Credential Resolution Protocol — The Open Standard for AI Agent Credential Access
Open Standard — CC-BY-4.0

The Missing Security Layer
for AI Agents

CRP is an open protocol for credential resolution in the MCP ecosystem. No more API keys in .env files.

Read the Spec →Get Started →

The Problem

Credentials are the wild west

Today
┌─────────────────────────────────┐
│  .env                           │
│  OPENAI_KEY=sk-abc123...        │
│  STRIPE_KEY=sk_live_...         │
│  DB_PASSWORD=hunter2            │
│  AWS_SECRET=AKIA...             │
└───────────┬─────────────────────┘
            │ copy-paste
    ┌───────┴───────┐
    │               │
┌───▼───┐     ┌────▼────┐
│Agent A│     │Agent B  │
│(no    │     │(same    │
│ audit)│     │ keys)   │
└───┬───┘     └────┬────┘
    │              │
    ▼              ▼
  Never expires. Never rotated.
  No audit trail. Shared freely.
With CRP
┌──────────┐
│  Agent   │
└────┬─────┘
     │ crp/resolve
┌────▼──────────┐
│  MCP Server   │
│  (CRP-aware)  │
└────┬──────────┘
     │ capability negotiation
┌────▼──────────┐
│  CRP Provider │
│  (vault)      │
└────┬──────────┘
     │
┌────▼──────────────────────┐
│  Leased Credential        │
│  ✓ Time-bounded (5 min)   │
│  ✓ Scoped to operation    │
│  ✓ Audited & logged       │
│  ✓ Policy-checked         │
│  ✓ Auto-revoked           │
└───────────────────────────┘

How It Works

Four primitives. One required.

CRP defines four operations. Only crp/resolve is required — you can ship a working implementation in a weekend.

crp/resolveRequired

Request a credential for a named service. Returns the credential with type, value, and a time-bounded lease.

{ "method": "crp/resolve",
  "params": {
    "service": "openai",
    "credentialType": "api_key",
    "scopes": ["chat.completions"] } }
crp/list

Discover available credential services and scopes. Lets agents discover what's available without guessing.

{ "method": "crp/list" }
→ { "services": ["openai", "stripe", "aws"] }
crp/lease

Extend or release a credential lease. Enables fine-grained, renewable, time-bounded access.

{ "method": "crp/lease",
  "params": { "leaseId": "lease-abc123",
    "action": "renew" } }
crp/revoke

Emergency credential revocation. Immediately invalidate a credential when compromise is detected.

{ "method": "crp/revoke",
  "params": { "leaseId": "lease-abc123",
    "reason": "credential exposed" } }

Security Model

Security by design, not by hope

Every credential flows through three enforced guarantees. No exceptions.

Lease-Based Delivery

Every credential comes with a lease — a time-bounded grant that expires automatically. No permanent credential exposure. Leases can be renewed if still needed, or revoked immediately if compromise is detected. TTLs are enforced server-side.

📋

Audit by Default

Every crp/resolve, lease renewal, and revocation is logged with timestamp, consumer identity, service, and outcome. Providers MUST NOT log credential values — only the metadata. Standard conformance requires structured audit events.

🛡

Policy Integration

Providers evaluate policy rules before resolving any credential. Policies control which consumers can access which services, under what conditions. Denied requests return -33003 policy_denied with enough detail to understand the denial without revealing policy internals.

Zero-logging of secrets: Consumers MUST NOT log credential values. Providers MUST NOT log credential values. This applies to application logs, debug output, error messages, and crash reports. Credential material is ephemeral — use it, then forget it.

Comparison

Why not just use…

CRP isn't a vault. It's the protocol layer that sits between agents and vaults — open, agent-native, and MCP-integrated.

Environment Variables

No leases, no audit, no policy

Static secrets pasted into .env files. Never expire, never rotate, shared freely across agents. Zero visibility into who used what.

