<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Arcade.dev</title>
    <description>The latest articles on DEV Community by Arcade.dev (arcade).</description>
    <link>https://dev.to/arcade</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Forganization%2Fprofile_image%2F12915%2Febc942d3-5ae5-44e5-9a4a-06829aad6a1a.png</url>
      <title>DEV Community: Arcade.dev</title>
      <link>https://dev.to/arcade</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/arcade"/>
    <language>en</language>
    <item>
      <title>Best AI Agent Authentication Platforms (2026)</title>
      <dc:creator>Manveer Chawla</dc:creator>
      <pubDate>Fri, 10 Jul 2026 23:26:06 +0000</pubDate>
      <link>https://dev.to/arcade/best-ai-agent-authentication-platforms-2026-2l60</link>
      <guid>https://dev.to/arcade/best-ai-agent-authentication-platforms-2026-2l60</guid>
      <description>&lt;p&gt;AI engineering teams are moving agents from single-user demos to multi-user enterprise deployments, and authentication breaks first.&lt;/p&gt;

&lt;p&gt;A prototype can run on environment variables or a shared service account. A production agent that acts across tenants, users, and enterprise systems needs delegated authorization, credential isolation, policy enforcement, and audit trails. Without that layer, teams inherit credential drift, rate-limit collisions, broad API keys, inconsistent policy decisions, and confused deputy risk from &lt;a href="https://unit42.paloaltonetworks.com/ai-agent-prompt-injection/" rel="noopener noreferrer"&gt;indirect prompt injection attacks&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;The right platform depends on what the agent needs to do: execute governed actions for users, connect quickly to many tools, sync product data, extend an identity layer, or secure infrastructure around the agent.&lt;/p&gt;

&lt;p&gt;This article compares the available platforms across authorization enforcement, credential management, deployment model, tool execution, consent and approvals, and auditability.&lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;TL;DR&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;Production AI agents fail when they rely on shared service accounts, static API keys, or DIY OAuth. You end up with confused deputy risk, token drift, and weak auditability. The durable pattern is two identities plus delegated context: the agent, the user, and the task-specific authorization context evaluated at runtime.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Best overall for 2026 production agent auth:&lt;/strong&gt; &lt;strong&gt;Arcade.dev&lt;/strong&gt; (action runtime + delegated context + &lt;strong&gt;per-action permission intersection&lt;/strong&gt; + token vault + hosted tool execution + audit logs).&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Choose Auth0 or WorkOS&lt;/strong&gt; if you're extending an existing CIAM/IdP and will build/own the execution runtime.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Choose Composio&lt;/strong&gt; for individual use cases and rapid prototyping across many apps.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Choose AWS AgentCore&lt;/strong&gt; if your team is standardized on AWS services.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Choose Nango or Merge&lt;/strong&gt; when integration infrastructure is the primary requirement, and you will handle agent authorization separately.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Non-negotiables:&lt;/strong&gt; two-identity modeling, delegated context, per-user token vault + auto-refresh, just-in-time consent, runtime policy hooks (HITL), OTel audit trails, SOC 2 Type II + KMS/HSM encryption.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;Quick comparison of AI agent authentication platforms (2026)&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;The key question is where authorization is enforced. Gateways and wrappers can connect agents to tools. A runtime is the control point where credentials are resolved, permissions are checked, policies are applied, and the tool call executes for a specific user, agent, tenant, resource, and task.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;AI agent auth platform comparison matrix&lt;/strong&gt;&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Platform&lt;/th&gt;
&lt;th&gt;Deployment model&lt;/th&gt;
&lt;th&gt;Credential support&lt;/th&gt;
&lt;th&gt;Authorization enforcement point&lt;/th&gt;
&lt;th&gt;MCP/tool execution&lt;/th&gt;
&lt;th&gt;Best for&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Arcade&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Managed cloud, hybrid/private MCP servers, VPC, air-gapped, and enterprise self-host on Kubernetes&lt;/td&gt;
&lt;td&gt;Per-user OAuth token vault, auto-refresh, and secrets for API-key-based custom tools&lt;/td&gt;
&lt;td&gt;Runtime-enforced user + agent + delegated context intersection before tool execution&lt;/td&gt;
&lt;td&gt;Hosted execution, agent-optimized tools, and governed MCP gateways&lt;/td&gt;
&lt;td&gt;Production multi-user autonomous agents&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Composio&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Managed cloud with SDKs, CLI, MCP clients, and remote/local sandbox options&lt;/td&gt;
&lt;td&gt;Per-user connected accounts with managed auth&lt;/td&gt;
&lt;td&gt;Session and tool-level controls for fast agent integrations&lt;/td&gt;
&lt;td&gt;MCP gateway, SDKs, and tool catalog&lt;/td&gt;
&lt;td&gt;Individual use cases and rapid prototyping&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;AWS AgentCore&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Fully managed AWS-native services&lt;/td&gt;
&lt;td&gt;IAM, OAuth, OBO flows, secure credential exchange, and AWS credential services&lt;/td&gt;
&lt;td&gt;AWS-native identity, gateway security, and policy controls across AgentCore services&lt;/td&gt;
&lt;td&gt;Managed gateway that turns APIs, Lambda, and services into MCP-compatible tools&lt;/td&gt;
&lt;td&gt;AWS-native agent infrastructure&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Nango&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Cloud or open-source self-hosted deployment&lt;/td&gt;
&lt;td&gt;Per-connection OAuth, API-key credentials, and managed refresh&lt;/td&gt;
&lt;td&gt;Integration-level credential management. Teams own the agent/user permission intersection&lt;/td&gt;
&lt;td&gt;Syncs, webhooks, action functions, and MCP&lt;/td&gt;
&lt;td&gt;Code-owned integration infrastructure&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Merge&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Managed SaaS APIs and Agent Handler&lt;/td&gt;
&lt;td&gt;Linked accounts, plus per-user or group auth in Agent Handler&lt;/td&gt;
&lt;td&gt;Scoped access over Merge connectors and Agent Handler&lt;/td&gt;
&lt;td&gt;Unified APIs and MCP-ready connectors&lt;/td&gt;
&lt;td&gt;Embedded integrations and early governed agent tooling&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Auth0&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Managed identity tenant&lt;/td&gt;
&lt;td&gt;OIDC/OAuth, agent identity, and Token Vault&lt;/td&gt;
&lt;td&gt;Identity and policy layer. Teams provide the tool execution runtime&lt;/td&gt;
&lt;td&gt;No native MCP runtime&lt;/td&gt;
&lt;td&gt;Extending Okta/Auth0 identity programs&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;WorkOS&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Managed identity and authorization APIs&lt;/td&gt;
&lt;td&gt;SSO, Directory Sync, and relationship-based FGA&lt;/td&gt;
&lt;td&gt;Policy decision layer. Teams provide token vaulting and tool execution&lt;/td&gt;
&lt;td&gt;No native MCP runtime&lt;/td&gt;
&lt;td&gt;Fine-grained policy for teams building their own runtime&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;How we evaluated AI agent authentication platforms&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;We reviewed current product pages and official documentation, then compared each platform against the production requirements for multi-user agents that take actions across enterprise systems. Raw connector count was secondary. The priority was whether the platform could safely authorize, execute, and audit real actions for real users.&lt;/p&gt;

&lt;p&gt;We evaluated each platform across seven criteria:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Authorization enforcement:&lt;/strong&gt; Whether the platform enforces permissions at execution time using the user, agent, tenant, resource, scope, task, and delegated context.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Credential management:&lt;/strong&gt; Whether the platform provides OAuth token vaulting, automatic refresh, secrets/API-key support, and isolation from the LLM context window.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Consent and approvals:&lt;/strong&gt; Whether the platform supports just-in-time consent, verified first-time authorization, and step-up approvals for commit actions.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Tool execution model:&lt;/strong&gt; Whether the platform executes tool calls in a governed runtime or only provides identity, policy, SDKs, gateways, or integration functions.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Deployment model:&lt;/strong&gt; Whether the platform supports managed cloud, hybrid, private MCP servers, VPC, air-gapped, or self-hosted deployment models.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Auditability and compliance:&lt;/strong&gt; Whether logs are detailed enough for SIEM, incident response, SOC 2 review, and per-action chain of custody.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Best-fit architecture:&lt;/strong&gt; Whether the platform is built for production agent actions, rapid prototypes, product integrations, identity/policy layers, or cloud-native infrastructure.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;We weighted runtime authorization highest because the core threat model for multi-user agents is a classic version of the confused deputy problem, adapted to agents. When malicious content enters an agent's context window, the LLM can autonomously call an API using the application's underlying credentials. If the platform relies on broad service credentials, the agent blindly executes undesired actions.&lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;Category 1: Agent runtimes, gateways, and AWS-native infrastructure&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;Agent-native authorization runtimes are complete infrastructure platforms built specifically to execute, secure, and manage the lifecycle of AI tool calling. They sit directly between your LLM orchestration layer and the destination MCP servers and tools, managing identity policy and executing the actual network request.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;Arcade (agent-native action runtime)&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;Best for&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Engineering teams scaling multi-user, multi-tool agents that require strict, per-action authorization, secure token vaulting, and reliable MCP tools without rebuilding the infrastructure themselves.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Overview&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Arcade is a purpose-built, vendor-neutral action runtime for building and deploying AI agents that take actions across enterprise systems. It is the execution layer where credentials are resolved, permissions are checked, policies are applied, and the tool call runs. It unifies agent authorization, an extensive library of intent-optimized tools, and tool- and agent-level governance into a single infrastructure layer.&lt;/p&gt;

&lt;p&gt;Arcade enforces a strict permission intersection model at execution time. This means agents only act within the intersection of their own scoped permissions and the delegated user's permissions. External credentials stay completely isolated from the LLM context window.&lt;/p&gt;

