AffixIOAFFIXIO
Contact

Documentation · Model Context Protocol

How to connect AffixIO MCP

Proof by AffixIO is a hosted Model Context Protocol (MCP) server for zero-knowledge verification, post-quantum attestation, and Merkle audit. One URL works across Claude.ai, Claude Desktop, Claude Code, and other MCP clients that support remote Streamable HTTP with OAuth.

What is the Model Context Protocol?

The Model Context Protocol (MCP) is an open standard for connecting AI assistants and agents to external tools and data sources. Instead of copying API docs into every chat, the client discovers tools, calls them with structured arguments, and receives typed results.

AffixIO publishes a remote MCP server so Claude and compatible vetted clients can run zk_prove, zk_verify, and Merkle lookups without you operating proof infrastructure locally. Proof generation runs on api.affix-io.com (Noir with Barretenberg). The MCP layer handles auth, tool routing, and formatted responses.

This guide covers public connection methods only. It does not describe internal keys, circuit bytecode, or proprietary rule engines.

Endpoint and transport

ItemValue
MCP server URLhttps://affix-io.com/mcp
TransportStreamable HTTP (remote MCP, no local binary required)
AuthenticationOAuth 2.0 with PKCE; Bearer token on MCP requests
OAuth discoveryGET /.well-known/oauth-authorization-server
Protected resource metadataGET /.well-known/oauth-protected-resource/mcp
AuthorisationGET /oauth/authorize
Token exchangePOST /oauth/token
Dynamic client registrationPOST /oauth/register (used by MCP clients during setup)
Upstream proof APIhttps://api.affix-io.com
Use the exact URL https://affix-io.com/mcp (no trailing path). Clients that support MCP remote connectors will discover OAuth endpoints automatically from the host.

Four ways to connect

All paths below use the same hosted endpoint. Pick the one that matches your client.

Ways to connect Proof by AffixIO MCP FOUR CONNECTION PATHS · SAME ENDPOINT https://affix-io.com/mcp Claude.ai Settings → Connectors Custom remote MCP URL OAuth in browser No local install Claude Desktop Integrations panel Add custom connector Streamable HTTP transport Same URL Claude Code Terminal one-liner claude mcp add --transport http Project scoped Other MCP clients Cursor and compatible Remote HTTP MCP server OAuth when prompted Open MCP standard

Four connection paths, one endpoint. Remote Streamable HTTP with OAuth on every path.

Claude.ai (web)

  1. Open SettingsConnectors (or Integrations).
  2. Choose Add connector or Custom connector.
  3. Paste https://affix-io.com/mcp.
  4. Complete OAuth when AffixIO prompts you.

Claude Desktop

  1. Open the Integrations or Connectors panel.
  2. Add a custom remote MCP connector.
  3. Enter https://affix-io.com/mcp.
  4. Sign in through the browser OAuth window.

Claude Code

From your project terminal:

claude mcp add --transport http affixio-proof https://affix-io.com/mcp

List connectors: claude mcp list. Remove: claude mcp remove affixio-proof.

Cursor and other MCP clients

Any client that supports remote MCP over HTTP with OAuth can use the same URL. Add https://affix-io.com/mcp in MCP server settings and complete authorisation when prompted. Menu labels vary by product; refer to your client’s MCP documentation.

https://affix-io.com/mcp

OAuth flow (what happens behind Connect)

Remote MCP clients follow standard OAuth 2.0. You approve access once; the client stores a Bearer token for subsequent tool calls.

AffixIO MCP OAuth connection flow Sequence from MCP client through OAuth authorisation to bearer token and MCP tool calls on affix-io.com/mcp. OAUTH + STREAMABLE HTTP MCP 1. MCP client Claude / Cursor add remote URL 2. Discover /.well-known/ oauth-authorization-server 3. Authorise /authorize + PKCE user approves 4. Token POST /token Bearer access token 5. MCP POST /mcp tool calls Behind the connector (public endpoints only) api.affix-io.com Noir prove / verify ML-DSA-65 PQC attestation Merkle audit tree generated · verified proof_requested events Shareable proof_ref zk_merkle_proof in chat no raw PII in proof bundle

Discovery, authorise, token, MCP tool calls. Proof work is forwarded to api.affix-io.com; Merkle events are anchored on success.

  1. Discovery. The client reads /.well-known/oauth-authorization-server on affix-io.com for authorisation and token endpoints.
  2. Registration. Many clients self-register via POST /oauth/register (dynamic client registration).
  3. Authorisation. You approve access at /oauth/authorize with PKCE. Claude uses callback https://claude.ai/api/mcp/auth_callback.
  4. Token. The client exchanges the code at POST /oauth/token and receives a Bearer access token.
  5. MCP session. Authenticated requests hit POST /mcp with JSON-RPC style MCP messages. Unauthenticated requests receive HTTP 401.

