Step-up Auth (AI Agent)
⚡ 4 min readBefore an AI agent runs a verified MCP tool, Transcodes requires step-up MFA (passkey, TOTP, hardware key, etc.). The human approves the action on auth.transcodes.io — the agent cannot bypass the gate.
How it works for agents
- Agent calls a verified tool (e.g.
retire_member,suspend_member,passcode_create) - MCP server creates a step-up session and returns an auth URL
- Human completes biometric verification on their device
- Agent polls the session; on
verified, the tool executes immediately
The same step-up primitive powers Admin step-up auth for end-users in your app. Here the actor requesting elevation is the AI agent; the human is the token holder approving it.
Host integration
| Host | Gate mechanism |
|---|---|
| Cursor / Claude / Codex | MCP server create_stepup_session + poll_stepup_session |
| Antigravity | Transcodes Guard plugin PreToolUse hook + MCP |
See Integration for host setup.
Verified MCP tools (examples)
Tools that require step-up before execution include:
retire_member,retire_role,retire_resourcesuspend_member,unsuspend_memberupdate_member_role,set_role_permissionspasscode_create
Policy is enforced server-side — agents must not refuse after verification succeeds.
Console configuration
Role-based step-up rules and session duration are configured in the Console Step-up Session panel. Full panel guide (archived): Step-up Session panel.
For SDK step-up in your own app UI, see Admin → Step-up Auth.
Next: RBAC · Audit Logs · Admin step-up