Agent Authenticator: TOTP for MCP agents

A small MCP service from Forge Nord that returns current TOTP codes without exposing the underlying seed.

Agent Authenticator came out of a narrow operational problem at Forge Nord. Agents could complete login flows and continue once authenticated, but a TOTP prompt still forced the loop back to a human.

The obvious workaround is to give the model the TOTP seed and let it generate codes directly. That solves the immediate problem and creates a different one: a long-lived secret is now sitting in model-facing context.

The interface we wanted was narrower. The agent should be able to ask for the current code. It should not be able to retrieve the seed.

Interface

  • local-first operation
  • a small MCP interface instead of an ad-hoc helper script
  • encrypted storage at rest
  • defaults that do not widen the attack surface by accident

The result is Agent Authenticator: a small MCP server with an encrypted local vault for TOTP seeds and a minimal tool surface around it.
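To make the "ask for the code, never the seed" interface concrete, here is an added stand-alone sketch of that tool surface in Python; it is not Agent Authenticator's own code and omits the encrypted vault and MCP transport. The class name, account label, and the RFC 6238 test seed it is exercised with are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Dict, List, Optional


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of time steps since the Unix epoch."""
    return hotp(key, at // step, digits)


class TotpBridge:
    """Holds TOTP seeds and exposes only the current code (hypothetical class).

    There is deliberately no accessor for the seed: the only value that
    leaves the object is a short-lived code, which is all a model-facing
    tool needs to return."""

    def __init__(self) -> None:
        # Name-mangled to keep seeds out of casual introspection; the real
        # boundary is that no public method ever returns them.
        self.__seeds: Dict[str, bytes] = {}

    def add_account(self, label: str, base32_seed: str) -> None:
        # otpauth seeds are base32 and often unpadded; normalise before decoding
        raw = base32_seed.strip().replace(" ", "").upper()
        raw += "=" * (-len(raw) % 8)
        self.__seeds[label] = base64.b32decode(raw)

    def list_accounts(self) -> List[str]:
        return sorted(self.__seeds)

    def current_code(self, label: str, now: Optional[int] = None) -> str:
        """The one tool an agent needs: the code valid for the current time step."""
        if label not in self.__seeds:
            raise KeyError(f"unknown account: {label}")
        at = int(time.time()) if now is None else now
        return totp(self.__seeds[label], at)

    def __repr__(self) -> str:
        return f"TotpBridge(accounts={self.list_accounts()})"  # no seed material
```

The `now` parameter exists so the bridge can be checked against the RFC 6238 test vectors offline; in service the agent would call `current_code` with no arguments beyond the account label.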

Release work

The internal version was useful, but not ready to publish. The public release focused on the parts that matter once other teams start running it.

  • key handling that stays out of standard output
  • atomic vault writes under a full transaction lock
  • loopback-only HTTP unless remote bind is explicitly enabled
  • CI, release artifacts, and security documentation

The scope stays narrow on purpose. This is not a general secrets product. It is a TOTP bridge for MCP-based workflows that need one.

Operating note

The useful design question here was not “how do we let the model do more?” It was “what is the smallest capability we can expose without handing over the underlying secret?”

That pattern shows up repeatedly in agent infrastructure: expose the narrow operation, not the reusable credential behind it.