Developer · 5 min read

MCP + Identity in 12 lines

Twelve lines of code. One environment variable. Your Claude Agent SDK app now carries a cryptographic delegation token bound to a verified human — and survives an Article 14 audit.

Enterprise AI teams have rallied around the Model Context Protocol — 78% report at least one MCP-backed agent in production as of this quarter, up from 31% a year earlier. Anthropic donated MCP to the Linux Foundation's Agentic AI Foundation, with Block, OpenAI, Google, Microsoft, AWS, and Cloudflare backing the move. The open registry now lists over 10,000 active MCP servers, and the Python and TypeScript SDKs see 97 million monthly downloads.

What MCP shipped fast: tool access. What MCP did not ship: identity. That gap is what Manav fills.

The 12-line integration

Drop this into a fresh Claude Agent SDK project. Replace the Manav identity reference with your own DID after running npx @manav/cli init.

// Add Manav delegation to any MCP-enabled Claude agent.
import { ClaudeAgent } from "@anthropic-ai/agent-sdk";
import { withManav } from "@manav/mcp-identity";

const agent = withManav(new ClaudeAgent({
 model: "claude-opus-4-7",
 mcpServers: ["filesystem", "github", "stripe"],
}), {
 humanDid: process.env.MANAV_HUMAN_DID,
 scope: ["repos:read", "stripe:invoice:write"],
 spendCap: { currency: "USD", amount: 500 },
 ttl: "8h",
});

await agent.run("Reconcile yesterday's invoices.");

Twelve lines (counting the import). What just happened:

withManav wraps the agent and intercepts every MCP tool call.
Each call attaches a delegation token signed by the human's Manav identity.
The token carries the scope, spend cap, and time-to-live you specified.
Receiving MCP servers verify the signature and enforce the scope locally.
Every action is appended to the human's tamper-evident audit log.
Revocation is instant — calling manav.revoke(agent.id) stops every MCP server from accepting the agent's tokens within 200ms.

Why MCP needed this

MCP standardized how an LLM talks to tools. It did not standardize who, on the human side, authorized that conversation. Production teams currently solve this in three ways, all bad:

API keys per agent. The agent gets a long-lived key. The audit log shows "the key did it." No human is bound. Article 14 fail.
User session passthrough. The agent borrows the user's session cookies. Better — but the session can't be scoped or rate-limited per-agent, and it dies when the user logs out (which doesn't happen often enough).
Custom OAuth dance. Each MCP server implements its own auth code flow. Works for one server. Breaks at three.

Manav's MCP-identity layer collapses these into one delegation primitive that every MCP server understands. It is the OAuth of agents — but designed from the start for the human-agent-tool topology that MCP creates.

What the audit log looks like

Each tool call leaves a structured record like this:

{
 "ts": "2026-05-03T14:22:01Z",
 "human": "did:manav:0x9a3f...",
 "agent": "agent:claude:opus-4-7:run-7d2e",
 "delegation": {
 "scope": ["stripe:invoice:write"],
 "spend_cap_remaining": "USD 412.50",
 "ttl_remaining": "6h 12m"
 },
 "tool": "stripe.create_invoice",
 "params_hash": "sha256:8f1e...",
 "signature": "ed25519:..."
}

This is the artifact your auditor wants. It proves: (1) which human authorized the action, (2) what scope they granted, (3) the cap was respected, (4) the call has not been tampered with. All four anchors required by the EU AI Act's Article 14.

Performance

The wrapper adds 4–8 ms per tool call (signature + scope check, no network round-trip in the hot path). Revocation propagates via signed nonces; MCP servers re-fetch the active set every 60 seconds and on every signature failure.

Common mistakes

Don't issue a single delegation for the whole agent run. Issue one per tool category. If your agent does both reads and writes, two delegations are safer than one.

Don't put high-magnitude caps in TTLs longer than your incident response time. An 8-hour, $50,000 delegation is a 4 a.m. wire transfer waiting to happen. Match TTLs to your team's mean time to respond.

Don't forget the human. The whole point is that MANAV_HUMAN_DID resolves to a real, verified person. Use a service-account DID for tests; never in production.

What to do next

Clone the reference repo at github.com/manav-protocol/mcp-identity-quickstart, run npm install && npx @manav/cli init, and you have a working delegation in under five minutes. The quickstart includes wired examples for the filesystem, GitHub, Stripe, and Slack MCP servers.

Common objections

Engineers push back on three things. Latency — the cache makes verification 18 µs hot-path, fine for any production system. Vendor lock-in — the protocol is open, the spec is published, the reference implementation is forkable. Adding another auth dance — the integration is twelve lines and middleware, not a new platform to manage.

Frequently asked questions

What is the runtime cost? Single-digit milliseconds per tool call when the verification cache is warm. Cold verification is 1–2 ms. Both numbers are small relative to the LLM round-trip the agent is already paying.

Does it work with our existing agent framework? Yes. The protocol is host-agnostic. SDKs ship for Python, Go, Node, Rust, and TypeScript; integrations exist for LangChain, CrewAI, AutoGen, and the Claude Agent SDK. Anything that calls a tool can present a delegation.

What happens to delegations when an engineer leaves? They die at the human's offboarding. The IdP de-provisions the human; the device key is rotated; every active delegation that human signed is invalidated within 200 ms. No service-account graveyard for the new owner to clean up six months later.

Where to start

Hands-on next: delegation tokens explained ships in twelve lines; ai act article 14 playbook adds the operational layer once you have the basics. Both link to working repos; clone, integrate, run the bench.

OAuth for humans took a decade. The agent equivalent is shipping in twelve lines.