# How to integrate Signpath MCP with Mastra AI ```json { "title": "How to integrate Signpath MCP with Mastra AI", "toolkit": "Signpath", "toolkit_slug": "signpath", "framework": "Mastra AI", "framework_slug": "mastra-ai", "url": "https://composio.dev/toolkits/signpath/framework/mastra-ai", "markdown_url": "https://composio.dev/toolkits/signpath/framework/mastra-ai.md", "updated_at": "2026-05-12T10:26:12.005Z" } ``` ## Introduction This guide walks you through connecting Signpath to Mastra AI using the Composio tool router. By the end, you'll have a working Signpath agent that can list all available code signing certificates, show all projects for your organization, get details of current signing policies through natural language commands. This guide will help you understand how to give your Mastra AI agent real control over a Signpath account through Composio's Signpath MCP server. Before we dive in, let's take a quick look at the key ideas and tools involved. ## Also integrate Signpath with - [OpenAI Agents SDK](https://composio.dev/toolkits/signpath/framework/open-ai-agents-sdk) - [Claude Agent SDK](https://composio.dev/toolkits/signpath/framework/claude-agents-sdk) - [Claude Code](https://composio.dev/toolkits/signpath/framework/claude-code) - [Claude Cowork](https://composio.dev/toolkits/signpath/framework/claude-cowork) - [Codex](https://composio.dev/toolkits/signpath/framework/codex) - [OpenClaw](https://composio.dev/toolkits/signpath/framework/openclaw) - [Hermes](https://composio.dev/toolkits/signpath/framework/hermes-agent) - [CLI](https://composio.dev/toolkits/signpath/framework/cli) - [Google ADK](https://composio.dev/toolkits/signpath/framework/google-adk) - [LangChain](https://composio.dev/toolkits/signpath/framework/langchain) - [Vercel AI SDK](https://composio.dev/toolkits/signpath/framework/ai-sdk) - [LlamaIndex](https://composio.dev/toolkits/signpath/framework/llama-index) - [CrewAI](https://composio.dev/toolkits/signpath/framework/crew-ai) ## TL;DR Here's what you'll learn: - Set up your environment so Mastra, OpenAI, and Composio work together - Create a Tool Router session in Composio that exposes Signpath tools - Connect Mastra's MCP client to the Composio generated MCP URL - Fetch Signpath tool definitions and attach them as a toolset - Build a Mastra agent that can reason, call tools, and return structured results - Run an interactive CLI where you can chat with your Signpath agent ## What is Mastra AI? Mastra AI is a TypeScript framework for building AI agents with tool support. It provides a clean API for creating agents that can use external services through MCP. Key features include: - MCP Client: Built-in support for Model Context Protocol servers - Toolsets: Organize tools into logical groups - Step Callbacks: Monitor and debug agent execution - OpenAI Integration: Works with OpenAI models via @ai-sdk/openai ## What is the Signpath MCP server, and what's possible with it? The Signpath MCP server is an implementation of the Model Context Protocol that connects your AI agent and assistants like Claude, Cursor, etc directly to your Signpath account. It provides structured and secure access to your code signing workflows, so your agent can list certificates, retrieve project details, access signing policies, and check system metadata automatically on your behalf. - Certificate management and discovery: Quickly list all available code signing certificates within your organization, making it easy for your agent to select the right certificate for each workflow. - Automated project listing and tracking: Let your agent fetch and paginate through all Signpath projects, helping you organize, monitor, and automate signing across multiple software projects. - Signing policy insights and selection: Effortlessly retrieve detailed information about your organization’s signing policies, so your agent can ensure every artifact is signed according to security best practices. - System information and environment awareness: Instantly access Signpath system details, including product info, API version, and environment metadata, to keep your agent up to date with the latest platform capabilities. ## Supported Tools | Tool slug | Name | Description | |---|---|---| | `SIGNPATH_GET_HEALTH_CHECK` | Get Health