EMILIA Protocol MCP Server
officialRequire a named human's offline-verifiable approval before an AI agent takes an irreversible action — payment release, record change, deploy. Two-person rule, Ed25519 Trust Receipts, IETF-drafted, Apache-2.0.
Documentation
EMILIA Protocol
The engine without brakes
For fifty years, software security answered one question: who is allowed in? Firewalls, OAuth, and passwords — all built to verify a human identity at the door.
That era is ending. The dominant users of software are no longer humans; they're autonomous AI agents. Agents don't just log in — they write code, call tools, and change reality on the fly. Every CISO knows a single bad prompt can make an agent wipe a production database or wire money to the wrong account. So they're blocking deployment — sitting on billions in AI budget they can't spend because their compliance teams can't answer one question:
Who approved that action?
The crisis of our generation isn't authentication. It's authorization at the moment of action: how do you prove that what an agent is about to do is exactly what a named human authorized — before it executes?
EMILIA is the seatbelt for the agentic era.
Decision logs are testimony. EMILIA produces receipts.
Try it in 30 seconds
# Issue a receipt offline — no API key, no backend needed
npx @emilia-protocol/issue demo
# Add EMILIA to Claude / Cursor / Cline
npx -y @emilia-protocol/mcp-server
Try a real Face ID signoff → Approve an $82,000 wire with your own passkey. See what VERIFIED looks like. Forge the receipt. See it fail.
Verify any receipt in your browser — paste it in, nothing is uploaded.
How it works — four acts
Run it yourself:
node examples/crash-test.mjs— fully offline, no API key.
[ INTENT ] [ DECISION ] [ CEREMONY ] [ RECEIPT ]
Agent calls a Policy-bound, hash- Named human signs Signed, offline-
tool via MCP → pinned: allow / → the EXACT action → verifiable proof.
allow-with-signoff / on their own Tamper it:
deny (+observe device (passkey). fails by design.
mode: zero change What they saw =
to production) what they signed.
Act I — Interception (MCP-native). No rewrites. EMILIA hooks the tool call at the Model Context Protocol boundary — the moment an agent tries to delete a file or move capital, the action is caught mid-air.
Act II — Decision (policy-bound, deterministic). The action is checked against a hash-pinned policy: allow, allow-with-signoff, or deny. Plus an observe mode that changes nothing in production and reports what would have been held. Deterministic, auditable — not a black-box risk score.
Act III — The ceremony (device-bound human signoff). When policy requires a human, EMILIA runs a WebAuthn / passkey signoff bound to the exact action — Face ID / Touch ID on the operator's own device. What the human saw is what they signed. No script can forge it; no autonomous loop can skip it.
Act IV — The receipt (the evidence). The result is a signed authorization receipt that anyone can verify offline, with open-source code, no backend, no vendor trust. Tamper it and verification fails by construction. Optionally anchor it for public timestamping — the core needs no blockchain.
Why developers use it
You want agents that actually do things — but you're paralyzed by runaway loops, API over-spend, and accidental data destruction. EMILIA gives you a plug-and-play MCP server + a thin SDK wrapper. Apply a policy hash, and irreversible tool calls gain a cryptographically hardened, NIST-AI-RMF-mapped approval-and-evidence layer — without building approval workflows or audit infrastructure from scratch.
# langchain-emilia — wrap any LangChain tool with an EP gate
from langchain_emilia import EmiliaGateClient
gate = EmiliaGateClient(base_url="https://www.emiliaprotocol.ai", api_key="...")
safe_tool = gate.wrap(your_destructive_tool)
pip install langchain-emilia # PyPI
npm install @emilia-protocol/verify # npm
Your agent can't outrun its leash.
Why enterprises need it
Every platform shift mints a new security primitive: the web got SSL, the cloud got Okta / IAM, the agent economy needs action-level trust. Enterprises are sitting on AI budgets that compliance won't let them spend — EMILIA is the key that unlocks them, by turning unpredictable agents into audit-ready infrastructure that maps primitive-by-primitive to NIST AI RMF, EU AI Act, and SOC 2 CC6/7 controls.
