Sovereign MCP Gateway Back to Platform →
MCP Gateway Operational

Governance-Gated
Agent
Tools.

A Model Context Protocol server where every tool invocation passes through deterministic governance. 16 tools. Ed25519 commitment signing. Merkle-anchored audit trail.

AI agents connect via SSE transport and invoke tools for mail, file storage, VPN tunnels, and governance operations. Every action is pre-authorized through a five-gate evaluation, cryptographically committed, and anchored in the AGTS transparency log — before execution begins.

Connect an Agent See How It Works
Not an API — a governed protocol SSE + JSON-RPC 2.0 Works with Claude, GPT-4, any MCP client
Initialize Scroll
MCP Tools 0
Governance Gates 0
Signing Algorithm Ed25519
Unsupervised Actions ZERO

The Stakes

AI agents act on your behalf.
Who governs the actions?

When an AI agent sends an email, uploads a file, or creates a VPN tunnel, where is the audit trail? Current tool-calling infrastructure treats governance as an afterthought — log the call, hope for the best. The EU AI Act demands accountability for autonomous systems. MCP provides the transport. AGTS provides the governance.

Pre-Authorization

Every tool call passes five gates before execution.

The agent submits governance evidence — intent, action, value, recipient, context. The five-gate evaluator checks jurisdiction, compliance, rate limits, risk, and structural validity. Only an ADMIT verdict allows the tool to execute. DENY or REVIEW stops the action before any side-effect occurs.

Cryptographic Commitments

Every authorization is Ed25519-signed.

When governance ADMITs an action, the gateway produces a commitment: a canonical JSON envelope signed with Ed25519, hashed with SHA-256, and stored in KV. The commitment hash is the authorization token for the downstream tool. No valid commitment, no execution.

Merkle Anchoring

Every commitment anchored in the transparency log.

Governance envelopes are submitted as Merkle leaves to the AGTS transparency log. Inclusion proofs are available for any commitment. The signed tree head provides a tamper-evident root. Auditors can independently verify every agent action ever authorized.

Execution Reporting

Close the loop: executed, failed, or deviated.

After the tool runs, the agent reports execution outcome back to the gateway. The execution report links to the original authorization via commitment hash. Deviations between authorized and actual behavior are cryptographically recorded. The loop is closed — authorization and execution are bound.

01 — The Difference

Tool Calling vs.
Governed Tool Calling.

Standard MCP servers expose tools. Sovereign MCP governs them — cryptographic pre-authorization, signed commitments, Merkle-anchored audit, and execution accountability.

Standard MCP Server Sovereign MCP Gateway
Authorization API key or OAuth token. Authorization is binary: you have access or you don't. No per-invocation governance. Five-gate deterministic evaluation per tool call. Jurisdiction, compliance, rate-limit, risk, and structural gates. Each invocation individually authorized with a signed commitment.
Audit trail Application-level logging. Mutable. Stored in the provider's database. No cryptographic integrity guarantees. Ed25519-signed governance envelopes anchored as Merkle leaves in a transparency log. Tamper-evident. Independently verifiable via inclusion proofs and signed tree heads.
Execution link No formal link between "what was authorized" and "what was executed." Drift between intent and action is invisible. Execution reports cryptographically bound to their authorization commitment. Deviations (executed, failed, deviated) are recorded and auditable. The authorization-execution loop is closed.
Tool binding Tools are standalone endpoints. No mechanism to bind an authorization to a specific tool invocation. Optional tool_binding field restricts a commitment to a named tool. A commitment for send_sovereign_mail cannot authorize delete_file.
Transport SSE or stdio. JSON-RPC 2.0 messages. Standard MCP specification. Same SSE transport, same JSON-RPC 2.0 — fully MCP-compatible. Any client that speaks MCP (Claude Desktop, Cursor, custom agents) connects without modification.

02 — Governance Lifecycle

Four Steps.
Four Proofs.

Every governed tool invocation follows a cryptographic lifecycle. Each step produces a verifiable artifact anchored in the transparency log.

MCP Governance Lifecycle Pipeline 01 SUBMIT Agent sends governance evidence. Intent, action, value, recipient. 02 GATE Five-gate evaluation runs. ADMIT, DENY, or REVIEW. 03 EXECUTE Tool runs with commitment. Commitment hash is the auth token. 04 REPORT Execution outcome recorded. Loop closed: auth → execution. Every phase produces a verifiable artifact: governance envelope, signed commitment, execution result, and execution report — all Merkle-anchored.