Check | Tool to check if the SignPath API is healthy and operational. Use this to verify API availability before performing other operations. | | `SIGNPATH_LIST_CERTIFICATES` | List Certificates | Retrieve all certificates available in a SignPath organization. Use this to discover certificate IDs needed for signing operations. Requires a valid organization_id which can be obtained from your SignPath account settings. | | `SIGNPATH_LIST_PROJECTS` | List Projects | Tool to list all projects for an organization. Use after confirming the organization ID to retrieve and paginate project records. | | `SIGNPATH_RETRIEVE_SIGNING_POLICY_DETAILS` | Retrieve Signing Policy Details | Retrieve signing policy details for code signing operations. Returns certificate info, RSA key parameters, and policy metadata for the authenticated user's accessible signing policies. Without filters, returns all policies where the user is assigned as Submitter. | | `SIGNPATH_RETRIEVE_SYSTEM_INFO` | Retrieve System Info | Retrieves SignPath system information including the application version and the web UI base URL. Use this tool to verify the SignPath installation version or to obtain the web interface URL. | ## Supported Triggers None listed. ## Creating MCP Server - Stand-alone vs Composio SDK The Signpath MCP server is an implementation of the Model Context Protocol that connects your AI agent to Signpath. It provides structured and secure access so your agent can perform Signpath operations on your behalf through a secure, permission-based interface. With Composio's managed implementation, you don't have to create your own developer app. For production, if you're building an end product, we recommend using your own credentials. The managed server helps you prototype fast and go from 0-1 faster. ## Step-by-step Guide ### 1. Prerequisites Before starting, make sure you have: - Node.js 18 or higher - A Composio account with an active API key - An OpenAI API key - Basic familiarity with TypeScript ### 1. Getting API Keys for OpenAI and Composio OpenAI API Key - Go to the [OpenAI dashboard](https://platform.openai.com/settings/organization/api-keys) and create an API key. - You need credits or a connected billing setup to use the models. - Store the key somewhere safe. Composio API Key - Log in to the [Composio dashboard](https://dashboard.composio.dev?utm_source=toolkits&utm_medium=framework_docs). - Go to Settings and copy your API key. - This key lets your Mastra agent talk to Composio and reach Signpath through MCP. ### 2. Install dependencies Install the required packages. What's happening: - @composio/core is the Composio SDK for creating MCP sessions - @mastra/core provides the Agent class - @mastra/mcp is Mastra's MCP client - @ai-sdk/openai is the model wrapper for OpenAI - dotenv loads environment variables from .env ```bash npm install @composio/core @mastra/core @mastra/mcp @ai-sdk/openai dotenv ``` ### 3. Set up environment variables Create a .env file in your project root. What's happening: - COMPOSIO_API_KEY authenticates your requests to Composio - COMPOSIO_USER_ID tells Composio which user this session belongs to - OPENAI_API_KEY lets the Mastra agent call OpenAI models ```bash COMPOSIO_API_KEY=your_composio_api_key_here COMPOSIO_USER_ID=your_user_id_here OPENAI_API_KEY=your_openai_api_key_here ``` ### 4. Import libraries and validate environment What's happening: - dotenv/config auto loads your .env so process.env.* is available - openai gives you a Mastra compatible model wrapper - Agent is the Mastra agent that will call tools and produce answers - MCPClient connects Mastra to your Composio MCP server - Composio is used to create a Tool Router session ```typescript import "dotenv/config"; import { openai } from "@ai-sdk/openai"; import { Agent } from "@mastra/core/agent"; import { MCPClient } from "@mastra/mcp"; import { Composio } from "@composio/core"; import * as readline from "readline"; import type { AiMessageType } from "@mastra/core/agent"; const openaiAPIKey = process.env.OPENAI_API_KEY; const composioAPIKey = process.env.COMPOSIO_API_KEY; const composioUserID = process.env.COMPOSIO_USER_ID; if (!openaiAPIKey) throw new Error("OPENAI_API_KEY is not set"); if (!composioAPIKey) throw new Error("COMPOSIO_API_KEY is