Yes, Attest Dev is free to use.

How do I install Attest Dev?

Attest Dev is a local plugin. Install it using npm package: @attest-dev/mcp and add the generated configuration snippet to your AI app's MCP config file. Then restart your AI app.

What credentials does Attest Dev need?

Attest Dev requires the following credentials or environment variables: ATTEST_BASE_URL. You can find setup instructions on the server detail page.

What AI apps work with Attest Dev?

Attest Dev uses the Model Context Protocol (MCP) and works with any MCP-compatible AI app, including Claude, ChatGPT / Codex, Gemini, Copilot, Cursor, and more.

Back to Browse

Attest Dev MCP Server

by Chudah1

Developer ToolsModerate7.2MCP RegistryLocal

Free

Server data from the Official MCP Registry

Credential enforcement middleware for MCP servers — verifies scoped tokens on every tool call

About

Credential enforcement middleware for MCP servers — verifies scoped tokens on every tool call

Security Report

7.2

Moderate7.2Low Risk

Valid MCP server (3 strong, 4 medium validity signals). 3 known CVEs in dependencies (0 critical, 2 high severity) ⚠️ Package registry links to a different repository than scanned source. Imported from the Official MCP Registry. 1 finding(s) downgraded by scanner intelligence.

11 files analyzed · 4 issues found

Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.

Permissions Required

This plugin requests these system permissions. Most are normal for its category.

HTTP Network Access

Connects to external APIs or services over the internet.

What You'll Need

Set these up before or after installing:

Base URL of the Attest serverOptional

Environment variable: ATTEST_BASE_URL

How to Install

Add this to your MCP configuration file:

{
  "mcpServers": {
    "io-github-chudah1-attest-mcp": {
      "env": {
        "ATTEST_BASE_URL": "your-attest-base-url-here"
      },
      "args": [
        "-y",
        "@attest-dev/mcp"
      ],
      "command": "npx"
    }
  }
}

Documentation

View on GitHub

From the project's GitHub README.

Attest

Attest is the control plane for delegated agent actions. It gives orchestrators and sub-agents signed, scope-limited credentials tied to the original human instruction, so every handoff stays narrow, every tool call can be checked, the whole task tree can be revoked in one operation, and the resulting evidence can be verified later.

This repository also includes a standalone MCP server:

TypeScript MCP server — a real stdio Model Context Protocol server that exposes Attest tools like issue_credential, delegate_credential, list_tasks, get_audit_trail, get_evidence, and approval actions.
TypeScript MCP middleware — middleware for protecting your own MCP server with Attest.

Quickstart (TypeScript)

import { AttestClient, isScopeSubset } from '@attest-dev/sdk';

const client = new AttestClient({ baseUrl: 'http://localhost:8080', apiKey: 'dev' });

// 1. Issue a root credential for your orchestrator
const { token: rootToken, claims: root } = await client.issue({
  agent_id:    'orchestrator-v1',
  user_id:     'usr_alice',
  scope:       ['research:read', 'gmail:send'],
  instruction: 'Research our top 3 competitors and email a summary to the board',
});

// 2. Delegate a narrowed credential to a sub-agent
const { token: childToken, claims: child } = await client.delegate({
  parent_token: rootToken,
  child_agent:  'email-agent-v1',
  child_scope:  ['gmail:send'],        // subset of parent — enforced server-side
});

// 3. Verify offline (no network call after fetching JWKS once)
const jwks   = await client.fetchJWKS('org_abc123');
const result = await client.verify(childToken, jwks);
console.log(result.valid, result.warnings);

// 4. Revoke the entire task tree in one call
await client.revoke(root.jti);

// 5. Retrieve the tamper-evident audit chain
const chain = await client.audit(root.att_tid);
chain.events.forEach(e => console.log(e.event_type, e.jti, e.created_at));

Scope syntax

Scopes follow the pattern resource:action. Either field may be * as a wildcard.