Your first tool call

After connecting, ask Claude to list tools or run a simple proof. A safe starting pattern:

  1. Call zk_list_circuits to see available circuit ids.
  2. Call zk_scenario_match with a plain-language scenario to get suggested circuit and fields.
  3. Call zk_prove with synthetic test data (not real PII).
  4. Call zk_merkle_proof with the returned digest to fetch an inclusion proof.

Example: yes/no circuit (synthetic)

In chat, you might say: “Use zk_prove with circuit yesno and fields condition_greater1, condition_greater2, condition_greater3 all set to 1. Set request_attestation true.”

Core starter circuits:

  • yesno — three boolean conditions (each 0 or 1).
  • health_age — age and threshold integers.
  • kyc — five rule fields (rule1 through rule5).

Responses include proof_ref (short audit token), proof_digest, and optional merkle_root when anchored.

MCP tool reference (public names)

Tool names and descriptions are exposed through MCP tools/list. Grouped overview:

AffixIO MCP tool groups MCP TOOL GROUPS (PUBLIC NAMES) Prove and verify zk_prove zk_verify zk_identity_verify zk_batch_prove circuits: yesno, health_age, kyc + catalogue Post-quantum (PQC) zk_attest zk_attest_verify ML-DSA-65 (NIST FIPS 204) request_attestation on zk_prove harvest-now-decrypt-later aware Merkle audit zk_merkle_proof zk_merkle_verify zk_proof_trace zk_governance_stats GET /v1/merkle/root is public on API QR, barcode, offline tickets zk_make_qr · zk_make_barcode · zk_make_proof_qr zk_issue_ticket · zk_verify_ticket · zk_consume_ticket zk_migrate_qr Gate-ready compact-v3 tickets with embedded proof Discovery helpers zk_list_circuits · zk_scenario_match · zk_health zk_audit_feed · zk_eligibility Use zk_scenario_match before your first zk_prove call Engine: Noir + Barretenberg on api.affix-io.com

Public tool groups exposed by Proof by AffixIO. Exact schemas are returned by the live server at connect time.

Prove and verify

zk_prove zk_verify zk_identity_verify zk_batch_prove zk_eligibility

zk_prove accepts circuit_id, fields, optional labels and summary, and request_attestation for PQC signing.

Post-quantum attestation

zk_attest zk_attest_verify

Standalone ML-DSA-65 sign and verify paths. Also available inline on prove via request_attestation: true.

Merkle audit

zk_merkle_proof zk_merkle_verify zk_proof_trace zk_governance_stats zk_audit_feed

Leaves record lifecycle events including generated, verified, and proof_requested. Public root: GET https://api.affix-io.com/v1/merkle/root.

QR, barcode, offline tickets

zk_make_qr zk_make_barcode zk_make_proof_qr zk_issue_ticket zk_verify_ticket zk_consume_ticket zk_migrate_qr zk_barcode_symbologies

Discovery and health

zk_list_circuits zk_scenario_match zk_health

Post-quantum cryptography (PQC) over MCP

Long-lived proof bundles face harvest-now-decrypt-later risk if they rely only on classical signatures. AffixIO attaches optional ML-DSA-65 attestation (NIST FIPS 204 lattice signatures) on prove and verify outcomes.

From MCP, set request_attestation: true on zk_prove or call zk_attest / zk_attest_verify directly. Responses can include signed_at, payload_digest, mldsa_signature_b64, and algorithm ML-DSA-65.

For procurement context see post-quantum attestation field note, WP-036 PQC sandbox, and WP-041 US federal PQC executive order.

Merkle audit from chat

When a proof is generated or verified through the API, AffixIO can append a leaf to the audit Merkle tree. MCP tools let you pull inclusion proofs without retrieving source data.

  • zk_merkle_proof — fetch inclusion steps for a digest (records a proof_requested audit event).
  • zk_merkle_verify — check a leaf hash and proof path against a root.
  • zk_governance_stats — summary counts from the audit layer.

Browser alternative: Merkle verifier tool. API reference: integration patterns and OpenAPI.

Data handling in AI clients

Do not paste PII into Claude or other LLM chats. Use policy identifiers, hashed references, or synthetic test data only. AffixIO evaluates eligibility without requiring raw identity fields in the chat context. For production, call the API from your own boundary and keep sensitive fields on your side.

The MCP connector is designed for governance workflows: yes/no outcomes, audit references, and shareable proof bundles. Store proof_ref in your logs; avoid retaining raw proof hex or source payloads unless your policy requires it.

Troubleshooting

HTTP 401 on /mcp

OAuth is required. Reconnect the connector and complete authorisation. A 401 means the request reached MCP but lacked a valid Bearer token (not an IP block).

Connector fails during discovery

Confirm the URL is exactly https://affix-io.com/mcp. Check status and that your network allows HTTPS to affix-io.com.

Tool returns circuit_unavailable

The circuit id may not be compiled on the current API node. Run zk_list_circuits and pick a listed id, or see circuit catalogue.

rate_limited from upstream

The MCP connector key on api.affix-io.com is limited to 50 requests per second. Other demo keys remain at 10. Space out large batch jobs or use a dedicated API key for production.

Install from homepage Open sandbox WP-040 field report