← All Articles

MCP Signet: Cryptographic Action Signing for Tool Calls

A new proposal for the MCP servers repository introduces Signet, a middleware layer that cryptographically signs tool call requests and responses—enabling non-repudiable audit trails for AI agent actions.

Why This Matters

As AI agents gain the ability to take real-world actions—sending emails, making purchases, modifying files—organizations need strong audit guarantees. Who authorized this action? When exactly did it happen? Has the record been tampered with?

Traditional logging can answer some of these questions, but logs can be modified. Signet proposes cryptographic signatures that create non-repudiable records: if an action was signed, you can prove it happened exactly as recorded, and you can prove who authorized it.

How It Works

Signet operates as middleware that intercepts MCP tool calls at two points:

1. Request signing: Before a tool call is executed, the request parameters are canonicalized and signed with the agent's private key.
2. Response attestation: After execution, the response (including any side effects) is signed by the server, creating a complete audit record.

{
  "tool_call": {
    "name": "send_email",
    "arguments": {
      "to": "alice@example.com",
      "subject": "Meeting tomorrow",
      "body": "..."
    }
  },
  "signet": {
    "request_signature": "eyJ0eXAiOiJKV1QiLCJhbGciOiJFZDI1NTE5In0...",
    "signer": "did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK",
    "timestamp": "2026-03-30T11:37:25Z",
    "nonce": "abc123"
  }
}

The signature covers:

• Tool name and arguments (canonicalized JSON)
• Timestamp (prevents replay attacks)
• Nonce (prevents duplicate processing)
• Signer identity (DID or public key)

Technical Design

Signet supports multiple signature algorithms, with Ed25519 as the default for its performance characteristics:

signet:
  algorithm: Ed25519
  key_source: env:SIGNET_PRIVATE_KEY
  require_signatures: true
  allowed_signers:
    - did:key:z6Mk...  # Allowed agent identities

Key design decisions from the PR:

• DID-based identities: Signers are identified using Decentralized Identifiers, enabling interoperability with existing identity systems.
• Optional enforcement: Servers can run in "log-only" mode (sign but don't require signatures) or "strict" mode (reject unsigned requests).
• Detached signatures: Signatures are carried in a separate field, not modifying the original tool call structure.

Use Cases

The PR outlines several scenarios where Signet adds value:

• Financial services: Compliance requirements for non-repudiable records of automated trading or account modifications.
• Healthcare: HIPAA audit trails for AI systems accessing patient records.
• Enterprise IT: SOC 2 evidence for automated infrastructure changes.
• Legal: Chain of custody for AI-generated or AI-modified documents.

Current Status

PR #3759 was opened on March 30, 2026 and is currently under review. The implementation includes:

• Core signing middleware (TypeScript)
• Ed25519 and secp256k1 signature support
• Configuration schema
• Integration tests

Open questions from the PR discussion include key management recommendations, performance impact benchmarks, and whether response attestation should be mandatory or optional.

Implications

If merged, Signet would be one of the first community servers focused purely on security infrastructure rather than external service integration. It signals growing enterprise interest in MCP as a production-grade protocol, not just a developer convenience.

The DID-based identity model also aligns with emerging standards in the agent identity space, potentially enabling cross-protocol signature verification with systems like A2A and UCP.