Zero trust identity for autonomous AI agents. Every action signed. Every tool gated. Every agent verified. No identity, no trust.
Message integrity verification, replay protection, tool definition monitoring, and agent identity -- all with one URL change.
MCPSaaS implements the MCPS protocol, submitted as an IETF Internet-Draft and aligned with OWASP MCP Top 10 controls.
Every message is verified end-to-end. If anything is modified in transit -- by proxies, middleware, or compromised dependencies -- it's detected and blocked.
Every request is unique. Captured messages cannot be re-sent. Centralised tracking across all your agents with automatic expiry.
Tool definitions are fingerprinted at discovery. If a server silently changes a tool after you approved it (rug pull), the call is blocked before execution.
Every agent gets a verifiable identity with trust levels L0-L4. Servers set minimum trust requirements. No more anonymous tool calls.
Full structured logging in JSON and syslog (RFC 5424). Feed directly into Cribl, Splunk, Datadog, or any SIEM. Complete non-repudiation.
Change one URL in your MCP config. No SDK, no library, no key management. Your MCP server doesn't know we exist.
MCP (Model Context Protocol) is the standard for connecting AI agents to external tools. Adopted by Anthropic, OpenAI, Google, Microsoft, and AWS. But it was built for functionality, not security. Here's what's missing.
Every JSON-RPC message between agent and tool server travels without any integrity verification. Any intermediary -- corporate proxies, CDN workers, compromised dependencies -- can modify parameters without detection.
Captured MCP messages can be re-sent by an attacker to repeat sensitive operations. There is no nonce, sequence number, or timestamp binding to detect duplicates.
Tool definitions can change after initial approval. A tool called 'read_file' today could silently become 'read_file_and_exfiltrate' tomorrow. No hash-pinning, no mutation detection.
Agents authenticate with bearer tokens or API keys. A stolen token means full impersonation. There is no way to verify which specific agent made a request.
Transport security terminates at every hop. Corporate HTTPS inspection proxies (Zscaler, Palo Alto, Fortinet) routinely decrypt, inspect, and re-encrypt traffic. After termination, messages are plaintext.
OAuth proves who you are but doesn't protect what you send. A valid OAuth token with a modified message body is accepted without question. No message signing, no payload integrity.
MCP has the fastest-growing attack surface in AI infrastructure. Critical vulnerabilities including RCE (CVE-2025-6514, CVSS 9.6), authentication bypass, and unauthenticated API exposure.
Industry scans of 500+ MCP servers found that 38% lack any form of authentication. Anyone who can reach the endpoint can invoke any tool.
MCPSaaS closes every one of these gaps. One URL change. Zero code modifications.
See HowChange your MCP endpoint URL. That's it.
Existing security standards leave critical gaps in agent communication. MCPSaaS closes all of them.
| Requirement | TLS | OAuth | JWT | JWS | DPoP | mTLS | MCPS |
|---|---|---|---|---|---|---|---|
| Identity | Server only | Yes | Yes | No | Key bind | Both | Passport (L0-L4) |
| Message Integrity | No | No | Token only | Yes | No | No | Every message |
| Replay Protection | No | No | Expiry | No | Partial | No | Nonce + timestamp |
| Tool Integrity | No | No | No | No | No | No | SHA-256 hash-pin |
| Trust Levels | No | No | No | No | No | No | L0-L4 hierarchy |
| Revocation | CRL | Expiry | Expiry | No | No | CRL | Real-time |
| Non-repudiation | No | No | No | Yes | No | No | Yes |
TLS-terminating proxies can modify messages after decryption.
Cloudflare Workers or CDN scripts can intercept and modify MCP traffic.
Compromised npm dependencies can intercept from inside your MCP server.
Captured requests can be re-sent to repeat sensitive operations.
MCP servers can silently change tool definitions after approval.
Fake servers at hijacked domains proxy traffic while modifying it.
