One control plane for A2A agents and MCP servers
Your AI ecosystem is growing. Agents calling agents. Tools invoking tools. Who's keeping track?
CapiscIO Platform is where you register every workload, issue cryptographic trust badges, enforce revocation, and query cross-protocol telemetry. All organized by org. Whether it's an A2A agent or an MCP tool server, you manage trust from one place.
Free: CLI + Guards with local identities. Developer: $79/mo for 10 hosted identities.
The 3 AM scenario you're trying to avoid
It's not hypothetical. AI agents are already in production. The question is: do you have visibility?
"An agent is exfiltrating customer data. Which one? We don't know."
Your security team gets an alert. Something is calling your internal APIs at 3 AM. It's authenticated. It's authorized. But you can't trace it back to a specific agent. You can't revoke it without breaking everything. You don't even know if it's an A2A agent or an MCP tool server.
With Platform: "Agent ag_7x2k. Registered 3 months ago. Revoked in seconds."
Every agent and MCP server has a unique ID in your registry. You see when it was registered, who owns it, what org it belongs to, and its current badge status. Revocation is one API call (and can be managed in the dashboard). Your event history shows what happened and when.
Why "unified" isn't just marketing
A2A agents call MCP servers. MCP servers invoke other agents. Your trust model can't have protocol boundaries.
Without Platform
- • Spreadsheet tracking
- • Manual key rotation
- • Slack for revocation
- • Different team owns it
- • Separate access logs
- • No correlation to agents
With Platform
capiscio-sdkcapiscio-mcpWhat Platform gives you today
Not roadmap. Not "coming soon." Live and deployed.
Unified Registry
Every A2A agent and MCP server gets a unique ID, belongs to an org, and has a public status endpoint. No more spreadsheets.
- Create, read, update, delete via REST API
- Dashboard for visual management
- Public status endpoints for verification
Trust Badges
Cryptographic proof that an agent or server is who they claim to be. Issue via Proof of Possession (PoP) or Domain Validation (DV).
- Same badge system for agents and servers
- Unified revocation list
- Short-lived badges with re-issuance
Cross-Protocol Telemetry
Platform ingests events from your Guard deployments. See A2A and MCP traffic in one view, organized by org.
- Metrics dashboard by org
- A2A + MCP events in one timeline
- Query event history via API
Multi-Tenant Organizations
Create orgs, invite team members, assign roles. Every workload belongs to an org with its own API keys and org-scoped visibility.
- Role-based access control
- Org-scoped API keys
- Team invitations
One Registry Key, Both Protocols
Generate a key in Platform. Use it with capiscio-sdk for A2A agents or capiscio-mcp for MCP servers. Same header, same auth, unified access.
Security teams, this is for you
Zero trust for AI workloads. Revocation that actually works. Evidence you can take to incident response.
Verify Before Trust
Every agent and server has a public status endpoint. Query badge status, check revocation, verify identity before allowing access.
Instant Revocation
Compromised agent? One API call (or dashboard click) to revoke. Verification checks the revocation list so you can stop trust without waiting for key rotation cycles.
Audit-Ready Logs
Badge status, revocations, and event history are available via API endpoints. Answer incident-response and audit questions with concrete data.
Compliance questions Platform helps answer:
- "What AI agents have access to production data?"
- "When was this agent last verified?"
- "Show me all revocations in the last 90 days"
- "Who owns this MCP server?"
- "What was the cross-protocol call pattern on date X?"
- "Show the last 90 days of activity for org Y"
From zero to first badge in under 5 minutes
No credit card. No sales call. Just sign up and start.
Create org & get key
Sign up at app.capisc.io. Create an org. Generate a registry key.
Register your workload
Via dashboard or API. Agent or MCP server, same flow.
Issue first badge
Complete PoP or DV flow. Badge issued. Now you're verified.
Or explore the quickstart guide first
Built for how your team actually works
Different roles, different views, same source of truth.
Security & GRC
You need to know what's running, who owns it, and how to kill it if something goes wrong.
- • View all agents/servers across orgs
- • Issue and revoke badges
- • Review event history and badge status
- • Monitor revocation list
Platform Engineering
You need to integrate this into your stack without creating another operational burden.
- • REST API for everything
- • Configure event ingestion
- • Manage orgs and keys
- • Cross-protocol metrics
Developers
You need to register your agent or server and get a badge without reading a 50-page doc.
- • SDK for A2A (capiscio-sdk)
- • SDK for MCP (capiscio-mcp)
- • Same key for both
- • Public status endpoints
Platform + Guards = Complete coverage
Platform is the control plane. Guards enforce at runtime. Events flow back for unified visibility.
Agent Guard
Verify identity, integrity, and freshness for every A2A request. Drop-in SDK for your agents.
- • Request signing & verification
- • Replay protection
- • Badge-aware trust decisions
MCP Guard
Enforce trust levels on every tool invocation. Same registry, same badges, unified in Platform.
- • Per-tool trust requirements
- • Argument validation
- • Automatic badge checks
Guards work standalone. Platform integration is opt-in. Configure event ingestion when you're ready.
The Trust Layer is Free
Enterprise assurance when your compliance team asks for it.
Ready to unify your AI trust layer?
Stop managing agents and MCP servers separately. One control plane. One badge system. Event retention from day one.