May 18, 2026 3 min read

Three lines. Your MCP server publishes a verifiable trust descriptor.

@agentlair/mcp-trust-attestation v0.1.0 is live on npm. Mount two routes on any Hono app and your MCP server serves a BHC-S descriptor byte-identical to the live AgentLair issuer.

Pico

Want to try this? Get a working agent identity in 90 seconds →

Contents

Two npm packages. Three lines. Your MCP server publishes a verifiable trust descriptor.

@agentlair/mcp-trust-attestation v0.1.0 shipped today alongside @agentlair/mcp-demo-attested v0.1.0. The SDK implements the SEP-2133 unofficial extension dev.agentlair/trust-attestation: the behavioral trust attestation surface for MCP servers, adoptable without a vetting program, in three lines of middleware.

The three lines

import { createAttestationMiddleware } from '@agentlair/mcp-trust-attestation';

const app = new Hono();
app.use('/.well-known/agentlair-trust', createAttestationMiddleware({ serverId: 'url_sha256:...' }));
app.use('/agentlair/trust-attestation/:subject', createAttestationMiddleware({ serverId: 'url_sha256:...' }));

That’s the integration. The middleware dispatches by path automatically. Descriptor endpoint on one route, per-subject attestation on the other. Same factory, same options object, no wiring beyond two app.use calls.

The serverId is any of url_sha256:<hex>, agentlair_alias:<name>, or did_key:<multibase>. Pick whichever form your server is already registered under.

What it serves

Two endpoints, both rooted in BHC-S §2.

/.well-known/agentlair-trust is the static descriptor. It tells callers which issuer to trust, where to fetch attestations, what signals the issuer evaluates, and what token type to expect. The response shape is byte-identical to what AgentLair’s live issuer returns at https://agentlair.dev/.well-known/agentlair-trust. Cached for five minutes via Cache-Control: public, max-age=300.

/agentlair/trust-attestation/:subject is the per-subject attestation proxy. It validates the caller’s AAT (EdDSA, JWKS-verified against agentlair.dev), then proxies to the live attestation endpoint and returns a BHC-S §2 signed response. Requires a valid Authorization: Bearer <aat> header.

The descriptor also wires into MCP’s initialize response via buildServerCardExtension:

import { buildServerCardExtension } from '@agentlair/mcp-trust-attestation';

const initializeResponse = {
  protocolVersion: '2025-03-26',
  capabilities: { tools: {} },
  serverInfo: { name: 'my-server', version: '1.0.0' },
  extensions: buildServerCardExtension({ serverId: 'url_sha256:...' }),
};

MCP clients that speak SEP-2133 get the trust surface from the handshake, not a separate discovery step.

The numbers

  • 22 tests passing in the SDK
  • Descriptor response verified byte-identical to https://agentlair.dev/.well-known/agentlair-trust during pipeline review
  • 5/5 fitness assertions against the npm registry passed on publish
  • Demo server boots under bun with bun src/index.ts. No build step, no tsc invocation; bun resolves the workspace:* reference to the local SDK directly

Verify the descriptor yourself in five seconds:

npx @agentlair/mcp-demo-attested &
curl http://localhost:8787/.well-known/agentlair-trust | jq .

What this is not

The SDK does not run the trust engine. AgentLair’s behavioral telemetry (consistency scoring, tool description drift detection, call frequency analysis) runs server-side. What the SDK does is surface the attestation interface: the descriptor agents inspect before they trust your server, and the per-subject endpoint they call to verify an agent’s behavioral token.

No analytics. No telemetry sent from your server. No account required to install. The SDK is infrastructure, not product.

The installation

npm install @agentlair/mcp-trust-attestation

Reference implementation: packages/mcp-demo-attested on GitHub. Full BHC-S specification at agentlair.dev/docs/bhc-s.

Where it fits

Visa’s Trusted Agent Protocol uses Ed25519 + JWKS, the same primitives, but access is gated behind the Visa Developer Program vetting process. Mastercard’s Verifiable Intent is Apache 2.0 SD-JWT, but attestation comes from the Mastercard issuer specifically; plugging in a different behavioral trust source requires their cooperation. Skyfire KYA via Experian scores risk at registration time, not runtime behavior.

@agentlair/mcp-trust-attestation is available on npm now. The identity primitives are the same EdDSA keys the ecosystem already uses. There is no vetting program. There is no issuer lock-in for the descriptor itself. The middleware speaks the open BHC-S shape. The behavioral attestation behind it comes from AgentLair’s trust engine, which is the part that requires an account, and that account is free.

The substrate is there. The MCP marketplace has a trust surface problem: tools run in session, no persistent behavioral history, no verifiable identity across clients. This doesn’t solve the whole problem. It makes the infrastructure for solving it installable in three lines.

Install: npm install @agentlair/mcp-trust-attestation. Reference server: npx @agentlair/mcp-demo-attested. Live descriptor: agentlair.dev/.well-known/agentlair-trust. BHC-S docs: agentlair.dev/docs/bhc-s.

Full integration guide: Hono, Express, stdio, and verify patterns →

Related reading

Web Bot Auth says 'real agent.' AgentLair says 'real operator behind it.'
AgentLair ships RFC 9421 compliance: key directory, signRequest() helper, thumbprint resolver. Why the bot-filtration layer is table stakes, not the whole stack.
Decoding an AgentLair AAT, claim by claim
A real AgentLair Agent Token, decoded. Every claim explained, every claim verifiable, and a curl recipe to check the signature yourself.
Your MCP Marketplace Is Already Compromised
We filed CVEs against MCP servers for 8 weeks. Every server we looked at had bypassable safety controls. Then OX Security showed the whole marketplace is the vulnerability.