Security & Privacy

MCP3 is designed with security-by-default and privacy-preserving identity principles, enabling LLMs and agents to operate on contextual data that is verifiable, tamper-proof, and selectively disclosed.

1. Verifiable Context Integrity

All context objects (MCOs) are cryptographically signed to ensure authenticity and integrity.

• Standard: EIP-712 (typed structured data signing)

• Alternative: JSON Web Signature (JWS)

• Signer: User wallet or delegated signing key

2. Replay Protection & Expiry

• Each MCO includes a timestamp and optional expires_in

• Verifiers MUST reject contexts older than N seconds (default: 300s)

3. Selective Disclosure (Minimization)

• Scope-based filtering enforces data minimization

• Only requested fields are included in context

4. Zero-Knowledge Claims (Optional)

• Users may attach ZK-proofs rather than raw data for privacy-critical contexts

• Supported for age, token ownership, DAO membership, etc.

5. Delegated Signing & API Keys

• Applications may act on behalf of users using delegated signer keys

• Keys are scoped, revocable, and permissioned

6. Storage & Transport Security

7. Auditability & Transparency

• All context generation processes are auditable and verifiable by third parties

• Optionally integrated with Ethereum attestation registries (e.g. EAS)

8. Abuse Resistance

• Rate-limiting per subject/DID

• Proof-of-Humanity and ZK-rate limiting supported

9. Legal & Ethical Design

• GDPR / Data Minimization

• Web3 Ethos (user-owned identity, no centralized profiling)

• AI Alignment (transparency and user agency)

Summary Table