Skip to main content

Ownership & verification

Trust in an MCP server depends heavily on who controls it.

LightNow therefore includes first-class support for verifying that a publisher actually owns the domains and repositories referenced by their MCP servers.

This page explains the concepts behind ownership & verification in LightNow.

Why ownership matters

In the MCP world, a server is often identified by:

  • a reverse-DNS name (e.g. com.acme.mcp.billing),
  • one or more domains (e.g. acme.com, mcp.acme.com),
  • a source repository (e.g. https://github.com/acme/mcp-billing),
  • container images or build artifacts.

Without verification, anyone could:

  • publish a server that pretends to belong to acme.com,
  • use a GitHub repository URL they do not control,
  • or spoof reverse-DNS names.

Ownership verification closes this gap by letting publishers prove control over the assets linked to their MCP servers.

Domain verification

Domain verification links a domain (e.g. acme.com) to a user or tenant in LightNow.

Methods

LightNow supports at least two methods:

  1. DNS TXT record

    • You create a TXT record for your domain with a verification token.
    • Example: _lightnow-verification.acme.com TXT "lightnow-verification=…" (exact name/value depends on implementation).
    • LightNow resolves the DNS record and checks that the token matches.

  2. Well-known HTTP endpoint

    • You host a verification token at a well-known path on your domain.
    • Example: https://acme.com/.well-known/lightnow-verification.txt.
    • LightNow fetches this endpoint and validates the token.

Internally, the Registry-API maintains domain verification tokens and their status:

  • pending – token issued, waiting for DNS/HTTP to be configured,
  • verified – domain ownership successfully confirmed,
  • failed / expired – verification failed or timed out.

In the UI, users can:

  • request a new verification token for a domain,
  • see the required DNS/HTTP configuration,
  • trigger a re-check once they have applied the changes.

Verified domains become strong ownership signals for the trust score.

Repository ownership

Source repositories are just as important as domains.
LightNow supports repository ownership verification with:

  • Records that link repositories (e.g. https://github.com/acme/mcp) to a tenant or user.
  • Verification strategies that prove control over the repository.

GitHub App integration

The primary strategy for GitHub is a GitHub App installation:

  1. The publisher installs the official LightNow GitHub App into their GitHub organization or account.
  2. GitHub sends webhook events when the app is installed, updated or removed.
  3. LightNow records GitHub installations (with account login, installation ID, metadata).
  4. LightNow periodically fetches or synchronizes the list of repositories for an installation.
  5. Each repository can then be linked to a tenant or user as a verified repository.

Internally, the Registry-API stores:

  • github_installations – which tenants/users have linked which GitHub installations,
  • verified_repositories – normalized records of repositories with provider, owner, repo, URL, method and status.

When an MCP server references a repository URL like:

Ready to explore trusted MCP servers?

Access our curated registry of independently evaluated and scored
MCP servers for AI agents.

We use cookies to ensure you get the best experience on our website. For more information on how we use cookies, please see our Privacy Policy.