This matters more than it sounds. Your compliance team will eventually ask "who approved the deletion of those customer records?" Your auditors will want to know who signed off on that production deploy. Your incident response playbook assumes a human made a decision somewhere. With vanilla MCP, the answer is "the AI did it because the AI was told it could"... which is not an answer that satisfies a SOX auditor, a HIPAA compliance review, or your own postmortem.
The solution I landed on: WebAuthn co-signing. You put @require_approval() on the sensitive FastMCP tools. When an agent tries to call one, execution blocks, a URL gets surfaced, and the human approves by tapping a hardware security key (YubiKey, etc.) or their device's built-in biometrics (Touch ID, Windows Hello). The signature is tied to that specific request, with a counter that prevents replay and gets stored in an append-only audit log. Then the tool runs.
It's two repos: a lightweight Python SDK (pip install cosig) and CoSig Cloud, a self-hosted Next.js + FastAPI backend you run on your own infrastructure. Nothing phones home. Your audit logs stay yours.
This is alpha, v0.2.0a1. APIs will change and a security review is recommended before production use. But the core flow works and there's a demo linked below showing it end-to-end.
I'd especially like to hear from people building MCP servers for regulated industries, or anyone who's already thought through the "who authorized this AI action" problem and landed somewhere different.
SDK: https://github.com/skyforest/cosig
Backend: https://github.com/skyforest/cosig-cloud
Demo: https://www.youtube.com/watch?v=7AeMJ3ViV5E
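
The request binding, counter check and append-only log described in the post can be sketched server-side as follows. This is an added example, not code from cosig or CoSig Cloud: `request_challenge`, `ApprovalVerifier`, the nonce and the log layout are hypothetical names, and the WebAuthn assertion signature is assumed to have been verified already by a WebAuthn library.

```python
import base64, hashlib, json

def request_challenge(tool: str, args: dict, nonce: str) -> str:
    """Challenge = SHA-256 of the canonical request, base64url without padding
    (the encoding WebAuthn uses for the challenge inside clientDataJSON)."""
    canonical = json.dumps({"tool": tool, "args": args, "nonce": nonce},
                           sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(hashlib.sha256(canonical).digest()).rstrip(b"=").decode()

class ApprovalVerifier:
    def __init__(self):
        self.sign_counts = {}  # credential id -> last accepted signature counter
        self.log = []          # hash-chained audit entries, oldest first

    def verify(self, cred_id, client_data_json: bytes, sign_count: int, tool, args, nonce):
        # Assumption: the signature over authenticatorData || SHA-256(clientDataJSON)
        # was checked against the registered public key before this call.
        client = json.loads(client_data_json)
        if client.get("type") != "webauthn.get":
            return self._record(cred_id, tool, "rejected:type")
        # The approval counts only for the exact tool call that was shown to the human.
        if client.get("challenge") != request_challenge(tool, args, nonce):
            return self._record(cred_id, tool, "rejected:request-mismatch")
        # Assumes an authenticator with a real counter; a non-increasing value is a replay or clone.
        if sign_count <= self.sign_counts.get(cred_id, 0):
            return self._record(cred_id, tool, "rejected:counter")
        self.sign_counts[cred_id] = sign_count
        return self._record(cred_id, tool, "approved")

    def _record(self, cred_id, tool, outcome):
        # Each entry commits to the previous entry's hash, so edits and deletions are detectable.
        prev = self.log[-1]["hash"] if self.log else "0" * 64
        body = {"cred": cred_id, "tool": tool, "outcome": outcome, "prev": prev}
        body["hash"] = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.log.append(body)
        return outcome == "approved"

    def log_intact(self) -> bool:
        prev = "0" * 64
        for entry in self.log:
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != digest:
                return False
            prev = entry["hash"]
        return True
```

Rejected attempts are logged alongside approvals, so the audit trail also answers who tried to approve something and was refused.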