attest-mcp-remote
Remote MCP server (Streamable HTTP) for the Spazio Genesi digital-workattestation service. Zero install:add the URL as a connector in your MCP client and start verifying andattesting.
No file ever transits — by design. MCP has no reliable client→server filechannel, and this service doesn't want one: every tool works on the SHA-256fingerprint of the work. Agents with code execution compute it locally(sha256sum <file>), so the file never leaves the machine it lives on — noteven through this server. For local-file tooling use the stdio package@spazio-genesi/attest-mcp;for humans, the website (in-browserhashing, full privacy) or the Telegram bot @SGAttestBot.
Status
Work in progress (phase 2 ofP26): all 8 tools implemented and testedlocally (device flow validated end-to-end against an isolated imgauthinstance). Production deployment is the next phase.
Tools
| Tool | Auth | What it does |
|---|---|---|
service_status |
none | Health of worker / archive / signer / Bitcoin anchor |
check_anchor |
none | OpenTimestamps proof lookup for a fingerprint |
verify_attestation |
none | Verify the server HMAC signature of an attestation |
lookup_certificate |
none | Archive lookup + permanent links for a fingerprint |
authorize |
starts device flow | User approves once in the browser (anti-bot check) |
complete_authorization |
device flow | Claims the 24h session token (kept in session state, never echoed) |
attest_hash |
session token or API key header | Bind a fingerprint to a signed server timestamp |
create_certificate_pdf |
session-scoped | Generate + archive the certificate PDF, returns permanent links |
Credentials: either the zero-config device flow above, or anAuthorization: Bearer sg_k_… header on the connection (e.g. Claude Code:claude mcp add --transport http attest <url> --header "Authorization: Bearer sg_k_…").Self-service keys: https://imgauth.spaziogenesi.org/developer/keys
Develop
npm install
npm run dev # wrangler dev (default port 8787)
node test/smoke.mjs http://127.0.0.1:8787
test/smoke.mjs drives the Streamable HTTP transport end-to-end (initialize →tools/list → tools/call) against real, public production data (read-only).test/smoke-auth.mjs covers the credentialed flow and is a local-onlyharness: it needs an isolated imgauth wrangler dev (own --persist-tostate, SIGNER_URL emptied) because the user-approval step is simulated bywriting the local D1 directly — see the header comment in the file.
License
MIT — © Spazio Genesi ETS. This is a pure client of the publicimgauth API; it defines no APIcontract of its own.