{{ message }}
Should MCP tool responses carry verification metadata? #2964
Locked
FoundryNet
started this conversation in
Ideas - General
Replies: 5 comments
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as spam.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment

Uh oh!
There was an error while loading. Please reload this page.
-
Summary
Today an MCP tool response is trusted implicitly: the client receives content and has no
standard, structured way to answer "what produced this, when, and can I check it later?"
As agents increasingly chain tool calls — and as one agent's output becomes another's
input — it's worth asking whether the protocol should define an optional place for
tool results to carry verification metadata.
This is a question, not a finished proposal. I'd like to gauge whether the maintainers and
community see this as in-scope for the spec, out-of-scope (better left to implementations),
or already solved by something I've missed.
The gap
A tool result is currently
contentplus anisErrorflag. There's no standardized,machine-readable channel for a server to assert things like:
tampering or drift if the same result is replayed or cached
Servers can stuff this into ad-hoc fields today, but because it's non-standard, no client
or downstream agent can rely on it. That's the part a spec could fix: a defined, optional
shape that tooling can recognize.
Why it matters now
protocol-level way to confirm the output's origin or that it wasn't altered in transit.
consumer tell a fresh result from a stale or substituted one.
answer reconstructively. A structured, optional field makes it answerable by design.
What I am explicitly NOT proposing
that don't care ignore it. Zero impact on the simple case.
shape and semantics of an optional metadata field; how a server signs or anchors it (if
at all) is an implementation choice.
specific tool produced a specific result at a specific time.
Sketch (for discussion only)
A possible shape — an optional
verificationobject on a tool result:{ "content": [ /* ... */ ], "isError": false, "verification": { // OPTIONAL — absence means "unverified", same as today "producer": "server-name@1.4.2", "produced_at": "2026-06-22T17:00:00Z", "input_hash": "sha256:…", "output_hash": "sha256:…", "signature": "…" // optional; scheme left to the implementation } }Open questions I'd genuinely like input on:
during initialization (so clients opt in to receiving it)?
producer+produced_at+output_hashcovers most value; signatures are a separable layer.)
Happy to write this up as a more formal SEP if there's appetite. Mostly I want to find out
whether the problem resonates before investing in a proposal.
Beta Was this translation helpful? Give feedback.
All reactions