Manav.id

The Manav MCP server: full reference

The Manav MCP server is the canonical bridge between any MCP host (Claude, Cursor, your in-house agent) and the Manav identity protocol. One npx away. Three tools. Seven resources. Zero magic.

Install

npx -y @manav/mcp-server@latest

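# or as a long-running process
# (-p 7332:7332 publishes the port on every host interface; use
#  -p 127.0.0.1:7332:7332 when only local MCP hosts need to connect)
docker run -d \
  -e MANAV_HUMAN_DID="$MANAV_HUMAN_DID" \
  -e MANAV_DEVICE_KEY=/keys/device.key \
  -p 7332:7332 \
  ghcr.io/manav-id/mcp-server:1.4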

Then add to your MCP host's config:

{
  "mcpServers": {
    "manav": {
      "command": "npx",
      "args": ["-y", "@manav/mcp-server@latest"],
      "env": { "MANAV_HUMAN_DID": "did:manav:0x..." }
    }
  }
}

Tools the server exposes

delegation.issue — issue a scoped, time-bound delegation to an agent. Inputs: scope (array), ttl (duration), magnitude_cap (object), agent_did. Returns: delegation_id, presentation_token.

delegation.revoke — pull the cord. Inputs: delegation_id. Returns: revocation_epoch.

attest.work — sign an artifact as authored, supervised, or directed. Inputs: artifact_uri, role, witness_dids. Returns: attestation_id, audit_url.

Resources the server exposes

Read-only context the host can surface to the model: manav://human/profile, manav://human/trust-score, manav://delegations/active, manav://delegations/history?days=7, manav://attestations/recent, manav://policy/scope-vocabulary, manav://audit/last-100. Each resource is fetched on demand, cached locally, and signed at read so the model can cite the source.

The security model

The MCP server holds the human's device-bound private key only on the user's machine. The server never sends the private key over the wire. Tool calls that issue or revoke delegations require a local approval gesture — touch the YubiKey, approve the OS prompt, or tap the phone in the case of mobile hosts. The host (Claude, Cursor) cannot trick the server into issuing a delegation in the background.

Approval modes

Three settings.

Always-prompt — every issue/revoke needs a gesture. Default.

Allowlist — agents on the user's allowlist may run within a narrow scope without per-call prompting; everything else still prompts.

Deny-by-default — every action requires a gesture, plus a 5-second rate limit. Use in regulated environments.
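The three modes above as a decision function, in TypeScript like the reference implementation. This is an added sketch, not code from the Manav server: the type and function names, the allowlist shape (agent DID mapped to permitted scope strings), the reading of the rate limit as one action per 5 seconds, and the sample DID and scope values are all assumptions.

```typescript
// Added sketch of the approval modes; not code from manav-id/mcp-server.
// Every type, field and function name below is hypothetical.
type Mode = "always-prompt" | "allowlist" | "deny-by-default";
type Decision = "prompt" | "allow" | "rate-limited";

interface ToolCall {
  tool: "delegation.issue" | "delegation.revoke";
  agentDid: string;
  scope: string[]; // requested scope; empty for delegation.revoke
  atMs: number;    // arrival time in milliseconds
}

interface GateState {
  mode: Mode;
  // Assumption: the allowlist maps an agent DID to the scope it may use unprompted.
  allowlist: Map<string, Set<string>>;
  lastActionMs: number | null; // last request passed on to a prompt (deny-by-default)
}

const RATE_LIMIT_MS = 5000; // the 5-second rate limit of deny-by-default

function decide(call: ToolCall, state: GateState): Decision {
  if (state.mode === "allowlist") {
    const allowed = state.allowlist.get(call.agentDid);
    // Skip the gesture only when the agent is listed AND every requested scope
    // is inside its allowance. An empty scope (revoke) never skips it.
    const within = allowed !== undefined && call.scope.length > 0 &&
      call.scope.every((s) => allowed.has(s));
    return within ? "allow" : "prompt";
  }
  if (state.mode === "deny-by-default") {
    // Assumption: the limit means at most one prompted action per 5 seconds.
    if (state.lastActionMs !== null && call.atMs - state.lastActionMs < RATE_LIMIT_MS) {
      return "rate-limited";
    }
    state.lastActionMs = call.atMs;
  }
  return "prompt"; // always-prompt, and deny-by-default once past the limit
}

// Constructed sample: the DID and scope strings are placeholders, not real values.
const AGENT = "did:example:agent-1";
const sampleAllowlist = new Map<string, Set<string>>([[AGENT, new Set(["calendar.read"])]]);

function demo(mode: Mode, scopes: string[][], stepMs: number): Decision[] {
  const state: GateState = { mode, allowlist: sampleAllowlist, lastActionMs: null };
  return scopes.map((scope, i) =>
    decide({ tool: "delegation.issue", agentDid: AGENT, scope, atMs: i * stepMs }, state));
}
```

In allowlist mode a request that mixes an allowed scope with any other scope falls back to a prompt as a whole, so a listed agent cannot widen its allowance by bundling scopes.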

What the host sees

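The host model only ever sees the resources marked readable by the user and the tool returns of explicit calls. It does not see the private key, the device's secure-enclave handle, or the unsigned form of a delegation. This means the server is safe to use with any MCP host — even a hosted, untrusted one — because the worst the host can do is request actions, and the user must approve them. In Allowlist mode that approval is not per call: requests for an allowlisted agent within its narrow scope go through without a prompt, so keep the allowlist and its scopes tight when the host is untrusted.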

Reference implementation

Open-source at github.com/manav-id/mcp-server. TypeScript. Apache-licensed. Test coverage above 90%. Issues welcome; PRs reviewed within a business day.

Common objections

Engineers push back on three things. Latency — the cache makes verification 18 µs hot-path, fine for any production system. Vendor lock-in — the protocol is open, the spec is published, the reference implementation is forkable. Adding another auth dance — the integration is twelve lines and middleware, not a new platform to manage.

Frequently asked questions

What is the runtime cost? Single-digit milliseconds per tool call when the verification cache is warm. Cold verification is 1–2 ms. Both numbers are small relative to the LLM round-trip the agent is already paying.

Does it work with our existing agent framework? Yes. The protocol is host-agnostic. SDKs ship for Python, Go, Node, Rust, and TypeScript; integrations exist for LangChain, CrewAI, AutoGen, and the Claude Agent SDK. Anything that calls a tool can present a delegation.

What happens to delegations when an engineer leaves? They die at the human's offboarding. The IdP de-provisions the human; the device key is rotated; every active delegation that human signed is invalidated within 200 ms. No service-account graveyard for the new owner to clean up six months later.

Where to start

Hands-on next: "mcp identity 12 lines" ships in twelve lines; "cross platform agent identity" adds the operational layer once you have the basics. Both link to working repos; clone, integrate, run the bench.

What ships in the first PR

The first PR a developer opens against the Manav MCP server reveals the integration shape. The PR adds a single MCP tool: a verification call that checks an action against the user's active delegation. The diff is roughly forty lines of integration code and an audit-log row. The PR is reviewable in fifteen minutes by an engineer who has never read the protocol spec. We optimized for that reviewability. The MCP server is intentionally small in surface area; the cryptographic complexity is in the verification path, not in the developer-facing tool. Once the first PR ships, subsequent PRs add scope coverage — magnitude caps, witness requirements, role declarations — incrementally. The integration that follows this pattern reaches production in one quarter. The integration that tries to ship the entire delegation surface in a single PR slips into the next quarter as code review becomes the bottleneck. The architecture rewards incremental adoption.

The MCP server is identity for agent hosts the way nginx is reverse-proxy for the web. Boring. Universal. Quietly indispensable.