Is Emilia Protocol free?

Yes, Emilia Protocol is free to use.

How do I install Emilia Protocol?

Emilia Protocol is a local plugin. Install it using npm package: @emilia-protocol/mcp-server and add the generated configuration snippet to your AI app's MCP config file. Then restart your AI app.

What credentials does Emilia Protocol need?

Emilia Protocol requires the following credentials or environment variables: EP_API_KEY. You can find setup instructions on the server detail page.

What AI apps work with Emilia Protocol?

Emilia Protocol uses the Model Context Protocol (MCP) and works with any MCP-compatible AI app, including Claude, ChatGPT / Codex, Gemini, Copilot, Cursor, and more.

Back to Browse

Emilia Protocol MCP Server

by Emiliaprotocol

Developer ToolsModerate5.2MCP RegistryLocal

Free

Server data from the Official MCP Registry

Trust & human sign-off for AI agents: approval required before irreversible agent actions

About

Trust & human sign-off for AI agents: approval required before irreversible agent actions

Security Report

5.2

Moderate5.2Moderate Risk

This MCP server implements a trust and authorization protocol with extensive tooling for pre-action verification, receipts, and policy enforcement. The code is well-structured with appropriate permissions for its developer tools category, but contains moderate concerns: unauthenticated network calls for read operations, potential for sensitive data leakage in auto-receipt middleware, and missing input validation on several dangerous operations (policy evaluation, delegation creation). The server's core design is sound and aligns with its purpose, but implementation details require hardening. Package verification found 1 issue (1 critical, 0 high severity).

4 files analyzed · 11 issues found

Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.

Permissions Required

This plugin requests these system permissions. Most are normal for its category.

HTTP Network Access

Connects to external APIs or services over the internet.

env_vars

Check that this permission is expected for this type of plugin.

process_spawn

Check that this permission is expected for this type of plugin.

Unverified package source

We couldn't verify that the installable package matches the reviewed source code. Proceed with caution.

What You'll Need

Set these up before or after installing:

Optional API key for write operations (registering entities, submitting receipts). Public read tools work without it.Required

Environment variable: EP_API_KEY

How to Install

Add this to your MCP configuration file:

{
  "mcpServers": {
    "io-github-emiliaprotocol-mcp-server": {
      "env": {
        "EP_API_KEY": "your-ep-api-key-here"
      },
      "args": [
        "-y",
        "emilia-protocol"
      ],
      "command": "npx"
    }
  }
}

Documentation

View on GitHub

From the project's GitHub README.

EMILIA Protocol

The engine without brakes

For fifty years, software security answered one question: who is allowed in? Firewalls, OAuth, and passwords — all built to verify a human identity at the door.

That era is ending. The dominant users of software are no longer humans; they're autonomous AI agents. Agents don't just log in — they write code, call tools, and change reality on the fly. Every CISO knows a single bad prompt can make an agent wipe a production database or wire money to the wrong account. So they're blocking deployment — sitting on billions in AI budget they can't spend because their compliance teams can't answer one question:

Who approved that action?

The crisis of our generation isn't authentication. It's authorization at the moment of action: how do you prove that what an agent is about to do is exactly what a named human authorized — before it executes?

EMILIA is the seatbelt for the agentic era.

Decision logs are testimony. EMILIA produces receipts.

Try it in 30 seconds

# Issue a receipt offline — no API key, no backend needed
npx @emilia-protocol/issue demo

# Add EMILIA to Claude / Cursor / Cline
npx -y @emilia-protocol/mcp-server

Try a real Face ID signoff → Approve an $82,000 wire with your own passkey. See what VERIFIED looks like. Forge the receipt. See it fail.

Verify any receipt in your browser — paste it in, nothing is uploaded.

How it works — four acts

EMILIA crash test — an autonomous agent tries to wire $82,000; the policy engine holds it, a named human signs off on their own device, the receipt verifies offline, and a forged copy fails.

Run it yourself: node examples/crash-test.mjs — fully offline, no API key.

  [ INTENT ]          [ DECISION ]           [ CEREMONY ]           [ RECEIPT ]
  Agent calls a     Policy-bound, hash-    Named human signs     Signed, offline-
  tool via MCP   →  pinned: allow /     →  the EXACT action  →  verifiable proof.
                    allow-with-signoff /   on their own          Tamper it:
                    deny  (+observe        device (passkey).      fails by design.
                    mode: zero change      What they saw =
                    to production)         what they signed.

Act I — Interception (MCP-native). No rewrites. EMILIA hooks the tool call at the Model Context Protocol boundary — the moment an agent tries to delete a file or move capital, the action is caught mid-air.

Act II — Decision (policy-bound, deterministic). The action is checked against a hash-pinned policy: allow, allow-with-signoff, or deny. Plus an observe mode that changes nothing in production and reports what would have been held. Deterministic, auditable — not a black-box risk score.

Act III — The ceremony (device-bound human signoff). When policy requires a human, EMILIA runs a WebAuthn / passkey signoff bound to the exact action — Face ID / Touch ID on the operator's own device. What the human saw is what they signed. No script can forge it; no autonomous loop can skip it.

Act IV — The receipt (the evidence). The result is a signed authorization receipt that anyone can verify offline, with open-source code, no backend, no vendor trust. Tamper it and verification fails by construction. Optionally anchor it for public timestamping — the core needs no blockchain.