&lt;p&gt;That runtime placement matters. A stateless gateway can route requests, but it cannot reliably evaluate where a request sits inside a multi-step agent workflow. Arcade evaluates the specific user, agent, tenant, resource, scope, and task context at the point of execution.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Key features&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Multi-user, post-prompt authorization:&lt;/strong&gt; Evaluates access rights per action at the exact moment of execution. This prevents privilege escalation and neutralizes indirect prompt injection attacks before they reach the API.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Two-identity delegated context:&lt;/strong&gt; Carries the agent identity, delegated user identity, tenant, scope, audience, resource, task ID, and expiry through the tool call.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Automated token vault:&lt;/strong&gt; An encrypted, per-user, per-provider vault that handles the full OAuth token lifecycle automatically. Async token refresh, rotation, and scope mismatch resolution happen without developer intervention.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Secrets for API-key tools:&lt;/strong&gt; Supports &lt;a href="https://docs.arcade.dev/en/guides/create-tools/tool-basics/create-tool-secrets" rel="noopener noreferrer"&gt;managed secrets for custom tools&lt;/a&gt;, including API-key-based integrations when OAuth delegation is not available.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Just-in-time consent:&lt;/strong&gt; Requests new provider access or scopes only when a task needs them, then resumes execution without exposing credentials to the LLM.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Verified first-time authorization:&lt;/strong&gt; Binds first-time OAuth authorization to the authenticated app user so the wrong user cannot complete an intercepted consent flow.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Agent-optimized MCP tools:&lt;/strong&gt; A large catalog of tools optimized for LLM intent rather than raw API wrappers. This semantic alignment reduces parameter hallucination and schema mismatches compared to the alternative.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Contextual Access capability:&lt;/strong&gt; Pre- and post-tool-call policy hooks for injecting custom governance logic, including required out-of-band approvals for human-in-the-loop workflows on irreversible commit actions.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;OTel-compatible audit logging:&lt;/strong&gt; Generates standardized logs for SIEMs to support enterprise SOC 2 and compliance audits, tracking the user, agent, policy decision, and arguments for tool actions. Because Arcade doesn't touch or store the underlying data flowing through tool calls, it simplifies compliance and integrates with existing DLP and AI security posture tools for PII scanning, never acting as a new policy silo.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Pros&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Eliminates the massive engineering burden of building per-user OAuth flows, handling token drift, and synchronizing token expirations across different providers.&lt;/li&gt;
&lt;li&gt;Provides a strong security posture against prompt injection because credentials never touch the LLM or the client application.&lt;/li&gt;
&lt;li&gt;Fully agnostic to models, frameworks, and clients. Avoids cloud vendor lock-in while offering flexible deployment models, including managed cloud, hybrid/private MCP servers, VPC, air-gapped, and enterprise self-hosted deployments.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Cons&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The cloud-hosted version uses specific callback URL patterns that highly customized legacy identity providers require manual adaptation to support.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Pricing&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Free tier available for development, testing, and rapid prototyping.&lt;/li&gt;
&lt;li&gt;Usage-based pricing based on tool calls and auth events, alongside a platform fee.&lt;/li&gt;
&lt;li&gt;Enterprise tier provides VPC, air-gapped, custom SLA requirements, and dedicated support.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;Composio (MCP Gateway and Integration Wrapper)&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;Best for&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Developers and individual users who need to prototype AI agents quickly across many apps.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Overview&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://docs.composio.dev/" rel="noopener noreferrer"&gt;Composio&lt;/a&gt; provides managed authentication, per-user sessions, MCP access, SDKs, and a large catalog of pre-built tools. It is best suited for individual workflows and prototype agent builds where speed of setup matters more than centralized enterprise governance.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Key features&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Extensive connector catalog:&lt;/strong&gt; Covers many apps and tool actions out of the box.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;MCP access through sessions:&lt;/strong&gt; Connects agents to tools quickly through session-based MCP usage.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Managed auth:&lt;/strong&gt; Handles standard OAuth flows and per-user connected accounts.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Intent-based tool search:&lt;/strong&gt; Helps agents select actions from the catalog.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Framework agnostic:&lt;/strong&gt; Provides SDKs for Python, JavaScript/TypeScript, and native framework integrations like LangChain and LlamaIndex.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Pros&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Fast setup for prototypes, hackathons, and early-stage agent builds.&lt;/li&gt;
&lt;li&gt;Broad connector catalog for common SaaS tools.&lt;/li&gt;
&lt;li&gt;Drop-in integrations with popular open-source AI frameworks.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Cons&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Better fit for individual use cases and prototypes than centralized, enterprise-wide agent governance.&lt;/li&gt;
&lt;li&gt;MCP-based usage does not provide the same runtime-enforced agent and user permission intersection as a full action runtime.&lt;/li&gt;
&lt;li&gt;Restricts SOC 2 Type II compliance to its highest Enterprise tier, complicating security reviews for startups.&lt;/li&gt;
&lt;li&gt;Observability does not publish the same OTel-first audit model expected in SIEM-heavy enterprise environments.&lt;/li&gt;
&lt;li&gt;The tool catalog is only extensible using the vendor SDK, promoting vendor lock-in. Connecting external MCP servers into the gateway is not supported.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Pricing&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Per-tool-call tiered pricing model.&lt;/li&gt;
&lt;li&gt;Free tier available for individual developers and testing.&lt;/li&gt;
&lt;li&gt;Pro and Enterprise plans required for higher rate limits, compliance standards, and priority support.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;AWS AgentCore (AWS-native agent identity and runtime)&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;Best for&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Teams standardized on AWS that want a managed, native agent stack and accept the resulting service coupling.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Overview&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/what-is-bedrock-agentcore.html" rel="noopener noreferrer"&gt;AWS AgentCore&lt;/a&gt; provides a suite of managed cloud services for building, deploying, routing, observing, and securing agents inside AWS. It leans on AWS identity, networking, policy, and observability primitives rather than providing a vendor-neutral action runtime.&lt;/p&gt;

&lt;p&gt;Combine AgentCore Runtime, Gateway, Identity, Policy, and Observability, and AWS gives you a broad native environment for agent deployment. The tradeoff is tighter coupling to AWS services and operating models, and the need to manually manage how the services work with each other.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Key features&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;AWS IAM and OAuth integration:&lt;/strong&gt; Integrates AWS IAM with OAuth and on-behalf-of identity flows for agent access.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;AgentCore Runtime and Gateway:&lt;/strong&gt; Provides managed runtime infrastructure and gateway components for tool and MCP access.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;AWS-native policy and observability:&lt;/strong&gt; Uses AWS services for policy enforcement, logs, traces, metrics, and operational controls.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Pros&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Aligns with existing architectures and native integrations for organizations standardized on AWS.&lt;/li&gt;
&lt;li&gt;Uses AWS IAM, networking, and security operations patterns that many enterprises already run.&lt;/li&gt;
&lt;li&gt;Provides high scalability and availability backed by mature AWS infrastructure.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Cons&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Creates significant AWS ecosystem lock-in. Moving to GCP, Azure, or hybrid on-premises environments requires re-architecting the identity, runtime, and observability layers.&lt;/li&gt;
&lt;li&gt;Requires AWS platform expertise across identity, networking, runtime, gateway, observability, and cost controls.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Pricing&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Pay-as-you-go model across AgentCore services and underlying AWS services.&lt;/li&gt;
&lt;li&gt;Total cost of ownership spans runtime, gateway, identity, observability, model usage, storage, and networking.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;Category 2: Unified APIs and integration runtimes&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;Unified-API and integration platforms were originally built to simplify traditional B2B SaaS integrations. They're now pivoting to support AI agent use cases.&lt;/p&gt;

&lt;p&gt;These tools excel at standardizing disparate API schemas, managing product integrations, and keeping background data pipelines fresh. They can support AI agents through MCP or action functions, but their core fit is integration infrastructure rather than turnkey agent governance.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;Nango (code-first integration runtime for syncs, actions, and MCP)&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;Best for&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Engineering teams that need code-owned integration infrastructure for data syncs, webhooks, and selected agent tools.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Overview&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://docs.nango.dev/" rel="noopener noreferrer"&gt;Nango&lt;/a&gt; is a code-first integration platform for managing OAuth, API credentials, syncs, webhooks, proxy requests, and integration functions.&lt;/p&gt;

&lt;p&gt;Nango supports MCP and tool calling through action functions. Its core fit is code-owned integration infrastructure for external-account auth, syncs, webhooks, and selected agent tools rather than turnkey agent governance.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Key features&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Continuous data syncs:&lt;/strong&gt; Keeps third-party data fresh for product workflows and agent context.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Webhooks and triggers:&lt;/strong&gt; Supports reactive automation alongside polling and proxy requests.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Integrations as code:&lt;/strong&gt; Lets teams manage integration logic through a structured, code-owned workflow.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;White-labeled auth flows:&lt;/strong&gt; Provides end-user authentication and authorization for product integrations.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Action functions through MCP:&lt;/strong&gt; Exposes selected functions as tools for agent workflows.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Logs and OTel export:&lt;/strong&gt; Provides integration observability for debugging and operations.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Pros&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Effective at keeping third-party data fresh for product workflows and agent context.&lt;/li&gt;
&lt;li&gt;Code-first model gives engineering teams control over integration behavior.&lt;/li&gt;
&lt;li&gt;Handles API polling, proxy requests, and webhooks in one integration layer.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Cons&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Agent tools are built from custom action functions, so teams still own tool design and safety tuning.&lt;/li&gt;
&lt;li&gt;Higher operational overhead required to maintain custom integration code compared to turnkey managed agent runtimes.&lt;/li&gt;
&lt;li&gt;No native runtime-enforced agent and user permission intersection for delegated agent actions.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Pricing&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Pricing scales across active connections, proxy requests, function runs, compute, logs, sync storage, and webhooks.&lt;/li&gt;
&lt;li&gt;Free tier provided for testing and low-volume usage.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;Merge (normalized unified API with early Agent Handler support)&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;Best for&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Teams that need standardized embedded integrations across specific SaaS categories and want to evaluate early agent-tooling features separately.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Overview&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://merge.dev/docs" rel="noopener noreferrer"&gt;Merge&lt;/a&gt; offers a Unified API that normalizes data within fixed software categories, including HRIS, ATS, CRM, Ticketing, Accounting, and File Storage. By making CRMs or ATS platforms look similar to the developer, Merge reduces integration debt.&lt;/p&gt;

&lt;p&gt;Merge Agent Handler adds MCP-ready connectors, tool packs, authentication options, DLP, audit trails, and SIEM streaming on top of Merge's integration infrastructure. It is a newer layer relative to Merge's mature Unified API. Evaluate it separately for production agent action use cases.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Key features&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Category unified APIs:&lt;/strong&gt; Provides stable normalized schemas across HRIS, ATS, CRM, Ticketing, Accounting, and File Storage categories.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Embedded auth link:&lt;/strong&gt; Provides a drop-in UI component for end-user authentication and authorization.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Normalized webhooks:&lt;/strong&gt; Standardizes event listening across fundamentally different third-party platforms into a single event stream.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Agent Handler:&lt;/strong&gt; Exposes selected tools to agents through MCP-ready connectors with scoped permissions and audit controls.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Pros&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Reduces engineering maintenance when integrating with multiple tools in the same software category.&lt;/li&gt;
&lt;li&gt;Normalized schemas reduce API complexity and boilerplate code for developers.&lt;/li&gt;
&lt;li&gt;Mature core Unified API infrastructure for embedded integrations.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Cons&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Unification uses a lowest-common-denominator schema, so agents lose access to niche, app-specific actions that don't fit the common model.&lt;/li&gt;
&lt;li&gt;Agent Handler is newer, so tool coverage, policy model, and deployment fit still need validation before production use.&lt;/li&gt;
&lt;li&gt;Built primarily for B2B embedded data syncs, so agent tool-calling is still adjacent to a data-sync-first architecture.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Pricing&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Unified API pricing is contract-oriented and commonly based on linked accounts and product usage.&lt;/li&gt;
&lt;li&gt;Agent Handler pricing uses usage credits and separate plan tiers.&lt;/li&gt;
&lt;li&gt;Free sandbox environment available for initial testing.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;Category 3: Identity providers (CIAM/IdP) for agent identities&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;Traditional customer identity and access management (CIAM) and workforce identity platforms are now releasing features specifically targeting machine and agent identities. These platforms are strong at directory management and complex authorization modeling, but they explicitly leave the tool execution and MCP gateway layers to you.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;Auth0 (Okta) for AI agent identities&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;Best for&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Enterprises already using Auth0 or Okta that want to extend existing identity architecture to include agents as first-class principals while owning the execution runtime.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Overview&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://auth0.com/ai" rel="noopener noreferrer"&gt;Auth0&lt;/a&gt; is extending its identity platform for AI agent use cases with OAuth, OIDC, agent identity, cross-app access, and token management capabilities. Its strength is identity architecture: defining the human, the agent, and the access grants that connect them.&lt;/p&gt;

&lt;p&gt;Auth0 is a strong fit when an organization wants agent identity to live inside the same trust and compliance program as its existing Auth0 or Okta deployment. Teams still need to build or buy the runtime that executes MCP/tool calls, handles retries, and applies per-action governance.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Key features&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Agent-as-security-principal:&lt;/strong&gt; Supports distinct, trackable agent identities inside the existing identity architecture.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;OAuth and OIDC foundation:&lt;/strong&gt; Uses standard identity protocols for token issuance, token exchange, and API access grants.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Token management:&lt;/strong&gt; Provides Token Vault (GA) for OAuth token storage, refresh, and exchange; Cross-App Access (XAA) is upcoming (as of July 2026) for centralized consent across the enterprise.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Fine-grained authorization:&lt;/strong&gt; Supports authorization checks for RAG, APIs, and application resources.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Pros&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Uses existing enterprise identity trust and compliance documentation. Makes it a straightforward architectural sell to the CISO.&lt;/li&gt;
&lt;li&gt;Strong standards-based implementation of modern OAuth and OIDC specifications.&lt;/li&gt;
&lt;li&gt;Backed by Okta's proven enterprise scalability and extensive developer documentation.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Cons&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Identity and authorization layer, not a complete action runtime. Engineering teams must bring their own MCP server and agent execution runtimes.&lt;/li&gt;
&lt;li&gt;Implementing fine-grained authorization for complex, dynamic agent intents requires significant custom data modeling upfront.&lt;/li&gt;
&lt;li&gt;Pricing can escalate rapidly when you're multiplying thousands of human users by numerous corresponding agent identities.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Pricing&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Contract-oriented CIAM pricing based on plan, users, tenants, enterprise features, and agent-related usage.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;WorkOS fine-grained authorization for agents&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;Best for&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;B2B SaaS teams that need relationship-based authorization checks and directory sync for agent-aware products they are building themselves.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Overview&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://workos.com/docs/fga" rel="noopener noreferrer"&gt;WorkOS&lt;/a&gt; provides core enterprise identity infrastructure, including SSO, directory sync, and Fine-Grained Authorization (FGA). Its FGA product acts as a policy decision layer for applications that need relationship-based access checks.&lt;/p&gt;

