Introduction

Welcome to the MCPTrust documentation.


MCPTrust represents a fundamental shift in how we think about Model Context Protocol (MCP) security. Instead of trying to filter or sandbox execution at runtime—which is complex, slow, and error-prone—MCPTrust moves verification to the supply chain.

View on GitHub • Requires Go 1.23+

The Core Problem

MCP servers are powerful. They can read files, execute commands, and access databases. When you install an MCP server (e.g., via npx or Docker), you are granting it trusted access to your machine or infrastructure.

However, MCP servers are mutable:

  • The underlying code can change (e.g., a new npm version).
  • The tool definitions (schema) can change.
  • The "description" prompts can change, altering how LLMs use them.

This leads to Silent Drift: you tested the server last week, but today it has new, dangerous capabilities that your agent assumes are safe.

The Solution: Lockfiles & Signatures

MCPTrust introduces mcp-lock.json, a machine-readable snapshot of an MCP server's declared capabilities.

  1. Scan a server to see what tools it exposes.
  2. Lock that state into a mcp-lock.json file.
  3. Sign the lockfile, either with an offline Ed25519 key (producing mcp-lock.json.sig) or with Sigstore keyless signing.
  4. Verify the artifacts in CI or production before deploying.

A valid signature gives two guarantees:

  • Integrity: any tampering with the signed lockfile is detected.
  • Authenticity: the lockfile was approved by the holder of the signing key.
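The four steps above and the two guarantees, worked through in Go as an added example; this is not MCPTrust's own code or lockfile format. The Tool and Lockfile structs, the function names, and the sample tool definitions are constructed for illustration, and only the offline Ed25519 path is shown, not Sigstore keyless signing. The point it makes beyond the prose: the snapshot must be canonical (tools sorted, map keys sorted) so that a harmless reordering does not look like drift, while a changed description or an added tool both breaks the signature and is named by the diff.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"sort"
)

// Tool is a reduced view of an MCP tool definition: its name, the description
// prompt the model reads, and the JSON schema of its inputs. This field set is
// an assumption for the example, not MCPTrust's real lockfile format.
type Tool struct {
	Name        string         `json:"name"`
	Description string         `json:"description"`
	InputSchema map[string]any `json:"inputSchema"`
}

// Lockfile stands in for mcp-lock.json: a server identity plus its tools.
type Lockfile struct {
	Server string `json:"server"`
	Tools  []Tool `json:"tools"`
}

// Lock builds a canonical snapshot. Tools are sorted by name and encoding/json
// writes map keys in sorted order, so the same capability set always yields the
// same bytes, and therefore a signature that keeps verifying.
func Lock(server string, tools []Tool) ([]byte, error) {
	sorted := append([]Tool(nil), tools...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Name < sorted[j].Name })
	return json.Marshal(Lockfile{Server: server, Tools: sorted})
}

// Sign produces the detached Ed25519 signature, the role mcp-lock.json.sig plays.
func Sign(priv ed25519.PrivateKey, lock []byte) []byte { return ed25519.Sign(priv, lock) }

// Verify checks integrity (bytes unchanged since signing) and authenticity
// (signed by the holder of the matching private key) in one operation.
func Verify(pub ed25519.PublicKey, lock, sig []byte) bool { return ed25519.Verify(pub, lock, sig) }

// Drift compares a verified lockfile against a fresh scan and reports every
// capability change: tools added or removed, descriptions or schemas edited.
func Drift(locked, current []byte) ([]string, error) {
	var old, cur Lockfile
	if err := json.Unmarshal(locked, &old); err != nil {
		return nil, err
	}
	if err := json.Unmarshal(current, &cur); err != nil {
		return nil, err
	}
	known := map[string]Tool{}
	for _, t := range old.Tools {
		known[t.Name] = t
	}
	var findings []string
	seen := map[string]bool{}
	for _, t := range cur.Tools {
		seen[t.Name] = true
		prev, ok := known[t.Name]
		if !ok {
			findings = append(findings, "added tool: "+t.Name)
			continue
		}
		if prev.Description != t.Description {
			findings = append(findings, "description changed: "+t.Name)
		}
		ps, _ := json.Marshal(prev.InputSchema) // canonical key order, so safe to compare
		cs, _ := json.Marshal(t.InputSchema)
		if string(ps) != string(cs) {
			findings = append(findings, "schema changed: "+t.Name)
		}
	}
	for name := range known {
		if !seen[name] {
			findings = append(findings, "removed tool: "+name)
		}
	}
	sort.Strings(findings)
	return findings, nil
}

// SampleTools is a constructed capability set: what a reviewer approved.
func SampleTools() []Tool {
	pathSchema := map[string]any{"type": "object", "properties": map[string]any{"path": map[string]any{"type": "string"}}}
	return []Tool{
		{Name: "read_file", Description: "Read a file inside the project directory.", InputSchema: pathSchema},
		{Name: "list_dir", Description: "List files in a project directory.", InputSchema: pathSchema},
	}
}

// DriftedTools is a constructed later scan of the same server: one description
// has broadened and a new tool has appeared. This is the Silent Drift case.
func DriftedTools() []Tool {
	t := SampleTools()
	t[0].Description = "Read any file on the host."
	return append(t, Tool{Name: "run_command", Description: "Run a shell command.", InputSchema: map[string]any{"type": "object"}})
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // offline signing key (generated here for the demo)
	if err != nil {
		panic(err)
	}
	lock, _ := Lock("example-fs-server", SampleTools())
	sig := Sign(priv, lock)
	fmt.Println("approved lockfile verifies:", Verify(pub, lock, sig))

	current, _ := Lock("example-fs-server", DriftedTools())
	fmt.Println("old signature over new scan verifies:", Verify(pub, current, sig))
	findings, _ := Drift(lock, current)
	for _, f := range findings {
		fmt.Println("drift:", f)
	}
}
```

In a CI gate the order matters: verify the signature on the committed lockfile first, then diff it against a fresh scan of the server, and fail the build on either a bad signature or any finding. Verifying alone tells you the file is the one the keyholder approved; the diff tells you what the running server now claims that the approved file does not.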

Getting Started

Check out the Quickstart guide to install the CLI and lock your first server in under 3 minutes.

Adoption Pattern

We recommend a progressive adoption strategy:

  1. Local Dev: Developers lock servers and commit mcp-lock.json.
  2. CI Gate: Run mcptrust policy check in CI. This is the most critical gate to prevent unsafe tools from entering your codebase.
  3. Release: Sign the lockfile before deployment.