Alex Keisner, Head of Know Your Agent @ Vouched
Dylan Hobbs, KYA Principal Founding Engineer @ Vouched
As AI agents become a fixture of daily digital life, a deceptively simple question is becoming one of the hardest problems on the internet: who is actually on the other side of this interaction?
For decades, the identity question was straightforward enough. A person logged in, a service checked their credentials, and a session began. The human was the actor, and the service knew it. That model is rapidly breaking down. Today, a growing share of online interactions is being initiated not by humans typing at keyboards, but by AI agents acting on their behalf - booking travel, scheduling appointments, placing orders, managing accounts.
When an AI agent shows up at a digital front door, the service on the other side faces a genuinely new set of questions: Which agent is this? Who sent it? And did that person actually authorize it to do what it's trying to do?
These are questions the current infrastructure of the internet was not built to answer.
The Gap That MCP Left Open
Vouched, whose work began in human identity verification, recognized the identity gap for Agentic AI early on. Rather than building a proprietary solution, the team set out to apply its knowledge to an open solution that could benefit the entire industry. The result is the Model Context Protocol - Identity (MCP-I): an extension to MCP that adds a complete identity and delegation layer for AI agents.
Today, Vouched is formally donating MCP-I to the Decentralized Identity Foundation (DIF), an organization dedicated to decentralized identity-related specifications and open-source code development. At DIF, the MCP-I specifications will be further developed as a community-driven open standard under the Trusted AI Agents Working Group, through a dedicated MCP-I task force.
The Problem, Precisely Stated
To understand why MCP-I matters, it helps to understand what "identity" actually means in an agentic context. It is not a single question but four:
- Who is the agent? An AI agent needs a verifiable, stable identity of its own—not just a session token or an API key, but a cryptographically anchored identifier that can be confirmed independently via verifiable presentation.
- Who authorized the agent? The agent is acting on behalf of a human principal. The service needs to know who that person is, ideally with the same confidence it would have if the person were interacting directly.
- What is the agent permitted to do? Authorization is not binary. A person might grant their travel agent AI permission to search and book flights, but not to modify their payment methods. The scope of delegation matters.
- Can the agent be trusted? Beyond credentials, there is the question of reputation: whether this agent, in this context, has a track record of behaving as it claims to.
MCP-I addresses all four. It defines a framework in which agents carry cryptographically verifiable identities, delegation is represented as tamper-evident credentials with explicit scope, and the entire chain from human principal to agent action can be verified by any service that the agent approaches.
Why DIDs and VCs—and Why We Started “Backwards”
It is worth being direct about something: Vouched did not begin with a commitment to Decentralized Identifiers or Verifiable Credentials. The team began with the problem.
The first step was to look at the requirements: cryptographic verifiability, decentralized infrastructure control, tamper-resistance, and interoperability across platforms and organizations that have no prior relationship. The technologies that matched the requirements are DIDs and VCs. These are the tools the identity community has spent years developing precisely for problems like this one. The fit is not coincidental; it is the result of those standards being built to solve hard problems in trust infrastructure.
That convergence is also what makes DIF the right home for MCP-I. DIF exists at the intersection of open standards and practical implementation. Its community includes the people who built DIDs and VCs, who understand the hard-won lessons behind them, and who are best positioned to extend MCP-I into a robust, broadly adopted standard.
How MCP-I Works
At its core, MCP-I defines a clear set of actors and the protocols that bind them together:
- The User (Principal) is the human who owns the delegation - the person who instructs their AI agent to go do something on their behalf.
- The Agent is the AI software carrying out the task.
- The Service is the resource the agent is trying to access.
- The Verifier - often an edge proxy - is the component that checks credentials against policy at runtime before requests are passed through to the service.
When an agent wants to act on a user's behalf, MCP-I requires it to present proof of all three identity dimensions:
- Its own identity (a DID anchored to the agent).
- The user's identity (a Verifiable Credential linking the human principal to the request).
- The delegation (a machine-readable policy credential specifying what the agent is authorized to do, issued by the user, and scoped to the task at hand).
Think of it like a power of attorney. A person grants their attorney authority to act on their behalf for a specific purpose—for example, to close on a real estate transaction. The title company has never met the attorney before, and may never interact with them again, but the notarized document is sufficient: it names the principal, identifies who is authorized to act, and defines exactly what they are permitted to do. The attorney cannot exceed that scope, the principal can revoke it at any time, and the document can be verified independently by any party without advance coordination. MCP-I works the same way. The delegation credential is the notarized document, the agent is the attorney, and any service they approach can verify the chain of authority on the spot.
This last point matters enormously in a cross-domain context. When a consumer sends their AI agent of choice, whether that is Claude, ChatGPT, or any other, to interact with a merchant, a healthcare provider, or a financial institution, the service has no prior relationship with that agent. It cannot rely on a pre-registered client ID or a shared secret. MCP-I gives services a way to verify the agent's identity and authority on the spot, without any advance coordination, using open standards.
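The checks a verifier makes in this flow, as an added sketch that is not part of the original post or the MCP-I specification. Field names, the `did:example:` identifiers and the in-memory DID registry are assumptions, and the user's identity credential is reduced here to the issuer DID on the delegation.

```javascript
// Added illustration: field names and did:example identifiers are hypothetical,
// not the MCP-I schema. The Map stands in for real DID resolution.
const crypto = require("node:crypto");

const userKeys = crypto.generateKeyPairSync("ed25519");   // constructed test keys
const agentKeys = crypto.generateKeyPairSync("ed25519");
const USER = "did:example:user-alice", AGENT = "did:example:agent-travel";
const didRegistry = new Map([[USER, userKeys.publicKey], [AGENT, agentKeys.publicKey]]);

// Sorted-key serialization so signer and verifier process identical bytes.
const bytes = (o) => Buffer.from(JSON.stringify(o, Object.keys(o).sort()));
const sign = (o, key) => crypto.sign(null, bytes(o), key).toString("base64");
const sigOk = (o, key, sig) => crypto.verify(null, bytes(o), key, Buffer.from(sig, "base64"));

// The user issues a scoped delegation naming the agent (the "notarized document").
const issueDelegation = (claims) => ({ claims, proof: sign(claims, userKeys.privateKey) });

// The agent signs the verifier's challenge to prove control of its own DID.
function buildRequest(action, nonce, delegation) {
  const proof = sign({ action, agentDid: AGENT, nonce }, agentKeys.privateKey);
  return { agentDid: AGENT, action, nonce, agentProof: proof, delegation };
}

// Verifier: returns "allow" or the first reason for refusal.
function verifyRequest(req, { challenge, revoked, now }) {
  const d = req.delegation.claims;
  const issuerKey = didRegistry.get(d.issuer), agentKey = didRegistry.get(req.agentDid);
  if (!issuerKey || !agentKey) return "unknown-did";
  if (!sigOk(d, issuerKey, req.delegation.proof)) return "bad-delegation-signature";
  if (req.nonce !== challenge) return "stale-challenge";
  const signed = { action: req.action, agentDid: req.agentDid, nonce: req.nonce };
  if (!sigOk(signed, agentKey, req.agentProof)) return "bad-agent-proof";
  if (d.subject !== req.agentDid) return "delegation-not-for-agent";
  if (revoked.has(d.id)) return "revoked";
  if (now >= d.expires) return "expired";
  return d.scope.includes(req.action) ? "allow" : "out-of-scope";
}

// Constructed sample: flights may be searched and booked, payment methods not touched.
const delegation = issueDelegation({
  id: "urn:example:delegation-1", issuer: USER, subject: AGENT,
  scope: ["flights:search", "flights:book"], expires: 1900000000,
});
const ctx = { challenge: "n-123", revoked: new Set(), now: 1800000000 };
console.log(verifyRequest(buildRequest("flights:book", "n-123", delegation), ctx));
console.log(verifyRequest(buildRequest("payments:modify", "n-123", delegation), ctx));
```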
This summary represents the tip of the iceberg—current DID methods, delegation schemas, and more are part of the full v1 spec found at the MCP-I documentation page.
A Framework Built for Real-World Adoption
MCP-I makes identity and delegation verifiable; services still apply risk policy, monitoring, and abuse defenses using audit and reputation signals. MCP-I defines three conformance levels to accommodate different security requirements and adoption stages:
- Level 1 allows organizations to get started quickly using basic DID issuance and legacy identifiers like OIDC and JWT, getting immediate benefit while building toward fuller compliance.
- Level 2 adds mandatory DID verification, full credential delegation verification at request time, and revocation support. Services can opt in to receiving identity headers or direct handshake flows.
- Level 3 is the enterprise tier, including comprehensive credential lifecycle management, immutable audit trails, and the ability for both the agent and the receiving service to be fully MCP-I aware.
This tiered approach reflects a practical reality: the ecosystem will not adopt a new identity and authorization framework all at once. Organizations need an on-ramp. MCP-I provides one.
Early application of the framework has already been demonstrated in agentic commerce. An e-commerce merchant has used MCP-I-aligned tooling to enable AI agents to complete purchases on behalf of consumers - with full verification of which agent is acting, who the human buyer is, and that the necessary permissions have been granted. The result is commerce that is both more seamless for users and more secure for the merchant.
What Happens Next at DIF
When Vouched approached DIF, the organization was well prepared to receive the contribution. It is common for DIF to accept specifications and code contributions from members who recognize the importance of having open standards for widespread adoption. Furthermore, DIF members had already created a new Trusted AI Agents Working Group (TAAWG) because of the critical nature of Agentic AI identity. In other words, DIF had a group ready and willing to fine-tune and trial MCP-I.
Vouched is making a significant contribution to DIF with its MCP-I protocol and participation in our Trusted AI Agents Working group. Often we see people despairing that it will become impossible to trust our own eyes because of the miracles of AI, but they forget the days when we couldn't sort spam out of our email boxes. Today, spam still makes up half of the email traffic, but it doesn't reach your inbox. In the same way, we will reach a time when you can tell legitimate AI Agents from fakes, and the contribution of MCP-I is a step in that direction. At a time when many companies are turning towards proprietary solutions, Vouched has recognized the importance of open source and open standards for the industry. Interoperability of Agents needs to go beyond their ability to communicate and allow them to also know which agents are trustworthy. MCP-I is a major step in that direction and we are excited to collaborate on this effort to deploy Agentic AI safely.
- Grace Rachmany, Executive Director @ Decentralized Identity Foundation
MCP-I joins DIF not as a finished artifact but as a starting point for community co-development. The Trusted AI Agents Working Group will provide the home for this work, and the newly formed MCP-I task force will drive the specification forward. This work directly supports the WG’s published focus on identity, authority, and governance for privacy-preserving, secure agents, and participants from across the identity, AI, and developer communities are encouraged to engage.
For DIF members and the broader decentralized identity community, MCP-I represents a concrete and timely application of the standards they have been building. DIDs and VCs, long proven in the context of human identity, now have a well-defined path to relevance in the agentic era. DIF is set up for rapid iteration and co-development, and we plan to take advantage of that culture for this cutting-edge work.
For developers building AI agents and the services that receive them, MCP-I offers a path to interoperability and trust that no one has to build from scratch. The framework is open, documented, and designed to work across organizational boundaries without requiring prior coordination.
For the humans at the center of all of this—the people sending their AI agents out into the world to act on their behalf—MCP-I is the infrastructure that makes it possible to remain in control: to delegate with precision, to revoke at will, and to trust that the services their agents interact with know exactly who sent them and why.
The identity layer for the agentic web is an open problem. MCP-I is the universal solution, and it now belongs to the community.
To learn more about MCP-I, visit: Model Context Protocol - Identity
To get involved in the Trusted AI Agents Working Group at DIF, visit our website.