MCP server

The agent drives. You approve.

The whole suite is designed for an agent-driven workflow. sign-cli is the most concrete expression of that: every CLI command is exposed as an MCP tool over stdio, so any MCP-aware client (Claude Code, Cursor, Codex) can drive sending, tracking, and verification — while the actual signing remains gated behind a per-signer human gesture.

The guardrail — Agents can send documents and track status, but they can't sign. Every signature requires a per-signer token tied to that signer's email, with a TTL. The agent never sees the token. The human does. That asymmetry is the whole architecture.

Start the server

stdio MCP server

# Boots the MCP server on stdio. Wire it into any MCP-aware client.
npx sign-cli mcp

Wire it into Claude Code

Add to your ~/.config/claude-code/settings.json (or the project-level .claude/settings.json):

.claude/settings.json

{
  "mcpServers": {
    "sign-cli": {
      "command": "npx",
      "args": ["-y", "sign-cli", "mcp"]
    }
  }
}

After that, every sign-cli command shows up as an MCP tool inside Claude Code. Ask the agent to "send the contract.pdf to alice@acme.com and bob@beta.com via SignWell" and it will call the right MCP tool with the right arguments.

Wire it into Cursor

Cursor's MCP config lives at ~/.cursor/mcp.json:

~/.cursor/mcp.json

{
  "mcpServers": {
    "sign-cli": {
      "command": "npx",
      "args": ["-y", "sign-cli", "mcp"],
      "env": {}
    }
  }
}

Available tools

Every shell command has a 1:1 MCP tool. The most useful ones:

Tool	What it does
send_document	Send a PDF to one or more signers via the chosen provider. Returns per-signer tokens.
verify_pdf	Verify a signed PDF + receipt bundle. Confirms the audit chain and timestamp anchor.
get_status	Check the signing status of a previously-sent document.
list_audit_events	List all hash-chained events for a given document — useful for replay or post-mortem.
list_providers	List configured signing providers and their status.

What the agent can't do

Sign on a human's behalf. The signing step requires an explicit per-signer token. Tokens are scoped to one signer's email and expire after a configurable TTL.
Modify past audit events. The audit chain is hash-chained; tampering breaks verification.
Bypass the timestamp anchor. RFC 3161 anchors are external — the agent can't forge one.

Why this matters

Most "agent-friendly" SaaS products are agent-friendly in the sense that they have an API. They aren't agent-safe. The MCP boundary here is designed so an agent can do all the operational work (sending, tracking, verifying, reporting) while the actual legal commitment — the signature — stays gated behind a human gesture.

That's a meaningful architectural choice for anyone deploying agents into ops workflows. You get the productivity wins of automation without the legal liability of a hallucinating model accidentally executing a contract.