HashiCorp Vault

Great vault, no agent protocol

Excellent secrets engine — but no MCP integration, no agent-native interface. CRP can use Vault as a backend while providing a standard agent-facing API.

1Password MCP Server

Vendor-locked, no lease model

Exposes 1Password items via MCP tools, but returns static secrets with no time-bounding, no policy enforcement, and no interop with other vaults.

AWS Secrets Manager

Cloud-only, not agent-native

Rotation and audit for AWS workloads — but requires IAM, doesn't speak MCP, and can't serve as a universal agent credential layer. CRP can wrap it as a backend.

CRP is the open standard — agent-native, MCP-integrated, lease-based, vendor-neutral. Use any vault as a backend. Ship any provider.

Conformance

Start small. Ship fast.

Three tiers so you can adopt CRP incrementally. Basic is a weekend project.

A weekend

Basic

  • crp/resolve
  • Lease-based delivery
  • Service-name lookup
  • Credential type + value response
A week

Standard

  • Everything in Basic
  • crp/list discovery
  • crp/lease renewal
  • Audit logging
Production-ready

Full

  • Everything in Standard
  • crp/revoke
  • Policy enforcement
  • Anomaly detection
  • Multi-vault backends

MCP Native

No spec fork required

CRP uses MCP's built-in experimental capability for negotiation. Servers advertise CRP support during initialization — no protocol changes needed.

Capability Negotiation
// Server → Client (initialize response)
{
  "capabilities": {
    "experimental": {
      "crp": {
        "version": "0.1",
        "provider": "sanctum-local",
        "features": ["resolve", "lease", "revoke", "list"]
      }
    }
  }
}

Quick Start

Resolve your first credential

1. Request — crp/resolve
{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "crp/resolve",
  "params": {
    "service": "openai",
    "credentialType": "api_key",
    "scopes": ["chat.completions"],
    "context": {
      "consumer": "coding-assistant-v2",
      "purpose": "Generate code completion"
    }
  }
}
2. Response — leased credential returned
{
  "jsonrpc": "2.0",
  "id": 1,
  "result": {
    "credential": {
      "type": "api_key",
      "value": "sk-...",
      "service": "openai"
    },
    "lease": {
      "id": "lease-abc123",
      "expiresAt": "2026-02-13T23:30:00Z",
      "renewable": true
    }
  }
}

That's it. The credential is scoped, time-bounded, and automatically tracked.

Error Handling

Structured error codes

CRP reserves the -33xxx range for protocol-specific errors. Standard JSON-RPC codes apply for parse/transport errors.

-33001version_mismatch
CRP version incompatible
-33002service_not_found
Requested service identifier is unknown
-33003policy_denied
Policy evaluation denied the request
-33004lease_not_found
Lease ID does not exist or has expired
-33005lease_expired
Lease has expired and cannot be renewed
-33006lease_not_renewable
Lease does not support renewal
-33007credential_unavailable
Credential exists but cannot be resolved
-33008rate_limited
Too many requests; retry after delay
-33009scope_unavailable
Requested scope does not exist for this service
-33010provider_error
Internal provider error
-33011feature_not_supported
Requested CRP feature not supported
-33012revocation_failed
Revocation could not be completed
Example error response
{
  "jsonrpc": "2.0",
  "id": 1,
  "error": {
    "code": -33003,
    "message": "policy_denied",
    "data": {
      "service": "stripe",
      "detail": "Consumer not authorized for production credentials"
    }
  }
}

Ecosystem

Built for everyone

CRP is language-agnostic and implementation-neutral. Build your own provider, or use the reference implementation.

Rust
Reference — crates.io
Python
Published on PyPI
Node.js
Published on npm
Go
Published on GitHub

Reference Implementation

SanctumAI →

Alternative implementations welcome. CRP is an open standard — build what you need.

Community

This protocol belongs to the community

CRP is developed in the open. Contributions, feedback, and alternative implementations are all welcome.

CRP Spec RepositoryMCP Discussion →