# Lit Protocol MCP

> Lit Protocol (Decentralized Access Control) manages decentralized identity, access policies, and secure code execution in Web3. This server lets your agent generate Programmable Key Pairs (PKPs), define granular usage scopes, organize permissions into groups, and run immutable JavaScript programs inside TEEs directly through natural conversation.

## Overview
- **Category:** security-compliance
- **Price:** Free
- **Tags:** web3, decentralized-auth, pkp, tee, lit-actions, access-control

## Description

**Lit Protocol MCP Server - Decentralized Access Control** handles your entire Web3 security stack. You'll use this server to manage decentralized identity, build complex access policies, and run secure code logic right from your agent. It’s built for apps that need verifiable, protected operations without relying on a bunch of separate contracts or services. 

### Identity Management (PKPs & Accounts)

You can initialize an entirely new Lit account using `create_account` with a provided API key. You'll generate and track Programmable Key Pairs (**PKPs**) as verifiable, distributed identities through the `create_wallet` function. If you need to know if an account is active before doing anything, run `check_account_exists`. To see every PKP identity your connected account owns, call `list_wallets`. 

### Access Control and Grouping

This system lets you build granular access schemas using groups. You can create a new, distinct group with `add_group` and then view all existing ones by calling `list_groups`. To assign specific permissions, you'll add an existing PKP to a group via `add_pkp_to_group`; this grants the key the entire group's set of rules. If a key needs to lose access, use `remove_pkp_from_group` to detach it from its assigned group. You can also clean up by deleting an empty group using `remove_group`. 

### Secure Code Execution (Lit Actions)

The server lets you run immutable JavaScript programs, called Lit Actions, inside a Trusted Execution Environment (**TEE**). First, register a new standalone Lit Action by providing its name and IPFS Content Identifier (CID) using `add_action`; you'll see all registered actions when you call `list_actions`. To actually execute the code, use `execute_lit_action`, which accepts either raw code or the action's IPFS CID and runs it in the TEE.

### API Key Scope Control

You gotta control what your agent can do with specific credentials. Use `add_usage_api_key` to generate a new usage API key, setting specific, limited scopes right out of the gate. If those permissions change, you'll modify them using `update_usage_api_key`. To check what keys are active for auditing purposes, run `list_api_keys`. When an API key is no longer needed, delete it and revoke its access fully with `remove_usage_api_key`. 

### Operational & Billing Tools

For operational needs, you can get the current credit balance associated with your account's billing profile using `get_billing_balance`. To initiate payments, call `create_payment_intent`, which sets up a Stripe PaymentIntent object (it requires at least $5.00). Once payment details are processed successfully, use `confirm_payment` to finalize the credit top-up.

## Tools

### add_action_to_group
Assigns an existing action's CID to a specific access group, granting permission for that function.

### add_action
Registers a new standalone Lit Action by providing its name and IPFS Content Identifier (CID).

### add_group
Creates a new, distinct access control group within the Lit Protocol system.

### add_pkp_to_group
Adds an existing Programmable Key Pair (PKP) to a designated access group, granting it the group's permissions.

### add_usage_api_key
Generates and sets up a new usage API key with specific, limited scopes for operational use.

### check_account_exists
Verifies whether an account is registered and active using a provided Lit Protocol API key.

### confirm_payment
Finalizes the credit top-up process after payment details have been successfully processed.

### create_account
Initializes and registers an entirely new Lit account within the system using a provided API key.

### create_payment_intent
Creates a Stripe PaymentIntent object, typically requiring a minimum value of $5.00 for billing purposes.

### create_wallet
Requests and generates a new Programmable Key Pair (PKP) identity linked to your existing account.

### execute_lit_action
Runs a defined Lit Action, accepting either the raw code or its IPFS ID for secure execution in a TEE.

### get_billing_balance
Retrieves the current credit balance associated with your account's billing profile.

### list_actions
Lists all Lit Actions that have been previously registered within your connected environment.

### list_api_keys
Returns a list of usage API keys, showing only the metadata for auditing purposes.

### list_groups
Retrieves and displays all currently defined access control groups in the system.

### list_wallets
Lists every Programmable Key Pair (PKP) identity currently owned by your connected account.

### remove_group
Permanently deletes an existing, empty access control group from the system.

### remove_pkp_from_group
Removes a specified PKP identity from its assigned access group.

### remove_usage_api_key
Deletes an existing usage API key, revoking its associated permissions and access scopes.

### update_usage_api_key
Modifies the defined permissions or scope of an active usage API key.

## Prompt Examples

**Prompt:** 
```
List all my PKP wallets and their addresses.
```

**Response:** 
```
I've retrieved your PKPs. You have 2 active wallets: PKP #1 (Address: 0x123...) and PKP #2 (Address: 0x456...). Would you like to manage permissions for any of them?
```

**Prompt:** 
```
Execute this Lit Action code to sign a message: 'console.log("signing...");'
```

**Response:** 
```
Executing the Lit Action in a TEE... The execution was successful. The output logs show 'signing...' and the operation completed securely. Do you need the execution receipt?
```

**Prompt:** 
```
Create a new access group named 'Beta Testers'.
```

**Response:** 
```
Group 'Beta Testers' has been created successfully with ID 'group_987'. You can now add PKPs to this group using the `add_pkp_to_group` tool.
```

## Capabilities

### Manage Decentralized Identities
Generate, list, and track Programmable Key Pairs (PKPs) that serve as verifiable, distributed accounts for your application.

### Structure Access Permissions
Build complex access schemas by creating groups and assigning specific PKPs to them, controlling who can do what across your system.

