Integrations
Agent integrations
Put a signed, verifiable verdict on every action your agent takes, at the action boundary, with no code change. @fidacy/mcp is a Model Context Protocol server any MCP-native host loads over stdio, so OpenClaw, Hermes, the Claude Code agent, and anything else that speaks MCP can call it. The verdict is the same neutral, EdDSA-signed seal anyone can check against the public JWKS. No trust in us required.
npx -y @fidacy/mcp. Set FIDACY_ENGINE_API_KEY for verdicts. The key never appears in logs or errors.Install the server
Add one server to your MCP host config. It speaks MCP over stdio. The only thing you need to start issuing verdicts is an engine key:
{
"mcpServers": {
"fidacy": {
"command": "npx",
"args": ["-y", "@fidacy/mcp"],
"env": {
"FIDACY_ENGINE_URL": "https://api.fidacy.com",
"FIDACY_ENGINE_API_KEY": "fky_test_…"
}
}
}
}Use a fky_test_… key while you build (sandbox, never counts as live), then swap to fky_live_…. Mint one at app.fidacy.com scoped to assess:write.
To also gate real payments, point the firewall tools at a firewall-core service you run by adding three env vars to the same server:
"FIDACY_MODE": "http", "FIDACY_API_URL": "https://your-core.example.com", "FIDACY_API_KEY": "…" // the MCP -> core shared secret
assess_action stays dormant until you set the engine key. The server boots fine with either one, both, or neither.The four tools
One install exposes four tools. assess_action calls the engine; the rest call your firewall core.
- ·
assess_action: returns a signed trust verdict (approve / review / deny) on a proposed action. The proof is a JWS, verifiable by anyone against the public JWKS. - ·
request_payment: gates a payment against a signed mandate. ALLOW mints a short-lived Ed25519 grant; DENY returns the violated rule. No money moves here. - ·
verify_mandate: returns the active mandate for a subject, the rules the agent is bound to. - ·
get_audit_proof: returns the append-only, hash-chained audit proof for a decision.
Moving the money is a separate, deliberate step. The companion @fidacy/executor exposes one tool, execute_payment, that you couple to your PSP. It refuses anything without a valid grant bound to that exact request, so a hijacked agent cannot pay past it.
OpenClaw
OpenClaw runs tools and actions (files, browser, code, messages, payments) on your behalf, and it loads MCP servers natively. Add the fidacyserver above to OpenClaw's MCP config and the agent gets the four tools directly. Have the agent call assess_action before it runs a tool: it returns the signed verdict, and you act on decision.
// the agent calls the assess_action tool; the host returns structuredContent:
{
"decision": "approve", // approve | review | deny
"score": 0.12,
"assessmentId": "…",
"riskPayloadJws": "eyJ…", // the signed, verifiable proof
"signingKeyId": "…",
"outcome": { /* signals, reasons */ }
}
// approve -> run the action; review -> step up to a human; deny -> blockHermes
Hermes pays on its own (L402 over Lightning, on-chain) and speaks MCP. Point it at the same fidacy server with the firewall env set, and have it call request_payment before it settles an invoice. The decision proves who authorized the payment and that it was not forged, and any bank, counterparty, or auditor verifies it in seconds against the public JWKS.
// the agent calls request_payment before settling; the core returns: // ALLOW -> a short-lived Ed25519 grant bound to this exact payment // DENY -> the violated rule, no grant issued // then @fidacy/executor's execute_payment refuses anything without a // valid grant bound to that request, so a hijacked agent cannot pay past it.
Claude Code (any MCP agent)
The same server drops into the Claude Code agent, Cursor, or any MCP-native host: add the fidacy entry to the host's mcpServers config and the agent gets assess_action (and the firewall tools when configured). With no engine key, assess_action stays dormant and the server still boots, so it never leaks a secret. The same pattern wires into any agent runtime.
What you get back
- ·
decision: approve / review / deny, plus a numericscore. - ·
riskPayloadJws: the EdDSA-signed verdict, verifiable against the public JWKS with no call back to Fidacy. - ·
outcome: the signals and reasons behind the verdict, when it is not an approve.
review, never approve.The verifier packages are open source (Apache-2.0): @fidacy/sdk and @fidacy/verify. Verify any verdict yourself, anywhere, with no account.