
# PostgreSQL at localhost:5432

# Issue your first credential (replace YOUR_API_KEY with the key from POST /v1/orgs)
curl -s -X POST http://localhost:8080/v1/credentials \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer YOUR_API_KEY' \
  -d '{
    "agent_id":    "orchestrator-v1",
    "user_id":     "usr_alice",
    "scope":       ["research:read", "gmail:send"],
    "instruction": "Research competitors and email the board"
  }' | jq .

# Open the interactive demo
open demo/index.html

If you want to run the Go server outside Docker, point it at the Compose database:

docker compose up -d postgres
cd server
DATABASE_URL=postgres://attest:attest@localhost:5432/attest go run ./cmd/attest

API reference

Method	Path	Description
`POST`	`/v1/orgs`	Create an organization and get an API key
`POST`	`/v1/credentials`	Issue a root credential
`POST`	`/v1/credentials/delegate`	Delegate to a child agent
`GET`	`/v1/actions`	List action requests
`POST`	`/v1/actions/request`	Create an action request and run policy
`GET`	`/v1/actions/{id}`	Fetch an action request
`POST`	`/v1/actions/{id}/approve`	Approve a pending action
`POST`	`/v1/actions/{id}/deny`	Deny a pending action
`POST`	`/v1/actions/{id}/execute`	Record execution and mint a receipt
`GET`	`/v1/actions/{id}/receipt`	Fetch the signed execution receipt
`DELETE`	`/v1/credentials/{jti}`	Revoke credential and all descendants
`GET`	`/v1/revoked/{jti}`	Check revocation status (public, no auth)
`GET`	`/v1/tasks/{tid}/audit`	Retrieve the audit chain for a task
`POST`	`/v1/audit/report`	Report an agent action to the audit log
`POST`	`/v1/audit/status`	Report agent lifecycle event (started/completed/failed)
`POST`	`/v1/approvals`	Request human-in-the-loop approval
`POST`	`/v1/approvals/{id}/grant`	Grant a pending HITL approval
`GET`	`/orgs/{orgId}/jwks.json`	Public key set for offline verification
`GET`	`/health`	Health check

Specification

The credential format is defined in spec/WCS-01.md (Attest Credential Standard, revision 01).

License

Apache 2.0 — see LICENSE.

Install Server

license - permissive license

quality

maintenance

How are these scores calculated?

Resources

GitHub Repository

Need Help?

Related Servers

Tools

View all tools

Latest Blog Posts

Lightport: Open-Sourcing Glama's AI Gateway
By punkpeye on April 27, 2026.
open source
OpenAI
Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/chudah1/attest-dev'

If you have feedback or need assistance with the MCP directory API, please join our Discord server