{
  "schema_version": "v1",
  "name_for_human": "CNothing AuthAI KV",
  "name_for_model": "keyservice_authai_kv",
  "description_for_human": "Register a client public key, obtain one-time encrypted challenges, and read or write encrypted KV payloads without exposing plaintext to the AI.",
  "description_for_model": "CNothing AuthAI KV is a public MCP server for challenge-based AI-safe identity registration and encrypted KV storage. The AI should never request or handle private keys. Instead, it registers a client public key, receives an encrypted one-time challenge for the client backend, and forwards opaque auth, data, or query envelopes produced by that backend for kv save/read operations. Public discovery links also exist at /.well-known/mcp, /skills/index.json, /skill.md, and /getting-started.md.",
  "auth": {
    "type": "none"
  },
  "api": {
    "type": "openapi",
    "url": "http://localhost:3021/openapi.json",
    "is_user_authenticated": false
  },
  "server": {
    "type": "http",
    "base_url": "http://localhost:3021"
  },
  "documentation": {
    "homepage": "https://cnothing.com",
    "skills_index": "https://cnothing.com/skills/index.json",
    "skills_text": "https://cnothing.com/skills.txt",
    "getting_started": "https://cnothing.com/getting-started.md",
    "primary_skill": "https://cnothing.com/skill.md",
    "standards": "https://cnothing.com/standards",
    "authentication_standard": "https://cnothing.com/standards/authentication/1.0",
    "registration_hub_standard": "https://cnothing.com/standards/registration-hub"
  },
  "tools": [
    {
      "name": "get_authai_public_key",
      "description": "Return the AuthAI public key metadata used by the trusted backend to encrypt auth, data, and query envelopes toward CNothing. Call this before registration or whenever the backend needs the active CNothing server key.",
      "input_schema": {
        "type": "object",
        "properties": {},
        "examples": [{}]
      }
    },
    {
      "name": "authai_register",
      "description": "Register a client public key and receive an encrypted one-time challenge for the client backend. The AI may relay challenge_for_client, but only the trusted backend should decrypt it.",
      "input_schema": {
        "type": "object",
        "required": ["client_public_key"],
        "properties": {
          "client_public_key": {
            "type": "string",
            "description": "PEM-encoded public key generated and held by the trusted backend."
          },
          "client_key_alg": {
            "type": "string",
            "description": "Optional key algorithm profile such as RSA-OAEP-256/A256GCM."
          },
          "client_key_id": {
            "type": "string",
            "description": "Optional backend-defined key identifier."
          },
          "client_label": {
            "type": "string",
            "description": "Optional human label for the client identity."
          },
          "metadata": {
            "type": "object",
            "description": "Optional non-secret metadata about the client."
          }
        },
        "examples": [
          {
            "client_public_key": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----",
            "client_label": "signup-control-plane",
            "metadata": { "team": "growth-ops", "environment": "prod" }
          }
        ]
      }
    },
    {
      "name": "authai_refresh",
      "description": "Consume a valid auth envelope and issue the next encrypted challenge for the client backend. Use this to continue a protected workflow without re-registering the client.",
      "input_schema": {
        "type": "object",
        "required": ["auth_envelope"],
        "properties": {
          "auth_envelope": {
            "type": "object",
            "description": "Opaque auth envelope produced by the trusted backend."
          }
        },
        "examples": [
          {
            "auth_envelope": { "v": "ksp1", "encrypted_key": "...", "iv": "...", "ciphertext": "...", "tag": "..." }
          }
        ]
      }
    },
    {
      "name": "authai_key_holder_sign_challenge",
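      "description": "Recommended flow: create a signature-based key-holder challenge. The target signs the returned challenge_text with its own private key; the AI relays only the challenge and the resulting signature and must not request or handle that private key.",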
      "input_schema": {
        "type": "object",
        "required": ["target_public_key"],
        "properties": {
          "target_public_key": {
            "type": "string",
            "description": "PEM-encoded target public key."
          },
          "target_key_id": {
            "type": "string",
            "description": "Optional target key identifier."
          },
          "metadata": {
            "type": "object",
            "description": "Optional non-secret metadata for tracing."
          }
        },
        "examples": [
          {
            "target_public_key": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----",
            "target_key_id": "partner-key-2026-04"
          }
        ]
      }
    },
    {
      "name": "authai_key_holder_verify_signature",
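      "description": "Recommended flow: verify the signature proof by submitting verification_id, challenge_text, signature, and target_public_key. challenge_text must be passed back exactly as returned by authai_key_holder_sign_challenge.",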
      "input_schema": {
        "type": "object",
        "required": ["verification_id", "challenge_text", "signature", "target_public_key"],
        "properties": {
          "verification_id": {
            "type": "string",
            "description": "Verification challenge id from authai_key_holder_sign_challenge."
          },
          "challenge_text": {
            "type": "string",
            "description": "Exact challenge text returned by authai_key_holder_sign_challenge."
          },
          "signature": {
            "type": "string",
            "description": "Base64 or base64url signature over challenge_text."
          },
          "target_public_key": {
            "type": "string",
            "description": "PEM-encoded target public key used for signature verification."
          }
        },
        "examples": [
          {
            "verification_id": "4f2f4048-b9e8-4d65-aa71-d500f0ef8578",
            "challenge_text": "cnothing-key-holder-signature-challenge\n...",
            "signature": "base64-or-base64url-signature",
            "target_public_key": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----"
          }
        ]
      }
    },
    {
      "name": "authai_key_holder_challenge",
      "description": "Compatibility flow: create a key-holder verification challenge pair using ciphertext compare. Prefer signature verification for new integrations.",
      "input_schema": {
        "type": "object",
        "required": ["target_public_key"],
        "properties": {
          "target_public_key": {
            "type": "string",
            "description": "PEM-encoded target public key to be verified."
          },
          "target_key_id": {
            "type": "string",
            "description": "Optional target key identifier."
          },
          "metadata": {
            "type": "object",
            "description": "Optional non-secret metadata for verification tracing."
          }
        },
        "examples": [
          {
            "target_public_key": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----",
            "target_key_id": "partner-key-2026-04"
          }
        ]
      }
    },
    {
      "name": "authai_key_holder_verify",
      "description": "Compatibility flow: finalize verification by comparing responder_secret (S2, the value the target party obtained by decrypting challenge_for_target) with S1, the value decrypted from challenge_for_authai.",
      "input_schema": {
        "type": "object",
        "required": ["verification_id", "responder_secret", "challenge_for_authai"],
        "properties": {
          "verification_id": {
            "type": "string",
            "description": "Verification challenge id returned by authai_key_holder_challenge."
          },
          "responder_secret": {
            "type": "string",
            "description": "S2 value from the target party after decrypting challenge_for_target."
          },
          "challenge_for_authai": {
            "type": "object",
            "description": "Ciphertext B encrypted with the CNothing public key."
          }
        },
        "examples": [
          {
            "verification_id": "c14f04a1-0a17-4b70-83df-df4f0c09e303",
            "responder_secret": "base64url-secret-from-target",
            "challenge_for_authai": { "v": "ksp1", "encrypted_key": "...", "iv": "...", "ciphertext": "...", "tag": "..." }
          }
        ]
      }
    },
    {
      "name": "kv_save",
      "description": "Save one or more encrypted KV items for the authenticated client namespace. Third-party integrations are recommended to use private or blind mode so that CNothing operators and AI layers do not see application plaintext.",
      "input_schema": {
        "type": "object",
        "required": ["auth_envelope", "data_envelope"],
        "properties": {
          "auth_envelope": {
            "type": "object",
            "description": "Opaque action-bound auth envelope for kv.save."
          },
          "data_envelope": {
            "type": "object",
            "description": "Opaque ciphertext envelope containing the kv.save payload."
          }
        },
        "examples": [
          {
            "auth_envelope": { "v": "ksp1", "encrypted_key": "...", "iv": "...", "ciphertext": "...", "tag": "..." },
            "data_envelope": { "v": "ksp1", "encrypted_key": "...", "iv": "...", "ciphertext": "...", "tag": "..." }
          }
        ]
      }
    },
    {
      "name": "kv_read",
      "description": "Read encrypted KV items for the authenticated client namespace and return the result encrypted to the client public key by default, or to an optional recipient_public_key when provided.",
      "input_schema": {
        "type": "object",
        "required": ["auth_envelope", "query_envelope"],
        "properties": {
          "auth_envelope": {
            "type": "object",
            "description": "Opaque action-bound auth envelope for kv.read."
          },
          "query_envelope": {
            "type": "object",
            "description": "Opaque ciphertext envelope containing the kv.read query."
          },
          "recipient_public_key": {
            "type": "string",
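            "description": "Optional PEM public key. If provided, kv.read.result is encrypted to this key instead of the registered client public key. This field travels outside the encrypted envelopes, so the AI should relay only a key supplied by the trusted backend and never choose or substitute one itself."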
          }
        },
        "examples": [
          {
            "auth_envelope": { "v": "ksp1", "encrypted_key": "...", "iv": "...", "ciphertext": "...", "tag": "..." },
            "query_envelope": { "v": "ksp1", "encrypted_key": "...", "iv": "...", "ciphertext": "...", "tag": "..." },
            "recipient_public_key": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----"
          }
        ]
      }
    }
  ]
}
