AffixIOAFFIXIO
Contact

At a glance

Product
Proof by AffixIO MCP server
Endpoint
affix-io.com/mcp with OAuth 2.0 PKCE
Tools
prove, verify, merkle, qr_mint
Clients
Claude Desktop, Cursor, MCP-compatible hosts
Attestation
PQC ML-DSA on supported paths
Field report
WP-040 MCP connector walkthrough

The gap

Agents cannot verify what they cannot call

Claude, Cursor, and custom agent runtimes expose tools through MCP. Verification APIs that live only in OpenAPI docs never reach the agent's tool list.

Without native prove and verify tools, agents guess eligibility from context or skip the gate entirely.

The AffixIO MCP connector puts cryptographic YES and NO at the agent boundary, with the same circuits as production.

4
Core MCP tools: prove, verify, merkle, and qr_mint. Same semantics as the REST API.
PKCE
OAuth 2.0 PKCE auth flow. No long-lived API keys in client config files.
/mcp
Single endpoint for Claude Desktop, Cursor, and any MCP-compatible runtime.

Architecture

Raw API vs MCP connector

REST-only integration
  • Agent never discovers verify endpoints
  • Custom tool wrappers per client
  • API keys stored in agent config
  • Schema drift between docs and tools
  • No standard auth flow for desktop clients
AffixIO MCP server
  • Native tools in Claude and Cursor
  • OAuth PKCE, no static secrets
  • Typed tool schemas auto-discovered
  • Same circuits as sandbox and production
  • Merkle and QR tools included
Connect and verify
# Cursor / Claude Desktop MCP config { "mcpServers": { "affixio": { "url": "https://www.affix-io.com/mcp" } } } # After OAuth PKCE completes, call verify via MCP curl -X POST https://api.affix-io.com/v1/circuit/verify \ -H "Authorization: Bearer $TOKEN" \ -d '{"circuit_id":"age_18","proof":"..."}' → {"decision":"YES","merkle":{"proof_id":"a3f8..."}}

MCP tools

What the connector exposes

prove

Generate a cryptographic proof from witness inputs and circuit ID.

affixio.prove

verify

Check a proof at the boundary. Returns signed YES or NO.

affixio.verify

merkle

Verify audit inclusion for a proof digest in the Merkle tree.

affixio.merkle

qr_mint

Mint a scannable QR ticket proof for offline gate verification.

affixio.qr_mint

Capabilities

What agents can enforce

Auth

OAuth PKCE

Standard desktop auth flow. Tokens scoped to your organisation.

Circuits

Full catalogue

Age, ticket, payment, and agent authorisation circuits available as MCP tools.

Audit

Merkle inclusion

Every verify call can append to the audit tree via the merkle tool.

Schema

Typed inputs

MCP tool schemas match REST API parameters. No guesswork for the agent.

Updates

Version tracking

Connector schema changes published on the updates page.

Clients

Multi-runtime

Works in Claude Desktop, Cursor, and custom MCP hosts.

Integration

Four steps to a connected agent

01

Add MCP server

Point your client at affix-io.com/mcp in MCP config.

02

Complete OAuth

Run the PKCE flow. Token stored by the MCP client, not in plaintext config.

03

Call prove

Agent generates proof from witness inputs via the prove tool.

04

Gate with verify

Agent calls verify before acting. YES proceeds, NO stops.

Where it applies

MCP verification scenarios

Cursor coding agents

Verify policy before deploying, exporting secrets, or modifying production config.

Claude Desktop

Authorise tool calls with signed eligibility proofs at the MCP boundary.

Agentic payments

Prove transfer authorisation before an agent initiates a payment.

Data export gates

Verify policy allows export before the agent reads sensitive records.

Ticket workflows

Mint and verify QR proofs from within an agent conversation.

Custom runtimes

Any MCP host can call the same prove and verify tools.

MCP as a verification boundary for AI clients

Model Context Protocol connects AI assistants to tools. Without a verification layer, any prompt that reaches an MCP server can trigger real-world effects: payments, ticket minting, data export. Proof by AffixIO exposes prove, verify, Merkle audit, and QR mint as MCP tools with OAuth 2.0 PKCE for Claude, Cursor, and compatible clients.

This is not a chat logging product. Each tool call can be gated by AffixIO verification infrastructure before execution, producing signed evidence suitable for security and compliance review.

Deployment path

  1. Read MCP connect guide and release notes.
  2. Register OAuth client and test in sandbox-shaped endpoints.
  3. Scope which MCP tools require KYA gates in your runtime.
  4. Export Merkle proofs for audit samples before production traffic.

Related: agent authorisation, AI agents FAQ, shadow AI guide. Reviewed 12 July 2026.

Frequently asked questions

What is the AffixIO MCP connector?

Proof by AffixIO is an MCP server at affix-io.com/mcp. It exposes prove, verify, Merkle, and QR mint tools via OAuth 2.0 PKCE.

How do I connect Cursor or Claude?

Add the MCP server URL to your client config, complete OAuth PKCE, and the tools appear in your agent tool list. See the MCP connect guide.

Which MCP tools are available?

prove, verify, merkle, and qr_mint. Same semantics as the REST API.

Is the MCP connector production-ready?

Yes. It runs on the same infrastructure as sandbox and production. Updates are on the connector updates page.

Connect your first MCP client

Add Proof by AffixIO to Claude or Cursor in five minutes. Full walkthrough in the connect guide.