&lt;p&gt;Built on relationship graphs, WorkOS helps teams define who can access which resources before an agent or application takes action. It does not execute external API calls or store delegated SaaS tokens.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Key features&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Hierarchical FGA:&lt;/strong&gt; Enforces access policies based on nested resource hierarchies, like Organization → Team → Document.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Directory sync:&lt;/strong&gt; Pulls user groups, roles, and states directly from enterprise IdPs like Microsoft Entra and Okta automatically.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;High-speed check APIs:&lt;/strong&gt; Provides sub-50ms p95 policy checks for runtime authorization decisions.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Pros&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Relationship-based FGA is strong for limiting lateral movement and unintended privilege escalation.&lt;/li&gt;
&lt;li&gt;Effective for multi-tenant SaaS environments that require deeply customized data sharing rules.&lt;/li&gt;
&lt;li&gt;Top-tier developer experience, SDKs, and clean API design for policy management.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Cons&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Requires careful relationship tuple and schema design before agent workflows can rely on the policy model.&lt;/li&gt;
&lt;li&gt;Doesn't provide an execution runtime, a pre-built agent tool catalog, or an MCP gateway. WorkOS acts as the policy decision point.&lt;/li&gt;
&lt;li&gt;No native external OAuth token vaulting. WorkOS determines if an action is allowed, but you have to build the vault to hold the credentials to actually execute the action.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Pricing&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Usage-based pricing on FGA relationship checks.&lt;/li&gt;
&lt;li&gt;Flat predictable rates for SSO and Directory Sync infrastructure features.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;Adjacent tools: policy engines and workload identity&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;Tools like Cerbos and Oso provide reliable policy-as-code capabilities. They act as Policy Decision Points (PDPs), evaluating YAML-defined or DSL-defined rules at runtime, but they don't inherently store user tokens or execute network calls. You have to pair these tools with an execution runtime or integration layer to function within an agent stack.&lt;/p&gt;

&lt;p&gt;Confusing workload identity with delegated identity creates the wrong accountability model for user-delegated agents.&lt;/p&gt;

&lt;p&gt;Workload identity platforms like Aembit are designed for service-to-service communication on the compute plane. They issue bounded authority to non-human entities where no human is in the delegation chain.&lt;/p&gt;

&lt;p&gt;AI agents operating on behalf of a user require delegated identity. Treating workload identity tools as solutions for delegated on-behalf-of agent actions fails enterprise accountability requirements entirely.&lt;/p&gt;

&lt;p&gt;Logging an agent's multi-tenant actions under a generalized service account destroys the cryptographic audit trail linking the action back to the specific human who authorized it.&lt;/p&gt;

&lt;p&gt;These adjacent tools are effective for securing the infrastructure that the agent runs on, but they don't solve the fundamental "delegated user OAuth plus LLM execution" problem. Pair them alongside an agent runtime.&lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;Reference architecture for delegated AI agent authentication (seven-step flow)&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;A safe execution pattern ensures credentials are never exposed to the context window and actions remain auditable:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Human authentication:&lt;/strong&gt; The end-user authenticates into the application through OIDC or an equivalent app-layer identity system.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;User-bound prompt:&lt;/strong&gt; The app sends the user's prompt to the agent orchestration layer and passes the authenticated user ID into every runtime call.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Delegated context creation:&lt;/strong&gt; The runtime binds the user, agent, tenant, scope, audience, resource, task ID, and expiry into a delegated execution context.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Just-in-time authorization:&lt;/strong&gt; If the task needs a new provider or scope, the runtime pauses execution, verifies the current app user, collects granular consent, and resumes the task.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Intersectional policy check:&lt;/strong&gt; The runtime cross-references the user's identity and the agent's baseline access, then calculates the strict intersection of allowed permissions for the specific tool action.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Vaulted token retrieval and execution:&lt;/strong&gt; Upon authorization, the runtime retrieves the specific per-user access token from an encrypted vault and executes the action against the target MCP server or API.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Audit generation:&lt;/strong&gt; The runtime generates an OpenTelemetry-compatible audit log with the human delegator, agent, tenant, task, resource, policy decision, approval state, and external action taken.&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;Worked examples: AI agent authentication in practice&lt;/strong&gt;
&lt;/h2&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;Give an agent built-in Gmail access without maintaining your own OAuth&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;Pattern: A support or productivity agent needs to read and send Gmail for many users. Shared service accounts over-scope access and fail security review, and building per-user OAuth, storage, and refresh yourself is weeks of undifferentiated work.&lt;/p&gt;

&lt;p&gt;Arcade advantage: Arcade provides built-in, per-user Gmail authorization with a managed token vault, so the agent gets scoped access without you maintaining your own OAuth. Composio and Nango can also broker Gmail OAuth; the difference is whether token vaulting, refresh, and per-action authorization come built in or require extra wiring.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;Delegate a user's Google Meet access for a Claude agent&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;Pattern: A Claude agent schedules and joins Google Meet calls for a user. The agent needs delegated Google access tied to that user, not a static, over-broad key.&lt;/p&gt;

&lt;p&gt;Arcade advantage: Arcade runs the delegated OAuth handshake once, vaults the token, and enforces that the agent acts only within that user's Meet permissions. If the agent is later tricked by an injected instruction, it still cannot exceed what the delegated user is authorized to do.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;Automatically refresh OAuth tokens for a Notion integration&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;Pattern: Long-running agents routinely hit expired Notion tokens mid-task. A per-user, per-provider token vault needs to refresh and rotate tokens automatically so the agent keeps working without re-prompting the user.&lt;/p&gt;

&lt;p&gt;Arcade advantage: Arcade provides a built-in automated token vault for agent workloads, keeping provider tokens isolated from the LLM context window while maintaining persistent access. Auth0 and Nango offer token vaulting too; for agent workloads, the deciding factors are automatic async refresh, execution context, and runtime authorization.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;Enforce granular enterprise permissions for Xero and Outlook&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;Pattern: Finance and operations agents touching Xero or Outlook need per-user, per-action authorization plus an audit trail. Irreversible actions, such as posting an invoice in Xero or sending an external email from a shared Outlook mailbox, require human approval and a durable record.&lt;/p&gt;

&lt;p&gt;Arcade advantage: Arcade's Contextual Access policy hooks evaluate the agent-and-user permission intersection on every call and can require human approval before the action executes. Policy engines like Cerbos or Oso complement this pattern when a runtime enforces their decisions at execution time.&lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;How to choose the right AI agent auth platform&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;Start with where authorization is enforced. Gateways and wrappers can connect agents to tools. A runtime is the control point where credentials are resolved, permissions are checked, policies are applied, and the tool call executes for a specific user, agent, tenant, resource, and task.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;Account for the MCP authorization gap&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;The industry standard for &lt;a href="https://modelcontextprotocol.io/" rel="noopener noreferrer"&gt;connecting agents to external systems&lt;/a&gt; is the Model Context Protocol (MCP), developed by Anthropic, but MCP does not solve agent authorization by itself.&lt;/p&gt;

&lt;p&gt;The &lt;a href="https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization" rel="noopener noreferrer"&gt;current MCP specification&lt;/a&gt; defines authorization for HTTP-based transports, but authorization is not mandatory for every MCP implementation. MCP defines the handshake. The runtime still needs to handle token vaulting, just-in-time consent, verified user binding, policy enforcement, and audit logs. Connect an LLM directly to an MCP server using static tokens, and you've bypassed user-level security entirely.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;Check permission intersection&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;Safe authorization needs the permission intersection model. Platforms must evaluate the strict intersection of what the agent can do and what the delegated user can do, per action. Effective permission is always this intersection and never the user's full permission set.&lt;/p&gt;

&lt;p&gt;That check needs three inputs on every tool call: the agent identity, the human user identity, and the delegated execution context. The context binds scope, audience, tenant, resource, task ID, and expiry to the request.&lt;/p&gt;

&lt;p&gt;Two-identity modeling and permission intersection are related, but they are not the same thing. Two-identity modeling defines the actors: the agent and the user. Permission intersection defines the decision: the action is allowed only when both the agent and the user are allowed to perform it in that delegated context.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;Check production readiness&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;Production readiness comes down to strict non-negotiables:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Two-identity delegated context:&lt;/strong&gt; Every request must carry the agent identity, the human user identity, and the task-specific context. The runtime evaluates user, agent, tenant, resource, scope, task ID, and expiry together.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;OIDC and OAuth separation:&lt;/strong&gt; OIDC authenticates the human user. OAuth authorizes the agent's tool access on that user's behalf. Conflating them creates reusable, over-scoped tokens.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Short-lived, scoped, audience-bound tokens:&lt;/strong&gt; Tokens need resource and action scopes, audience binding, and short lifetimes to limit replay and lateral movement.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Automated per-user token vaulting and per-tenant permissioning:&lt;/strong&gt; Long-running async agents need credentials that automatically refresh across multiple providers without user intervention. Platforms must enforce permissions per user and per tenant, ensuring credentials stay completely isolated from the LLM context window.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Just-in-time consent:&lt;/strong&gt; Agents request new scopes only when a task needs them. Blanket onboarding consent over-permissions users before the agent knows the action.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Read, draft, and commit approval levels:&lt;/strong&gt; Reading and drafting stay low friction. External side effects like sending email, deleting records, committing code, or transferring funds require explicit step-up approval.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Verified first-time auth binding:&lt;/strong&gt; First-time OAuth authorization must bind the consent flow to the authenticated app user, so an intercepted flow cannot be completed by the wrong person.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Context-aware policy hooks:&lt;/strong&gt; Systems must support pausing execution for human-in-the-loop approvals on destructive actions and checking existing enterprise entitlement systems before every tool call.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;OTel-compatible audit logs:&lt;/strong&gt; Every tool call must generate a verifiable chain of custody with the user, agent, tenant, task, resource, policy decision, approval state, and outcome.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Enterprise compliance:&lt;/strong&gt; The platform must pass SOC 2 Type II validation, support geographical data residency boundaries, and use KMS or HSM hardware for token encryption.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Legacy approaches like coarse OAuth scopes, flat role-based access control, shared service accounts, and unmanaged static API keys fail user-delegated agent auth. Managed secrets and API keys can still work for non-delegated tools or provider-limited integrations when they are vaulted, scoped, and kept out of the LLM context window.&lt;/p&gt;

&lt;p&gt;To meet the audit and compliance requirements, a proper system log must capture both identities executing the action:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight json"&gt;&lt;code&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"timestamp"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"2026-06-14T08:23:45Z"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"trace_id"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"5b8a9d1e-4c2f-88a1"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"event_type"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"tool_execution"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"identities"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="nl"&gt;"agent_id"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"spiffe://internal/agent/financial-analyzer"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="nl"&gt;"delegated_user_id"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"usr_9a8b7c6d5e"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="nl"&gt;"tenant_id"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"tenant_acme"&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="p"&gt;},&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"delegated_context"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="nl"&gt;"task_id"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"task_123"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="nl"&gt;"audience"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"salesforce-api"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="nl"&gt;"resource"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"opportunity_456"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="nl"&gt;"scope"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"opportunity.update"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="nl"&gt;"expires_at"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"2026-06-14T08:38:45Z"&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="p"&gt;},&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"tool"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="nl"&gt;"server"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"mcp-salesforce-gateway"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="nl"&gt;"action"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"update_opportunity"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="nl"&gt;"vaulted_token_reference"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"kms-enc-771a"&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="p"&gt;},&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"policy"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="nl"&gt;"decision"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"allow"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="nl"&gt;"policy_version"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"2026-06-01"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="nl"&gt;"intersection_policy_applied"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"strict_obo"&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="p"&gt;},&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"approval_status"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"not_required"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"prompt_hash"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"sha256:8c42..."&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"status"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"authorized"&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  &lt;strong&gt;Choose by architecture&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;Choose Arcade when your agent needs to execute real actions for many users, and you need delegated authorization, token vaulting, policy hooks, tool execution, deployment flexibility, and audit logs in one runtime.&lt;/p&gt;

&lt;p&gt;Choose Composio for individual use cases, rapid prototypes, and fast access to many tools. Use Nango or Merge when integration infrastructure is the primary requirement and agent authorization is handled separately. Choose Auth0 or WorkOS when your priority is extending an existing identity or policy layer, and you will build or buy the execution runtime. Choose AWS AgentCore when your team is standardized on AWS-native agent infrastructure. Use policy engines and workload identity tools alongside the runtime to secure infrastructure and policy decisions.&lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;Conclusion&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;Production agent auth is execution infrastructure, not just identity infrastructure. If your agents rely on shared credentials, custom OAuth glue, or broad API keys, you inherit confused deputy risk and weak auditability.&lt;/p&gt;

