Credit goes to capisc.io

Open source. Self-hostable. Apache 2.0.

NEW: Open Source, RFC-006 & RFC-007

Secure Your MCP Tools.
Trust No Agent Blindly.

MCP Guard protects Model Context Protocol tool servers with trust-level requirements and structured evidence logging.

Your MCP servers expose powerful tools—file systems, databases, APIs. But MCP doesn't define which agent may call which tool. MCP Guard does.

Trust Levels 0–4 | @guard Decorator | Evidence Logging | Server Identity
pip install capiscio-mcp

MCP's Security Gap

Model Context Protocol defines how tools are described and invoked, and its optional OAuth-based authorization covers session-level access on the HTTP transport, but it leaves the identity of the calling agent and per-tool access decisions to the server. That's a problem when your tools access sensitive resources.

No Caller Identity

MCP doesn't specify how a tool server verifies which agent is calling a tool; a transport-level token says a session was authorized, not who is behind it.

Risk: Any agent can claim to be "finance-agent"


No Authorization

MCP doesn't define per-tool access control based on agent identity; once a session is in, every tool looks the same to it.

Risk: All agents have equal access to all tools


No Audit Trail

MCP doesn't specify how to log tool invocations for compliance.

Risk: No way to investigate incidents or prove compliance

MCP Guard: The Missing Security Layer

Three capabilities that harden MCP tool servers

Trust-Level Access Control
Require minimum trust levels for sensitive tools
@guard(min_trust_level=2)
async def read_database(query: str):
    # Only Trust Level 2+ agents
    pass
Structured Audit Events
Atomic evidence record for every decision
  • Tool name & parameter hash (PII-safe)
  • Caller identity (DID, badge, level)
  • Decision, reason, timestamp
Server Identity Verification
Verify MCP servers before connecting
result = await verify_server(
    server_did="did:web:...",
    server_badge="eyJhbGc..."
)
# VERIFIED_PRINCIPAL ✓

Trust Levels: Right Access for Right Identity

Progressive trust from self-signed to continuous validation

Level | Name | Description | Use Case
0 | Self-Signed (SS) | did:key issuer, cryptographic identity only | Development, testing
1 | Registered (REG) | Account registration with registry | Internal agents, development
2 | Domain Validated (DV) | DNS or HTTP domain ownership proof | Production B2B agents
3 | Org Validated (OV) | DV + organization existence verification | High-trust production
4 | Extended Validated (EV) | OV + manual review + legal agreement | Regulated industries

Two Lines to Secure Your Tools

Decorator-based protection for any MCP tool. Works with MCP SDK integrations that pass caller credentials through to the tool handler; a call that arrives without a caller credential carries no trust level, so it should be denied rather than defaulted.

pip install capiscio-mcp

Protect incoming tool calls
from capiscio_mcp import guard

@guard(min_trust_level=2)
async def read_database(query: str) -> list[dict]:
    """Only agents with Trust Level 2+ can execute this tool."""
    results: list[dict] = []  # replace with your database query logic
    return results

@guard(min_trust_level=3)
async def write_database(table: str, data: dict) -> None:
    """Trust Level 3+ required for write operations."""
    # Write logic here
    pass

Every Invocation. Every Decision. Logged.

Structured audit events for compliance and incident response

Allowed Invocation

{
  "event.name": "capiscio.tool_invocation",
  "id": "ev_abc123...",
  "timestamp": "2026-01-15T10:30:00Z",
  "capiscio.target": "read_database",
  "capiscio.decision": "ALLOW",
  "capiscio.tool.params_hash": "sha256:9f86d...",
  "capiscio.agent.did": "did:web:agent.example.com",
  "capiscio.badge.jti": "badge_xyz789",
  "capiscio.auth.level": "badge",
  "trust_level": 2,
  "capiscio.policy_version": "v1.0"
}

Denied Invocation

{
  "event.name": "capiscio.tool_invocation",
  "id": "ev_def456...",
  "timestamp": "2026-01-15T10:31:00Z",
  "capiscio.target": "write_database",
  "capiscio.decision": "DENY",
  "capiscio.deny_reason": "TOOL_TRUST_INSUFFICIENT",
  "capiscio.tool.params_hash": "sha256:a1b2c...",
  "capiscio.agent.did": "did:web:agent.example.com",
  "capiscio.auth.level": "badge",
  "trust_level": 1,
  "capiscio.policy_version": "v1.0"
}

Evidence is PII-safe: parameter values are hashed client-side, and only the digest is sent to core. Treat params_hash as a correlation key rather than as encryption: an unsalted digest of a low-entropy value (a short table name, a user ID) can still be matched by guessing. Supports auditability workflows for SOC 2 / HIPAA / GDPR programs.
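To make the decorator section and the evidence records above concrete, here is an added example, written for this page and not code from the capiscio-mcp library. It applies a per-tool minimum trust level to a JSON-RPC `tools/call` request and emits an evidence record in the field layout shown above. It assumes that the caller's already-verified identity arrives in `params._meta.caller` as `{did, badge_jti, trust_level}` (the page says MCP Guard rides on JSON-RPC `_meta`, but not the key names), that badge verification happened upstream, and that the `-32003` error code and the `TOOL_NOT_FOUND` reason are choices made for the example. Sample callers and requests are constructed inline.

```python
"""Added example (not the capiscio-mcp library's code): trust-level gating
and evidence logging for a JSON-RPC tools/call request.
Assumed, since the page does not pin them down: the caller's already-verified
identity travels in params._meta.caller as {did, badge_jti, trust_level};
badge validation happened upstream; the -32003 code and the TOOL_NOT_FOUND
reason are choices made for this example."""
import hashlib
import json
import uuid
from datetime import datetime, timezone

TOOLS = {}          # tool registry filled by @guard
EVIDENCE_LOG = []   # in-memory sink standing in for a SIEM

def params_hash(args: dict) -> str:
    """PII-safe digest of the tool arguments: canonical JSON (sorted keys, no
    whitespace) so key order never changes the hash; only the digest is logged."""
    canonical = json.dumps(args, sort_keys=True, separators=(",", ":"))
    return "sha256:" + hashlib.sha256(canonical.encode()).hexdigest()

def guard(min_trust_level: int):
    """Register a tool with the minimum trust level required to call it."""
    def register(fn):
        fn.min_trust_level = min_trust_level
        TOOLS[fn.__name__] = fn
        return fn
    return register

def _record(target, decision, caller, level, phash, deny_reason=None):
    """One evidence record per decision, in the field layout shown on this page."""
    event = {
        "event.name": "capiscio.tool_invocation",
        "id": "ev_" + uuid.uuid4().hex[:12],
        "timestamp": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "capiscio.target": target,
        "capiscio.decision": decision,
        "capiscio.tool.params_hash": phash,
        "capiscio.agent.did": caller.get("did"),
        "capiscio.badge.jti": caller.get("badge_jti"),
        "capiscio.auth.level": "badge" if caller.get("badge_jti") else "none",
        "trust_level": level,
        "capiscio.policy_version": "v1.0",
    }
    if deny_reason:
        event["capiscio.deny_reason"] = deny_reason
    EVIDENCE_LOG.append(event)
    return event

def handle_tools_call(request: dict) -> dict:
    """Apply the per-tool trust policy to a tools/call request and answer it.
    Order matters: hash the arguments, log the decision, then run the tool, so
    a DENY executes nothing and an ALLOW is on record even if the tool raises."""
    req_id, params = request.get("id"), request.get("params") or {}
    name, args = params.get("name"), params.get("arguments") or {}
    caller = (params.get("_meta") or {}).get("caller") or {}
    level, phash = caller.get("trust_level"), params_hash(args)

    def error(code, message, **data):
        return {"jsonrpc": "2.0", "id": req_id,
                "error": {"code": code, "message": message, "data": data}}

    tool = TOOLS.get(name)
    if tool is None:
        _record(name, "DENY", caller, level, phash, "TOOL_NOT_FOUND")
        return error(-32601, "unknown tool")
    # Fail closed: a missing, string or boolean level is below every threshold.
    if type(level) is not int or level < tool.min_trust_level:
        _record(name, "DENY", caller, level, phash, "TOOL_TRUST_INSUFFICIENT")
        return error(-32003, "TOOL_TRUST_INSUFFICIENT", required=tool.min_trust_level)
    _record(name, "ALLOW", caller, level, phash)
    return {"jsonrpc": "2.0", "id": req_id,
            "result": {"content": [{"type": "text", "text": json.dumps(tool(**args))}]}}

@guard(min_trust_level=2)
def read_database(query: str) -> list:
    return [{"rows": 1, "echo": query}]   # stand-in for real query logic

@guard(min_trust_level=3)
def write_database(table: str, data: dict) -> None:
    return None                            # stand-in for real write logic

def tools_call(name, arguments, caller=None, req_id=1):
    """Constructed tools/call request in the shape an MCP client sends."""
    params = {"name": name, "arguments": arguments}
    if caller is not None:
        params["_meta"] = {"caller": caller}
    return {"jsonrpc": "2.0", "id": req_id, "method": "tools/call", "params": params}

# Constructed sample callers: a Domain Validated (2) and a Registered (1) agent.
DV_AGENT = {"did": "did:web:agent.example.com", "badge_jti": "badge_xyz789", "trust_level": 2}
REG_AGENT = {"did": "did:web:intern.example.com", "badge_jti": "badge_abc123", "trust_level": 1}
```

Two design points worth copying: the decision is recorded before the tool body runs, so a DENY never executes anything and an ALLOW is on record even if the tool later fails; and the trust level is checked with a strict integer test, so a string "4" or a boolean smuggled into `_meta` fails closed instead of comparing as a number. Run `handle_tools_call(tools_call("write_database", {"table": "t", "data": {"x": 1}}, REG_AGENT))` and inspect `EVIDENCE_LOG[-1]` to see the DENY record with `TOOL_TRUST_INSUFFICIENT`.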

MCP Guard vs Agent Guard

Different protocols, same security principles

Aspect | Agent Guard | MCP Guard
Protocol | A2A (Agent-to-Agent) | MCP (Model Context Protocol)
Transport | HTTP headers | JSON-RPC _meta
Use Case | Agent→Agent calls | Agent→Tool server calls
Package | capiscio-sdk | capiscio-mcp
RFC | RFC-002, RFC-003 | RFC-006, RFC-007

Use Agent Guard when...

Your agents call other agents over HTTP/HTTPS using the A2A protocol. Protects agent-to-agent communication.

Use MCP Guard when...

Your agents call MCP tool servers (file systems, databases, APIs). Protects tool invocations from unauthorized agents.

The CapiscIO Stack

Use Case | Tool
Validate agent cards & endpoints | CLI
Block bad A2A traffic (Python) | Agent Guard (capiscio-sdk)
Block bad A2A traffic (Any HTTP) | Go Sidecar (Core)
Protect MCP tool servers | MCP Guard ← You are here
A2A Protocol Security

Also building A2A agents?

MCP Guard protects your tool servers. Agent Guard protects agent-to-agent communication over HTTP.

  • Ed25519 signatures - Verify caller identity
  • SHA-256 body hash - Detect tampering
  • 60s freshness window - Block replay attacks
# A2A protection
$ pip install capiscio-sdk
from capiscio_sdk import SimpleGuard
guard = SimpleGuard(app)
✓ A2A requests now protected

Ready to Secure Your MCP Tools?

Start protecting your MCP tool servers today. Free, open source, and built for production teams.

pip install capiscio-mcp

Frequently Asked Questions

Everything you need to know