not set"); if (!composioUserID) throw new Error("COMPOSIO_USER_ID is not set"); const composio = new Composio({ apiKey: composioAPIKey as string, }); ``` ### 5. Create a Tool Router session for Signpath What's happening: - create spins up a short-lived MCP HTTP endpoint for this user - The toolkits array contains "signpath" for Signpath access - session.mcp.url is the MCP URL that Mastra's MCPClient will connect to ```typescript async function main() { const session = await composio.create( composioUserID as string, { toolkits: ["signpath"], }, ); const composioMCPUrl = session.mcp.url; console.log("Signpath MCP URL:", composioMCPUrl); ``` ### 6. Configure Mastra MCP client and fetch tools What's happening: - MCPClient takes an id for this client and a list of MCP servers - The headers property includes the x-api-key for authentication - getTools fetches the tool definitions exposed by the Signpath toolkit ```typescript const mcpClient = new MCPClient({ id: composioUserID as string, servers: { nasdaq: { url: new URL(composioMCPUrl), requestInit: { headers: session.mcp.headers, }, }, }, timeout: 30_000, }); console.log("Fetching MCP tools from Composio..."); const composioTools = await mcpClient.getTools(); console.log("Number of tools:", Object.keys(composioTools).length); ``` ### 7. Create the Mastra agent What's happening: - Agent is the core Mastra agent - name is just an identifier for logging and debugging - instructions guide the agent to use tools instead of only answering in natural language - model uses openai("gpt-5") to configure the underlying LLM ```typescript const agent = new Agent({ name: "signpath-mastra-agent", instructions: "You are an AI agent with Signpath tools via Composio.", model: "openai/gpt-5", }); ``` ### 8. Set up interactive chat interface What's happening: - messages keeps the full conversation history in Mastra's expected format - agent.generate runs the agent with conversation history and Signpath toolsets - maxSteps limits how many tool calls the agent can take in a single run - onStepFinish is a hook that prints intermediate steps for debugging ```typescript let messages: AiMessageType[] = []; console.log("Chat started! Type 'exit' or 'quit' to end.\n"); const rl = readline.createInterface({ input: process.stdin, output: process.stdout, prompt: "> ", }); rl.prompt(); rl.on("line", async (userInput: string) => { const trimmedInput = userInput.trim(); if (["exit", "quit", "bye"].includes(trimmedInput.toLowerCase())) { console.log("\nGoodbye!"); rl.close(); process.exit(0); } if (!trimmedInput) { rl.prompt(); return; } messages.push({ id: crypto.randomUUID(), role: "user", content: trimmedInput, }); console.log("\nAgent is thinking...\n"); try { const response = await agent.generate(messages, { toolsets: { signpath: composioTools, }, maxSteps: 8, }); const { text } = response; if (text && text.trim().length > 0) { console.log(`Agent: ${text}\n`); messages.push({ id: crypto.randomUUID(), role: "assistant", content: text, }); } } catch (error) { console.error("\nError:", error); } rl.prompt(); }); rl.on("close", async () => { console.log("\nSession ended."); await mcpClient.disconnect(); process.exit(0); }); } main().catch((err) => { console.error("Fatal error:", err); process.exit(1); }); ``` ## Complete Code ```typescript import "dotenv/config"; import { openai } from "@ai-sdk/openai"; import { Agent } from "@mastra/core/agent"; import { MCPClient } from "@mastra/mcp"; import { Composio } from "@composio/core"; import * as readline from "readline"; import type { AiMessageType } from "@mastra/core/agent"; const openaiAPIKey = process.env.OPENAI_API_KEY; const composioAPIKey = process.env.COMPOSIO_API_KEY; const composioUserID = process.env.COMPOSIO_USER_ID; if (!openaiAPIKey) throw new Error("OPENAI_API_KEY is not set"); if (!composioAPIKey) throw new Error("COMPOSIO_API_KEY is not set"); if (!composioUserID) throw new Error("COMPOSIO_USER_ID is not set"); const composio = new Composio({ apiKey: composioAPIKey as string }); async function main() { const session = await composio.create(composioUserID as string, { toolkits: ["signpath"], }); const composioMCPUrl = session.mcp.url; const mcpClient = new MCPClient({ id: composioUserID as string, servers: { signpath: { url: new