MCP Auth & Security - NEUS

Auth-Required Behavior
Eligibility-Safe Behavior
Auth-Required Responses
Related Docs
Related

Auth-Required Behavior

When a hosted MCP tool needs authentication:

neus_me resolves the current principal through GET /api/v1/auth/me when auth is present.
Private proof access stays behind NEUS auth boundaries; public MCP tools remain eligibility-safe.

Do not expect public MCP tools to expose private proof payloads or internal credentials.

Eligibility-Safe Behavior

Gate checks are eligibility-safe. They do not enumerate receipts.
Private proof payloads are not exposed through the public MCP tools.
Sponsor grants can be forwarded through neus_proofs_check.
x402 payment-required responses are passed through in a structured way instead of being swallowed.

Auth-Required Responses

When a tool needs authentication and none is present, the server can return:

status: "auth_required" with a hosted login URL for the user to complete sign-in.
Use the returned URL to hand off to https://neus.network/verify.

Authentication - API auth patterns and signing.
VerifyGate - Widget gating and hosted checkout.
Verifiable Agents - Agent identity and delegation.
Partner Setup - Domain verification and sponsor grants.

MCP Overview

What the server is for.

Tools

Tool reference and eligibility semantics.

Setup

Hosted client config.

API Authentication

HTTP auth and signing.

Setup MCP Tools Overview

⌘I