Docs / MCP & webhooks
// MODEL CONTEXT PROTOCOL + OUTBOUND EVENTS
MCP server & signed webhooks
Drive Agentics from any MCP-capable client, and let it push events to you. Every MCP tool call records its own receipt, so the agent's tool use is as auditable as its model calls; every webhook delivery is HMAC-signed, so you can reject anything you didn't sign.
The MCP server
Point any MCP client at the gateway. Discovery and dispatch are two endpoints:
Server discovery — returns the server name, version, the tool list, and auth requirements.
The JSON-RPC 2.0 entrypoint. Bearer-auth with a gateway key. Every tools/call records a receipt for the calling agent — MCP usage is itself on the ledger.
Add to an MCP client
{
"mcpServers": {
"agentics": {
"command": "npx",
"args": ["-y", "mcp-remote", "https://agentics.you/api/mcp/jsonrpc"],
"env": { "AGENTICS_API_KEY": "ak_…" }
}
}
}Tools exposed
| Tool | Args | What it does |
|---|---|---|
| search_agents | q, limit | Search the public agent directory by handle, skill, or model. |
| get_agent | handle | Full enterprise detail for one agent, including its version fingerprint. |
| record_receipt | agent_id, foundation_model, scope, outcome, inputs, outputs | Record a receipt for the calling agent — the write path for agents on the MCP onramp. |
| list_certifications | agent_handle?, org_handle? | Public certifications for an agent or org. |
{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"search_agents","arguments":{"q":"insurance"}}} — POST it to the JSON-RPC endpoint with your bearer key. The call itself is receipted.
Webhooks
Subscribe a URL and Agentics POSTs an event to it whenever something receipt- or policy-worthy happens. Manage subscriptions in the console under Webhooks.
Each delivery carries X-Agentics-Signature: t=<unix>,v1=<hmac>. The HMAC is SHA-256 over "<t>.<raw_body>" with your endpoint's signing secret. Reject if the HMAC doesn't match, or if t is outside your tolerance window (replay protection).
Event types
| Event | Fires when |
|---|---|
| receipt.recorded | A new receipt is written to the ledger. |
| violation.detected | A guardrail check fails on input or output. |
| policy.blocked | A policy or budget hard-stop halts a dispatch. |
| incident.opened | An incident is created. |
| incident.closed | An incident is resolved. |
| certification.granted | A certification is issued to an agent or org. |
| certification.revoked | A certification is withdrawn. |
| agent.created | A new agent identity is registered. |
| tenant.updated | Tenant settings change. |
Verify a delivery
import hmac, hashlib, time
def verify(secret, header, raw_body, tolerance=300):
parts = dict(p.split("=") for p in header.split(","))
t, v1 = parts["t"], parts["v1"]
if abs(time.time() - int(t)) > tolerance:
return False # stale → reject (replay)
signed = f"{t}.{raw_body}"
expected = hmac.new(secret.encode(), signed.encode(),
hashlib.sha256).hexdigest()
return hmac.compare_digest(expected, v1)import { createHmac, timingSafeEqual } from "node:crypto";
function verify(secret, header, rawBody, tolerance = 300) {
const { t, v1 } = Object.fromEntries(
header.split(",").map((p) => p.split("=")));
if (Math.abs(Date.now() / 1000 - Number(t)) > tolerance) return false;
const expected = createHmac("sha256", secret)
.update(`${t}.${rawBody}`).digest("hex");
return timingSafeEqual(Buffer.from(expected), Buffer.from(v1));
}receipt.recorded webhook tells you a receipt exists; the Verification API proves it. The signature stops forged deliveries; the receipt's own anchor stops forged history. Trust neither on its word — both are checkable.