&lt;p&gt;Arcade provides the action runtime for teams moving multi-user agents into production. It brings delegated authorization, permission intersection, token vaulting, policy hooks, hosted tool execution, flexible deployment, and audit logs into one layer.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.arcade.dev/" rel="noopener noreferrer"&gt;Evaluate Arcade.dev&lt;/a&gt; to secure agent operations without rebuilding that infrastructure from scratch.&lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;AI agent authentication and authorization FAQ&lt;/strong&gt;
&lt;/h2&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;What is the difference between AI agent authentication and authorization?&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;Authentication verifies the identity of the user and the agent interacting with the system. Authorization determines what specific actions the agent and the user can take by calculating the strict intersection of their combined access rights.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;What is the two-identity model for AI agent authorization?&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;Every tool call carries two identities: the agent application making the request and the human user on whose behalf the request is made. A production runtime evaluates both identities plus the delegated task context before executing the action.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;Why should OIDC and OAuth stay separate for agents?&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;OIDC authenticates the human user into the application. OAuth authorizes the agent's tool access on that user's behalf. Keeping them separate prevents user login sessions from becoming broad, reusable tool credentials.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;How do I prevent confused deputy attacks in AI agents?&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;Use a post-prompt, runtime authorization layer that scopes all tool executions strictly to the end-user's permissions. Never allow an agent to execute API calls using a blanket, shared service account.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;How should I handle OAuth token refresh for autonomous AI agents?&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;Use an automated, encrypted token vault that's completely isolated from the LLM context window. This external vault must handle background rotation, provider-specific expiration limits, and scope mismatches during long-running async tasks.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;What role does MCP play in AI agent security?&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;The Model Context Protocol standardizes how AI agents connect to external data sources and execution environments. Its HTTP authorization spec defines an authorization pattern, but MCP does not provide multi-tenant token vaulting, runtime policy enforcement, or audit logs. Securing the MCP gateway with a strict, user-delegated authentication and authorization runtime layer is the critical foundation for safe production deployments.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;What is on-behalf-of (OBO) access for AI agents?&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;OBO access means an agent calls an API using a user-delegated token so every action is performed and audited as that specific user, not a shared service account.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;Do I need an agent runtime if I already use Auth0/Okta/WorkOS?&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;For production delegated actions, yes. IdPs handle identity and policy, but you still need a runtime/gateway to vault tokens, execute tool calls safely, and produce per-action audit logs.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;Can I use service accounts or API keys for AI agents in production?&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;Only for non-delegated, service-to-service tasks. For user-delegated actions, they break accountability and increase confused deputy risk because the agent can act with overly broad privileges.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;What is the permission intersection model and why does it matter?&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;The permission intersection model is a security model where effective permission is the intersection of the agent's allowed actions and the user's allowed actions, evaluated per tool call to prevent privilege escalation.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;What is just-in-time authorization for AI agents?&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;Just-in-time authorization means the agent requests provider access or a new scope only when a specific task requires it. The runtime pauses, collects granular consent, vaults the token, and resumes execution.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;Why choose an agent runtime instead of an MCP gateway?&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;An MCP gateway connects agents to tools. An agent runtime enforces authorization at execution time, where it can resolve credentials, check the user-agent permission intersection, apply policy hooks, execute the tool call, and generate the audit record.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;Does MCP include authentication and authorization by default?&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;Not by itself. MCP standardizes tool connectivity and defines optional HTTP authorization behavior, but token vaulting, audit trails, and runtime policy enforcement are out of scope. You need an additional auth/runtime layer for production.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;When should I choose Arcade?&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;Choose Arcade when you need to deploy multi-user agents that take real actions across enterprise systems, and you need delegated authorization, reliable tools, and governance in a single runtime. Arcade is built for teams that want to skip months of building per-user OAuth flows, token vaults, just-in-time consent, policy hooks, and audit infrastructure. If you're scaling beyond a single-user prototype, need to pass security reviews, or operate in a regulated industry, Arcade provides the complete action runtime to get to production without assembling separate services.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;What should an audit log include for AI agent tool calls?&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;At minimum: timestamp, trace ID, agent ID, delegated user ID, tenant, task ID, resource, tool/action, policy decision, policy version, approval status, and outcome. Every action needs to be attributable and reviewable for compliance.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;How do I support human-in-the-loop approvals for risky agent actions?&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;Use runtime policy hooks that can pause execution and require explicit approval before destructive actions (e.g., sending money, sending external emails, deleting records, changing permissions).&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;What's the difference between workload identity and delegated identity for agents?&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;Workload identity secures service-to-service calls for compute. Delegated identity secures user-on-behalf-of actions and must preserve user attribution and consent.&lt;/p&gt;

</description>
      <category>security</category>
      <category>ai</category>
      <category>mcp</category>
      <category>agents</category>
    </item>
    <item>
      <title>OpenCode MCP Integration Guide: Connect MCP Servers with Arcade.dev</title>
      <dc:creator>Manveer Chawla</dc:creator>
      <pubDate>Thu, 09 Jul 2026 16:47:51 +0000</pubDate>
      <link>https://dev.to/arcade/opencode-mcp-integration-2026-21ng</link>
      <guid>https://dev.to/arcade/opencode-mcp-integration-2026-21ng</guid>
      <description>&lt;p&gt;The Model Context Protocol (MCP) lets &lt;a href="https://opencode.ai/" rel="noopener noreferrer"&gt;OpenCode&lt;/a&gt; trigger pipelines or interact with developer tools such as Git directly from the editor. Local command-based connections are straightforward, but adding more services can create configuration sprawl, credential management risk, and raw MCP tool wrappers that are hard for agents to use reliably.&lt;/p&gt;

&lt;p&gt;Arcade.dev is an action runtime, not just a routing gateway. Through its &lt;a href="https://docs.arcade.dev/en/guides/mcp-gateways" rel="noopener noreferrer"&gt;MCP gateway&lt;/a&gt;, OpenCode gets access to agent-optimized tools through one endpoint, with native OAuth for gateway authentication and authorization, downstream token vaulting, structured execution logs, and managed tool execution.&lt;/p&gt;

&lt;p&gt;This guide walks developers through testing a local MCP server in OpenCode and connecting OpenCode to Arcade through a user-bound OAuth gateway session.&lt;/p&gt;

&lt;h2&gt;
  
  
  TL;DR: OpenCode MCP Setup with Arcade.dev
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Install the local Git test server integration: &lt;code&gt;uvx mcp-server-git&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt;Configure &lt;code&gt;opencode.jsonc&lt;/code&gt; to define both your local test server and the remote Arcade MCP gateway.&lt;/li&gt;
&lt;li&gt;Send a test prompt like &lt;code&gt;List unstaged files in the repo.&lt;/code&gt; to verify the local connection.&lt;/li&gt;
&lt;li&gt;Route tool calls through your Arcade MCP Gateway URL, for example &lt;code&gt;https://api.arcade.dev/mcp/&amp;lt;YOUR-GATEWAY-SLUG&amp;gt;&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;Use OpenCode's remote MCP OAuth flow to authenticate with Arcade Auth. Do not put a static Arcade API key in the default OpenCode config.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Quickstart: Connect OpenCode to a Local MCP Server
&lt;/h2&gt;

&lt;p&gt;Setting up locally first lets you confirm the OpenCode MCP workflow before connecting to a remote gateway with more services.&lt;/p&gt;

&lt;h3&gt;
  
  
  Step 1: Start the Local Git MCP Server
&lt;/h3&gt;

&lt;p&gt;Use &lt;code&gt;uvx&lt;/code&gt; to initialize a local Git MCP server.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Terminal Command:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;uvx mcp-server-git
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Step 2: Add the MCP Server to Your OpenCode Config
&lt;/h3&gt;

&lt;p&gt;Add the local server to your OpenCode MCP configuration file.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Configuration File (&lt;code&gt;opencode.jsonc&lt;/code&gt;):&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight json-doc"&gt;&lt;code&gt;&lt;span class="c1"&gt;// ~/.config/opencode/opencode.jsonc&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"$schema"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"https://opencode.ai/config.json"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"mcp"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="nl"&gt;"git-mcp"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="nl"&gt;"enabled"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kc"&gt;true&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="nl"&gt;"type"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"local"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="nl"&gt;"command"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="s2"&gt;"uvx"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"mcp-server-git"&lt;/span&gt;&lt;span class="p"&gt;],&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="p"&gt;},&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="p"&gt;},&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Step 3: Verify OpenCode Detects the MCP Connection
&lt;/h3&gt;

&lt;p&gt;Restart OpenCode and open the MCP connections panel. A successful integration displays a connected status for the local server.&lt;/p&gt;

&lt;h3&gt;
  
  
  Test Prompt: Query Your Repository Through MCP
&lt;/h3&gt;

&lt;p&gt;With the server connected, you can check your unstaged or specific files using natural language directly within your IDE.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;User Prompt:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;List unstaged SQL files in the repo.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fd3yt6oqu9yhkruebg38f.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fd3yt6oqu9yhkruebg38f.png" alt="OpenCode in VS Code using the git-mcp local MCP server to list unstaged .sql files, detecting scripts/custom_commands.sql and test_blocks.sql as untracked from a natural-language prompt" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Why Connect OpenCode to Arcade Instead of Raw MCP Servers
&lt;/h2&gt;

&lt;p&gt;OpenCode can connect directly to individual MCP servers. That works for simple local tests, but it becomes tedious when every service has its own configuration block, credential format, timeout behavior, and raw tool schema.&lt;/p&gt;

&lt;p&gt;Passing static tokens through environment variables or config files increases exposure through local process access, logs, accidental commits, and poorly isolated tool execution. Arcade's MCP gateway addresses this by keeping downstream service credentials out of OpenCode config and prompts.&lt;/p&gt;

&lt;p&gt;Raw MCP tool wrappers also hurt agent reliability. They can expose large schemas, require brittle parameters, and cause the assistant to spend extra context correcting malformed tool calls. Arcade's tool catalog is optimized for natural-language intents, so OpenCode can request an action while Arcade handles the deterministic tool call behind the gateway.&lt;/p&gt;

&lt;p&gt;OpenCode authenticates to Arcade with OAuth, and Arcade vaults downstream service tokens separately. That separation keeps service tokens out of the editor config while preserving a user-bound gateway session for tool execution.&lt;/p&gt;

&lt;h3&gt;
  
  
  Native OpenCode MCP vs Arcade Action Runtime
&lt;/h3&gt;

&lt;h4&gt;
  
  
  Native MCP: Static Tokens in Local Config
&lt;/h4&gt;

&lt;p&gt;In the native approach, hardcoding an API key into configuration files means OpenCode sends the raw token directly to the MCP server. That token can leak through local files, logs, process access, accidental commits, or a poorly isolated tool path.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Native Configuration Snippet:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight json-doc"&gt;&lt;code&gt;&lt;span class="nl"&gt;"environment"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nl"&gt;"STRIPE_API_KEY"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"sk_live_12345"&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c1"&gt;// Vulnerable&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h4&gt;
  
  
  Arcade Action Runtime: OAuth, Token Vaulting, and Managed Tool Execution
&lt;/h4&gt;

&lt;p&gt;In the Arcade approach, OpenCode authenticates to the Arcade gateway through OAuth. Arcade separately vaults downstream service credentials. This separates how OpenCode authenticates to Arcade from how Arcade authenticates to downstream services.&lt;/p&gt;

&lt;p&gt;OpenCode sends an intent, and Arcade uses the vaulted downstream token at execution time. The gateway session is tied to the authenticated user, while downstream credentials stay out of the OpenCode configuration and model context.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Arcade Configuration Snippet:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight json-doc"&gt;&lt;code&gt;&lt;span class="nl"&gt;"oauth"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{}&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c1"&gt;// OpenCode uses OAuth for the Arcade gateway session&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  OpenCode MCP Architecture Comparison
&lt;/h3&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Technical Dimension&lt;/th&gt;
&lt;th&gt;Native OpenCode MCP Setup&lt;/th&gt;
&lt;th&gt;Arcade Action Runtime Approach&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Authentication &amp;amp; Authorization&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Static tokens in local config&lt;/td&gt;
&lt;td&gt;OAuth-backed gateway session for the signed-in user&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Credential Security&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Tokens exposed through local config and process boundaries&lt;/td&gt;
&lt;td&gt;Downstream tokens vaulted by Arcade and not passed to the LLM&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Execution Visibility&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Fragmented local IDE logs&lt;/td&gt;
&lt;td&gt;Gateway execution logs with tool call, user, system, and timestamp details when available&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;State Management&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Manual, ephemeral state handling&lt;/td&gt;
&lt;td&gt;Managed timeouts, retries, idempotency, and partial action execution&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;When building a custom OAuth token vault, you must handle dynamic credential rotation, persistent state, concurrent refresh race conditions, and runtime permission enforcement. Arcade reduces this overhead by handling token lifecycle management, state persistence, and tool execution through the action runtime.&lt;/p&gt;

