Name	Name	Last commit message	Last commit date
parent directory ..
README.md	README.md
approval-demo.ts	approval-demo.ts
issue-approval.ts	issue-approval.ts
issue-delegation.ts	issue-delegation.ts
node-crypto.ts	node-crypto.ts
server.ts	server.ts
tsconfig.json	tsconfig.json

`@kya-os/mcp` Example Server

A minimal MCP server demonstrating cryptographic identity, proof generation, and tool protection.

Quick Start

From the repository root (kya-os-mcp/):

# Install dependencies
pnpm install

# Start the server (SSE on port 3001)
npx tsx examples/node-server/server.ts

Then open MCP Inspector and connect:

Transport Type: SSE
URL: http://localhost:3001/sse

Demo Walkthrough

Once connected in the Inspector, go to Tools and try the following:

Call `greet` (open tool with proof)

Call greet with:

{
  "name": "DIF"
}

The response includes:

Tool result: Hello, DIF!
_meta.proof — a detached Ed25519 proof containing:
- jws — compact JWS signature over the canonical payload
- meta.did — agent DID that signed it
- meta.kid — key identifier
- meta.requestHash / meta.responseHash — SHA-256 hashes of the canonical request/response
- meta.sessionId — session binding
- meta.nonce — replay protection
- meta.ts — signature timestamp

Sessions are created automatically — no manual handshake step needed. In production, KYA-OS-aware clients handle the handshake transparently.

Call `restricted_greet` (protected tool)

Call restricted_greet with:

{
  "name": "Agent"
}

The server returns an KYA_NEEDS_AUTHORIZATION error with:

scopeId — the required delegation scope (greeting:restricted)
consentUrl — where the user approves the delegation
architecture — a 5-step explanation of the consent/delegation flow

This demonstrates how protected tools work in production:

Agent calls restricted tool
Server returns KYA_NEEDS_AUTHORIZATION with consent URL
User approves delegation at the consent URL
A Verifiable Credential (delegation) is issued
Agent presents the delegation credential on the next call

Alternative: Stdio Transport

For use with npx @modelcontextprotocol/inspector auto-connect:

npx @modelcontextprotocol/inspector npx tsx examples/node-server/server.ts --stdio

Or run the server directly on stdio:

npx tsx examples/node-server/server.ts --stdio

Verifying Proofs

Copy the proof JSON from the _meta response and verify it:

echo '<proof-json>' | npx tsx examples/verify-proof/verify.ts

Architecture

Client (Inspector)          Server (this example)
      |                            |
      |-- greet ------------------>|  Auto-session created (or reused)
      |                            |  Tool executes
      |                            |  ProofGenerator signs (request, response, session)
      |<-- result + _meta.proof ---|  Detached JWS over canonical payload
      |                            |
      |-- restricted_greet ------->|  Tool protection check
      |<-- NEEDS_AUTHORIZATION ----|  Returns scopeId + consentUrl + architecture
      |                            |

Tools

Tool	Description
`greet`	Returns a greeting with a detached Ed25519 proof via `_meta`
`restricted_greet`	Protected tool — returns `KYA_NEEDS_AUTHORIZATION` with delegation instructions

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

README.md

`@kya-os/mcp` Example Server

Quick Start

Demo Walkthrough

Call `greet` (open tool with proof)

Call `restricted_greet` (protected tool)

Alternative: Stdio Transport

Verifying Proofs

Architecture

Tools

FilesExpand file tree

node-server

Directory actions

More options

Directory actions

More options

Latest commit

History

node-server

Folders and files

parent directory

README.md

@kya-os/mcp Example Server

Quick Start

Demo Walkthrough

Call greet (open tool with proof)

Call restricted_greet (protected tool)

Alternative: Stdio Transport

Verifying Proofs

Architecture

Tools

`@kya-os/mcp` Example Server

Call `greet` (open tool with proof)

Call `restricted_greet` (protected tool)