MCP Needs an Approval Button

The Model Context Protocol (MCP) lacks a cryptographically verified human approval mechanism, leaving systems vulnerable to unauthorized changes. Without a mandatory approval button, agents can execute irreversible actions like purchasing tickets, deleting folders, destroying databases, or approving pull requests without user consent.

MCP is cool, but it needs a verified human-in-the-loop approval button. Here's what I mean in a picture.

This is important because there must be a cryptographically verified way for the server to guarantee that it showed you the payload and that you, the human, have approved it. If MCP is set up so that a specific method is gated behind human approval, there is no way for the agent to make changes on your behalf, no matter how hard it tries.

Examples of what can be achieved:

- transactions like purchasing flight tickets
- irreversible changes to a system, such as deleting a folder
- destroying a DynamoDB table
- approving a GitHub PR
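A sketch of the gate described above, as an added example that is not code from this post or from the MCP specification. The names `ApprovalGate`, `human_approves`, `APPROVER_KEY` and the `delete_table` method are hypothetical, and an HMAC over a key shared by the server and the approval UI stands in for a signature from a key held on the human's device.

```python
import hashlib, hmac, json, secrets, time

# Assumption: this key lives only in the server and the human's approval UI.
# The agent never sees it. HMAC stands in for a device-held signing key.
APPROVER_KEY = secrets.token_bytes(32)

def canonical(method, params):
    """Stable byte encoding so server and approval UI hash the same payload."""
    body = {"method": method, "params": params}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def approval_tag(key, nonce, digest):
    return hmac.new(key, f"{nonce}:{digest}".encode(), hashlib.sha256).hexdigest()

def human_approves(key, challenge):
    """Approval UI: called only after the human reads the payload and clicks."""
    return approval_tag(key, challenge["nonce"], challenge["payload_sha256"])

class ApprovalGate:
    def __init__(self, key, ttl=120):
        self.key, self.ttl, self.pending = key, ttl, {}

    def request(self, method, params):
        """Record the exact payload that will be displayed to the human."""
        nonce = secrets.token_hex(16)
        digest = hashlib.sha256(canonical(method, params)).hexdigest()
        self.pending[nonce] = (digest, time.time() + self.ttl)
        return {"nonce": nonce, "payload_sha256": digest}

    def execute(self, nonce, method, params, tag):
        """Run a gated method only with a fresh approval for this payload."""
        entry = self.pending.pop(nonce, None)  # single use; failures burn it
        if entry is None:
            return "denied: unknown or reused nonce"
        digest, expires = entry
        if time.time() > expires:
            return "denied: approval expired"
        if hashlib.sha256(canonical(method, params)).hexdigest() != digest:
            return "denied: payload differs from what was shown"
        if not hmac.compare_digest(approval_tag(self.key, nonce, digest), tag):
            return "denied: invalid approval tag"
        return f"executed {method}"
```

Because the tag covers both the nonce and the payload hash, an approval cannot be replayed or moved onto different parameters, and an agent without the key cannot mint one.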