SchemaPin v1.3.0 · live
◉ open security standard MIT licensed

Sign every tool you ship.
Verify every tool you call.

SchemaPin is an open standard for cryptographically pinning the tool schemas your AI agents read — so a tampered MCP server can't quietly redirect a payment, leak a secret, or rewrite its own contract. Five-minute install. ECDSA P-256. No central registry.

Implemented in Rust, Python, JavaScript, Go.

specimen № 0042 ✓ verified
tool: send_payment(to, amount)
from: agents.acme.dev
alg: ECDSA P-256 · sig: 0x9e2a…dd42 · pin: 14 Feb 2026

~/agents
$ schemapin verify
 fetched .well-known
 pinned ECDSA key
 7 tools verified
  └ 0 errors

signature size: 64 bytes (ecdsa p-256 / der)
runtime trust roots: 0 · tofu only

"An agent that trusts a schema is an agent that trusts a stranger." — open the box.
§ what we're stopping

The agent reads a tool description and obeys. That's the attack surface.

T-01 observed

Description hijack

A compromised MCP server rewrites a tool description so the agent always sends to the attacker. Same name, new behavior.

T-02 common

Silent rotation

Vendor swaps parameter semantics without bumping the version. Old prompts now do new things.

T-03 emerging

Skill folder drift

A signed AgentSkill is forked, edited, redistributed. Downstream users have no provenance trail.

§ lifecycle

Four steps, repeated forever.

[Diagram: SchemaPin lifecycle (every call, every time)]

§ coverage map

Five threats × five mitigations.

Filled cells are full mitigations; outlined cells are partial. The protocol is small precisely because most cells fall to the same two primitives.

[Coverage matrix; legend: FULL, PARTIAL, NONE]

§ capabilities

Nine pieces.

§ quickstart

Pick your language.

Each reference implementation produces byte-identical signatures over the same canonicalized schema. Pick yours; the rest of the page assumes it.

§ cli playground

Four commands. That's the whole CLI.

§ live verifier

Pin a domain. Inspect its key.

Open standalone /verify →
https://<domain>/.well-known/schemapin.json
§ air-gapped

Pin once. Travel anywhere.

Trust bundles are portable, signed snapshots of pinned keys. Export from a connected machine, transport across an air gap, re-pin in one command. Bundles carry their own expiry and revocation.

$ schemapin bundle export > pins.bundle    # collect pins → bundle
$ schemapin bundle import pins.bundle      # load on offline host
$ schemapin bundle verify pins.bundle      # check signature + expiry

BUNDLE.JSON ✓ sealed
{
  "version": "1.3",
  "issued":  "2026-04-30T11:09Z",
  "expires": "2026-07-29T11:09Z",
  "pins": [
    { "domain": "schemapin.org",
      "fpr": "9e:2a:f7:0c…" },
    { "domain": "agents.acme.dev",
      "fpr": "c4:11:8a:dd…" },
    { "domain": "rotated.demo",
      "fpr": "7a:c2:31:8f…",
      "rotated_from": "e1:88:0b:55…" }
  ],
  "signature": "30460221008c…ff03"
}
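
An added example, not SchemaPin's own code: one way an offline host could apply a bundle shaped like the one above to its local TOFU pins, refusing a bundle outside its validity window and accepting a changed key only when `rotated_from` matches the pin already held. The function names, the merge policy, and the sample domains and fingerprints are assumptions constructed for illustration; the bundle signature is assumed to have been checked already with `schemapin bundle verify`.

```python
import json
from datetime import datetime, timezone

TS = "%Y-%m-%dT%H:%MZ"  # timestamp shape used in the bundle shown above

# Constructed sample bundle (domains and fingerprints are made up).
SAMPLE = json.dumps({
    "version": "1.3",
    "issued": "2026-04-30T11:09Z",
    "expires": "2026-07-29T11:09Z",
    "pins": [
        {"domain": "new.example", "fpr": "aa:aa:aa:aa"},
        {"domain": "rotated.example", "fpr": "7a:00:00:01",
         "rotated_from": "e1:00:00:01"},
        {"domain": "moved.example", "fpr": "22:22:22:22"},
    ],
})

def parse_ts(value):
    """Parse a bundle timestamp as an aware UTC datetime."""
    return datetime.strptime(value, TS).replace(tzinfo=timezone.utc)

def apply_bundle(bundle_text, local_pins, now):
    """Merge bundle pins into local_pins; return (merged, rejected_domains)."""
    bundle = json.loads(bundle_text)
    if not parse_ts(bundle["issued"]) <= now < parse_ts(bundle["expires"]):
        raise ValueError("bundle is outside its issued/expires window")
    merged, rejected = dict(local_pins), []
    for pin in bundle["pins"]:
        domain, fpr = pin["domain"], pin["fpr"].lower()
        known = local_pins.get(domain)
        if known is None or known == fpr:
            merged[domain] = fpr      # first use, or same key as before
        elif pin.get("rotated_from", "").lower() == known:
            merged[domain] = fpr      # rotation linked to the key already pinned
        else:
            rejected.append(domain)   # unexplained key change: keep the old pin
    return merged, rejected

if __name__ == "__main__":
    local = {"rotated.example": "e1:00:00:01", "moved.example": "11:11:11:11"}
    now = datetime(2026, 5, 15, tzinfo=timezone.utc)
    print(apply_bundle(SAMPLE, local, now))
```

A domain in the rejected list keeps its existing pin, so a bundle cannot silently replace a key the host already trusts.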
§ questions

The six things people ask first.

§ get started

Five minutes.
One signature per tool.
Then never again.

Read the quickstart → ★ Star on GitHub or $ pip install schemapin