The Missing Security Layer for AI Agents
CRP is an open protocol for credential resolution in the MCP ecosystem. No more API keys in .env files.
The Problem
Credentials are the wild west
┌─────────────────────────────────┐
│ .env                            │
│ OPENAI_KEY=sk-abc123...         │
│ STRIPE_KEY=sk_live_...          │
│ DB_PASSWORD=hunter2             │
│ AWS_SECRET=AKIA...              │
└───────────┬─────────────────────┘
            │ copy-paste
    ┌───────┴───────┐
    │               │
┌───▼───┐      ┌────▼────┐
│Agent A│      │Agent B  │
│(no    │      │(same    │
│ audit)│      │ keys)   │
└───┬───┘      └────┬────┘
    │               │
    ▼               ▼
Never expires. Never rotated.
No audit trail. Shared freely.

┌──────────┐
│ Agent    │
└────┬─────┘
     │ crp/resolve
┌────▼──────────┐
│ MCP Server    │
│ (CRP-aware)   │
└────┬──────────┘
     │ capability negotiation
┌────▼──────────┐
│ CRP Provider  │
│ (vault)       │
└────┬──────────┘
     │
┌────▼──────────────────────┐
│ Leased Credential         │
│ ✓ Time-bounded (5 min)    │
│ ✓ Scoped to operation     │
│ ✓ Audited & logged        │
│ ✓ Policy-checked          │
│ ✓ Auto-revoked            │
└───────────────────────────┘

How It Works
Four primitives. One required.
CRP defines four operations. Only crp/resolve is required for Basic conformance — you can ship a working implementation in a weekend.
crp/resolve (Required)
Resolve a credential by service name. Returns a ready-to-use credential with type, token, and expiry.

{ "method": "crp/resolve",
  "params": { "service": "openai" } }

crp/list
List available credential services. Lets agents discover what's available without guessing.

{ "method": "crp/list" }
→ { "services": ["openai", "stripe", "aws"] }

crp/lease
Acquire a time-bounded lease on a credential. Enables fine-grained, revocable access.

{ "method": "crp/lease",
  "params": { "service": "stripe",
              "ttl": 300 } }

crp/revoke
Explicitly revoke a lease before expiry. Clean up when you're done — don't wait for timeout.

{ "method": "crp/revoke",
  "params": { "leaseId": "ls_abc123" } }

Conformance
Start small. Ship fast.
Three tiers so you can adopt CRP incrementally. Basic is a weekend project.
Basic
- ✓ crp/resolve
- ✓ Static credentials
- ✓ Service-name lookup
- ✓ Bearer token response
Standard
- ✓ Everything in Basic
- ✓ crp/list discovery
- ✓ crp/lease with TTL
- ✓ Credential rotation
Full
- ✓ Everything in Standard
- ✓ crp/revoke
- ✓ Policy enforcement
- ✓ Audit logging
- ✓ Multi-vault backends
MCP Native
No spec fork required
CRP uses MCP's built-in extension point for capability negotiation. Servers advertise CRP support during initialization — no protocol changes needed.
// Server → Client (initialize response)
{
  "capabilities": {
    "experimental": {
      "crp": {
        "version": "0.3",
        "conformance": "standard",
        "methods": ["crp/resolve", "crp/list", "crp/lease"]
      }
    }
  }
}

Quick Start
Resolve your first credential
{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "crp/resolve",
  "params": {
    "service": "openai",
    "reason": "Generate embeddings for user query"
  }
}

{
  "jsonrpc": "2.0",
  "id": 1,
  "result": {
    "service": "openai",
    "credential": {
      "type": "bearer",
      "token": "sk-proj-..."
    },
    "expiresAt": "2025-01-15T10:05:00Z",
    "leaseId": "ls_a1b2c3d4",
    "metadata": {
      "provider": "sanctum",
      "policy": "embedding-only"
    }
  }
}

That's it. The credential is scoped, time-bounded, and automatically tracked.
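A client should not take the leased credential on trust. The sketch below is an added example, not part of the CRP specification or the SanctumAI reference implementation; it validates a crp/resolve response before use and builds a log-safe audit record. The function name, the exception class, the 5-minute maximum lifetime and the RFC 3339 reading of expiresAt are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: the Quick Start response shown on this page (token elided as on the page).
SAMPLE_RESPONSE = json.dumps({
    "jsonrpc": "2.0", "id": 1,
    "result": {
        "service": "openai",
        "credential": {"type": "bearer", "token": "sk-proj-..."},
        "expiresAt": "2025-01-15T10:05:00Z",
        "leaseId": "ls_a1b2c3d4",
        "metadata": {"provider": "sanctum", "policy": "embedding-only"},
    },
})

# Assumed client-side policy (not defined by CRP): accept leases of at most 5 minutes.
MAX_LIFETIME = timedelta(minutes=5)


class CredentialRejected(Exception):
    """Raised when a crp/resolve response fails a client-side check."""


def accept_resolve_response(raw, request_id, service, now):
    """Validate a crp/resolve response; return (token, log-safe audit record)."""
    msg = json.loads(raw)
    if not isinstance(msg, dict) or msg.get("jsonrpc") != "2.0" or msg.get("id") != request_id:
        raise CredentialRejected("response does not match the request")
    result = msg.get("result")
    if not isinstance(result, dict) or result.get("service") != service:
        raise CredentialRejected("no result, or credential is for another service")
    cred = result.get("credential")
    if not isinstance(cred, dict) or cred.get("type") != "bearer" or not cred.get("token"):
        raise CredentialRejected("unsupported or empty credential")
    try:
        # Assumes expiresAt is an RFC 3339 timestamp, as in the sample.
        expires = datetime.fromisoformat(result["expiresAt"].replace("Z", "+00:00"))
    except (KeyError, ValueError, AttributeError):
        raise CredentialRejected("missing or malformed expiresAt")
    if expires.tzinfo is None or expires <= now:
        raise CredentialRejected("expiry has no timezone or is already past")
    if expires - now > MAX_LIFETIME:
        raise CredentialRejected("lifetime exceeds client policy")
    meta = result.get("metadata")
    # The audit record deliberately omits the token so it can be logged.
    audit = {"service": service, "leaseId": result.get("leaseId"),
             "expiresAt": expires.isoformat(),
             "policy": meta.get("policy") if isinstance(meta, dict) else None}
    return cred["token"], audit
```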
Ecosystem
Built for everyone
CRP is language-agnostic and implementation-neutral. Build your own provider, or use the reference implementation.
Reference Implementation
SanctumAI
Alternative implementations welcome. CRP is an open standard — build what you need.
Community
This protocol belongs to the community
CRP is developed in the open. Contributions, feedback, and alternative implementations are all welcome.