SEP-2672: Per-Call Passkey Verified Approval for MCP Tool Calls #2672
pinialt wants to merge 3 commits into

@pcarleton - would you be willing to sponsor this SEP? It adds a per-call, passkey-backed approval flow for sensitive MCP tool calls, bound to the specific arguments being approved. I thought you’d be a good fit given your MCP security/authorization work.

Reference implementation: https://github.com/pinialt/mcp-verified-approval

Cross-referencing related work: Discussion #2404 (“Agent Identity and Delegation for MCP Tool Calls”) is adjacent to this SEP, but at a different layer.

Hi @pinialt — this SEP is really interesting, especially the note that #2404 and SEP-2672 are complementary and both attach evidence to params._meta on tools/call.

One protocol-shape question: should params._meta eventually have a small common “evidence container” convention so delegation evidence, per-call approval evidence, and later audit/receipt records can compose cleanly?

For later audit, it seems useful to reconstruct a chain like:

agent identity/delegation → exact tool name + argument digest → human approval evidence → final decision/audit record

Is that kind of evidence chain in scope for this SEP, or better left to a future cross-SEP convention?

Thanks @0pen7ech, good question, and the observation about the params._meta evidence neighborhood is correct.

This SEP's evidence shape (§4.5, §5.6) is method-discriminated to make future expansion additive within its own namespace. Composition with future approval methods is already designed in.

Cross-SEP convention - a shared evidence-container spanning delegation (#2404), per-call approval, and future audit records - is a different scope. It probably belongs either in a separate cross-cutting SEP about _meta conventions, or in MCP's extension guidelines, rather than any individual proposal.

The chain you sketched (delegation → tool+args digest → human approval → audit) is the right framing. For this SEP I'd keep convention work out of scope, but the design assumes a future convention could include this proposal's evidence shape.

This PR adds a draft SEP for verified approval on MCP tool calls.
The goal is to bind a user's approval to a specific tool call and set of arguments, instead of relying on a client-side confirmation dialog. The proposal uses an MCP annotation plus a WebAuthn-based challenge/response flow, and it stays additive to existing authorization and elicitation mechanisms.
Feedback most useful on: protocol shape, _meta placement, and whether the security model is stated clearly enough.

There's a reference implementation in a companion repo (github.com/pinialt/mcp-verified-approval), and residual risks - especially around synced passkeys and display tampering - are documented in §8.3.
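
The description above says approval is bound to a specific tool call and its arguments through a WebAuthn challenge/response. The following is an added example, not code from the SEP or its reference implementation, showing one way such a binding can be checked on the server. The challenge layout (SHA-256 over a server nonce and the canonicalized call), the tool name, the origin and the simulated authenticator are all assumptions made for illustration.

```javascript
// Added example; the challenge layout and field names are assumptions, not SEP-2672's wire format.
const nodeCrypto = require('node:crypto');
const sha256 = (buf) => nodeCrypto.createHash('sha256').update(buf).digest();
// Deterministic JSON (keys sorted recursively) so equal arguments always hash equally.
function canonical(value) {
  if (Array.isArray(value)) return '[' + value.map(canonical).join(',') + ']';
  if (value && typeof value === 'object') {
    return '{' + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ':' + canonical(value[k])).join(',') + '}';
  }
  return JSON.stringify(value);
}
// Challenge = SHA-256(server nonce || canonical({arguments, tool})).
function approvalChallenge(nonce, tool, args) {
  return sha256(Buffer.concat([nonce, Buffer.from(canonical({ arguments: args, tool }))]));
}
// Stand-in authenticator: signs authenticatorData || SHA-256(clientDataJSON), as WebAuthn does.
function simulateAssertion(privateKey, challenge, origin) {
  const clientDataJSON = Buffer.from(JSON.stringify(
    { type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  const authenticatorData = Buffer.alloc(37); // constructed: zeroed rpIdHash and counter
  authenticatorData[32] = 0x05; // flags: user present | user verified
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: nodeCrypto.sign('sha256', signed, privateKey) };
}
// Server: recompute the challenge from the call about to run, then check the signature.
// rpIdHash and signature-counter checks are left out of this sketch.
function verifyApproval(publicKey, nonce, origin, tool, args, assertion) {
  const clientData = JSON.parse(assertion.clientDataJSON.toString());
  const expected = approvalChallenge(nonce, tool, args).toString('base64url');
  if (clientData.type !== 'webauthn.get' || clientData.origin !== origin) return false;
  if (clientData.challenge !== expected) return false; // approval covers other arguments
  if ((assertion.authenticatorData[32] & 0x04) === 0) return false; // no user verification
  const signed = Buffer.concat([assertion.authenticatorData, sha256(assertion.clientDataJSON)]);
  return nodeCrypto.verify('sha256', signed, publicKey, assertion.signature);
}
function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const nonce = nodeCrypto.randomBytes(16);
  const origin = 'https://approval.example'; // constructed value
  const tool = 'transfer_funds'; // hypothetical tool name
  const a = simulateAssertion(privateKey,
    approvalChallenge(nonce, tool, { to: 'acct-123', amount: 50 }), origin);
  return {
    same: verifyApproval(publicKey, nonce, origin, tool, { amount: 50, to: 'acct-123' }, a),
    tampered: verifyApproval(publicKey, nonce, origin, tool, { to: 'acct-123', amount: 5000 }, a),
  };
}
console.log(demo());
```

The server recomputes the challenge from the arguments it is about to execute, so an assertion collected for one set of arguments fails verification if any argument is changed after the user approved.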