The managed layer (GovGuard / FinGuard) extends the open standard with sector-specific policy packs, observe-mode pilots, and audit-ready evidence packages — with no procurement required to start.
The standard
EMILIA is an open standard, not a product moat. The core is Apache-2.0 and tracked as an IETF Internet-Draft.
| IETF Internet-Drafts | Posted: authorization-receipts · quorum. Staged in standards/: authorization-evidence-chain (EP-AEC, composition) · evidence-record (EP-EVIDENCE-RECORD, long-term retention). Field map: landscape survey. |
| Cross-language verifiers | JavaScript · Python · Go — all three proven to agree on adversarial conformance vectors, every push (npm run conformance). That is the IETF bar for a real standard: multiple independent interoperable implementations. |
| Formal verification | 26 TLA+ safety properties (0 errors) · 35 Alloy facts, 22 assertions — both run in CI |
| MCP registries | Official MCP registry · Glama (Grade A, Official badge) · Smithery |
| License | Apache-2.0 |
Three independent implementations proven to agree — see CONFORMANCE.md, or verify a receipt yourself at emiliaprotocol.ai/verify.
The EP stack
Eye observes. Handshake verifies. Signoff owns. Commit seals.
| Layer | What it does |
|---|---|
| EP Eye | Observes and classifies agent behavior (OBSERVE → SHADOW → ENFORCE) |
| EP Handshake | Cryptographic consent ceremony with 7-property binding |
| EP Signoff | Named human ownership — WebAuthn / passkey Class A, device-bound; multi-party quorum (M-of-N / ordered — the two-person rule) for the highest-stakes actions |
| EP Commit | Atomic, immutable action close with Merkle-chained receipts |
Proof points
| Metric | Value |
|---|---|
| Automated tests | 3,672+ across 142 files |
| TLA+ safety properties | 26 verified (T1–T26), 0 errors — see PROOF_STATUS.md |
| Alloy relational assertions | 35 facts + 22 assertions across two models — verified in CI |
| Red-team cases cataloged | 85 — RED_TEAM_CASES.md |
| Security findings remediated | 31 |
| Conformance (7/7) | node conformance/ep-conformance-test.js https://www.emiliaprotocol.ai |
| Cross-language conformance | 8 suites — receipts · device signoffs · multi-party quorum · revocation · time-attestation · trust-receipt · provenance · evidence-record — JS / Python / Go verifiers agree (node conformance/run.mjs) |
| Handshake create p95 | 575ms at 50 VUs — PERFORMANCE_PROOF.md |
EP Core objects
EP standardizes three interoperable objects that any conforming implementation can produce and verify:
| Object | What it is |
|---|---|
| Trust Receipt | A portable, signed record of an authorization event — what happened |
| Trust Profile | A standardized summary of observable trust state — what is known |
| Trust Decision | A policy-evaluated result with reasons and appeal path — what to do now |
EP Extensions (Handshake, Signoff, Commit, Delegation) add stronger enforcement where systems must constrain execution. The product layers (GovGuard / FinGuard) are built on top — not the protocol itself.
Quickstart in five calls
- Create policy
- Initiate handshake
- Present evidence
- Verify
- Signoff and consume
90-second demo · Quickstart · Agent walkthrough · IETF Draft · Discord
What EP is — and is not
EP is authorization at the moment of action, not an identity system, not a wallet, not a reputation score.
- Is: a trust standard for binding actor identity, authority, policy, and exact action context before execution
- Is not: a replacement for OAuth / OIDC (those answer who are you — EP answers who approved this exact action)
- Is not: a proprietary product (the core is Apache-2.0 and IETF-tracked)
- Is not: a blockchain (the receipt is the hero; optional public timestamping is a footnote)
See CONFORMANCE.md · SECURITY.md · THREAT_MODEL.md · GOVERNANCE.md