Why developers use it

You want agents that actually do things — but you're paralyzed by runaway loops, API over-spend, and accidental data destruction. EMILIA gives you a plug-and-play MCP server + a thin SDK wrapper. Apply a policy hash, and irreversible tool calls gain a cryptographically hardened, NIST-AI-RMF-mapped approval-and-evidence layer — without building approval workflows or audit infrastructure from scratch.

# langchain-emilia — wrap any LangChain tool with an EP gate
from langchain_emilia import EmiliaGateClient

gate = EmiliaGateClient(base_url="https://www.emiliaprotocol.ai", api_key="...")
safe_tool = gate.wrap(your_destructive_tool)

pip install langchain-emilia   # PyPI
npm install @emilia-protocol/verify  # npm

Your agent can't outrun its leash.

Why enterprises need it

Every platform shift mints a new security primitive: the web got SSL, the cloud got Okta / IAM, the agent economy needs action-level trust. Enterprises are sitting on AI budgets that compliance won't let them spend — EMILIA is the key that unlocks them, by turning unpredictable agents into audit-ready infrastructure that maps primitive-by-primitive to NIST AI RMF, EU AI Act, and SOC 2 CC6/7 controls.

The managed layer (GovGuard / FinGuard) extends the open standard with sector-specific policy packs, observe-mode pilots, and audit-ready evidence packages — with no procurement required to start.

The standard

EMILIA is an open standard, not a product moat. The core is Apache-2.0 and tracked as an IETF Internet-Draft.


IETF Internet-Draft	draft-schrock-ep-authorization-receipts-01
Cross-language verifiers	JavaScript · Python · Go — all three proven to agree on adversarial conformance vectors, every push (`npm run conformance`). That is the IETF bar for a real standard: multiple independent interoperable implementations.
Formal verification	26 TLA+ safety properties (0 errors) · 35 Alloy facts, 22 assertions — both run in CI
MCP registries	Official MCP registry · Glama (Grade A, Official badge) · Smithery
License	Apache-2.0

Three independent implementations proven to agree — see CONFORMANCE.md, or verify a receipt yourself at emiliaprotocol.ai/verify.

The EP stack

Eye observes. Handshake verifies. Signoff owns. Commit seals.

Layer	What it does
EP Eye	Observes and classifies agent behavior (OBSERVE → SHADOW → ENFORCE)
EP Handshake	Cryptographic consent ceremony with 7-property binding
EP Signoff	Named human ownership — WebAuthn / passkey Class A, device-bound; multi-party quorum (M-of-N / ordered — the two-person rule) for the highest-stakes actions
EP Commit	Atomic, immutable action close with Merkle-chained receipts

Proof points

Metric	Value
Automated tests	3,672+ across 142 files
TLA+ safety properties	26 verified (T1–T26), 0 errors — see PROOF_STATUS.md
Alloy relational assertions	35 facts + 22 assertions across two models — verified in CI
Red-team cases cataloged	85 — RED_TEAM_CASES.md
Security findings remediated	31
Conformance (7/7)	`node conformance/ep-conformance-test.js https://www.emiliaprotocol.ai`
Cross-language conformance	receipts · device signoffs · multi-party quorum — JS / Python / Go verifiers agree (`node conformance/run.mjs`)
Handshake create p95	575ms at 50 VUs — PERFORMANCE_PROOF.md

EP Core objects

EP standardizes three interoperable objects that any conforming implementation can produce and verify:

Object	What it is
Trust Receipt	A portable, signed record of an authorization event — what happened
Trust Profile	A standardized summary of observable trust state — what is known
Trust Decision	A policy-evaluated result with reasons and appeal path — what to do now

EP Extensions (Handshake, Signoff, Commit, Delegation) add stronger enforcement where systems must constrain execution. The product layers (GovGuard / FinGuard) are built on top — not the protocol itself.

Quickstart in five calls

Create policy
Initiate handshake
Present evidence
Verify
Signoff and consume

90-second demo · Quickstart · Agent walkthrough · IETF Draft · Discord

What EP is — and is not

EP is authorization at the moment of action, not an identity system, not a wallet, not a reputation score.

Is: a trust standard for binding actor identity, authority, policy, and exact action context before execution
Is not: a replacement for OAuth / OIDC (those answer who are you — EP answers who approved this exact action)
Is not: a proprietary product (the core is Apache-2.0 and IETF-tracked)
Is not: a blockchain (the receipt is the hero; optional public timestamping is a footnote)

See CONFORMANCE.md · SECURITY.md · THREAT_MODEL.md · GOVERNANCE.md

Reviews

No reviews yet

Be the first to review this server!

More Developer Tools MCP Servers

Fetch

Free

by Modelcontextprotocol · Developer Tools

Web content fetching and conversion for efficient LLM usage

Toleno

Free

by Toleno · Developer Tools

Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.

mcp-creator-python

Free

by mcp-marketplace · Developer Tools

Create, build, and publish Python MCP servers to PyPI — conversationally.

Emilia Protocol MCP Server

About

Security Report

Findings (11)Action required

Permissions Required

What You'll Need

How to Install

Documentation

EMILIA Protocol

The engine without brakes

Try it in 30 seconds

How it works — four acts

Why developers use it

Why enterprises need it

The standard

The EP stack

Proof points

EP Core objects

Quickstart in five calls

What EP is — and is not

Reviews

No reviews yet

More Developer Tools MCP Servers

Fetch

Toleno

mcp-creator-python

MarkItDown

FinAgent

mcp-creator-typescript