Human-in-the-loop consent flow for @kya-os/mcp. An AI agent calls a protected tool, the human approves via a consent page, and the agent retries with a signed delegation credential.
Agent calls checkout → needs_authorization → Human approves → Agent retries with VC → Tool executes
```bash
# 1. Generate a persistent identity (optional — ephemeral if skipped)
npm run generate-identity

# 2. Start the server (MCP + consent server, shared identity)
npm start

# 3. Connect via MCP Inspector
npx @modelcontextprotocol/inspector
# → Connect to http://localhost:3002/sse
```

| File | Purpose |
|---|---|
| `src/server.ts` | MCP server with `browse` (public) and `checkout` (protected) tools |
| `src/consent-server.ts` | HTTP consent page + VC issuance endpoint |
| `src/delegation-issuer.ts` | Shared factory for creating a `DelegationCredentialIssuer` from identity config |
| `scripts/generate-identity.ts` | Persist a DID to `.kya-os/identity.json` so it survives restarts |
| `public/consent.html` | Consent UI served during the authorization flow |
- Call `browse` with `{ "category": "electronics" }` — works immediately, proof attached
- Call `checkout` with `{ "item": "laptop" }` — returns `needs_authorization` with a consent link
- Open the consent URL in your browser and click Approve
- Retry `checkout` with the same arguments — the delegation is applied automatically
- Order confirmed — proof attached to response
| Section | What's demonstrated |
|---|---|
| §4 Delegation | W3C VC issuance, scope constraints, expiry |
| §5 Proof | Detached JWS proof on every tool response |
| §6 Authorization | needs_authorization → consent → delegation verification |
This example generates ephemeral keys by default. To persist across restarts:
```bash
npm run generate-identity
```

This writes a `did:key` identity to `.kya-os/identity.json`. The server loads it automatically on startup.
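
The gate behind the `checkout` walkthrough above, modelled as an added example; it is not code from @kya-os/mcp. The `Delegation` shape, `issueDelegation`, `authorize`, the agent binding and the Ed25519 signature over a JSON array are assumptions standing in for the W3C VC and its proof.

```typescript
// Added example: simplified model of the consent gate, NOT the @kya-os/mcp API.
import { generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";

// Hypothetical, simplified delegation; a real one is a W3C VC with a proof block.
interface Delegation { agent: string; scopes: string[]; expiresAt: number; sig: string }
type Decision = { status: "ok" } | { status: "needs_authorization"; reason: string };

// Ephemeral Ed25519 issuer key, standing in for the server identity.
const issuer = generateKeyPairSync("ed25519");

// Bytes covered by the signature: every field the gate later relies on.
const signingInput = (d: Omit<Delegation, "sig">): Buffer =>
  Buffer.from(JSON.stringify([d.agent, d.scopes, d.expiresAt]));

// What the consent server does after the human clicks Approve.
function issueDelegation(agent: string, scopes: string[], ttlMs: number, now: number): Delegation {
  const body = { agent, scopes, expiresAt: now + ttlMs };
  return { ...body, sig: sign(null, signingInput(body), issuer.privateKey).toString("base64url") };
}

// What the protected tool does on every call, including the retry.
function authorize(tool: string, agent: string, d: Delegation | undefined, now: number,
                   issuerKey: KeyObject = issuer.publicKey): Decision {
  const deny = (reason: string): Decision => ({ status: "needs_authorization", reason });
  if (!d) return deny("no delegation");
  // Verify first: unsigned fields must never drive a decision.
  if (!verify(null, signingInput(d), issuerKey, Buffer.from(d.sig, "base64url")))
    return deny("bad signature");
  // Assumption: a delegation is bound to a single agent id.
  if (d.agent !== agent) return deny("issued to another agent");
  if (now >= d.expiresAt) return deny("expired");
  if (!d.scopes.includes(tool)) return deny("scope does not cover " + tool);
  return { status: "ok" };
}

// Constructed walkthrough: first call, human approval, retry.
const now = Date.now();
console.log(authorize("checkout", "agent-1", undefined, now));
const granted = issueDelegation("agent-1", ["checkout"], 5 * 60000, now);
console.log(authorize("checkout", "agent-1", granted, now));
```

Editing `scopes` or `expiresAt` on an issued delegation fails the signature check before either field is read, which is why the signature is verified first.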