MCP (Model Context Protocol) Integration
Cryptographically verify and monitor MCP servers with AIM. Get complete visibility into which MCP servers your agents connect to, with automatic attestation and drift detection.
What You'll Get
- Automatic discovery of MCP servers from Claude Desktop config
- Cryptographic attestation of MCP server identity (Ed25519)
- Capability drift detection
- MCP trust scoring based on attestations
- Complete audit trail of MCP connections
Auto-Discovery from Claude Desktop
AIM automatically discovers MCP servers configured in your Claude Desktop:
Config Location:
~/.claude/claude_desktop_config.json
AIM scans this file automatically to discover installed MCP servers like filesystem-mcp, postgres-mcp, github-mcp, etc.
Step-by-Step MCP Integration
Follow these steps to sign, verify, and monitor MCP servers with AIM. This process establishes cryptographic trust between your agents and the MCP servers they connect to.
1. Sign an MCP Server
Signing binds your agent identity to an MCP server, creating a verifiable attestation that proves you trust this server. Use the CLI or the SDK.
# Via CLI - sign an MCP server from your config
opena2a mcp sign --server filesystem-mcp
# Output:
# Signed filesystem-mcp with identity ed25519:a3f8c2...
# Attestation ID: att_7f3b2a1e
# Confidence score: 72% -> 85% (+13)
2. Verify MCP Servers
Verification checks whether an MCP server has valid attestations and whether its capabilities match the expected baseline. The detect command finds MCP servers in your Claude Desktop configuration and reports their trust status.
# Detect all MCP servers and their trust status
opena2a detect
# Output:
# MCP Servers Found: 3
# [PASS] filesystem-mcp confidence: 94% attestations: 12
# [WARN] github-mcp confidence: 45% attestations: 0
# [PASS] postgres-mcp confidence: 78% attestations: 5
Cryptographic Attestation
AIM cryptographically verifies every MCP server your agents connect to:
from aim_sdk import secure
from aim_sdk.integrations.mcp import attest_mcp_server
client = secure("my-agent")
# Attest MCP server with auto-discovery
result = attest_mcp_server(
    aim_client=client,
    server_id="your-mcp-server-uuid",
    mcp_url="npx -y @modelcontextprotocol/server-filesystem /tmp",
    mcp_name="filesystem",
    auto_discover=True  # Auto-discover capabilities via MCP protocol
)
print(f"Success: {result['success']}")
print(f"MCP Confidence Score: {result['mcp_confidence_score']}%")
print(f"Total Attestations: {result['attestation_count']}")
How Detect Finds MCP Servers
The opena2a detect command scans multiple locations for MCP server configurations:
- Claude Desktop config: ~/.claude/claude_desktop_config.json, the primary source for MCP server definitions
- Project-level configs: .mcp.json or mcp.config.json in the current directory
- Claude Code settings: ~/.claude/settings.json for MCP servers configured in the IDE
- Environment variables: MCP server URLs passed via MCP_SERVER_* environment variables
For each discovered server, detect checks the AIM registry for existing attestations, computes a confidence score, and flags servers that have no attestations or show capability drift from their last known baseline.
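The discovery and capability-drift check described above can be sketched as follows. This is an added example, not AIM's implementation or SDK code: the function names, the capability record shape (name plus description) and the sample data are assumptions, and the config is assumed to use Claude Desktop's "mcpServers" key.

```python
import hashlib
import json


def discover_servers(config_text):
    """Return {server name: launch command line} from a Claude Desktop style config."""
    servers = json.loads(config_text).get("mcpServers", {})
    return {name: " ".join([spec.get("command", "")] + spec.get("args", []))
            for name, spec in servers.items()}


def fingerprint(capabilities):
    """SHA-256 over a canonical encoding, so list order alone never counts as drift."""
    canonical = json.dumps(sorted(capabilities, key=lambda c: c["name"]),
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def capability_drift(baseline, current):
    """Compare the current capability list with the recorded baseline."""
    old = {c["name"]: c for c in baseline}
    new = {c["name"]: c for c in current}
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        # Same name but different metadata, e.g. a rewritten description
        "changed": sorted(n for n in old.keys() & new.keys() if old[n] != new[n]),
        "drifted": fingerprint(baseline) != fingerprint(current),
    }


# Constructed sample input (not taken from a real deployment)
CONFIG = '''{"mcpServers": {"filesystem": {"command": "npx",
  "args": ["-y", "@modelcontextprotocol/server-filesystem", "/tmp"]}}}'''
BASELINE = [
    {"name": "read_file", "description": "Read a file under the allowed root"},
    {"name": "list_directory", "description": "List directory entries"},
]
CURRENT = [
    {"name": "list_directory", "description": "List directory entries"},
    {"name": "read_file", "description": "Read any file"},
    {"name": "write_file", "description": "Write a file"},
]

if __name__ == "__main__":
    for name, cmd in discover_servers(CONFIG).items():
        print(f"{name}: {cmd}")
    print(json.dumps(capability_drift(BASELINE, CURRENT), indent=2))
```

A changed description under an unchanged name is reported separately from added or removed capabilities, since a name-only comparison would miss it.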
What AIM Tracks
- MCP Server Identity: Ed25519 public key verification
- Capabilities: Which capabilities the MCP claims to have
- Capability Drift: Detection when capabilities change unexpectedly
- Connection Count: How many agents connect to this MCP
- Trust Score: 8-factor weighted algorithm based on attestations and behavior
- Last Verified: Timestamp of most recent attestation
Need Help?
- Discord: https://discord.gg/uRZa3KXgEn
- Email: info@opena2a.org