### Execute Secure Code Logic
Run immutable JavaScript programs (Lit Actions) inside TEEs, ensuring that critical business logic executes in a verifiable, protected environment.

### Control API Key Scope
Create and update usage API keys, allowing you to enforce granular permissions on what actions your agent can perform using specific credentials.

## Use Cases

### The Onboarding Audit
A security engineer needs to confirm that only the 'Tier 1 Support' group has access to execute the `lit-action: verify_user` function. They run `list_groups`, confirm the 'Tier 1 Support' ID, then use `add_action_to_group` to make sure the action is mapped to that group (the tool assigns the mapping rather than reading it back), and finally use `list_wallets` to review the account's PKPs and ensure no other keys were mistakenly added.

### Secure Contract Testing
A dApp builder needs to test a new, complex decentralized payment routine. They don't want to deploy it fully; they just need to run the logic in a sandbox. The agent calls `execute_lit_action`, providing either the code or CID, and gets an immediate, secure result without touching mainnet funds.

### Revoking Stale Access
An employee leaves the company. The dev team needs to revoke their access immediately. Instead of logging into several systems, they use `list_wallets` to find the old PKP and then call `remove_pkp_from_group` for each group the PKP belongs to, cutting off the permissions those groups granted. Because a PKP can be a member of many groups, a single call only detaches it from one of them.

### Setting up Multi-Stage Permissions
You are building a system where 'Managers' can approve actions only if they have been created by an 'Admin'. You first use `add_group` to make 'Admins' and 'Managers', then use `add_pkp_to_group` twice, and finally define the flow logic using `execute_lit_action`.

## Benefits

- Define Roles with `add_group` and `add_pkp_to_group`. Instead of giving every user individual permissions, you build a group (e.g., 'Admins') and assign the keys once, controlling who gets what instantly.
- Run Critical Logic in TEEs via `execute_lit_action`. You execute immutable JavaScript programs inside a secure environment, meaning your core business rules can't be tampered with by external calls.
- Maintain Strict Control with Key Scopes. Use `add_usage_api_key` and `update_usage_api_key` to limit what an agent can do. You can ensure that the key used for reading data can't write it.
- Audit Access with Detail. Tools like `list_groups` and `list_api_keys` give you a clear, programmatic overview of who has access, eliminating manual checks across multiple web portals.
- Manage Identities Programmatically. Instead of relying on complex front-end forms, your agent can call `create_wallet` to generate a new PKP identity or `list_wallets` to see all existing ones.

## How It Works

The bottom line is: you tell your agent what needs to happen (e.g., 'Create a group for admins and give them permission X'), and the server executes the necessary sequence of API calls.

1. First, subscribe to the server and provide your Lit Protocol API Key. This authenticates your connection.
2. Next, use tools like `create_account` or `list_wallets` to set up your core identities (PKPs) and define access groups using `add_group`.
3. Finally, execute complex tasks—like running an immutable function via `execute_lit_action` or defining a new scope with `add_usage_api_key`—through natural language prompts.

## Frequently Asked Questions

**How do I list all my decentralized wallets using the lit-protocol-decentralized-access-control MCP Server?**
You use the `list_wallets` tool. This command pulls every Programmable Key Pair (PKP) identity currently owned by your connected account, giving you a full inventory of your distributed identities.

**What is the difference between `add_action` and `execute_lit_action`?**
`add_action` registers a function's existence (name + CID). `execute_lit_action` actually runs that registered, secure function inside the TEE for verifiable results.

**Can I restrict access to only certain groups using the lit-protocol-decentralized-access-control MCP Server?**
Yes. You define restriction boundaries by creating groups (`add_group`) and then explicitly controlling membership with `add_pkp_to_group`. This is how you enforce granular policy.

**Does the lit-protocol-decentralized-access-control MCP Server handle payments?**
It has tools to manage billing. You use `create_payment_intent` and then `confirm_payment` when your account needs a credit top-up before running cost-intensive functions.

**If I need to change a key's permissions after it's created, how does `update_usage_api_key` work?**
It modifies the usage scope immediately. You pass the key ID and the new permitted scopes. This lets your agent restrict access or expand privileges without needing to delete and recreate the entire key.

**When I run `add_pkp_to_group`, is it possible for one wallet (PKP) to belong to multiple groups?**
Yes, a PKP can be a member of many groups. You simply call the `add_pkp_to_group` tool once for every group ID that needs access. It won't overwrite existing memberships.

**What should my agent do if `check_account_exists` fails authentication?**
The tool will return a specific status code and error message detailing the failure reason (e.g., expired key, invalid scope). Your agent must check this response body to determine if it needs to prompt for new credentials.

**How do I ensure that only authorized groups can execute certain actions using `add_action_to_group`?**
You link the specific Action CID or name directly to a Group ID. The system enforces this mapping; a group cannot run an action unless it's explicitly registered with the `add_action_to_group` tool.

**Can I execute custom JavaScript code securely within a TEE?**
Yes! Use the `execute_lit_action` tool. You can provide either inline JavaScript code or an IPFS CID to run immutable programs inside Lit's Trusted Execution Environments.

**How do I see all the decentralized wallets (PKPs) associated with my account?**
Simply use the `list_wallets` tool. It will return all Programmable Key Pairs (PKPs) owned by your account, including their IDs and addresses.

**Is it possible to organize access control by grouping different identities?**
Absolutely. You can use `add_group` to create a new group and then `add_pkp_to_group` to manage which decentralized identities belong to that specific access schema.