03 — Connect Your Agent

Three Steps.
Any MCP Client.

Claude Desktop, Cursor, or any agent that speaks MCP — point it at the gateway endpoint and start invoking governed tools. No SDK to install. No custom integration code.

Step 1 — Configure

Add the gateway to your MCP client.

Add the AGTS MCP server to your client configuration. The gateway URL and your auth token are all that's needed.

{
  "mcpServers": {
    "agts": {
      "url": "https://agts-mcp.obligationsign.com/mcp/sse",
      "headers": {
        "Authorization": "Bearer YOUR_TOKEN"
      }
    }
  }
}
Step 2 — Govern

Submit governance before acting.

Your agent calls submit_governance with intent and evidence. The five-gate evaluator returns ADMIT with a signed commitment hash — or DENY/REVIEW.

tools/call: submit_governance
{
  "subject_id": "task-42",
  "evidence": {
    "intent": "send quarterly report",
    "action": "send_sovereign_mail",
    "recipient": "cfo@acme.com"
  },
  "tool_binding": "send_sovereign_mail"
}
Step 3 — Execute

Call the tool with the commitment.

Pass the commitment hash to the downstream tool. The gateway verifies the commitment is valid and the tool binding matches, then executes. Or skip step 2 — tools auto-submit governance internally.

tools/call: send_sovereign_mail
{
  "commitment_hash": "a1b2c3...",
  "from": "agent@acme.com",
  "to": "cfo@acme.com",
  "subject": "Q1 Report",
  "body": "Attached is the report."
}
Endpoint Reference

GET /mcp/sse — SSE event stream (tool results, notifications)

POST /mcp/messages — JSON-RPC 2.0 tool calls (tools/call, tools/list)

GET /health — Gateway health check

GET /verify?commitment={hash} — Public commitment verification (no auth)

Authentication

Bearer token — pass your API token in the Authorization header

Verification — commitment verification at /verify requires no authentication

Get startedcreate an account to receive your gateway credentials

The gateway is fully MCP-compatible. If your client supports the MCP specification, it connects without any custom code, plugins, or adapters. Claude Desktop, Cursor, and programmatic agents using the MCP SDK all work out of the box.

04 — 16 Tools

Four Domains.
Sixteen Governed Tools.

Every tool is available via MCP's standard tools/call method. Every tool that mutates state requires a governance commitment — either explicit (agent calls submit_governance first) or implicit (auto-submitted internally).

Governance Core — 3 Tools
submit_governance

Submit evidence for five-gate evaluation. Returns ADMIT with a signed commitment hash, or DENY/REVIEW with gate failure details. The commitment hash authorizes downstream tool execution.

verify_commitment

Verify any commitment by hash or leaf hash. Returns the full governance envelope, gate results, Ed25519 signature, and Merkle inclusion proof from the transparency log.

report_execution

Close the authorization-execution loop. Report whether the action was executed, failed, or deviated from the original authorization. Linked to the commitment via hash.

Sovereign Mail — 4 Tools
send_sovereign_mail

Send a governed email with optional attachments. Governance pre-authorization required. Every sent message produces a Merkle leaf in the transparency log.

list_inbox

List inbox messages with pagination. Read-only — no governance commitment required. Returns message metadata, sender, subject, and timestamps.

read_message

Read a specific message by ID. Returns full message body, headers, attachments, and governance metadata. Read-only access.

lookup_recipient_keys

Look up a recipient's public keys from the key registry. Used for client-side encryption before sending. Returns ECDH P-384 public key and key fingerprint.

Sovereign Drive — 5 Tools
upload_file

Upload a file to governed encrypted storage. Supports base64 content or URL fetch. Client-side encryption with salt/IV metadata. Governance commitment required.

list_files

List files owned by the user. Returns file metadata, sizes, upload timestamps, and folder paths. Read-only access — no governance required.

download_file

Download a file by ID. Returns base64-encoded content with encryption metadata for client-side decryption. Read-only access.

share_file

Share a file with another user. Governance commitment required. Supports read/write permissions with ECDH key wrapping for zero-knowledge file sharing.

delete_file

Permanently delete a file. Governance commitment required. The deletion event is recorded in the transparency log — the absence of a file is provable.

