MCP Hub
Back to servers

agent-identity-protocol

A zero-trust security proxy for the Model Context Protocol that provides per-tool authorization, data loss prevention (DLP) scanning, and human-in-the-loop approval for AI agents.

GitHub
AI & MLDevelopment Tools
Stars
6
Forks
1
Updated
Jan 20, 2026
Validated
Jan 29, 2026
View Source
Claim this server

Agent Identity Protocol (AIP)

The Zero-Trust Identity Layer for MCP & Autonomous Agents

Go Report Card: A+ License: Apache 2.0 Build: Passing Security: Hardened Follow @ArangoGutworker Hacker News

The God Mode Problem

Today's AI agents operate with unrestricted access to your infrastructure. When you connect Claude, Cursor, or any MCP-compatible agent to your systems, it receives god mode—full access to every tool the server exposes.

Model safety isn't enough. Attacks like Indirect Prompt Injection—demonstrated by the GeminiJack vulnerability—have proven that adversarial instructions embedded in documents, emails, or data can hijack agent behavior. The model believes it's following your intent while executing the attacker's commands.

Your agent is one poisoned PDF away from rm -rf /.

"Authentication is for Users. AIP is for Agents."

AIP introduces policy-based authorization at the tool-call layer—the missing security primitive between your agents and your infrastructure.

Architecture

High-Level Flow

AIP operates as a transparent proxy between the AI client (Cursor, Claude, VS Code) and the MCP tool server. Every tool call passes through the policy engine before reaching the real tool.

graph LR
    subgraph Client["🤖 AI Client"]
        A[Cursor / Claude Desktop]
    end
    
    subgraph AIP["🛡️ AIP Proxy (Sidecar)"]
        B[Policy Engine]
        C[DLP Scanner]
        D[Audit Log]
    end
    
    subgraph Server["🔧 Real Tool"]
        E[Docker / Postgres / GitHub]
    end
    
    A -->|"tools/call"| B
    B -->|"✅ ALLOW"| E
    B -->|"🔴 DENY"| A
    B --> C
    C --> D
    E -->|"response"| C
    C -->|"filtered"| A
    
    style B fill:#22c55e,stroke:#16a34a,stroke-width:2px,color:#fff
    style AIP fill:#f0fdf4,stroke:#16a34a,stroke-width:3px

Defense-in-Depth: Attack Blocked

When an injected prompt attempts to execute a dangerous operation, AIP intercepts and blocks it before the tool ever receives the request.

sequenceDiagram
    participant Agent as 🤖 Agent (Hijacked)
    participant AIP as 🛡️ AIP Proxy
    participant Policy as 📋 agent.yaml
    participant Tool as 🔧 Real Tool

    Agent->>AIP: tools/call "delete_database"
    AIP->>Policy: Check allowed_tools
    Policy-->>AIP: ❌ Not in allowlist
    AIP->>AIP: 🔴 Decision: DENY
    AIP-->>Agent: Error: -32001 Permission Denied
    Note over Tool: ⚠️ Never receives request
    Note over AIP: 📝 Logged to audit trail

Why AIP?

FeatureStandard MCPAIP-Enabled MCP
Prompt Injection⚠️ Vulnerable — Executes any command✅ Protected — Blocks unauthorized intent
Data Exfiltration⚠️ Unrestricted internet access✅ Egress filtering + DLP redaction
Consent Fatigue⚠️ Click "Allow" 50 times per session✅ Policy-based autonomy
Audit Trail⚠️ None / stdio logs✅ Immutable JSONL structured logs
Privilege Model⚠️ All-or-nothing API keys✅ Per-tool, per-argument validation
Human-in-the-Loop⚠️ Not supported✅ Native OS approval dialogs

Quick Start

Secure any MCP tool server in one command:

# Secure your local Docker MCP
aip wrap docker --policy ./policies/read-only.yaml

Or protect your existing configuration:

# Start the AIP proxy with your policy
aip --target "python mcp_server.py" --policy ./agent.yaml

# Generate Cursor IDE configuration
aip --generate-cursor-config --policy ./agent.yaml --target "npx @mcp/server"

Example Policy

apiVersion: aip.io/v1alpha1
kind: AgentPolicy
metadata:
  name: secure-agent
spec:
  mode: enforce
  allowed_tools:
    - read_file
    - list_directory
    - git_status
  tool_rules:
    - tool: write_file
      action: ask        # Human approval required
    - tool: exec_command
      action: block      # Never allowed
  dlp:
    patterns:
      - name: "AWS Key"
        regex: "AKIA[A-Z0-9]{16}"

Roadmap

We're building a standard, not just a tool.

  • v0.1: Localhost Proxy — The "Little Snitch" for AI Agents

    • Tool allowlist enforcement
    • Argument validation with regex
    • Human-in-the-Loop (macOS, Linux)
    • DLP output scanning
    • JSONL audit logging
    • Monitor mode

  • v0.2: Kubernetes Sidecar — The "Istio" for AI Agents

    • Helm chart
    • NetworkPolicy integration
    • Prometheus metrics

  • v1.0: OIDC / SPIFFE Federation — Enterprise Identity

    • Workload identity federation
    • Centralized policy management
    • Multi-tenant audit aggregation

Documentation

ResourceDescription
AIP SpecificationFormal protocol definition (v1alpha1)
Policy ReferenceComplete YAML schema
Go Proxy READMEReference implementation
Quickstart Guide5-minute tutorial
Why AIP?Threat model and design rationale
FAQCommon questions

Contributing

AIP is an open specification. We welcome:

  • Protocol feedback — Issues and PRs to the spec
  • New implementations — Build AIP in Rust, TypeScript, Python
  • Security research — Threat modeling, attack surface analysis
  • Documentation — Tutorials, examples, integrations

See CONTRIBUTING.md for guidelines.

License

Apache 2.0 — See LICENSE

Enterprise-friendly. Use it, fork it, build on it.

Security

For vulnerability reports, see SECURITY.md.

Stop trusting your agents. Start verifying them.

Reviews

No reviews yet

Sign in to write a review