MCP Transport: Identity Layer for Model Context Protocol

Quick Start

Zero-Config Identity Transport

Connect AI agents using cryptographic identity in two steps. No API key management, no token rotation, no configuration files.

Client-side setup

import { MCPClientAdapter } from '@private.me/mcp-transport';
import { generateIdentity } from '@private.me/xlink';

const client = new MCPClientAdapter({
  implementation: { name: 'my-agent', version: '1.0' },
  capabilities: { tools: {} },
  transport: {
    identity: await generateIdentity(),
    peerDid: 'did:key:z6Mk...',
    policy: { maxCallsPerHour: 100 }
  }
});

await client.connect();
const tools = await client.listTools();
const result = await client.callTool('payment', { to: 'alice', amount: 100 });

Server-side setup

import { MCPServerAdapter } from '@private.me/mcp-transport';
import { generateIdentity } from '@private.me/xlink';

const server = new MCPServerAdapter({
  implementation: { name: 'payment-server', version: '1.0' },
  capabilities: { tools: { listChanged: true } },
  transport: {
    identity: await generateIdentity(),
    peerDid: 'did:key:z6Mk...'
  }
});

server.registerTool({
  name: 'payment',
  description: 'Send payment',
  inputSchema: { /* ... */ }
}, async (args) => {
  // Process payment
  return { success: true };
});

await server.start();

ZERO CONFIGURATION

No environment variables. No credential files. No secret management. Each agent generates its own Ed25519 keypair on first run. Identity persists across restarts. Peer discovery happens automatically via DID resolution.

The Problem

API Keys Fail at Agent Scale

Traditional API key authentication breaks down when orchestrating AI agents. A single expired token can cascade across 500 agents simultaneously. Shared credentials eliminate attribution. Monthly rotation requires coordinated downtime.

Approach	Failure Mode
API Keys	Shared secrets → One leak = system-wide compromise → Rotation requires coordinated shutdown
OAuth Tokens	Expiry at hour 3 of 4-hour workflow → Restart from zero → Tripled compute cost
MCP Transport	Per-message signatures → Non-reusable by design → Failure mode eliminated architecturally

Example: Cascading Failure

API architecture: Shared credential across fleet

// Every agent uses the same API key
const agents = await Promise.all(
  Array.from({ length: 500 }, (_, i) =>
    createAgent({
      id: `agent-${i}`,
      apiKey: process.env.API_KEY // Same key for all 500
    })
  )
);

// Problems:
//  One compromised agent → rotate key → 500 agents offline
//  Can't identify which agent made which request
//  Can't rate-limit per-agent (all share quota)

MCP Transport: Unique identity per agent

// Each agent generates unique cryptographic identity
const agents = await Promise.all(
  Array.from({ length: 500 }, async (_, i) => {
    const client = new MCPClientAdapter({
      implementation: { name: `agent-${i}`, version: '1.0' },
      capabilities: { tools: {} },
      transport: {
        identity: await generateIdentity(),
        peerDid: serverDid
      }
    });
    return client;
  })
);

// Benefits:
//  One compromised agent → remove from trust registry → 499 continue
//  Cryptographic attribution per message
//  Per-agent rate limits enforced independently

Benefits

Identity vs API Keys

0.36ms

Auth overhead per call

603×

Faster than OAuth refresh

Zero

Cascading failures

100%

Attribution

No Token Rotation

Each message uses a fresh Ed25519 signature that cannot be replayed. Private keys never leave the device. No long-lived credentials to rotate. Auditors care about risk reduction, not specific mechanisms.

Isolated Failures

One compromised agent does not affect 499 others. Remove the compromised identity from trust registry. No system-wide shutdown. No coordinated rotation. Failures stay isolated.

Cryptographic Attribution

Every message is signed with the sender's private key. Verify exactly which agent sent which request. Enforce per-agent rate limits. Audit trail with cryptographic proof.

Use Cases

Where MCP Transport Fits

🤖

AI Agents

Multi-Agent Orchestration

Coordinator spawns 100 worker agents. Each has unique identity. One fails, 99 continue. No shared secrets to leak.

Zero Cascades

🔗

Microservices

Service-to-Service Auth

Order service calls payment service using identity. No API keys to rotate. Attribution per request. Policy-based rate limits.

Policy Enforcement

📡

IoT

Device-to-Edge Communication

10,000 IoT devices authenticate to edge server. Per-device identity. Selective revocation. Custom rate limits per device.

Scale

🔐

Compliance

Audit Trail

Cryptographically signed logs. Every message traceable to sender. SOC 2 / ISO 27001 compliance without API key rotation policies.

Audit Ready

Purchasing ACIs

Purchase & Subscription

All Private.Me ACIs follow the same subscription model: 3-month trial, then tier-based pricing. Purchase programmatically via API or through the web interface.