&lt;h2&gt;
  
  
  How to Configure OpenCode with Arcade
&lt;/h2&gt;

&lt;p&gt;Connecting OpenCode to Arcade shifts downstream service authentication out of local command configuration. OpenCode uses OAuth to establish a user-bound session with the Arcade gateway, while Arcade keeps downstream tokens out of the LLM context.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Arcade Gateway Configuration (&lt;code&gt;opencode.jsonc&lt;/code&gt;):&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight json-doc"&gt;&lt;code&gt;&lt;span class="c1"&gt;// ~/.config/opencode/opencode.jsonc&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"mcp"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="nl"&gt;"arcade-gateway"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="nl"&gt;"type"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"remote"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="nl"&gt;"url"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"https://api.arcade.dev/mcp/&amp;lt;YOUR-GATEWAY-SLUG&amp;gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="nl"&gt;"enabled"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kc"&gt;true&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="nl"&gt;"oauth"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{},&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="p"&gt;},&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="p"&gt;},&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Configuration Parameters:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Parameter&lt;/th&gt;
&lt;th&gt;Description&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;&amp;lt;YOUR-GATEWAY-SLUG&amp;gt;&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;The slug shown in your Arcade dashboard after creating the MCP Gateway.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;oauth&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Enables OpenCode's OAuth flow for the remote MCP server. Use this for Arcade Auth gateways.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;After saving the config, authenticate the gateway:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;opencode mcp auth arcade-gateway
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;OpenCode opens a browser for the OAuth flow and stores the resulting MCP credentials locally. When creating the Arcade gateway for this setup, use &lt;strong&gt;Arcade Auth&lt;/strong&gt; so the session is tied to the Arcade account you sign in with.&lt;/p&gt;

&lt;h2&gt;
  
  
  OpenCode MCP Integration Considerations
&lt;/h2&gt;

&lt;h3&gt;
  
  
  How Do You Manage Context Limits in OpenCode MCP?
&lt;/h3&gt;

&lt;p&gt;When tool responses grow large, token usage can climb quickly. Arcade provides a &lt;a href="https://www.arcade.dev/tools/" rel="noopener noreferrer"&gt;registry of 8000+ agent-optimized tools&lt;/a&gt; designed to return focused, structured output. Request summarized or filtered data to keep context lean. The MCP gateway translates natural language intent into deterministic schemas, which limits the size and complexity of individual tool calls.&lt;/p&gt;

&lt;h3&gt;
  
  
  How Does Arcade Handle MCP Timeouts and Retries?
&lt;/h3&gt;

&lt;p&gt;Direct MCP connections can time out on slow tool calls. Arcade manages retries and idempotency automatically, while also handling partial execution. For long-running asynchronous jobs, the action runtime manages state and returns the result when the task completes.&lt;/p&gt;

&lt;h2&gt;
  
  
  OpenCode MCP Use Cases with Arcade
&lt;/h2&gt;

&lt;p&gt;Arcade's agent-optimized tool registry translates natural language into deterministic MCP server and tool calls, which reduces parameter hallucination compared to basic tool wrappers.&lt;/p&gt;

&lt;h3&gt;
  
  
  Use Case 1: Create Google Calendar Events from OpenCode
&lt;/h3&gt;

&lt;p&gt;Developers can schedule events directly from the editor without navigating to the Google Calendar dashboard.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;User Prompt:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Create an event in Google Calendar for tomorrow at 2 PM to review the deployment plan.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Feoor94arlfbatw30y8ch.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Feoor94arlfbatw30y8ch.png" alt="OpenCode calling the Arcade MCP gateway GoogleCalendar_CreateEvent tool to add a Google Calendar event, returning a success confirmation for June 10, 2026" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Expected Output:&lt;/strong&gt; The agent creates the calendar event and invites the relevant participants. Arcade uses the authorized downstream connection for the signed-in user, performs the API call, and outputs the final event link and confirmation.&lt;/p&gt;

&lt;h3&gt;
  
  
  Use Case 2: Export Figma Files Through the Arcade MCP Gateway
&lt;/h3&gt;

&lt;p&gt;Retrieve design assets without leaving your development workflow.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;User Prompt:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Export the 'Landing Page Hero' frame from Figma as a PNG.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fovhx9cis36v7yknwkaor.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fovhx9cis36v7yknwkaor.png" alt="OpenCode calling the Arcade MCP gateway Figma_ExportImage tool to export a Figma frame as a PNG, returning an AWS S3 download URL" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Expected Output:&lt;/strong&gt; The agent retrieves and exports the requested Figma frame. If authorization is missing, Arcade returns the required authorization step. If your Figma token has expired, Arcade's automated token vault handles the refresh cycle without exposing credentials to OpenCode.&lt;/p&gt;

&lt;h3&gt;
  
  
  Use Case 3: Create and Update Jira Tickets from OpenCode
&lt;/h3&gt;

&lt;p&gt;Keep your project management board in sync from your IDE.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;User Prompt:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Create a ticket in Jira for the demo task and assign it to me.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fwzmeueioz4px37aziesr.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fwzmeueioz4px37aziesr.png" alt="OpenCode calling the Arcade MCP gateway Jira_CreateIssue tool to create ticket DEMO-9 in the DEMO project, returning a live Atlassian ticket URL" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Expected Output:&lt;/strong&gt; The ticket is created and assigned through the authorized Jira connection for the signed-in user. The Arcade gateway tracks the transaction with details such as the agent, user, action, system, and timestamp when execution logs are available.&lt;/p&gt;

&lt;h2&gt;
  
  
  OpenCode MCP Troubleshooting
&lt;/h2&gt;

&lt;p&gt;Migrating from a local configuration to a remote gateway can present network or authorization challenges.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Symptom&lt;/th&gt;
&lt;th&gt;Likely Cause&lt;/th&gt;
&lt;th&gt;Concrete Fix&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;code&gt;Connection refused&lt;/code&gt; on startup&lt;/td&gt;
&lt;td&gt;OpenCode cannot reach the remote MCP server&lt;/td&gt;
&lt;td&gt;Verify outbound firewall rules and ensure the &lt;code&gt;&amp;lt;ARCADE_GATEWAY_URL&amp;gt;&lt;/code&gt; path is exact&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Persistent &lt;code&gt;401 Unauthorized&lt;/code&gt;
&lt;/td&gt;
&lt;td&gt;Gateway OAuth not completed or downstream user grant expired&lt;/td&gt;
&lt;td&gt;Run &lt;code&gt;opencode mcp auth arcade-gateway&lt;/code&gt;, then complete any required Arcade tool authorization&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Tools missing from OpenCode&lt;/td&gt;
&lt;td&gt;Gateway OAuth not completed, tool not enabled, or downstream authorization missing&lt;/td&gt;
&lt;td&gt;Run &lt;code&gt;opencode mcp list&lt;/code&gt;, check the Arcade gateway tool selection, and complete the required OAuth flow&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;code&gt;Execution Paused&lt;/code&gt; / Timeout&lt;/td&gt;
&lt;td&gt;Missing downstream authorization or a long-running tool call&lt;/td&gt;
&lt;td&gt;Complete the required authorization step, then retry the tool call&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h3&gt;
  
  
  How to Fix 401 Unauthorized Loops and Missing MCP Tools
&lt;/h3&gt;

&lt;p&gt;A missing tool catalog often results from incomplete gateway authentication or missing downstream authorization. OpenCode stores MCP OAuth credentials locally after &lt;code&gt;opencode mcp auth&lt;/code&gt;, so make sure the Arcade gateway session is complete before debugging tool calls.&lt;/p&gt;

&lt;p&gt;Check Arcade execution logs for error details about parameter hallucinations or payload failures. The logs can help identify the tool payload OpenCode attempted to send, supporting prompt adjustments and debugging.&lt;/p&gt;

&lt;h2&gt;
  
  
  Conclusion: Secure OpenCode MCP with Arcade
&lt;/h2&gt;

&lt;p&gt;Adding more MCP-connected services to OpenCode surfaces problems that local demos don't expose, including credential exposure, fragmented configuration, and brittle raw MCP tool schemas.&lt;/p&gt;

&lt;p&gt;Arcade closes these gaps by centralizing downstream token vaulting, tool execution, and execution logs in the action runtime. For OpenCode, use the OAuth-backed Arcade gateway flow by default so the MCP session is tied to the authenticated user.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.arcade.dev/" rel="noopener noreferrer"&gt;Create your first Arcade integration and test it today&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  FAQ
&lt;/h2&gt;

&lt;h3&gt;
  
  
  How do I connect OpenCode to an MCP server?
&lt;/h3&gt;

&lt;p&gt;Edit your OpenCode config file. Define local servers using &lt;code&gt;type: "local"&lt;/code&gt; and &lt;code&gt;command&lt;/code&gt;. To connect to a remote MCP server like the Arcade gateway, set the &lt;code&gt;type&lt;/code&gt; to &lt;code&gt;remote&lt;/code&gt; and provide the endpoint URL.&lt;/p&gt;

&lt;h3&gt;
  
  
  Can I use native OpenCode MCP without Arcade.dev?
&lt;/h3&gt;

&lt;p&gt;Yes, especially for simple local tools. For authenticated third-party services, native setups push credential storage, token refresh, and tool reliability into each local server or wrapper. This increases the risk of credential sprawl.&lt;/p&gt;

&lt;h3&gt;
  
  
  Can OpenCode MCP use environment variables instead of Arcade.dev's token vault?
&lt;/h3&gt;

&lt;p&gt;Storing API keys in local environment variables works for simple demos. As the number of connected services grows, it pushes authorization and rotation logic into each client or wrapper. This increases exposure through local process boundaries, logs, and accidental commits.&lt;/p&gt;

&lt;h3&gt;
  
  
  Where is the OpenCode MCP configuration file?
&lt;/h3&gt;

&lt;p&gt;The global configuration file is located at &lt;code&gt;~/.config/opencode/opencode.jsonc&lt;/code&gt;. OpenCode project-specific config can live in &lt;code&gt;opencode.jsonc&lt;/code&gt; at the project root.&lt;/p&gt;

&lt;h3&gt;
  
  
  Why are MCP tools not appearing in OpenCode?
&lt;/h3&gt;

&lt;p&gt;OpenCode only lists tools from servers it can reach and authenticate against. Verify that your remote URL is correct, run &lt;code&gt;opencode mcp auth gateway-name&lt;/code&gt;, and ensure the authenticated user is authorized for the tools you expect to see.&lt;/p&gt;

&lt;h3&gt;
  
  
  Does Arcade.dev provide MCP execution logs?
&lt;/h3&gt;

&lt;p&gt;Arcade.dev provides execution logs that can capture details such as the agent, user, action, system, and timestamp. Availability and export options depend on your Arcade setup.&lt;/p&gt;

</description>
      <category>mcp</category>
      <category>opensource</category>
      <category>tutorial</category>
      <category>ai</category>
    </item>
    <item>
      <title>How to Connect MCP to Codex with Arcade.dev (2026)</title>
      <dc:creator>Manveer Chawla</dc:creator>
      <pubDate>Thu, 09 Jul 2026 04:59:04 +0000</pubDate>
      <link>https://dev.to/arcade/codex-mcp-integration-2026-10pa</link>
      <guid>https://dev.to/arcade/codex-mcp-integration-2026-10pa</guid>
      <description>&lt;h2&gt;
  
  
  TL;DR
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Provision a Gateway:&lt;/strong&gt; Create an Arcade MCP Gateway via the Arcade dashboard to manage third-party integrations.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Configure Codex:&lt;/strong&gt; Update &lt;code&gt;~/.codex/config.toml&lt;/code&gt; to connect to your Arcade Gateway URL using Streamable HTTP MCP.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Authenticate Securely:&lt;/strong&gt; Use the &lt;code&gt;codex mcp login arcade&lt;/code&gt; command to trigger Arcade's OAuth flow, tying the session to your user identity.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Test the Connection:&lt;/strong&gt; Restart Codex and verify the Arcade MCP server appears in your active tools list.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Run Authenticated Actions:&lt;/strong&gt; Ask Codex to schedule Calendar events, create Word documents, or manage Linear issues etc directly from your editor.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Stay Secure:&lt;/strong&gt; Let Arcade handle token vaulting, refreshing, and execution, keeping sensitive credentials completely out of your local configs and LLM prompts.&lt;/li&gt;
&lt;/ul&gt;




