EMILIA is the trust & accountability layer for AI agents, delivered as an MCP server. Verify receipts and passkey signoffs, and — the flagship — require a named human sign-off before an agent does anything irreversible. Formally verified. Apache-2.0.

Run the RR-1 gallery locally: FAST=1 node examples/mcp/payment-server.mjs
Three tiny MCP servers, each with one dangerous tool that refuses to run without a receipt. Run any of them cold — fully offline, no key, no account. Each reads the public Action Risk Manifest and shows the whole loop: 428 refused → a named human signs the exact action → the tool runs → replay refused → forged receipt rejected.
node examples/mcp/payment-server.mjs # release_payment — refuses without a receipt node examples/mcp/github-admin.mjs # delete_repo — refuses without a receipt node examples/mcp/prod-deploy.mjs # deploy_production — refuses without a receipt node examples/mcp/supabase-admin.mjs # run_destructive_sql — refuses without a receipt node examples/mcp/linear-export.mjs # export_customer_data — refuses without a receipt
Wrap your own dispatcher with withMcpGuard or a manifest-driven 428 gate — missing receipt → refused, never a silent pass.
Works in Claude Desktop, Cursor, Cline, Continue, or your own loop. Public read tools need no key; set EP_API_KEY for write operations.
// Claude Desktop / any MCP client — add to your config:
{
"mcpServers": {
"emilia": {
"command": "npx",
"args": ["-y", "@emilia-protocol/mcp-server"]
}
}
}Reference server + client harness in the repo (mcp-server/passport-demo.mjs); demand side via @emilia-protocol/require-receipt and @emilia-protocol/mcp-guard — add Receipt Required to an MCP server →
ep_verify_receiptVerify any EMILIA authorization receipt offline — signature + Merkle anchor.
ep_verify_signoffVerify WebAuthn/passkey signoff assertions bound to the exact action.
Public connector tools are verification-only. Rich trust profiles, disputes, delegation, identity continuity, and write APIs require an authenticated EP API key.
npx -y @emilia-protocol/mcp-serverwithGuard() · @emilia-protocol/langchainguard() decorator · examples/@emilia-protocol/require-receipt -> 428@emilia-protocol/mcp-guard → signoff + receipt@emilia-protocol/verifypip install emilia-verifyAuthorization receipts verify offline in JavaScript and Python — minted anywhere, checked anywhere. See the 5-minute quickstart.
It adds a trust and accountability layer to AI agents over the Model Context Protocol: agents can verify authorization receipts and passkey signoffs, and — the flagship — require a named human to sign off before any irreversible action (releasing a payment, changing a record, deploying). Rich trust-profile and policy-evaluation APIs require an authenticated EP API key.
Add it to any MCP client (Claude Desktop, Cursor, Cline, Continue) in one line: command "npx" with args ["-y", "@emilia-protocol/mcp-server"]. Public verification tools need no key; set EP_API_KEY for rich trust APIs or write operations.
Permissions gate access locally and leave no portable proof. EMILIA mints a signed, offline-verifiable authorization receipt bound to the exact action and the named human who approved it — a credential a counterparty can verify without calling home.
Yes — Apache-2.0, and the policy engine is formally verified (26 TLA+ theorems in CI).
MCP Authorization Best Practices in 2026 — why scope-level OAuth stops short for tools that move money or trigger irreversible state, and what the next authorization layer adds.