Expression	Meaning
`gmail:send`	Send via Gmail only
`gmail:*`	All Gmail actions
`*:read`	Read access to any resource
`:`	Full access (root grants only)

Delegation enforces that the child scope is a strict subset of the parent scope. The utility isScopeSubset(parentScope, childScope) replicates this check client-side.

Getting started

Prerequisites: Docker and Docker Compose.

# Clone and start everything
git clone https://github.com/chudah1/attest-dev
cd attest-dev
docker compose up --build

# The server is now running at http://localhost:8080
# PostgreSQL at localhost:5432

# Issue your first credential (replace YOUR_API_KEY with the key from POST /v1/orgs)
curl -s -X POST http://localhost:8080/v1/credentials \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer YOUR_API_KEY' \
  -d '{
    "agent_id":    "orchestrator-v1",
    "user_id":     "usr_alice",
    "scope":       ["research:read", "gmail:send"],
    "instruction": "Research competitors and email the board"
  }' | jq .

# Open the interactive demo
open demo/index.html

If you want to run the Go server outside Docker, point it at the Compose database:

docker compose up -d postgres
cd server
DATABASE_URL=postgres://attest:attest@localhost:5432/attest go run ./cmd/attest

API reference

Method	Path	Description
`POST`	`/v1/orgs`	Create an organization and get an API key
`POST`	`/v1/credentials`	Issue a root credential
`POST`	`/v1/credentials/delegate`	Delegate to a child agent
`DELETE`	`/v1/credentials/{jti}`	Revoke credential and all descendants
`GET`	`/v1/revoked/{jti}`	Check revocation status (public, no auth)
`GET`	`/v1/tasks/{tid}/audit`	Retrieve the audit chain for a task
`POST`	`/v1/audit/report`	Report an agent action to the audit log
`POST`	`/v1/audit/status`	Report agent lifecycle event (started/completed/failed)
`POST`	`/v1/approvals`	Request human-in-the-loop approval
`POST`	`/v1/approvals/{id}/grant`	Grant a pending HITL approval
`GET`	`/orgs/{orgId}/jwks.json`	Public key set for offline verification
`GET`	`/health`	Health check

Specification

The credential format is defined in spec/WCS-01.md (Attest Credential Standard, revision 01).

License

Apache 2.0 — see LICENSE.

Reviews

No reviews yet

Be the first to review this server!

More Developer Tools MCP Servers

Git

Free

by Modelcontextprotocol · Developer Tools

Read, search, and manipulate Git repositories programmatically

Toleno

Free

by Toleno · Developer Tools

Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.

mcp-creator-python

Free

by mcp-marketplace · Developer Tools

Create, build, and publish Python MCP servers to PyPI — conversationally.

MarkItDown

Free

by Microsoft · Content & Media

Convert files (PDF, Word, Excel, images, audio) to Markdown for LLM consumption

mcp-creator-typescript

Free

by mcp-marketplace · Developer Tools

Scaffold, build, and publish TypeScript MCP servers to npm — conversationally

FinAgent

Free

by mcp-marketplace · Finance

Free stock data and market news for any MCP-compatible AI assistant.

Attest Dev MCP Server

About

Security Report

Findings (4)Action required

Permissions Required

What You'll Need

How to Install

Documentation

Attest

Quickstart (TypeScript)

Scope syntax

Getting started

API reference

Specification

License

Reviews

No reviews yet

More Developer Tools MCP Servers

Git

Toleno

mcp-creator-python

MarkItDown

mcp-creator-typescript

FinAgent

Attest Dev MCP Server

About

Security Report

Findings (4)Action required

Permissions Required

What You'll Need

How to Install

Documentation

Attest

Quickstart (TypeScript)

Scope syntax

Getting started

API reference

Specification

License

Reviews

No reviews yet

More Developer Tools MCP Servers

Git

Toleno

mcp-creator-python

MarkItDown

mcp-creator-typescript

FinAgent