Getting Started
Secure your first MCP server in under 3 minutes
This guide will walk you through installing the CLI, scanning a local server, and creating your first signature.
Prerequisites
- Go 1.23+ installed (for building from source), or a downloaded precompiled binary
- An MCP server to test with (e.g., npx @modelcontextprotocol/server-filesystem)
1. Install the CLI
go install github.com/mcptrust/mcptrust/cmd/mcptrust@latest
Verify installation:
mcptrust --version
2. Generate Keys
Create an Ed25519 keypair. This is your "Authority" identity.
mcptrust keygen
# Created private.key (KEEP SECRET!)
# Created public.key (Share with verifiers)
[!WARNING] Never commit private.key to git! Add it to your .gitignore immediately.
3. Lock a Server
Let's lock the filesystem server. Run:
mcptrust lock -- "npx -y @modelcontextprotocol/server-filesystem /tmp"
This will:
- Start the server.
- Query its capabilities.
- Write mcp-lock.json to your current directory.
4. Approve (Sign)
Sign the lockfile to approve this state.
mcptrust sign
# Created mcp-lock.json.sig
5. Verify
Now, anyone with public.key can verify that the lockfile is trusted and hasn't changed.
mcptrust verify
# ✅ Signature Verified
Next Steps
- Learn about Core Concepts like Capability Identity.
- Set up Drift Detection in CI.
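
What steps 2 to 5 guarantee, as an added Go example (not mcptrust's own code): a detached Ed25519 signature over the lockfile bytes stops verifying as soon as a capability is added or a different authority's key is used. The lockfile contents and the names signLockfile, verifyLockfile and demo are constructed for illustration; mcptrust's actual key, signature and lockfile formats are not shown on this page and may differ.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// signLockfile returns a detached Ed25519 signature over the exact lockfile bytes.
func signLockfile(priv ed25519.PrivateKey, lockfile []byte) []byte {
	return ed25519.Sign(priv, lockfile)
}

// verifyLockfile reports whether sig is a valid signature over lockfile for pub.
// Wrong-sized keys or signatures are rejected (ed25519.Verify panics on a bad key size).
func verifyLockfile(pub ed25519.PublicKey, lockfile, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, lockfile, sig)
}

// demo signs an approved lockfile, then verifies three cases: the untouched
// file, a file with one extra tool, and the untouched file under another key.
func demo() (bool, bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	// Constructed sample content; an assumption, not the real mcp-lock.json schema.
	approved := []byte(`{"server":"example-fs","tools":["read_file","list_directory"]}`)
	drifted := []byte(`{"server":"example-fs","tools":["read_file","list_directory","write_file"]}`)
	sig := signLockfile(priv, approved)
	return verifyLockfile(pub, approved, sig),
		verifyLockfile(pub, drifted, sig),
		verifyLockfile(otherPub, approved, sig), nil
}

func main() {
	orig, drifted, wrongKey, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("approved=%v drifted=%v wrong-key=%v\n", orig, drifted, wrongKey)
}
```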