How MCPSaaS maps to each OWASP MCP risk control.
| Risk | OWASP MCP Control | MCPSaaS | How |
|---|---|---|---|
| MCP-01 | Tool Poisoning -- Malicious instructions in tool descriptions | Covered | Tool definitions hash-pinned at discovery. Any mutation detected and blocked before execution. |
| MCP-02 | Excessive Agency -- Agent performs unintended actions | Partial | Audit trail logs every tool call with full parameters. Anomaly detection via dashboard. |
| MCP-03 | Data Exfiltration -- Sensitive data sent via tool calls | Partial | Full audit of all parameters in transit. Syslog integration for SIEM alerting. |
| MCP-04 | Tool Rug Pulls -- Tool definitions changed post-approval | Covered | SHA-256 hash-pinning. Tool definition verified against pinned hash before every execution. |
| MCP-05 | Prompt Injection via Tools -- Injected instructions in tool responses | Partial | Response integrity verification. Signed responses from MCPS-enabled servers. |
| MCP-06 | Cross-Server Shadowing -- Tool name collisions across servers | Partial | Per-server tool pinning with server-specific hashes. Namespace isolation via proxy. |
| MCP-07 | Insufficient Auth -- Weak identity verification | Covered | Agent passports with trust levels L0-L4. Servers set minimum trust requirements. |
| MCP-08 | No Message Integrity -- Unsigned messages in transit | Covered | Every message signed with ECDSA P-256 via MCPS. Tampered messages rejected. |
| MCP-09 | Supply Chain Risks -- Compromised MCP packages | Partial | Tool integrity monitoring detects post-install mutations. Zero dependency signing chain. |
| MCP-10 | Logging Gaps -- No audit trail for agent actions | Covered | Full structured audit in JSON + RFC 5424 syslog. Every request/response logged with non-repudiation. |
6 of 10 risks fully covered. 4 partially covered with detection and monitoring.
MCPSaaS is the only managed service that maps directly to the OWASP MCP Top 10. View the full OWASP MCP Top 10.
MCPSaaS supports local key generation and GCP Cloud KMS for enterprise key management.
| Feature | Local (Free) | GCP KMS (Pro/Enterprise) |
|---|---|---|
| Key Generation | ECDSA P-256 on server | ECDSA P-256 in Cloud KMS |
| Key Storage | Encrypted volume | Google-managed, never exported |
| Key Rotation | Manual via API | Automatic with grace period |
| Audit | MCPSaaS audit log | MCPSaaS + Cloud Audit Logs |
| Compliance | SOC2 | SOC2 + FIPS 140-2 Level 1 |
| BYOK | N/A | Bring Your Own Key supported |
Everything you need to secure your MCP connections.
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/signup | Create account |
| POST | /api/login | Get API key |
| GET | /api/dashboard | Dashboard stats |
| POST | /api/proxies | Create proxy endpoint |
| GET | /api/proxies | List proxy endpoints |
| GET | /api/audit | Audit log (JSON) |
| GET | /api/audit/syslog | Audit log (RFC 5424 syslog) |
| POST | /api/keys/rotate | Rotate API key |
| GET | /proxy/:id | Proxy endpoint (use in MCP config) |
MCPSaaS implements the MCPS protocol as defined in IETF Internet-Draft draft-sharif-mcps-secure-mcp.
| Layer | Control | Standard |
|---|---|---|
| Message Signing | ECDSA P-256 per-message signatures | NIST FIPS 186-5 |
| Canonicalization | Deterministic JSON serialization | RFC 8785 (JCS) |
| Replay Protection | Nonce + timestamp window | MCPS SEP-2395 |
| Tool Integrity | SHA-256 hash-pinning | MCPS SEP-2395 |
| Agent Identity | Cryptographic passports (L0-L4) | MCPS SEP-2395 |
| Audit Output | Structured JSON + syslog | RFC 5424 |
Start free. Scale as you grow.
Real-time overview of your MCP security posture.
No activity yet. Configure a proxy endpoint to start.