Model Context Protocol

ASTIS MCP

AI-native cryptography for agents

One MCP server that lets Claude Code, Cursor, Windsurf, and every other AI coding agent build correct ASTIS integrations at dev time — and call ASTIS for real crypto operations at runtime, with the same zero-knowledge guarantees as your own backend.

Connect your AI agentmcp.astis.io

First commercial KMS on the Model Context Protocol — no AWS / GCP / Azure / Vault / Skyflow equivalent today.

Two modes, one server

ASTIS MCP serves both your developers and the AI agents you let act on your behalf in production.

Dev-time

For developers in Claude Code, Cursor, Windsurf

Your engineers ship correct ASTIS integrations on the first try. The MCP server hands their AI agent ready-to-paste code, accurate endpoint contracts, and a static validator — instead of the agent guessing from out-of-date docs.

No quota or billing
Scope: mcp:use
Read-only: never touches production data
Phase 6

Runtime

For AI agents acting on your behalf in prod

Give your production AI agent narrow, audited access to sign, verify, unseal envelopes, and tokenize PII via ASTIS. Same zero-knowledge edge, separate scope family, separate audit trail. You stay in control.

Per-tool opt-in via portal
Scopes: mcp:runtime:*
Separate scope from base sign/verify/unseal

8 tools, no surprises

Every tool has a clear contract, declared scope, and audit hook. No hidden side-effects.

Dev-time tools

generate_client

Generate a working integration in your stack — Go+Gin, Node, Python, Java — with all crypto correctness baked in. No copy-pasting from docs.

explain_endpoint

Get the zero-knowledge posture, required scopes, sealed-envelope contract, and audit fields for any ASTIS endpoint without leaving the IDE.

validate_request

Static-check your code before you run it. Catches missing scopes, wrong field names, sealed envelopes built incorrectly.

threat_model

Generate a threat model for your specific integration — what an attacker can and cannot do given your code path.

Runtime tools

runtime_sign

AI agent signs a payload via ASTIS at runtime. Worker hashes locally, ASTIS edge never sees the plaintext.

requires: sign + mcp:runtime:sign
runtime_verify

AI agent verifies a signature via ASTIS at runtime. Returns notation-linked audit ID.

requires: verify + mcp:runtime:verify
runtime_unseal_capsule

AI agent unseals a sealed-envelope capsule to recover a session key. Worker performs PGP wrap of the inner request and AES-GCM unwrap of the response.

requires: envelopes:unwrap + mcp:runtime:unseal
runtime_tokenize

AI agent tokenizes/detokenizes PII via FPE. Privacy-preserving — agent gets a token, not plaintext. Coming Phase 6.5.

requires: fpe + mcp:runtime:tokenize

Trust model

Letting an AI agent act on your behalf is a security decision. Here is exactly what you are signing up for.

Opt-in by default

Every runtime scope is disabled until your admin explicitly grants it on a per-API-key basis. AI agents start with zero powers.

Same zero-knowledge edge

The MCP worker hashes payloads locally before forwarding. ASTIS edge sees the same hash + sealed envelope it sees from your own backend — agents do not change the trust model.

Two-scope requirement

Runtime tools require BOTH the data-plane scope (sign, verify, unwrap, fpe) AND a separate mcp:runtime:* scope. You can revoke agent access without revoking your own backend.

Every call audited

Each runtime tool emits a notation-linked audit event with the agent identity, source, and ASTIS audit ID. Full export via /v1/audit per RFC-016.

Honest disclosure

When you grant a runtime scope, plaintext flows from ASTIS to your AI agent and from your agent to its LLM provider. ASTIS edge stays zero-knowledge — but the privacy boundary moves to your agent and its model provider. Each runtime scope must be assigned explicitly in the portal — base scopes (sign / verify / envelopes:unwrap) do not auto-grant agent access.

How it fits together

ASTIS MCP is a thin Cloudflare Worker that brokers between your agent and the existing api-gateway. No new attack surface.

AI agent
Bearer + JSON-RPC
mcp.astis.io
CF Worker — global edge, zero infra
↓ scope check + tool dispatch
api-gateway
existing public API — same scopes, same audit
↓ sealed envelope (RFC-008)
CVS / sKey
crypto + key custody — never sees plaintext

Connect your agent

Three lines of config. Pick your agent.

Claude Code
# .mcp.json (project-scoped)
{
  "mcpServers": {
    "astis": {
      "type": "http",
      "url": "https://mcp.astis.io/v1/mcp",
      "headers": { "Authorization": "Bearer ${ASTIS_API_KEY}" }
    }
  }
}
Cursor / Windsurf / any MCP-compatible client
# ~/.cursor/mcp.json — same JSON shape works for Windsurf, Continue, Cline
{
  "mcpServers": {
    "astis": {
      "type": "http",
      "url": "https://mcp.astis.io/v1/mcp",
      "headers": { "Authorization": "Bearer ${ASTIS_API_KEY}" }
    }
  }
}

Need an API key?

Sign in at portal.astis.io, generate a key with the mcp:use scope for dev-time use. Runtime scopes (mcp:runtime:*) must be enabled separately on the same key — see portal scope descriptions for the disclosure.

Ready to give your agents real crypto?

Connect once, ship faster, never paste a wrong sealed envelope again.

Get an API keyTalk to engineering
PrivacyTermsSecurity