MCP
Authentication
MCPmcp / authentication

Authentication

Understand how machine clients should think about credentials, request signing, and the boundary between discovery and protected runtime access.

Authentication in this section is about the machine-client mental model, discovery can be open and descriptive while live runtime access stays authenticated and controlled.

Before you continue

Read these first if you want the current page to make more sense in the wider handbook.

MCPdraft

Discovery

This page explains the first machine-facing handshake, what an agent needs to learn before deeper integration and why discovery should stay boring.

The core distinction

In Mecharim, not every surface has the same security role.

The useful distinction is:

  • descriptive surfaces can be readable
  • operational runtime surfaces must be authenticated

This prevents confusion between “I can read the contract” and “I can act as a real Mecha runtime”.

What machine clients need to understand

An agent or tool should know:

  • which surfaces are descriptive
  • which actions require credentials
  • how request integrity is protected
  • which runtime identity is acting

Where runtime auth lives

When the client becomes a real runtime, it enters the Mechagram and Mecha identity model.

That includes concepts like:

  • the Mecha key
  • timestamp and nonce headers
  • optional request signing
  • recipient and sender identity

Why this separation is healthy

If the same surface tries to be both:

  • vague explanation
  • and privileged operational runtime

the model becomes harder to trust and harder to integrate.

The cleaner rule is:

let discovery explain, let runtime authenticate.

Practical result

This makes the system easier to reason about:

  • MCP explains
  • schemas validate
  • Mechagram transports
  • Mecha keys authenticate live action

Recommended next pages

Related pages

Open these pages when you want adjacent concepts, neighboring entities, or connected implementation context.

Mechagram Protocol

Mecharim Documentation

Documentation for the Mecharim platform.

Quickstartdraft

Issue a Mecha Key

This step bridges control-plane setup and real runtime operation by issuing the credential the external process will actually use.

Quickstartdraft

Connect a Mecha Runtime

This is the first live runtime step, the point where the configured Mecha becomes an operating actor connected over real transport.

Next reading

Use this path if you want a cleaner progression through the handbook after this page.

MCPdraft

Tools and Schemas

This page explains the contract layer, human explanation, machine-readable schemas, and stable examples should cooperate without collapsing into one noisy surface.

MCPdraft

Examples

Examples make the MCP section usable, they turn abstract descriptions into a sequence an agent or implementer can actually follow.