URL(composioMCPUrl), requestInit: { headers: session.mcp.headers, }, }, }, timeout: 30_000, }); const composioTools = await mcpClient.getTools(); const agent = new Agent({ name: "signpath-mastra-agent", instructions: "You are an AI agent with Signpath tools via Composio.", model: "openai/gpt-5", }); let messages: AiMessageType[] = []; const rl = readline.createInterface({ input: process.stdin, output: process.stdout, prompt: "> ", }); rl.prompt(); rl.on("line", async (input: string) => { const trimmed = input.trim(); if (["exit", "quit"].includes(trimmed.toLowerCase())) { rl.close(); return; } messages.push({ id: crypto.randomUUID(), role: "user", content: trimmed }); const { text } = await agent.generate(messages, { toolsets: { signpath: composioTools }, maxSteps: 8, }); if (text) { console.log(`Agent: ${text}\n`); messages.push({ id: crypto.randomUUID(), role: "assistant", content: text }); } rl.prompt(); }); rl.on("close", async () => { await mcpClient.disconnect(); process.exit(0); }); } main(); ``` ## Conclusion You've built a Mastra AI agent that can interact with Signpath through Composio's Tool Router. You can extend this further by: - Adding other toolkits like Gmail, Slack, or GitHub - Building a web-based chat interface around this agent - Using multiple MCP endpoints to enable cross-app workflows ## How to build Signpath MCP Agent with another framework - [OpenAI Agents SDK](https://composio.dev/toolkits/signpath/framework/open-ai-agents-sdk) - [Claude Agent SDK](https://composio.dev/toolkits/signpath/framework/claude-agents-sdk) - [Claude Code](https://composio.dev/toolkits/signpath/framework/claude-code) - [Claude Cowork](https://composio.dev/toolkits/signpath/framework/claude-cowork) - [Codex](https://composio.dev/toolkits/signpath/framework/codex) - [OpenClaw](https://composio.dev/toolkits/signpath/framework/openclaw) - [Hermes](https://composio.dev/toolkits/signpath/framework/hermes-agent) - [CLI](https://composio.dev/toolkits/signpath/framework/cli) - [Google ADK](https://composio.dev/toolkits/signpath/framework/google-adk) - [LangChain](https://composio.dev/toolkits/signpath/framework/langchain) - [Vercel AI SDK](https://composio.dev/toolkits/signpath/framework/ai-sdk) - [LlamaIndex](https://composio.dev/toolkits/signpath/framework/llama-index) - [CrewAI](https://composio.dev/toolkits/signpath/framework/crew-ai) ## Related Toolkits - [Supabase](https://composio.dev/toolkits/supabase) - Supabase is an open-source backend platform offering scalable Postgres databases, authentication, storage, and real-time APIs. It lets developers build modern apps without managing infrastructure. - [Codeinterpreter](https://composio.dev/toolkits/codeinterpreter) - Codeinterpreter is a Python-based coding environment with built-in data analysis and visualization. It lets you instantly run scripts, plot results, and prototype solutions inside supported platforms. - [GitHub](https://composio.dev/toolkits/github) - GitHub is a code hosting platform for version control and collaborative software development. It streamlines project management, code review, and team workflows in one place. - [Ably](https://composio.dev/toolkits/ably) - Ably is a real-time messaging platform for live chat and data sync in modern apps. It offers global scale and rock-solid reliability for seamless, instant experiences. - [Abuselpdb](https://composio.dev/toolkits/abuselpdb) - Abuselpdb is a central database for reporting and checking IPs linked to malicious online activity. Use it to quickly identify and report suspicious or abusive IP addresses. - [Alchemy](https://composio.dev/toolkits/alchemy) - Alchemy is a blockchain development platform offering APIs and tools for Ethereum apps. It simplifies building and scaling Web3 projects with robust infrastructure. - [Algolia](https://composio.dev/toolkits/algolia) - Algolia is a hosted search API that powers lightning-fast, relevant search experiences for web and mobile apps. It helps developers deliver instant, typo-tolerant, and scalable search without complex infrastructure. - [Anchor browser](https://composio.dev/toolkits/anchor_browser) - Anchor browser is a developer platform for AI-powered web automation. It transforms complex browser actions into easy API endpoints for streamlined web