Security
5 posts — newest first.
-
Your agents need identities, not API keys
Every AI agent is a non-human identity — most run on shared, long-lived API keys no IAM review sees. Per-agent identity and your credential blast radius.
-
MCP goes stateless — what the 2026 release candidate means for your SRE tooling
The 2026-07-28 MCP release candidate deletes the session handshake for a stateless HTTP core and hardens OAuth. What changes for your agents, and when.
-
No anonymous inference endpoints — the MCP security principle you're probably violating
The NSA and NIST put MCP on notice: agents are a funnel for prompt injection and privilege abuse. Why 'no anonymous inference endpoints' — and how to comply.
-
The MCP gateway pattern: five jobs your agent runtime can't skip
Letting agents call MCP servers directly repeats the no-API-gateway mistake. The five jobs an MCP gateway must do, with reproducible patterns for each.
-
TLS and Public-Key Cryptography, Explained Without the Math
Every https and model API call rides on TLS. How public-key crypto solves key distribution, what a certificate proves, and the cert-expiry realities.