Sovereign VPN — 4 Tools
create_tunnel

Create a governed VPN tunnel. Full attestation handshake with ECDH P-384 key exchange. Governance commitment required. Produces SESSION_BIRTH Merkle leaf.

tunnel_status

Check tunnel session status. Returns chain length, bytes transferred, DNS query count, duration, and current governance verdict. Read-only.

disconnect_tunnel

Gracefully disconnect a tunnel session. Governance commitment required. Produces SESSION_DEATH Merkle leaf with terminal chain hash and traffic totals.

dns_query

Perform a governed DNS query through the encrypted DoH proxy. Each query is hashed and appended to the session's DNS chain. Auditable query trail.

05 — Architecture

Edge-Native.
Globally Distributed.

The MCP Gateway runs on edge workers with KV for commitment storage and object storage for governance artifacts. Service bindings connect to the full AGTS worker mesh: protocol, log, billing, monitor, mail, drive, and tunnel workers.

SSE Transport

Server-Sent Events over HTTPS.

MCP clients connect to /mcp/sse for the event stream and send tool calls to /mcp/messages. Standard MCP SSE transport — any compliant client works without modification.

Service Mesh

Worker-to-worker bindings.

Service bindings connect the MCP gateway to downstream workers with zero-latency RPC. Mail, drive, tunnel, protocol, log, billing, and monitor workers are bound at the edge. No public network hops between services.

KV + R2 Storage

Commitment store at the edge.

Governance commitments stored in edge KV for sub-millisecond lookup. Governance envelopes and artifacts archived in object storage. Both globally replicated. No central database bottleneck.

Ed25519 Signing

Every commitment signed at the edge.

Ed25519 private key stored as an encrypted secret. The Web Crypto API signs governance envelopes in the worker runtime — no external HSM call for standard operations. Signature verification is public and stateless.

Transparency Log

Merkle tree — append-only.

Governance envelopes are submitted as leaves to the AGTS log worker. The log maintains a Merkle hash tree with signed tree heads. Inclusion proofs are available for any leaf. The tree is append-only — history cannot be rewritten.

Verification

Public, stateless, instant.

Any commitment can be verified at /verify?commitment={hash}. Returns the governance envelope, signature, gate results, and Merkle proof. No authentication required. Verification is a public good.

06 — Verdicts

Every Tool Call Gets a Verdict.
Before It Executes.

The five-gate evaluator produces a deterministic verdict for every governance submission. The verdict determines whether the tool executes.

ADMIT

All five gates passed. A signed commitment is created with the governance envelope, Ed25519 signature, and commitment hash. The tool is authorized to execute.

REVIEW

One or more gates flagged for human review. The tool does not execute. The agent receives the specific gate failures and can resubmit with additional evidence or escalate to a human operator.

DENY

One or more gates failed definitively. The tool does not execute. The denial is recorded in the transparency log. The agent cannot bypass the verdict — the governance layer is not advisory.

Business Impact

AI Agents Need
Governance Infrastructure.

EU AI Act
High-Risk AI Systems

Article 14 requires human oversight of high-risk AI. The MCP gateway's REVIEW verdict enables human-in-the-loop governance. Every agent action is logged, signed, and auditable — the accountability infrastructure the regulation demands.

DORA
Digital Operational Resilience

Financial institutions deploying AI agents need continuous accountability for autonomous operations. Governance commitments provide the cryptographic evidence trail DORA requires — not periodic audits, but per-action proofs.

SOC 2
Trust Services Criteria

SOC 2 requires demonstrable controls over processing integrity and confidentiality. The MCP gateway's five-gate evaluation, signed commitments, and Merkle-anchored audit trail satisfy these criteria with cryptographic rather than procedural evidence.

AI Agent Developers

Connect any MCP-compatible agent to governed tools. No custom governance code required — the gateway handles pre-authorization, commitment signing, and audit. Your agent calls tools; the gateway proves what happened and why it was allowed.

Enterprise Compliance Teams

Every agent action produces independently verifiable cryptographic evidence. Governance envelopes can be exported, audited, and submitted as compliance artifacts. The transparency log provides a tamper-evident record of every authorized and executed action.

Every Tool Call.
Every Commitment.
Independently Verifiable.

Connect your agent. Submit governance. Watch it gate, sign, execute, and anchor. Sixteen tools. One governance layer. One transparency log.

Connect an Agent
Verify a Commitment