interaction. - [Apiflash](https://composio.dev/toolkits/apiflash) - Apiflash is a website screenshot API for programmatically capturing web pages. It delivers high-quality screenshots on demand for automation, monitoring, or reporting. - [Apiverve](https://composio.dev/toolkits/apiverve) - Apiverve delivers a suite of powerful APIs that simplify integration for developers. It's designed for reliability and scalability so you can build faster, smarter applications without the integration headache. - [Appcircle](https://composio.dev/toolkits/appcircle) - Appcircle is an enterprise-grade mobile CI/CD platform for building, testing, and publishing mobile apps. It streamlines mobile DevOps so teams ship faster and with more confidence. - [Appdrag](https://composio.dev/toolkits/appdrag) - Appdrag is a cloud platform for building websites, APIs, and databases with drag-and-drop tools and code editing. It accelerates development and iteration by combining hosting, database management, and low-code features in one place. - [Appveyor](https://composio.dev/toolkits/appveyor) - AppVeyor is a cloud-based continuous integration service for building, testing, and deploying applications. It helps developers automate and streamline their software delivery pipelines. - [Backendless](https://composio.dev/toolkits/backendless) - Backendless is a backend-as-a-service platform for mobile and web apps, offering database, file storage, user authentication, and APIs. It helps developers ship scalable applications faster without managing server infrastructure. - [Baserow](https://composio.dev/toolkits/baserow) - Baserow is an open-source no-code database platform for building collaborative data apps. It makes it easy for teams to organize data and automate workflows without writing code. - [Bench](https://composio.dev/toolkits/bench) - Bench is a benchmarking tool for automated performance measurement and analysis. It helps you quickly evaluate, compare, and track your systems or workflows. - [Better stack](https://composio.dev/toolkits/better_stack) - Better Stack is a monitoring, logging, and incident management solution for apps and services. It helps teams ensure application reliability and performance with real-time insights. - [Bitbucket](https://composio.dev/toolkits/bitbucket) - Bitbucket is a Git-based code hosting and collaboration platform for teams. It enables secure repository management and streamlined code reviews. - [Blazemeter](https://composio.dev/toolkits/blazemeter) - Blazemeter is a continuous testing platform for web and mobile app performance. It empowers teams to automate and analyze large-scale tests with ease. - [Blocknative](https://composio.dev/toolkits/blocknative) - Blocknative delivers real-time mempool monitoring and transaction management for public blockchains. Instantly track pending transactions and optimize blockchain interactions with live data. ## Frequently Asked Questions ### What are the differences in Tool Router MCP and Signpath MCP? With a standalone Signpath MCP server, the agents and LLMs can only access a fixed set of Signpath tools tied to that server. However, with the Composio Tool Router, agents can dynamically load tools from Signpath and many other apps based on the task at hand, all through a single MCP endpoint. ### Can I use Tool Router MCP with Mastra AI? Yes, you can. Mastra AI fully supports MCP integration. You get structured tool calling, message history handling, and model orchestration while Tool Router takes care of discovering and serving the right Signpath tools. ### Can I manage the permissions and scopes for Signpath while using Tool Router? Yes, absolutely. You can configure which Signpath scopes and actions are allowed when connecting your account to Composio. You can also bring your own OAuth credentials or API configuration so you keep full control over what the agent can do. ### How safe is my data with Composio Tool Router? All sensitive data such as tokens, keys, and configuration is fully encrypted at rest and in transit. Composio is SOC 2 Type 2 compliant and follows strict security practices so your Signpath data and credentials are handled as safely as possible. --- [See all toolkits](https://composio.dev/toolkits) · [Composio docs](https://docs.composio.dev/llms.txt)