I Build MCP Servers

You develop or maintain MCP servers that AI agents connect to. This workflow audits your server configuration, creates a verifiable identity, and publishes your server to the OpenA2A Trust Registry so users can verify its integrity.

Time to complete: approximately 15 minutes.

Step 1: Audit Your Server Configuration

See how your MCP server looks to security scanners. This identifies configuration issues, missing permission boundaries, and unsigned manifests before users find them.

opena2a mcp audit
MCP Server Audit
=================

Scanning MCP configurations...

Server: postgres-mcp (stdio)
  Config:     ~/.claude/claude_desktop_config.json
  Tools:      4 registered (query, insert, update, schema)
  Permissions: No boundaries defined
  Signature:  Not signed
  Transport:  stdio (local only)

Findings:
  WARN  No tool-level permission boundaries
  WARN  No input validation schema for 'query' tool
  FAIL  Server manifest not signed
  PASS  Transport restricted to local stdio
  PASS  No hardcoded credentials in config

3 findings. 1 auto-fixable with 'opena2a mcp sign'.

Step 2: Create a Cryptographic Identity

Sign your MCP server configuration with an Ed25519 key. This lets users verify that the configuration has not been tampered with and that it originates from you.

opena2a mcp sign
MCP Server Signing
===================

Generated Ed25519 key pair for: postgres-mcp
  Public key:   .opena2a/mcp-keys/postgres-mcp.pub
  Private key:  .opena2a/mcp-keys/postgres-mcp.key

Signed configurations:
  claude_desktop_config.json  SHA256:9f3a...c7d2
  mcp-manifest.json           SHA256:b1e4...a8f6

Signature file: .opena2a/mcp-signatures/postgres-mcp.sig

Users can verify with:
  opena2a mcp verify postgres-mcp

Step 3: Run Security Checks

HackMyAgent runs 147 security checks, including MCP-specific controls for input validation, permission boundaries, and tool safety.

npx hackmyagent secure
HackMyAgent Security Scan
=========================

Scanning 147 checks across 8 categories...

MCP-specific results:
  PASS  MCP-001  Server transport security
  PASS  MCP-003  Config file permissions
  PASS  MCP-005  No credential exposure in tool args
  WARN  MCP-008  Missing rate limiting on 'query' tool
  PASS  MCP-011  Config signature valid
  FAIL  MCP-012  No input validation on 'query' tool

Overall: 145 PASS  |  1 FAIL  |  1 WARN

Run 'npx hackmyagent secure --fix' to apply auto-fixes.

Step 4: Publish to the OpenA2A Registry

Register your MCP server with the OpenA2A Trust Registry. This makes your server discoverable and allows users to verify its identity and security posture.

opena2a self-register
Registry Self-Registration
===========================

Registering: postgres-mcp
  Type:       MCP server
  Transport:  stdio
  Tools:      4
  Identity:   Ed25519 (SHA256:9f3a...c7d2)
  Scan score: 145/147

Published to: https://registry.opena2a.org/mcp/postgres-mcp
Trust profile: https://registry.opena2a.org/trust/postgres-mcp

Users can now run:
  ai-trust check postgres-mcp

Step 5: Verify Your Trust Score

Check how your server appears to users querying the trust registry.

ai-trust check postgres-mcp
Trust Profile: postgres-mcp
============================

Trust Score:    78/100
  Identity:     Verified (Ed25519)
  Security:     145/147 checks passing
  Supply Chain: Signed config, ABOM available
  Community:    12 verifications, 0 advisories

Improve to 92/100 by:
  +8  Fix MCP-012 (input validation)
  +6  Add tool-level permission boundaries

What You Now Have

  • A complete audit of your MCP server configuration
  • A cryptographic identity that users can verify
  • Security scan results with actionable remediation steps
  • A public trust profile on the OpenA2A Registry
  • A trust score with a clear path to improvement

Next Steps