Skip to content

SEP: HTTP Message Signing for MCP Client Authentication#2752

Open
njdawn wants to merge 4 commits into
modelcontextprotocol:mainfrom
njdawn:feature/sep-http-message-signing
Open

SEP: HTTP Message Signing for MCP Client Authentication#2752
njdawn wants to merge 4 commits into
modelcontextprotocol:mainfrom
njdawn:feature/sep-http-message-signing

Conversation

@njdawn
Copy link
Copy Markdown

@njdawn njdawn commented May 19, 2026

Summary

Adds a draft SEP proposing RFC 9421 HTTP Message Signatures as an optional, additive proof-of-possession client-authentication mechanism for MCP. It supersedes the dormant SEP-1415 with the technical-feedback fixes from that thread, and is complementary to (not in competition with) SEP-1932 (DPoP).

Why this proposal

MCP currently authenticates clients with bearer tokens (OAuth access tokens, API keys, MCP-Session-Id). That model has well-known structural weaknesses that the rest of the web has been migrating away from:

  1. Secrets are re-exposed to the server on every request. A signed request, by contrast, never sends the private key — the server sees only signatures it cannot replay or repurpose.
  2. No protection against TLS-terminating intermediaries. CDNs, reverse proxies, and corporate egress inspection see bearers in plaintext. A signed request is verifiable end-to-end above TLS termination.
  3. No request integrity. Bearer auth says nothing about the body; a signature over (@method, @target-uri, content-digest, mcp-protocol-version, mcp-session-id) binds the credential to this specific request.
  4. No replay protection. Captured bearers are valid until rotation; created + nonce collapse that window to single-digit minutes.
  5. No verifiable client identity. The signature tag provides a stable, unforgeable client identifier across key rotations.
  6. Principle of least exposure. Stops handing clients access tokens really intended for server↔resource-server communication.

The acute use case is wallet-based and high-stakes authentication — MCP servers brokering on-chain transactions, payments, secret stores, or production database writes. A leaked bearer in those settings drains a wallet or exfiltrates secrets with no recovery. Proof-of-possession lets the wallet key itself become the natural MCP client credential.

What's different from SEP-1415

The 1415 thread surfaced a series of RFC-compliance issues that this draft addresses explicitly, with citations:

Issue from 1415 thread Raised by Resolution in this SEP
alg parameter creates substitution-attack risk @jricher Prohibited (§2.2). Algorithm derived from JWK kty + crv per RFC 9421 §7.3.5
created listed as a signed component @jricher, @dadrus Corrected — created is a signature parameter (§2.2), not a component
Custom JSON-RPC error envelope for algorithm negotiation @dadrus Replaced with standard Accept-Signature response header (§3.3)
Server-side full-signature cache @dadrus Replaced with (tag, nonce) cache (§2.3)
No init-less story (vs SEP-1372) @fsiyavud Signature-Agent header (draft-meunier-http-message-signatures-directory) for first contact (§2.6.1)
MCP-Protocol-Version not in signature @fsiyavud Required signed component (§2.1)
No stable identity across key rotation @dadrus RFC 9421 tag parameter as stable client ID (§2.5); signatures/rotateKey method (§3.4)
Ambiguity about session-bound vs stateless @spacewander Both flows specified: cnf in clientInfo for sessioned, Signature-Agent for stateless (§2.6)

Relationship to in-flight work

Status

  • Filed without a sponsor; seeking sponsor per the PR-based SEP workflow.
  • Reference implementations (server-side Rust middleware on rmcp; client-side TypeScript fetch wrapper on the official SDK) planned and will be linked once a sponsor advances this to In-Review.

Checklist

  • I have read the MCP Documentation
  • SEP follows the format defined in SEP-1850
  • Sponsor assigned (seeking)
  • Reference implementation linked (planned, see §Reference implementation)

cc: potential reviewers from the closed 1415 thread who provided technical feedback: @dickhardt @jricher @dadrus @fsiyavud @spacewander @covia-dev — your input shaped this draft.

njdawn and others added 2 commits May 19, 2026 15:42
@njdawn @claude
SEP: HTTP Message Signing for MCP Client Authentication
126bd87 
Adds a draft SEP proposing RFC 9421 HTTP Message Signatures as an
optional, additive proof-of-possession client-authentication mechanism
for MCP. Supersedes the dormant SEP-1415 with technical-feedback fixes:
correct RFC 9421 component/parameter semantics, prohibition of the
`alg` parameter, Accept-Signature negotiation, nonce-based replay
protection, Signature-Agent key distribution for init-less mode, and a
stable-identity `tag` that survives key rotation.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@njdawn @claude
Rename SEP to assigned PR number 2752
d1053c8 
Per SEP-1850, rename the file from 0000- to 2752- now that the PR
number is known, and update the header to match.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@njdawn njdawn mentioned this pull request May 19, 2026
Open
@njdawn @claude
Fix CI: prettier formatting + regenerated SEP docs
dddc50c 
- Reformatted the SEP markdown per prettier (italics, table spacing).
- Ran `npm run generate:seps` to produce docs/seps/2752-*.mdx and
  update docs/seps/index.mdx + docs/docs.json.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@njdawn njdawn requested review from a team as code owners May 19, 2026 21:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@njdawn