MCP Credential Broker

See the Applications overview for prerequisites, configuration endpoints, and available scopes.

An MCP credential broker lets AI assistants obtain temporary cloud credentials on behalf of authenticated users. The broker validates the caller’s Vouch access token, then calls the Vouch credential APIs to get:

  • AWS – Temporary STS credentials via AssumeRoleWithWebIdentity
  • GitHub – Installation access tokens scoped to the user’s organization
  • SSH – Signed certificates tied to the user’s identity

All credentials are short-lived and trace back to a hardware-verified human identity.

Example

mcp/credential-broker – Complete working example extending the Python MCP remote server with AWS, GitHub, and SSH credential brokering tools.