GateSolutionsAssuranceProtocolProofDocsPricingRequest pilot
Model Context Protocol

A human signed yes before your agent acts.

EMILIA is the trust & accountability layer for AI agents, delivered as an MCP server. Verify receipts and passkey signoffs, and — the flagship — require a named human sign-off before an agent does anything irreversible. Formally verified. Apache-2.0.

Watch an agent get stopped →How it works
EMILIA MCP demo: an AI agent is blocked from releasing $50,000 until a named human signs off, then the payment proceeds with a verifiable receipt.
✓ RR-1 EnforcedReceipt Required conformance — verified in CI, not asserted.
Missing receipt 428 Receipt Required
Valid receipt action runs
Same receipt replay refused
Forged receipt refused
Conformance spec →10-minute guide →CI test →

Run the RR-1 gallery locally: FAST=1 node examples/mcp/payment-server.mjs

No receipt, no irreversible action.

Three tiny MCP servers, each with one dangerous tool that refuses to run without a receipt. Run any of them cold — fully offline, no key, no account. Each reads the public Action Risk Manifest and shows the whole loop: 428 refused → a named human signs the exact action → the tool runs → replay refused → forged receipt rejected.

node examples/mcp/payment-server.mjs    # release_payment   — refuses without a receipt
node examples/mcp/github-admin.mjs      # delete_repo       — refuses without a receipt
node examples/mcp/prod-deploy.mjs       # deploy_production — refuses without a receipt
node examples/mcp/supabase-admin.mjs    # run_destructive_sql — refuses without a receipt
node examples/mcp/linear-export.mjs     # export_customer_data — refuses without a receipt

Wrap your own dispatcher with withMcpGuard or a manifest-driven 428 gate — missing receipt → refused, never a silent pass.

Install

One line in any MCP client.

Works in Claude Desktop, Cursor, Cline, Continue, or your own loop. Public read tools need no key; set EP_API_KEY for write operations.

// Claude Desktop / any MCP client — add to your config:
{
  "mcpServers": {
    "emilia": {
      "command": "npx",
      "args": ["-y", "@emilia-protocol/mcp-server"]
    }
  }
}
The flagship: human sign-off

Most MCP servers connect data. This one makes an agent accountable.

01
Agent attempts an irreversible action
release a payment, change a record, deploy
02
EMILIA holds it
428 Receipt Required / signoff_required - the agent cannot proceed alone
03
A named human approves
the signed "yes", bound to the exact action
04
Action proceeds + a receipt is minted
offline-verifiable proof, forever

Reference server + client harness in the repo (mcp-server/passport-demo.mjs); demand side via @emilia-protocol/require-receipt and @emilia-protocol/mcp-guard add Receipt Required to an MCP server →

What you get today
ep_verify_receipt

Verify any EMILIA authorization receipt offline — signature + Merkle anchor.

ep_verify_signoff

Verify WebAuthn/passkey signoff assertions bound to the exact action.

Public connector tools are verification-only. Rich trust profiles, disputes, delegation, identity continuity, and write APIs require an authenticated EP API key.

Works with your stack
MCP client
npx -y @emilia-protocol/mcp-server
LangChain.js
withGuard() · @emilia-protocol/langchain
CrewAI / AutoGen
guard() decorator · examples/
Any Node service
@emilia-protocol/require-receipt -> 428
MCP tool guard
@emilia-protocol/mcp-guard → signoff + receipt
Verify in JS
@emilia-protocol/verify
Verify in Python
pip install emilia-verify

Authorization receipts verify offline in JavaScript and Python — minted anywhere, checked anywhere. See the 5-minute quickstart.

Find us
Official MCP RegistryGlamaSmitherymcp.soPulseMCPawesome-mcp-servers
Source →Agent Guard
FAQ

What does the EMILIA MCP server do?

It adds a trust and accountability layer to AI agents over the Model Context Protocol: agents can verify authorization receipts and passkey signoffs, and — the flagship — require a named human to sign off before any irreversible action (releasing a payment, changing a record, deploying). Rich trust-profile and policy-evaluation APIs require an authenticated EP API key.

How do I install it?

Add it to any MCP client (Claude Desktop, Cursor, Cline, Continue) in one line: command "npx" with args ["-y", "@emilia-protocol/mcp-server"]. Public verification tools need no key; set EP_API_KEY for rich trust APIs or write operations.

How is this different from permissions or OAuth?

Permissions gate access locally and leave no portable proof. EMILIA mints a signed, offline-verifiable authorization receipt bound to the exact action and the named human who approved it — a credential a counterparty can verify without calling home.

Is it open source?

Yes — Apache-2.0, and the policy engine is formally verified (26 TLA+ theorems in CI).

FURTHER READING

MCP Authorization Best Practices in 2026 — why scope-level OAuth stops short for tools that move money or trigger irreversible state, and what the next authorization layer adds.

EMILIA MCP — Human Sign-off for AI Agent Actions | EMILIA