A Claude Code plugin that adds AIP-signed identity to outgoing MCP tool calls.
Wraps a single upstream HTTP MCP server with an Ed25519-signed JWT (CompactToken). Every tool call Claude makes through the proxy carries a verifiable identity claim that upstream services and policy proxies (like AIP Gateway) can verify, scope-check, and audit.
```
Claude Code            aip-proxy (this plugin)          Upstream MCP server
───────────            ───────────────────────          ──────────────────
     │                            │                              │
     │  tools/call                │                              │
     ├───────────────────────────▶│                              │
     │                            │  HTTP POST + Authorization:  │
     │                            │  Bearer <AIP CompactToken>   │
     │                            ├─────────────────────────────▶│
     │                            │                              │  Verify token
     │                            │                              │  Check scope
     │                            │                              │  Audit ✓
     │                            │  200 OK                      │
     │                            │◀─────────────────────────────┤
     │  result                    │                              │
     │◀───────────────────────────┤                              │
```
The primary install path is the Claude Code marketplace, not npm:
```bash
claude plugin marketplace add sunilp/aip-claude-code
claude plugin install aip-claude-code@aip-claude-code
```

Configure on first run with the upstream MCP URL:

```bash
claude plugin config aip-claude-code upstreamUrl=https://your-mcp.example.com/mcp
```

Optional: tighten scope and TTL.

```bash
claude plugin config aip-claude-code scope=tool:search,tool:read tokenTtlSeconds=120
```

The npm package exists for distribution and version pinning. It is not a standalone Node library; the binaries require Claude Code's plugin runtime to set up environment variables.

```
/aip:keygen
```

Copy the printed `publicKey` (z-prefixed multibase) and add it to your upstream MCP server's or AIP Gateway's trust list.
Once installed, an `mcp__aip-proxy__aip_forward` tool is available in your sessions. Claude can call upstream tools through it; each call carries an AIP token. The plugin's `aip-tool-auth` skill explains usage.
```
/aip:status          # identity + audit entry count
/aip:audit           # tail the audit log (last 20)
/aip:audit --n=100
```

Audit log lives at `${CLAUDE_PLUGIN_DATA}/audit.jsonl`.
| Layer | Where it runs |
|---|---|
| MCP stdio server | bin/aip-mcp-proxy.mjs (spawned by Claude Code) |
| Sign + forward | Per tool call, signed CompactToken (EdDSA) attached as Authorization: Bearer |
| Audit hooks | PreToolUse + PostToolUse, JSONL append |
| Slash commands | bin/aip-cli.mjs invoked by /aip:* |
```json
{
  "iss": "aip:key:ed25519:<your-multibase-pubkey>",
  "sub": "https://upstream.example.com/mcp",
  "scope": ["tool:*"],
  "max_depth": 0,
  "iat": 1714000000,
  "exp": 1714000300
}
```
Signed with EdDSA. Verifiable by anyone holding your multibase public key.
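
The checks an upstream could run on each call, for a token with the payload shape shown above. This is an added example, not code from the plugin or the AIP SDK. It assumes the standard three-part JWT serialization with an `alg: EdDSA` header, treats `sub` as the intended upstream, reads `tool:*` as a wildcard, and takes the trust list as a map from `iss` to an already-decoded Ed25519 public key (multibase decoding is left out); `verifyCall`, `signToken`, `scopeAllows` and `demo` are hypothetical names.

```javascript
// Added example, not the plugin's code: checks an upstream could run per call.
const nodeCrypto = require("node:crypto");
const b64u = (v) => Buffer.from(v).toString("base64url");
const parse = (s) => JSON.parse(Buffer.from(s, "base64url").toString("utf8"));

// Constructed helper: mints a test token so the example runs offline.
function signToken(claims, privateKey) {
  const input = `${b64u(JSON.stringify({ alg: "EdDSA", typ: "JWT" }))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${b64u(nodeCrypto.sign(null, Buffer.from(input), privateKey))}`;
}

// Assumption: "tool:*" grants every tool; any other entry must match exactly.
const scopeAllows = (scope, tool) =>
  Array.isArray(scope) && (scope.includes("tool:*") || scope.includes(`tool:${tool}`));

// trust: Map of iss string -> Ed25519 public KeyObject (hypothetical trust-list shape).
function verifyCall(token, { trust, audience, tool, now }) {
  const deny = (reason) => ({ ok: false, reason });
  const parts = token.split(".");
  if (parts.length !== 3) return deny("malformed");
  let header, claims;
  try { header = parse(parts[0]); claims = parse(parts[1]); } catch { return deny("malformed"); }
  // Pin the algorithm: the token must not choose how it is verified.
  if (header?.alg !== "EdDSA") return deny("bad-alg");
  const key = trust.get(claims?.iss);
  if (!key) return deny("untrusted-issuer");
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (!nodeCrypto.verify(null, signed, key, Buffer.from(parts[2], "base64url"))) return deny("bad-signature");
  if (claims.sub !== audience) return deny("wrong-upstream");
  if (!Number.isInteger(claims.iat) || claims.iat > now) return deny("not-yet-valid");
  if (!Number.isInteger(claims.exp) || now >= claims.exp) return deny("expired");
  if (!scopeAllows(claims.scope, tool)) return deny("out-of-scope");
  return { ok: true, iss: claims.iss };
}

// Constructed demo data: throwaway keys and a placeholder issuer id.
function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ed25519");
  const iss = "aip:key:ed25519:zPLACEHOLDER";
  const sub = "https://upstream.example.com/mcp";
  const claims = { iss, sub, scope: ["tool:search"], max_depth: 0, iat: 1714000000, exp: 1714000300 };
  const token = signToken(claims, privateKey);
  const forged = signToken(claims, nodeCrypto.generateKeyPairSync("ed25519").privateKey);
  const check = (t, tool, now, audience = sub) =>
    verifyCall(t, { trust: new Map([[iss, publicKey]]), audience, tool, now });
  return { valid: check(token, "search", 1714000100), scope: check(token, "write", 1714000100),
    late: check(token, "search", 1714000300), forged: check(forged, "search", 1714000100),
    replayed: check(token, "search", 1714000100, "https://other.example.com/mcp") };
}
```

The signature is checked before any claim is trusted, and a token presented to a different upstream than its `sub` is refused even though its signature is valid.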
- Compact mode only (single-hop). Chained mode (multi-hop delegation via Biscuit) is v0.2.
- One upstream MCP server per install. Multi-upstream is v0.2.
- Local JSONL audit only.
- No web-of-trust, no policy enforcement at the hook layer (hooks are audit-only).
```bash
git clone https://github.com/sunilp/aip-claude-code
cd aip-claude-code
npm install
npm test        # 27 tests across identity, audit log, sign, proxy, hooks, CLI, e2e
npm run build   # produces bin/*.mjs
```

- Spec and quickstart: https://sunilprakash.com/aip/
- IETF Internet-Draft: https://datatracker.ietf.org/doc/draft-prakash-aip/
- arXiv paper: https://arxiv.org/abs/2603.24775
- TypeScript SDK: https://github.com/sunilp/aip-node
- Reference implementation: https://github.com/sunilp/aip
- Drop-in policy proxy: https://github.com/sunilp/aip-gateway
Apache-2.0