The identity verification layer for the agentic economy
The Verified Intent Gateway is an MCP server deployed on Cloudflare’s global edge network. It provides real-time identity verification for AI agents — answering three questions in a single call: who authorized this agent, what is it allowed to do, and can you verify that independently.
Enterprise AI agent platforms like NVIDIA NemoClaw solve deployment, orchestration, and runtime governance. They provide the hooks for security and compliance. What they explicitly delegate to external providers is identity — verifying that an agent is who it claims to be, that it operates within authorized boundaries, and that the authorization traces back to a real organization with real accountability. The Verified Intent Gateway fills that gap.
A single MCP tool call to the gateway returns a complete, cryptographically verified authorization chain:
Every link is SHA-256 hashed. Every document carries a serial number. Every derivation is traceable. The chain is walkable from any starting point — a verifier receiving an L3 payment presentation can trace authorization all the way back to the organizational identity root.
Verify a registered agent’s complete governance and credential chain. Returns VI credential status (L1 active, L2 constraints, L3 history) and Identity Architecture governance chain (Passport, Soul Document, Constitution) in a single response.
Public endpointSubmit paired L3a (payment) and L3b (checkout) presentations for full-chain verification. Validates L1 issuer signature, L2 sd_hash binding, L3 cross-binding, constraint satisfaction, and temporal validity.
AuthenticatedReal-time health check. Returns gateway operational status, connected VI server info, and infrastructure details.
Public endpointThe gateway proxies verification requests to the VI server at the edge. Clients never connect directly to the VI server for verification — the gateway handles authentication, audit logging, and response formatting.
The gateway implements the MCP-first identity gateway pattern — a central checkpoint that validates agent credentials before exposing tools. It speaks standard JSON-RPC 2.0 over HTTP, which means any MCP client can connect. NemoClaw’s streamable-http transport with authentication — the production deployment pattern in the NeMo Agent Toolkit documentation — is exactly what the gateway serves.
NemoClaw’s three-level governance hook architecture (swarm, identity, plugin) calls out to external identity providers at every stage: agent registration, credential provisioning, pre-start validation, and tool authorization. The gateway answers all of these. An identity-level resolve hook calls verify_agent_chain to confirm credential validity before the agent boots. A plugin-level hook calls verify_presentation before authorizing a transaction.
hooks: preStart: | # Verify agent credentials via gateway CHAIN=$(curl -s -X POST https://verified-intent-gateway.daniel-4d9.workers.dev/mcp \ -H "Authorization: Bearer $GATEWAY_KEY" \ -H "Content-Type: application/json" \ -d '{"jsonrpc":"2.0","method":"tools/call","params":{"name":"verify_agent_chain","arguments":{"agent_id":"1"}},"id":1}') echo "$CHAIN" | jq -e '.result.content[0].text | fromjson | .verified' || exit 1
The upgrade slots are marked in the codebase. Each module swaps independently — the gateway’s core routing and tool registry don’t change.