Cloak exposes its KMS/HSM as an MCP server. Your agents can manage keys, sign, verify, encrypt, and decrypt — with humans setting policy upfront, scope-limited credentials per agent, and an audit trail for every operation.
The Cloak model is simple: a human sets a policy ("this agent can encrypt files for client X with read-only access"). The agent operates within that boundary. Every operation returns a signed receipt the human can verify later — without asking the agent what it did.
Sets the policy: who, what, for how long, with which key. The agent cannot escalate beyond this boundary.
Calls the MCP tool or REST endpoint. Cloak enforces the policy. The agent gets a result — and a receipt.
Signed audit receipt: actor, operation, timestamp, policy applied, cryptographic signature. Verifiable offline.
The Cloak KMS exposes nine HSM-backed primitives over MCP. Any MCP-compatible agent — Claude, Cursor, Codex, your own LLM app — can call these tools directly. The live tool catalog is at GET /kms/mcp/info.
{}
[
{
"alias": "agent-signing-key",
"keyId": "0101",
"keyType": "RSA_2048",
"keyUsage": "SIGN",
"keyState": "ENABLED"
}
]
{
"alias": "agent-signing-key",
"keyId": "0101"
}
{
"alias": "agent-signing-key",
"keyId": "0101",
"keyType": "RSA_2048",
"publicKeyPem": "-----BEGIN PUBLIC KEY-----…"
}
{
"alias": "project-alpha-signing",
"label": "Project alpha",
"keyType": "ECC_SECP256R1",
"keyUsage": "SIGN"
}
{
"alias": "project-alpha-signing",
"keyId": "0102",
"keyType": "ECC_SECP256R1",
"keyUsage": "SIGN"
}
{
"alias": "project-alpha-signing",
"keyId": "0102"
}
{
"alias": "project-alpha-signing",
"keyId": "0102",
"deleted": true
}
{
"alias": "agent-signing-key",
"keyId": "0101",
"algorithm": "ECDSA_SHA_256",
"digestHex": "a4caf7bd…21083d95"
}
{
"alias": "agent-signing-key",
"keyId": "0101",
"algorithm": "ECDSA_SHA_256",
"signatureBase64": "MEYCIQDx9n…"
}
{
"alias": "agent-signing-key",
"keyId": "0101",
"algorithm": "ECDSA_SHA_256",
"digestHex": "a4caf7bd…21083d95",
"signatureBase64": "MEYCIQDx9n…"
}
{
"alias": "agent-signing-key",
"keyId": "0101",
"algorithm": "ECDSA_SHA_256",
"valid": true
}
{
"alias": "agent-encrypt-key",
"keyId": "0103",
"algorithm": "RSA_PKCS_OAEP",
"inputBase64": "SGVsbG8sIHdvcmxkIQ=="
}
{
"alias": "agent-encrypt-key",
"keyId": "0103",
"algorithm": "RSA_PKCS_OAEP",
"outputBase64": "k0wLZ3K3J9aQ…"
}
{
"alias": "agent-encrypt-key",
"keyId": "0103",
"algorithm": "RSA_PKCS_OAEP",
"inputBase64": "k0wLZ3K3J9aQ…"
}
{
"alias": "agent-encrypt-key",
"keyId": "0103",
"algorithm": "RSA_PKCS_OAEP",
"outputBase64": "SGVsbG8sIHdvcmxkIQ=="
}
{
"alias": "agent-derive-key",
"keyId": "0104",
"peerPublicKeyHex": "04…"
}
{
"alias": "agent-derive-key",
"keyId": "0104",
"algorithm": "ECDH",
"outputBase64": "shared-secret-bytes"
}
These compose the KMS primitives above into higher-level operations. They aren't shipped yet — track progress in the GitHub project board.
encrypt_file / cloak_file — file-level encrypt with policy + receipt (Cloak Files; client-side, plaintext stays on the agent's host)
decrypt_file / uncloak_file — policy-bound file decrypt (Cloak Files; client-side)
sign_pdf — AATL PDF signing (Batchsign)
create_receipt — mint a verifiable receipt
verify_receipt — check a receipt's signature
rotate_key — policy-bound key rotation
revoke_access — invalidate a recipient's access to a file
Add the Cloak MCP server to your mcp_config.json (Claude, Cursor, or any MCP host). Your agent immediately gets access to all nine tools — no additional SDK needed.
Set CLOAK_API_KEY to your API key from the console. Scope it to the specific products your agent needs — KMS only, Encrypt only, or all four.
{
  "mcpServers": {
    // Live today: Cloak KMS over HTTP
    "cloakKms": {
      "url": "https://kms.cloakapps.com/kms/mcp",
      "headers": {
        "Authorization": "Bearer $CLOAK_AGENT_TOKEN"
      }
    },
    // Roadmap: Cloak Files as a local stdio server
    // (plaintext never leaves the agent's host)
    "cloakEncrypt": {
      "command": "npx",
      "args": ["-y", "@cloakapps/cloak-encrypt-mcp"]
    }
  }
}
list_tools to confirm.
Giving an AI agent access to cryptographic operations is a significant trust decision. Cloak makes that trust explicit and auditable.
A human creates a policy ("this agent may encrypt files for client A with read-only access, expiring in 30 days"). The agent cannot modify its own policy or escalate permissions — ever. Cloak enforces the boundary server-side.
On the Agent Business plan, set a maximum number of operations per agent per session. An agent that exceeds its budget is blocked until a human re-authorizes. Prevents runaway automation from consuming quota or generating unexpected receipts.
Every agent session is logged with a unique session ID that appears in every receipt. You can replay exactly what an agent did, in order, with timestamps — without trusting the agent's own logs or memory.
If an agent behaves unexpectedly, revoke its API key from the console. Ongoing sessions are terminated within seconds. Previously issued receipts remain valid — the revocation only stops future operations.
A finance agent receives a payment authorisation request, signs the PDF, encrypts the receipt, and logs everything — no human clicks required after initial policy setup. The sign_pdf and cloak_file tools below haven't shipped yet — today the same flow is buildable on top of kms_sign + your own envelope code.
Finance manager creates a Batchsign + Encrypt policy allowing the agent to sign payment docs up to $50,000 and encrypt them for the CFO. Policy is time-limited to the current quarter.
sign_pdf: Agent receives a payment doc from the ERP, calls Batchsign to sign it with the AATL certificate. Gets back a signed PDF and a receipt.
cloak_file: Wraps the signed PDF with Cloak Files, restricting access to the CFO's email, read-only. Gets back an encrypted file and another receipt.
The manager opens the console. Sees two receipts: one for signing, one for encryption. Both are cryptographically signed by Cloak. The agent's session ID ties them together. No gaps in the audit trail.
# Step 2: sign the payment doc
signed = mcp.call_tool("sign_pdf", {
    "pdf_path": payment_doc_path,
    "signer_name": "Acme Corp Finance",
    "reason": "Payment authorised"
})
sign_receipt = signed["receipt"]

# Step 3: encrypt for CFO only
protected = mcp.call_tool("cloak_file", {
    "file_path": signed["signed_path"],
    "policy": {
        "recipients": ["cfo@acme.com"],
        "permissions": "read-only"
    }
})
enc_receipt = protected["receipt"]

# Both receipts logged to ERP record
erp.attach_receipts(
    payment_id,
    [sign_receipt, enc_receipt]
)
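Since sign_pdf has not shipped, the signing step can be built on kms_sign as the use case notes. The sketch below is an added example, not Cloak's own code: it hashes the document locally, builds a request in the sign request shape shown earlier on this page, and accepts the response only if it echoes the same alias, keyId and algorithm and carries a DER-shaped ECDSA signature. The `call_tool(name, args)` callable is assumed to behave like `mcp.call_tool` in the snippet above, and `stub_call_tool` with its signature bytes is constructed so the block runs offline; the check is structural and does not replace verifying the signature.

```python
import base64
import hashlib
import io

SIGN_TOOL = "kms_sign"  # tool name as written on this page

def sha256_hex(stream, chunk_size=65536):
    """Hash a binary stream in chunks; only the digest is sent to the KMS."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()

def is_der_ecdsa(sig):
    """Structural check only: SEQUENCE { INTEGER r, INTEGER s }, short-form lengths (P-256)."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] >= 0x80 or sig[1] != len(sig) - 2:
        return False
    pos = 2
    for _ in range(2):
        if pos + 2 > len(sig) or sig[pos] != 0x02 or not 0 < sig[pos + 1] < 0x80:
            return False
        pos += 2 + sig[pos + 1]
    return pos == len(sig)

def accept_sign_response(request, response):
    """Return signature bytes only if the response is bound to the request we sent."""
    for field in ("alias", "keyId", "algorithm"):
        if response.get(field) != request[field]:
            raise ValueError(f"response {field!r} does not match the request")
    sig = base64.b64decode(response.get("signatureBase64", ""), validate=True)
    if not is_der_ecdsa(sig):
        raise ValueError("signatureBase64 is not a DER ECDSA signature")
    return sig

def sign_document(call_tool, alias, key_id, stream):
    """call_tool(name, args) is an assumed interface, modelled on mcp.call_tool above."""
    request = {"alias": alias, "keyId": key_id,
               "algorithm": "ECDSA_SHA_256", "digestHex": sha256_hex(stream)}
    return request, accept_sign_response(request, call_tool(SIGN_TOOL, request))

def stub_call_tool(name, args):
    """Constructed stand-in for the MCP host: echoes key fields, returns fixed fake bytes."""
    fake = bytes([0x30, 0x44, 0x02, 0x20]) + b"\x01" * 32 + bytes([0x02, 0x20]) + b"\x02" * 32
    return {"alias": args["alias"], "keyId": args["keyId"], "algorithm": args["algorithm"],
            "signatureBase64": base64.b64encode(fake).decode()}

if __name__ == "__main__":
    doc = io.BytesIO(b"constructed payment doc")  # constructed sample input
    req, sig = sign_document(stub_call_tool, "agent-signing-key", "0101", doc)
    print(req["digestHex"], len(sig))
```

Store the returned request next to the signature so the digest, key and algorithm can be passed to the verify primitive later.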
Every MCP tool has an equivalent REST endpoint. If your agent framework doesn't support MCP, call the API directly — same behavior, same receipts. Base URL: https://api.cloakapps.com/v1
Free account. Full API and MCP access from day one. No credit card.
Governed by the OMMAU Charter — humans authorize, agents execute, receipts prove it.