MCP tool calls have no message integrity or agent identity verification

[razashariff]

As MCP tool integration grows in the Copilot SDK, there's a gap around message integrity that's worth flagging.

Currently, tool call arguments and responses between the SDK and MCP servers travel unsigned. Any intermediary (proxy, gateway, load balancer) that terminates TLS can modify them without detection. There's also no mechanism to verify which agent initiated a tool call, or to detect if a tool definition has changed between discovery and execution.

Specific gaps:

• No per-message signing on tool calls or responses
• No replay protection (captured tool calls can be re-sent)
• No tool definition integrity check between sessions
• No agent identity verification beyond OAuth bearer tokens

This is becoming a broader industry concern -- Trend Micro found 492 MCP servers exposed with zero auth, and 30 CVEs were filed in 60 days across the MCP ecosystem earlier this year.

The OWASP MCP Security Cheat Sheet Section 7 covers the signing approach, and the IETF draft-sharif-mcps-secure-mcp defines the protocol.

Happy to discuss further if useful.

[0xbrainkid]

Strong +1 on this. The per-message signing gap is exactly what multiple RSAC 2026 sessions highlighted this week.

Some additional data points:

• 66% of 1,808 MCP servers scanned have at least one security finding (AgentSeal)
• 38% of 500+ public MCP servers have NO authentication (Unit 42 + Adversa.ai)
• CVE-2025-6514 (mcp-remote, CVSS 9.6) affected 437K+ downloads
• Anthropic's own Inspector had unauthenticated RCE (CVE-2025-49596)
• The default trust model across MCP clients is 'approve-once-trust-forever'

The agent identity verification gap goes beyond OAuth bearer tokens. When Agent A calls a tool on MCP Server B, there's no way for Server B to verify Agent A's identity, reputation, or behavioral history — just whether it has a valid token.

For Copilot SDK specifically, this matters because it's one of the largest MCP client deployments. A pluggable identity verification hook in the tool call path would let services query external trust providers before authorizing actions.

We've been working on verifiable agent identity at AgentFolio — on-chain trust scores via SATP that could serve as one such external verification layer alongside the IETF draft-sharif approach you referenced.