research(security): AIP — Invocation-Bound Capability Tokens for verifiable agent delegation across MCP and A2A #2504
Description
Source
arXiv:2603.24775 — "AIP: Agent Identity Protocol for Verifiable Delegation Across MCP and A2A" (March 25, 2026)
Finding
AIP introduces Invocation-Bound Capability Tokens (IBCTs): short-lived JWT/Biscuit tokens that bind:
- Caller identity (agent ID + signing key)
- Delegated capability (specific tool + argument constraints)
- Invocation scope (single-use or session-scoped)
A scan of ~2,000 public MCP servers found all lacked authentication — any client can call any tool without identity verification. A2A also lacks a standard delegation mechanism: agents can impersonate each other's tool calls.
Applicability to Zeph
zeph-mcp and zeph-a2a have no identity propagation:
- MCP: tool calls arrive without caller identity — trust level assigned per-server, not per-caller
- A2A: agent invocations carry no verifiable delegation token
Note: #2497 (SMCP hardening) and #2496 (threat modeling) address tool poisoning and shadowing attacks but neither covers the identity/delegation gap this paper targets.
Implementation sketch:
- Add `caller_token: Option<Ibct>` to `ToolCall` in `zeph-mcp`
- `McpManager`: validate IBCT signature + scope before routing tool invocations
- A2A client: attach delegation token when invoking sub-agents; A2A server: verify token
- Config: `[mcp.identity] require_tokens = false` (off by default for backward compat with existing servers)
Priority rationale
P2: the scan result (0/2000 servers authenticate callers) confirms this is a systemic gap. The IBCT mechanism is lightweight enough to implement incrementally without breaking existing server compatibility.
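The scope half of the "validate IBCT signature + scope before routing" step, as an added example (not Zeph's code and not taken from the AIP paper). Only `Ibct`, `ToolCall`, `caller_token` and `require_tokens` come from the sketch above; the field layout, `Gate`, `Decision` and `sample` are hypothetical, and signature verification is assumed to have succeeded before `check` runs. Rejecting a bad token even when `require_tokens = false` is a policy choice made here, not one stated in the issue.

```rust
use std::collections::{HashMap, HashSet};

// Hypothetical shapes: only Ibct, ToolCall, caller_token and require_tokens
// are named on the page. Signature is assumed verified before check() runs.
pub struct Ibct {
    pub caller: String,                     // agent ID the token was issued to
    pub tool: String,                       // the single delegated tool
    pub arg_allow: HashMap<String, String>, // argument constraints: key -> required value
    pub expires_at: u64,                    // unix seconds
    pub single_use: Option<String>,         // nonce if single-use, None if session-scoped
}
pub struct ToolCall { pub tool: String, pub args: HashMap<String, String>, pub caller_token: Option<Ibct> }
#[derive(Debug, PartialEq)]
pub enum Decision { Allow, AllowLegacy, Deny(&'static str) }
pub struct Gate { require_tokens: bool, seen: HashSet<String> }

impl Gate {
    pub fn new(require_tokens: bool) -> Self { Gate { require_tokens, seen: HashSet::new() } }
    pub fn check(&mut self, call: &ToolCall, now: u64) -> Decision {
        // Only a call with no token at all may fall back to per-server trust.
        let Some(t) = &call.caller_token else {
            return if self.require_tokens { Decision::Deny("missing token") } else { Decision::AllowLegacy };
        };
        if now >= t.expires_at { return Decision::Deny("expired"); }
        if t.tool != call.tool { return Decision::Deny("tool not delegated"); }
        for (k, want) in &t.arg_allow {
            if call.args.get(k) != Some(want) { return Decision::Deny("argument constraint"); }
        }
        // Consume the nonce last so a rejected call cannot burn a valid token.
        if let Some(n) = &t.single_use {
            if !self.seen.insert(n.clone()) { return Decision::Deny("replayed"); }
        }
        Decision::Allow
    }
}

// Constructed sample: a token delegating read_file on one path to "agent-a".
pub fn sample(tool: &str, path: &str, nonce: Option<&str>) -> ToolCall {
    let token = Ibct { caller: "agent-a".into(), tool: "read_file".into(),
        arg_allow: HashMap::from([("path".to_string(), "/srv/docs/a.md".to_string())]),
        expires_at: 1_000, single_use: nonce.map(String::from) };
    ToolCall { tool: tool.into(), args: HashMap::from([("path".to_string(), path.to_string())]), caller_token: Some(token) }
}

fn main() {
    let mut gate = Gate::new(true);
    println!("{:?}", gate.check(&sample("read_file", "/srv/docs/a.md", Some("n1")), 500));
    println!("{:?}", gate.check(&sample("read_file", "/srv/docs/a.md", Some("n1")), 500));
}
```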