SEP-2752 · HTTP Message Signing for MCP Client Authentication

Wallets authenticate by signing.
Agents should too.

Today

MCP authenticates clients with bearer tokens — OAuth access tokens, API keys, MCP-Session-Id. Any wallet-backed agent needs a separate, MCP-specific credential provisioned, stored, rotated, and revoked alongside its private key.

With SEP-2752

The agent signs each MCP request with its wallet key using RFC 9421 HTTP Message Signatures. The same Ed25519 / secp256k1 / P-256 key that signs an on-chain transaction signs the request to the broker. No bearer issued, no OAuth flow, no token rotation, no second credential to leak.

Signed request envelope

POST /mcp
Content-Digest: sha-256=:<digest>:
MCP-Protocol-Version: 2026-03-26
MCP-Session-Id: sess_abc123
Signature-Input: sig1=("@method" "@target-uri" "content-digest"
  "mcp-protocol-version" "mcp-session-id");
  created=...; nonce=...; keyid="<JWK thumbprint>"; tag="<client-id>"
Signature: sig1=:<sig>:

Properties

  • Private key never leaves the client.
  • Signature binds method, URI, body, session, protocol version.
  • Replay window ≤ 5 minutes, single use per (tag, nonce).
  • Stable tag identity survives key rotation.
  • Complementary to PR #1932 (DPoP). DPoP for OAuth-bound flows; this for the rest.