MCP Server
5-tool MCP server for verifying, inspecting, decoding, issuing, and bundling PEAC receipts. Works with any MCP client that supports the Model Context Protocol.
Package: @peac/mcp-server
Install
npm install -g @peac/mcp-server # or with pnpm pnpm add -g @peac/mcp-server
Tools
The server exposes 5 tools. Availability depends on the operating mode.
| Tool | Description | Mode |
|---|---|---|
peac_verify | Verify receipt signature and claims | Pure |
peac_inspect | Decode receipt metadata without verifying signature | Pure |
peac_decode | Raw JWS dump (header, payload, signature) | Pure |
peac_issue | Sign and issue a new receipt (requires issuer key) | Issuer |
peac_create_bundle | Create an evidence bundle (requires issuer key and bundle directory) | Issuer |
Operating Modes
Pure Mode (default)
- No keys required
- 3 tools available:
peac_verify,peac_inspect,peac_decode - Read-only receipt operations
Issuer Mode
- Requires
--issuer-keyand--issuer-idflags - All 5 tools available
- Can sign and issue new receipts
Transports
stdio (default)
Standard input/output transport. Line-buffered stdout fence (DD-58). Intended for desktop agents such as Claude Desktop and Cursor.
Streamable HTTP (v0.11.0+)
- Port 3000, localhost-only bind
- CORS deny-all
- Session-isolated
McpServer+ transport per client - Rate limiting and request size limits
Security
| Property | Decision | Description |
|---|---|---|
| No ambient key discovery | DD-52 | Keys are provided explicitly via flags; never read from environment or filesystem scanning |
| Static policy | DD-53 | Policy is fixed at startup; cannot be modified at runtime by tool callers |
| Structured outputs | DD-54 | All tool responses include _meta with serverVersion, policyHash, and protocolVersion |
| SSRF prevention | DD-55 | No implicit fetch; URLs are locator hints only |
| Session isolation | CVE-2026-25536 | Each HTTP client receives an isolated McpServer instance and transport |
Setup: Claude Desktop
Add the following to your Claude Desktop configuration file (claude_desktop_config.json):
{
"mcpServers": {
"peac": {
"command": "npx",
"args": ["-y", "@peac/mcp-server"]
}
}
}This starts the server in pure mode via stdio. To enable issuer mode, add "--issuer-key" and "--issuer-id" to the args array.
Setup: Cursor
Add to .mcp.json in your project root:
{
"mcpServers": {
"peac": {
"command": "npx",
"args": ["-y", "@peac/mcp-server"]
}
}
}Issuer Mode
To enable receipt issuance and bundle creation, provide an Ed25519 private key and issuer identifier:
npx @peac/mcp-server \ --issuer-key ./keys/issuer.jwk \ --issuer-id https://example.com
The --issuer-key flag accepts a path to a JWK file containing an Ed25519 private key. The --issuer-id is the issuer URI that appears in the iss claim of issued receipts.
Structured Output
Every tool response includes a _meta object for provenance tracking:
{
"_meta": {
"serverVersion": "0.11.2",
"policyHash": "sha256:...",
"protocolVersion": "peac-receipt/0.1"
}
}Links
Get Started
Run the MCP server locally with a single command. No configuration required for pure mode (verify, inspect, decode). Add issuer credentials to enable receipt issuance and evidence bundling.