Pricing

Standard pricing: $5/month Basic • $10/month Middle • $15/month Enterprise

Tier	Price	Features
Basic	$5/month	MCP transport, identity auth, connection pooling
Middle	$10/month	Everything in Basic + advanced policies, custom registries
Enterprise	$15/month	Everything in Middle + air-gapped deployment + white-label

FREE TRIAL

3-month trial included. No credit card required. Full feature access during trial period.

Subscribe via Web

Visit the subscription page with the product parameter:

https://private.me/subscribe?product=mcp-transport

Start Free Trial

Purchase via API

Programmatic subscription via REST API. Requires customer account token.

API Purchase Request

POST /api/purchase
Content-Type: application/json

{
  "product": "mcp-transport",
  "tier": "basic",
  "email": "customer@example.com",
  "customerId": "cus_abc123"
}

Success Response (201 Created)

{
  "subscriptionId": "sub_xyz789",
  "status": "active",
  "trialEnd": "2026-07-28T00:00:00Z",
  "product": "mcp-transport",
  "tier": "basic"
}

Error Handling

All errors follow RFC 7807 (Problem Details for HTTP APIs) with structured field validation.

Validation Error (400 Bad Request)

{
  "type": "https://private.me/errors/validation-failed",
  "title": "Validation Failed",
  "status": 400,
  "detail": "Request validation failed",
  "instance": "/api/purchase",
  "fields": {
    "email": "Invalid email format",
    "tier": "Must be one of: basic, middle, enterprise"
  }
}

IDEMPOTENCY

Include X-Idempotency-Key header for safe retries. Duplicate requests return X-Idempotency-Replay: true with original response. Keys expire after 24 hours.

API Reference

Core Classes

XLinkTransport(options: XLinkTransportOptions)

Core transport implementation for MCP JSON-RPC 2.0 protocol. Handles message signing, policy enforcement, and audit logging.

MCPClientAdapter(config: MCPClientConfig)

High-level client wrapper with xLink transport. Provides connect(), disconnect(), listTools(), callTool() methods.

MCPServerAdapter(config: MCPServerConfig)

High-level server wrapper with xLink transport. Register tool handlers via registerTool(). Automatic request validation.

PolicyEnforcer(constraints: PolicyConstraints)

Policy validation engine. Enforce method allowlists, rate limits, and custom validation rules.

AuditLogger(identity: AgentIdentity)

Cryptographically signed audit trail. Logs every call with timestamp, method, parameters, and Ed25519 signature.

Policy Enforcement

Control agent behavior with declarative policies. Enforce method allowlists, rate limits, and custom validation.

Policy configuration

const transport = new XLinkTransport({
  identity: myIdentity,
  peerDid: serverDid,
  policy: {
    allow: ['tools/call', 'tools/list'],
    deny: ['admin/*'],
    maxCallsPerHour: 100,
    maxCallsPerDay: 1000,
    customValidator: async (message) => {
      // Custom business logic
      return ok(undefined);
    }
  }
});

Integration

Adding to Existing Projects

Installation

npm install @private.me/mcp-transport

MCP Transport works with any JSON-RPC 2.0 compatible system. Drop-in replacement for HTTP/WebSocket transports.

Before: HTTP transport

const client = new MCPClient({
  transport: new HttpTransport('https://api.example.com')
});

After: Identity transport

const client = new MCPClientAdapter({
  implementation: { name: 'my-client', version: '1.0' },
  capabilities: { tools: {} },
  transport: {
    identity: await generateIdentity(),
    peerDid: 'did:key:z6Mk...'
  }
});

BACKWARD COMPATIBLE

Implements full MCP specification. Existing tool handlers work without modification. Gradual migration path: run both transports side-by-side, shift traffic over time.

Security

Cryptographic Design

Algorithm	Ed25519 (FIPS 186-5)
Key Derivation	PBKDF2-HMAC-SHA256 (600K iterations)
Message Signing	Detached signatures, tamper-evident
Replay Protection	Nonce-based, time-windowed
Shared Secrets	None (each agent has unique identity)

Threat Model

MCP Transport protects against credential theft, replay attacks, and cascading failures. Does NOT protect against compromised endpoints or malicious tool implementations.

SECURITY BOUNDARIES

Identity-based auth eliminates shared secret risks. Server compromise still requires standard defense-in-depth (least privilege, network segmentation, monitoring). MCP Transport is one layer in a complete security stack.

Performance

Benchmarks

0.36ms

Ed25519 signature verification

2,700+

Calls/second per connection

91ms

vs 54,853ms OAuth refresh

603×

Speedup

Benchmarks measured on 2024 Apple M3 Pro. Ed25519 signature verification adds 0.36ms overhead per call. Connection pooling and health checks are automatic.

ZERO LATENCY SPIKES

No token refresh interruptions. No cascading restarts. Predictable performance regardless of call count. Long-running workflows complete without mid-execution failures.