&lt;h2&gt;
  
  
  Why Use Arcade.dev to Connect Codex and MCP?
&lt;/h2&gt;

&lt;p&gt;Having &lt;a href="https://developers.openai.com/codex" rel="noopener noreferrer"&gt;Codex&lt;/a&gt; autonomously schedule Google Calendar events, generate Microsoft Word documents, and manage Linear issues directly from your editor provides a significant engineering advantage. Connecting a local MCP server is straightforward, but adding these authenticated services can create configuration sprawl, credential management risk, and raw MCP tool wrappers that are hard for agents to use reliably.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://arcade.dev/" rel="noopener noreferrer"&gt;Arcade.dev&lt;/a&gt; is an action runtime, not only a routing gateway. Through its &lt;a href="https://docs.arcade.dev/en/guides/mcp-gateways" rel="noopener noreferrer"&gt;MCP gateway&lt;/a&gt;, Codex gets access to agent-optimized tools through one endpoint, with native OAuth for gateway authentication and authorization, downstream token vaulting, structured execution logs, and managed tool execution.&lt;/p&gt;

&lt;p&gt;This guide walks through testing a local &lt;code&gt;stdio&lt;/code&gt; MCP server in Codex and connecting Codex to Arcade through a user-bound OAuth gateway session.&lt;/p&gt;

&lt;h2&gt;
  
  
  Codex MCP Quickstart: Connecting a Local Filesystem Server
&lt;/h2&gt;

&lt;p&gt;Establish a basic local baseline before introducing a remote gateway. This allows immediate interaction with the local filesystem via Codex.&lt;/p&gt;

&lt;p&gt;Use &lt;code&gt;npx&lt;/code&gt; to run the filesystem MCP server from Codex's MCP configuration. No global package install is required for this local baseline.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight toml"&gt;&lt;code&gt;&lt;span class="c"&gt;# ~/.codex/config.toml&lt;/span&gt;
&lt;span class="nn"&gt;[mcp_servers.local_filesystem]&lt;/span&gt;
&lt;span class="py"&gt;enabled&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="kc"&gt;true&lt;/span&gt;
&lt;span class="py"&gt;command&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s"&gt;"npx"&lt;/span&gt;
&lt;span class="py"&gt;args&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="p"&gt;[&lt;/span&gt;
  &lt;span class="s"&gt;"-y"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
  &lt;span class="s"&gt;"@modelcontextprotocol/server-filesystem"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
  &lt;span class="s"&gt;"&amp;lt;ABSOLUTE_DIRECTORY_PATH&amp;gt;"&lt;/span&gt;
&lt;span class="p"&gt;]&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Restart Codex and confirm the MCP server appears in the available tool list. This confirms the client is communicating with the MCP process.&lt;/p&gt;

&lt;p&gt;For a practical application, use Codex to analyze local logs with the following prompt:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;I have connected a local filesystem MCP server for the /tmp/codex_test_logs directory. Please read the application logs in that directory, identify the most frequent errors
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fv7urj4c8k1dlehf63bnh.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fv7urj4c8k1dlehf63bnh.png" alt="Screenshot of the Codex interface finding frequent log errors" width="624" height="363"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This native &lt;code&gt;stdio&lt;/code&gt; mechanism functions effectively local scenarios. However, it does not provide downstream token vaulting or managed execution for authenticated third-party tool calls.&lt;/p&gt;




&lt;h2&gt;
  
  
  The Challenges of Using Codex MCP Without an Action Runtime
&lt;/h2&gt;

&lt;p&gt;Adding authenticated MCP services to Codex exposes distinct architectural limitations. Without an action runtime, systems encounter common failure modes:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Raw MCP tool wrappers inject large schemas into the prompt, reducing LLM accuracy and depleting token limits.&lt;/li&gt;
&lt;li&gt;Hardcoded service credentials increase exposure through local files, process access, logs, and accidental commits.&lt;/li&gt;
&lt;li&gt;Local environments leave credential lifecycle, retries, and auditability to each individual MCP server or wrapper.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Consider the mechanism comparison:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Native approach:&lt;/strong&gt; A local script or MCP wrapper often receives hardcoded service tokens through config, environment variables, or headers. Those credentials can leak through local files, logs, process access, accidental commits, or poorly isolated tool execution.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Arcade approach:&lt;/strong&gt; Downstream service tokens reside in Arcade's token vault. Arcade uses those credentials at execution time and returns tool results to Codex, keeping downstream credentials out of Codex prompts and local MCP server definitions.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Without Arcade, developers have to build custom token vaulting, refresh handling, and state management around each MCP server. Arcade reduces this overhead by handling token lifecycle management, state persistence, and tool execution through the action runtime.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Technical dimension&lt;/th&gt;
&lt;th&gt;Native Codex MCP approach&lt;/th&gt;
&lt;th&gt;Arcade Action Runtime approach&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Credential security&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Tokens often live in local config or wrappers&lt;/td&gt;
&lt;td&gt;Downstream tokens vaulted by Arcade and not passed to Codex&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Execution state&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Retries and long-running state handled ad hoc&lt;/td&gt;
&lt;td&gt;Action-runtime-managed execution, retries, and token refresh&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Tool reliability&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Raw MCP tool wrappers cause parameter hallucination&lt;/td&gt;
&lt;td&gt;Agent-optimized tools reduce parameter hallucination&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Authentication &amp;amp; authorization&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Static tokens in local config&lt;/td&gt;
&lt;td&gt;OAuth-backed gateway session for the signed-in user&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;




&lt;h2&gt;
  
  
  Step-by-Step: How to Configure Arcade MCP Gateway for Codex
&lt;/h2&gt;

&lt;p&gt;Connecting Codex to Arcade over remote MCP requires configuring the gateway URL and then authenticating Codex to that MCP server. Codex supports OAuth for Streamable HTTP MCP servers, so the recommended path is to let the Arcade Gateway bind the Codex MCP session to the Arcade OAuth user flow instead of hardcoding a static gateway credential in the config.&lt;/p&gt;

&lt;p&gt;Add the Arcade MCP Gateway to &lt;code&gt;~/.codex/config.toml&lt;/code&gt;:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight toml"&gt;&lt;code&gt;&lt;span class="c"&gt;# ~/.codex/config.toml&lt;/span&gt;
&lt;span class="nn"&gt;[mcp_servers.arcade]&lt;/span&gt;
&lt;span class="py"&gt;enabled&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="kc"&gt;true&lt;/span&gt;
&lt;span class="py"&gt;url&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s"&gt;"https://api.arcade.dev/mcp/&amp;lt;YOUR-GATEWAY-SLUG&amp;gt;"&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Then authenticate the server:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;codex mcp login arcade
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This OAuth-first setup is the safest fit for Codex because the user identity is established by the MCP authorization flow rather than by a reusable value in a shared config file.&lt;/p&gt;

&lt;p&gt;Codex also supports bearer tokens and HTTP headers for Streamable HTTP MCP servers, but this guide does not recommend a shared header-based setup. For the Arcade workflow covered here, use Arcade Auth and &lt;code&gt;codex mcp login&lt;/code&gt; so the gateway session is tied to the authenticated user.&lt;/p&gt;




&lt;h2&gt;
  
  
  Practical Use Cases for Codex and Arcade MCP Integration
&lt;/h2&gt;

&lt;p&gt;Integrating Codex with Arcade enables developers to chain authenticated actions across developer systems without placing downstream service tokens in Codex config.&lt;/p&gt;

&lt;h3&gt;
  
  
  1. Scheduling Google Calendar Events with Codex MCP
&lt;/h3&gt;

&lt;p&gt;Using Arcade, Codex can seamlessly interact with your Google Calendar to create, update, and delete events, respond to RSVPs, find mutually free time slots, and list your schedule without leaving the editor.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;I want to create a new meeting event in my Google Calendar. The event name is going to be Reminder that Arcade provides Google Calendar integration tools. Can you do it for me please?
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fbnhv78ao1zyvpb8remv5.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fbnhv78ao1zyvpb8remv5.png" alt="Screenshot showing Codex successfully scheduling a Google Calendar event" width="624" height="363"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  2. Creating Microsoft Word Documents via Codex
&lt;/h3&gt;

&lt;p&gt;Developers can use Codex and Arcade to generate, read, and append text to Microsoft Word documents directly in their OneDrive workspace.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;I want to create a Microsoft Word document using the Arcade tools. The name of the document will be Tool integration test using codex.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fa128yv3hqfrgd1y5ggiw.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fa128yv3hqfrgd1y5ggiw.png" alt="Screenshot of Codex creating a Microsoft Word document" width="624" height="363"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  3. Managing Linear Issues Directly from Codex
&lt;/h3&gt;

&lt;p&gt;Using Arcade, Codex can create, update, and track Linear issues, transition issue states, add comments, manage projects and initiatives, and link GitHub PRs, helping you stay on top of your project management tasks without switching contexts.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;I want to create a new issue in Linear. The issue is around testing codex integration using arcade to linear. The Team name is Research &amp;amp; Development
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fx6o52wcsattbrty4h2td.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fx6o52wcsattbrty4h2td.png" alt="Screenshot of Codex in the IDE creating a Linear issue" width="624" height="363"&gt;&lt;/a&gt;&lt;/p&gt;




&lt;h2&gt;
  
  
  Codex MCP Troubleshooting: Common Connection Errors and Fixes
&lt;/h2&gt;

&lt;p&gt;Timeouts and authorization states are common hurdles when operating MCP over Streamable HTTP. Consult the Arcade dashboard or execution logs available in your setup to review tool-level authorization and execution errors.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Symptom&lt;/th&gt;
&lt;th&gt;Likely Cause&lt;/th&gt;
&lt;th&gt;Concrete Fix&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;JSON-RPC &lt;code&gt;-32001&lt;/code&gt; error (timeout)&lt;/td&gt;
&lt;td&gt;Tool call exceeds the configured timeout&lt;/td&gt;
&lt;td&gt;Increase Codex's &lt;code&gt;tool_timeout_sec&lt;/code&gt; for the MCP server if the tool call is expected to take longer&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;401/403 on tool call&lt;/td&gt;
&lt;td&gt;Gateway OAuth incomplete, scopes missing, or token expired&lt;/td&gt;
&lt;td&gt;Run &lt;code&gt;codex mcp login arcade&lt;/code&gt;, then complete the required Arcade authorization flow&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;400 &lt;code&gt;invalid_grant&lt;/code&gt; error&lt;/td&gt;
&lt;td&gt;Permanent session termination&lt;/td&gt;
&lt;td&gt;Requires complete re-authentication flow, not just a retryable refresh&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Streamable HTTP connection drops&lt;/td&gt;
&lt;td&gt;Proxies buffering or dropping streams&lt;/td&gt;
&lt;td&gt;Review proxy buffering and timeout settings between Codex and the MCP server&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Streamable HTTP drops can occur when proxies or firewalls aggressively terminate idle connections. Review buffering and timeout settings before debugging tool authorization.&lt;/p&gt;

&lt;p&gt;A 400 &lt;code&gt;invalid_grant&lt;/code&gt; error indicates the external provider revoked the user's underlying OAuth grant. This represents a permanent session termination rather than a transient network error. The user must complete a fresh authorization flow via Arcade to restore access.&lt;/p&gt;




&lt;h2&gt;
  
  
  Conclusion: Secure Codex MCP Integrations with Arcade.dev
&lt;/h2&gt;

&lt;p&gt;Adding authenticated services to Codex requires shifting downstream authorization, token storage, and execution state out of local tool wrappers and into an action runtime. Arcade provides that infrastructure.&lt;/p&gt;

&lt;p&gt;By handling downstream token vaulting and managed tool execution, Arcade helps Codex use authenticated services without exposing downstream credentials to the model context. &lt;a href="https://account.arcade.dev/register" rel="noopener noreferrer"&gt;Create your first Arcade integration and test it today&lt;/a&gt;.&lt;/p&gt;




&lt;h2&gt;
  
  
  Frequently Asked Questions (FAQ) on Codex and Arcade MCP
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Can I use native local &lt;code&gt;stdio&lt;/code&gt; instead of Arcade?
&lt;/h3&gt;

&lt;p&gt;Local &lt;code&gt;stdio&lt;/code&gt; is useful for personal development and internal prototypes. For authenticated third-party services, it leaves token storage, refresh handling, retries, and auditability to each local wrapper. Arcade vaults downstream tokens and executes tool calls through the action runtime.&lt;/p&gt;

&lt;h3&gt;
  
  
  Can I use raw MCP tool wrappers instead of Arcade's agent-optimized tools?
&lt;/h3&gt;

&lt;p&gt;Raw MCP tool wrappers frequently cause context pollution and parameter hallucination in language models. Arcade supplies a catalog of intent-optimized tools that mitigates these failure modes.&lt;/p&gt;

&lt;h3&gt;
  
  
  Does Arcade.dev provide MCP execution logs?
&lt;/h3&gt;

&lt;p&gt;Arcade.dev provides execution logs that can capture details such as the agent, user, action, system, and timestamp. Availability and export options depend on your Arcade setup.&lt;/p&gt;

&lt;h3&gt;
  
  
  Where should I store MCP credentials and service tokens?
&lt;/h3&gt;

&lt;p&gt;Never hardcode downstream service credentials in configuration files or prompts. Use Arcade's token vault for downstream OAuth tokens, and treat any Codex-to-Arcade gateway credential as sensitive infrastructure credentialing that should be injected through a secret manager or trusted environment.&lt;/p&gt;

&lt;h3&gt;
  
  
  Why does my Streamable HTTP MCP connection keep dropping?
&lt;/h3&gt;

&lt;p&gt;Proxies and firewalls can buffer or time out long-lived connections. Review proxy buffering and idle timeout settings between Codex and the MCP server.&lt;/p&gt;

&lt;h3&gt;
  
  
  How do I troubleshoot 401/403 errors from Codex MCP tools?
&lt;/h3&gt;

&lt;p&gt;These errors typically indicate incomplete gateway OAuth, missing authorization scopes, or expired user consent. Run &lt;code&gt;codex mcp login arcade&lt;/code&gt;, then complete the Arcade authorization flow for the required tool.&lt;/p&gt;

&lt;h3&gt;
  
  
  What is JSON-RPC &lt;code&gt;-32001&lt;/code&gt; in MCP and how do I fix it?
&lt;/h3&gt;

&lt;p&gt;This error indicates a request timeout, which typically occurs when operations exceed the default 60-second limit. Increase the timeout configuration or implement asynchronous progress notifications for long-running tool executions.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>openai</category>
      <category>mcp</category>
      <category>tutorial</category>
    </item>
    <item>
      <title>How to Connect Hermes Agent to MCP with Arcade.dev</title>
      <dc:creator>Manveer Chawla</dc:creator>
      <pubDate>Mon, 29 Jun 2026 06:12:33 +0000</pubDate>
      <link>https://dev.to/arcade/secure-connect-hermes-mcp-1f7m</link>
      <guid>https://dev.to/arcade/secure-connect-hermes-mcp-1f7m</guid>
      <description>&lt;p&gt;For developers running Nous Research's Hermes Agent, connecting to a remote Model Context Protocol (MCP) server is straightforward. But as you add more services, you run into real problems: configuration sprawl, credential management, and raw API wrappers that cause the language model to hallucinate parameters and burn tokens.&lt;/p&gt;

&lt;p&gt;Arcade.dev's MCP gateway gives your Hermes Agent access to thousands of agent-optimized tools through a single endpoint, with downstream credentials vaulted away from the agent process and native OAuth for gateway authentication.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Scope note:&lt;/strong&gt; One person, one Hermes profile, one gateway process. A shared multi-user service needs per-user MCP connections and token storage, plus an appropriate isolation boundary (containers or OS-level separation, since &lt;a href="https://hermes-agent.nousresearch.com/docs/user-guide/profiles#profiles-vs-workspaces-vs-sandboxing" rel="noopener noreferrer"&gt;Hermes profiles are not sandboxes&lt;/a&gt;). Arcade &lt;a href="https://docs.arcade.dev/en/guides/user-sources" rel="noopener noreferrer"&gt;User Sources&lt;/a&gt; can provide external identity for production agents, but do not add per-user MCP isolation to Hermes by themselves. That architecture is a separate problem.&lt;/p&gt;

&lt;h2&gt;
  
  
  TL;DR
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;a href="https://hermes-agent.nousresearch.com/docs/guides/use-mcp-with-hermes/" rel="noopener noreferrer"&gt;Install MCP support&lt;/a&gt; (included in the standard installer; from source: &lt;code&gt;uv pip install -e ".[mcp]"&lt;/code&gt;).&lt;/li&gt;
&lt;li&gt;Point Hermes at your Arcade MCP gateway using &lt;code&gt;auth: oauth&lt;/code&gt; in &lt;code&gt;~/.hermes/config.yaml&lt;/code&gt;. Do not put a static &lt;code&gt;ARCADE_API_KEY&lt;/code&gt; in the config; Hermes's native OAuth flow establishes a user-bound session in Arcade.&lt;/li&gt;
&lt;li&gt;Authorize each required tool or provider scope set through Arcade's &lt;a href="https://docs.arcade.dev/en/guides/tool-calling/custom-apps/auth-tool-calling" rel="noopener noreferrer"&gt;&lt;code&gt;tools.authorize&lt;/code&gt; API&lt;/a&gt; before running tool calls that need them. Arcade vaults the tokens so they never reach the language model.&lt;/li&gt;
&lt;li&gt;Restrict tool exposure with &lt;code&gt;tools.include&lt;/code&gt; / &lt;code&gt;tools.exclude&lt;/code&gt; for least privilege.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  How to connect Hermes Agent to an MCP server (quick start)
&lt;/h2&gt;

&lt;p&gt;Before connecting to Arcade, make sure your base Hermes Agent installation supports the Model Context Protocol. The standard installer includes MCP support by default. If you're working from source or managing a custom environment, install the MCP extras from the repository root:&lt;/p&gt;

&lt;h3&gt;
  
  
  Install MCP support (from source)
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;uv pip &lt;span class="nb"&gt;install&lt;/span&gt; &lt;span class="nt"&gt;-e&lt;/span&gt; &lt;span class="s2"&gt;".[mcp]"&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Add an MCP server to ~/.hermes/config.yaml
&lt;/h3&gt;

&lt;p&gt;Once installed, Hermes routes connections through the &lt;code&gt;mcp_servers&lt;/code&gt; block in &lt;code&gt;config.yaml&lt;/code&gt;. For a basic test against a standard HTTP MCP server, define the connection and inject a static Bearer token:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="na"&gt;mcp_servers&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;remote_test_api&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;url&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;https://mcp.internal.example.com"&lt;/span&gt;
    &lt;span class="na"&gt;headers&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="na"&gt;Authorization&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Bearer&lt;/span&gt;&lt;span class="nv"&gt; &lt;/span&gt;&lt;span class="s"&gt;${REMOTE_TEST_API_KEY}"&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This pattern is fine for a single developer hitting an internal test server they control. For remote servers that support OAuth, prefer Hermes's native OAuth flow instead of static tokens.&lt;/p&gt;

&lt;h3&gt;
  
  
  Authenticate with Hermes's native OAuth flow
&lt;/h3&gt;

&lt;p&gt;The recommended way to connect Hermes to OAuth-protected remote MCP servers, including Arcade, is through its native OAuth 2.1 support. Set &lt;code&gt;auth: oauth&lt;/code&gt; in the configuration block. When configured, Hermes handles dynamic client registration, prints an authorization URL to the terminal, opens your browser, and waits for the callback on a local loopback port.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="na"&gt;mcp_servers&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;my_server&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;url&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;https://example.com/mcp"&lt;/span&gt;
    &lt;span class="na"&gt;auth&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;oauth&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Authenticate and reload tools
&lt;/h3&gt;

&lt;p&gt;After saving an OAuth configuration, run &lt;code&gt;hermes mcp login &amp;lt;server&amp;gt;&lt;/code&gt; from a fresh terminal. This provides enough time to complete browser authentication (five minutes, compared to the 30-second window during automatic config reload). Once authenticated, start or restart Hermes. Use &lt;code&gt;/reload-mcp&lt;/code&gt; in the chat interface when you need to refresh the registered tools after later configuration changes.&lt;/p&gt;

&lt;p&gt;Verify the tools loaded successfully by running:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;hermes mcp &lt;span class="nb"&gt;test&lt;/span&gt; &amp;lt;server&amp;gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  Why connect Hermes to Arcade
&lt;/h2&gt;

&lt;p&gt;You could wire Hermes to each service individually, one MCP server for Gmail, another for Slack, another for your CRM. That works until you're managing a dozen config blocks, each with its own credentials, timeouts, and failure modes. Arcade solves several problems at once.&lt;/p&gt;

&lt;h3&gt;
  
  
  One endpoint instead of many
&lt;/h3&gt;

&lt;p&gt;The &lt;a href="https://docs.arcade.dev/en/guides/mcp-gateways/create-via-dashboard" rel="noopener noreferrer"&gt;Arcade MCP Gateway&lt;/a&gt; gives your Hermes Agent access to &lt;a href="https://www.arcade.dev/tools/" rel="noopener noreferrer"&gt;thousands of tools&lt;/a&gt; through a single URL. Instead of managing separate server connections and keeping track of which service lives where, your Hermes Agent talks to one gateway. Arcade handles routing and tool execution behind it.&lt;/p&gt;

&lt;h3&gt;
  
  
  Agent-optimized tools reduce hallucinations and token cost
&lt;/h3&gt;

&lt;p&gt;Raw API wrappers hurt agent performance because they're built for deterministic software, not probabilistic language models.&lt;/p&gt;

&lt;p&gt;When an agent receives a raw API definition, it frequently hallucinates required parameters, enters retry loops on malformed JSON payloads, and burns tokens trying to correct its own errors. Arcade's tools are designed at the intent level, translating natural language into precise API calls. In &lt;a href="https://www.arcade.dev/blog/attio-mcp-toolkit-benchmark/" rel="noopener noreferrer"&gt;published benchmarks&lt;/a&gt;, this approach has cut response token usage substantially compared to raw API passthrough, while also lowering parameter hallucination rates.&lt;/p&gt;

&lt;h3&gt;
  
  
  Downstream credentials stay out of the agent process
&lt;/h3&gt;

&lt;p&gt;Storing API keys and OAuth tokens in environment files is a real risk, even for a single user. Recent reports from GitGuardian identified &lt;a href="https://www.gitguardian.com/state-of-secrets-sprawl-report-2026" rel="noopener noreferrer"&gt;tens of thousands of unique secrets exposed&lt;/a&gt; in public MCP configuration files.&lt;/p&gt;

&lt;p&gt;Arcade vaults downstream service tokens (Gmail, Slack, CRM, etc.) so they never reach Hermes or the model context. Refresh and revocation are centralized in Arcade rather than scattered across config files.&lt;/p&gt;

&lt;h2&gt;
  
  
  How to configure the Arcade MCP gateway in Hermes
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Gateway configuration
&lt;/h3&gt;

&lt;p&gt;Define the gateway connection in &lt;code&gt;~/.hermes/config.yaml&lt;/code&gt; and set &lt;code&gt;auth: oauth&lt;/code&gt;. When you start Hermes, the native OAuth flow will prompt you to authenticate with your Arcade account in the browser.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="na"&gt;mcp_servers&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;arcade_gateway&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;url&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;https://api.arcade.dev/mcp/&amp;lt;YOUR-GATEWAY-SLUG&amp;gt;"&lt;/span&gt;
    &lt;span class="na"&gt;auth&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;oauth&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Replace &lt;code&gt;&amp;lt;YOUR-GATEWAY-SLUG&amp;gt;&lt;/code&gt; with the slug shown in your &lt;a href="https://api.arcade.dev/dashboard" rel="noopener noreferrer"&gt;Arcade dashboard&lt;/a&gt; after creating a gateway. When setting up the gateway, select &lt;strong&gt;Arcade Auth&lt;/strong&gt; as the authentication mode, which lets you sign in with your Arcade account.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Do not use a static &lt;code&gt;ARCADE_API_KEY&lt;/code&gt; in the headers.&lt;/strong&gt; Arcade's own documentation describes API keys as &lt;a href="https://docs.arcade.dev/en/get-started/setup/api-keys" rel="noopener noreferrer"&gt;administrator credentials&lt;/a&gt; that let anyone who has the key make requests as you. Hermes's native OAuth flow gives you a user-bound OAuth session instead.&lt;/p&gt;

&lt;p&gt;You can optionally override &lt;code&gt;connect_timeout&lt;/code&gt; and &lt;code&gt;timeout&lt;/code&gt; in the config block if you need custom values, but Hermes ships with reasonable defaults.&lt;/p&gt;

&lt;p&gt;After authenticating with &lt;code&gt;hermes mcp login arcade_gateway&lt;/code&gt;, verify the connection:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;hermes mcp &lt;span class="nb"&gt;test &lt;/span&gt;arcade_gateway
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  What changes after connecting to Arcade
&lt;/h3&gt;

&lt;p&gt;With this configuration, Hermes no longer needs to manage credentials for the third-party services it calls. It formulates intent and sends the request to the Arcade gateway. Arcade resolves the authentication for the connected services and executes the underlying API call, returning only the result to Hermes.&lt;/p&gt;

&lt;h2&gt;
  
  
  How downstream service authorization works
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Authorizing services like Gmail, Slack, and CRMs
&lt;/h3&gt;

&lt;p&gt;Before your Hermes Agent can act on a downstream service like Gmail or a CRM, you need to authorize that service's connection through Arcade. Arcade's standard flow is just-in-time: when an agent calls a tool that requires a service the user hasn't connected yet, Arcade returns an authorization URL through &lt;a href="https://www.arcade.dev/blog/mcp-server-authorization-guide" rel="noopener noreferrer"&gt;MCP URL-mode elicitation&lt;/a&gt;. A client that supports elicitation surfaces this URL to the user, who completes the OAuth flow once. Arcade then vaults and automatically refreshes the resulting token.&lt;/p&gt;

&lt;p&gt;As of June 2026, Hermes does not support URL-mode elicitation. Its handler explicitly declines URL-mode responses (&lt;a href="https://github.com/NousResearch/hermes-agent/blob/a7983d5ad768551508667e8c708e13def7ee28ab/tools/mcp_tool.py#L1236-L1303" rel="noopener noreferrer"&gt;current implementation&lt;/a&gt;), so the authorization URL never reaches you. This limitation may change in a future release. Until then, authorize your service connections before running tool calls that require them.&lt;/p&gt;

&lt;p&gt;Arcade provides a &lt;a href="https://docs.arcade.dev/en/guides/tool-calling/custom-apps/auth-tool-calling" rel="noopener noreferrer"&gt;&lt;code&gt;tools.authorize&lt;/code&gt; API&lt;/a&gt; for this purpose. Install the SDK and set a temporary API key in a dedicated setup shell:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;pip &lt;span class="nb"&gt;install &lt;/span&gt;arcadepy
&lt;span class="nb"&gt;export &lt;/span&gt;&lt;span class="nv"&gt;ARCADE_API_KEY&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;"&amp;lt;your-api-key&amp;gt;"&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Run preauthorization in this dedicated shell, separate from the one you use to launch Hermes.&lt;/p&gt;

&lt;p&gt;Then run the following to authorize a tool's required scopes:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="kn"&gt;from&lt;/span&gt; &lt;span class="n"&gt;arcadepy&lt;/span&gt; &lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;Arcade&lt;/span&gt;

&lt;span class="c1"&gt;# For this personal Arcade Auth setup, use the email address
# associated with your Arcade account.
&lt;/span&gt;&lt;span class="n"&gt;USER_ID&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;you@example.com&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;

&lt;span class="n"&gt;client&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nc"&gt;Arcade&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;  &lt;span class="c1"&gt;# Uses ARCADE_API_KEY from the environment
&lt;/span&gt;
&lt;span class="n"&gt;auth_response&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;client&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;tools&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;authorize&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
    &lt;span class="n"&gt;tool_name&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Gmail.ListEmails&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
    &lt;span class="n"&gt;user_id&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;USER_ID&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="p"&gt;)&lt;/span&gt;

&lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="n"&gt;auth_response&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;status&lt;/span&gt; &lt;span class="o"&gt;!=&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;completed&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
    &lt;span class="nf"&gt;print&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sa"&gt;f&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Authorize Gmail: &lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="n"&gt;auth_response&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;url&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
    &lt;span class="n"&gt;client&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;auth&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;wait_for_completion&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;auth_response&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;A few things to note about this setup step:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;In this workflow, use the administrator API key only for preauthorization; the key itself is not scoped to that operation. Never place it in Hermes's configuration, and unset or revoke it afterward.&lt;/li&gt;
&lt;li&gt;The Arcade SDK uses dotted names (&lt;code&gt;Gmail.ListEmails&lt;/code&gt;) for &lt;code&gt;tools.authorize&lt;/code&gt; calls. Hermes &lt;code&gt;tools.include&lt;/code&gt; filters use the MCP wire names, which are underscore-separated (&lt;code&gt;Gmail_ListEmails&lt;/code&gt;).&lt;/li&gt;
&lt;li&gt;Authorization applies to the scopes requested by that specific tool. Another Gmail tool may request additional scopes and trigger a separate authorization challenge. Authorize each tool or provider scope set you plan to use, not just one per service.&lt;/li&gt;
&lt;li&gt;For this personal Arcade Auth configuration, use the same email address you used to sign into Arcade as the &lt;code&gt;user_id&lt;/code&gt;. If the &lt;code&gt;user_id&lt;/code&gt; doesn't match your gateway OAuth session identity, Arcade vaults the token under a different user and Hermes won't be able to use it.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  How token vaulting works at runtime
&lt;/h3&gt;

&lt;p&gt;When your Hermes Agent calls a tool that interacts with an authorized service, the request goes to the Arcade gateway. Arcade checks that you have a valid, vaulted token for that service, makes the API call on your behalf, and returns the result to Hermes.&lt;/p&gt;

&lt;p&gt;If a token has expired, Arcade handles the refresh automatically. If a service isn't authorized yet, the tool call will return an authorization error. Authorize the required tool scopes through the &lt;code&gt;tools.authorize&lt;/code&gt; API and retry.&lt;/p&gt;

&lt;p&gt;Arcade keeps downstream service tokens out of Hermes and the model context. Hermes still stores its own MCP gateway OAuth token locally (under &lt;code&gt;~/.hermes/mcp-tokens/&lt;/code&gt;), so normal host and process security remain necessary. Vaulting prevents direct disclosure of downstream tokens and centralizes refresh and revocation, but it does not prevent a compromised Hermes process from invoking tools already authorized for its Arcade session.&lt;/p&gt;

&lt;h2&gt;
  
  
  How to manage tool visibility and filtering in Hermes
&lt;/h2&gt;

&lt;h3&gt;
  
  
  How to use tools.include and tools.exclude
&lt;/h3&gt;

&lt;p&gt;Hermes provides native configuration semantics to restrict tool access, so your agent operates under the principle of least privilege. Use &lt;code&gt;tools.include&lt;/code&gt; and &lt;code&gt;tools.exclude&lt;/code&gt; in &lt;code&gt;config.yaml&lt;/code&gt; to filter Arcade's tool catalog down to what your use case actually needs. Restrict visibility to safe, read-only, or draft actions where possible:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="na"&gt;mcp_servers&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;arcade_gateway&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;url&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;https://api.arcade.dev/mcp/&amp;lt;YOUR-GATEWAY-SLUG&amp;gt;"&lt;/span&gt;
    &lt;span class="na"&gt;auth&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;oauth&lt;/span&gt;
    &lt;span class="na"&gt;tools&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="na"&gt;include&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
        &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;Gmail_ListEmails&lt;/span&gt;
        &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;Gmail_WriteDraftEmail&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Hermes compares &lt;code&gt;tools.include&lt;/code&gt; against the raw tool names returned by the MCP server. Arcade's MCP layer &lt;a href="https://github.com/ArcadeAI/arcade-mcp/blob/f537771f296c6cab91fe403964ce45b28357cd72/libs/arcade-mcp-server/arcade_mcp_server/convert.py#L40-L55" rel="noopener noreferrer"&gt;converts canonical dotted names to underscores&lt;/a&gt; before sending them over the wire, so use underscore names in your filter (e.g. &lt;code&gt;Gmail_ListEmails&lt;/code&gt;, not &lt;code&gt;Gmail.ListEmails&lt;/code&gt;).&lt;/p&gt;

&lt;p&gt;In this configuration, even though Arcade supports sending and deleting emails, the Hermes Agent can't see or invoke those capabilities. If you use an exclude block alongside an include block, the include rules take precedence.&lt;/p&gt;

&lt;h3&gt;
  
  
  Restricting to safe actions
&lt;/h3&gt;

&lt;p&gt;A good starting pattern is to give the agent read and draft access only. Let it list emails, read calendar events, and write draft messages, but not send, delete, or modify anything irreversibly. You can widen the tool set incrementally as you build confidence in the agent's behavior.&lt;/p&gt;

&lt;h2&gt;
  
  
  Troubleshooting
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Troubleshooting checklist (symptoms, causes, fixes)
&lt;/h3&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Symptom&lt;/th&gt;
&lt;th&gt;Likely cause&lt;/th&gt;
&lt;th&gt;Concrete fix&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Expected tools are missing in chat&lt;/td&gt;
&lt;td&gt;Gateway tool selection doesn't include that tool, overly restrictive &lt;code&gt;tools.include&lt;/code&gt; filtering, or the MCP server failed discovery.&lt;/td&gt;
&lt;td&gt;Verify the tool is enabled in your Arcade gateway, review your Hermes include/exclude rules, and check &lt;code&gt;~/.hermes/logs/errors.log&lt;/code&gt; for discovery errors.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;OAuth flow times out during config reload&lt;/td&gt;
&lt;td&gt;Hermes config auto-reload allows only 30 seconds for interactive OAuth, which may not be enough.&lt;/td&gt;
&lt;td&gt;Run &lt;code&gt;hermes mcp login arcade_gateway&lt;/code&gt; from a separate terminal, which allows five minutes. Then restart Hermes or use &lt;code&gt;/reload-mcp&lt;/code&gt; to refresh tools.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Connection rejected after config change&lt;/td&gt;
&lt;td&gt;OAuth flow not completed or incorrect gateway URL.&lt;/td&gt;
&lt;td&gt;Check &lt;code&gt;~/.hermes/logs/errors.log&lt;/code&gt;, confirm the gateway URL matches your Arcade dashboard, and re-run the OAuth flow.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;OAuth flow fails in a headless environment&lt;/td&gt;
&lt;td&gt;Hermes can't open a browser in a remote or containerized deployment.&lt;/td&gt;
&lt;td&gt;See the &lt;a href="https://hermes-agent.nousresearch.com/docs/user-guide/features/mcp#oauth-authenticated-http-servers" rel="noopener noreferrer"&gt;Hermes headless OAuth documentation&lt;/a&gt; for workarounds including SSH port forwarding.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Tool call returns authorization error for a downstream service&lt;/td&gt;
&lt;td&gt;The required tool scopes haven't been authorized yet in Arcade.&lt;/td&gt;
&lt;td&gt;Authorize the required tool scopes using the &lt;a href="https://docs.arcade.dev/en/guides/tool-calling/custom-apps/auth-tool-calling" rel="noopener noreferrer"&gt;&lt;code&gt;tools.authorize&lt;/code&gt; API&lt;/a&gt;, then retry the tool call.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h3&gt;
  
  
  Where to debug: Hermes logs vs Arcade dashboard
&lt;/h3&gt;

&lt;p&gt;When a tool call fails, start with &lt;code&gt;~/.hermes/logs/errors.log&lt;/code&gt; for connection-level issues (wrong URL, OAuth failures, timeouts). For tool execution failures (authorization errors, malformed requests, downstream API rejections), check Arcade's execution logs when available for your deployment.&lt;/p&gt;

&lt;h2&gt;
  
  
  Conclusion: connect Hermes to Arcade and start building
&lt;/h2&gt;

&lt;p&gt;Connecting Hermes Agent to MCP takes minimal effort in local development. Adding dozens of services, managing credentials for each, and keeping raw API wrappers from causing hallucinations is where the real time goes.&lt;/p&gt;

&lt;p&gt;Arcade gives your Hermes Agent access to thousands of agent-optimized tools through one gateway, with downstream credentials vaulted away from the agent process and the language model. You focus on building the agent logic that matters.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://app.arcade.dev/register" rel="noopener noreferrer"&gt;Create a free Arcade.dev account&lt;/a&gt;, configure your first gateway, and connect your Hermes Agent today.&lt;/p&gt;

&lt;h2&gt;
  
  
  Frequently asked questions (FAQ)
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Should I use Hermes's native OAuth or a static API key to connect to Arcade?
&lt;/h3&gt;

&lt;p&gt;Use native OAuth (&lt;code&gt;auth: oauth&lt;/code&gt;). A static &lt;code&gt;ARCADE_API_KEY&lt;/code&gt; is an &lt;a href="https://docs.arcade.dev/en/get-started/setup/api-keys" rel="noopener noreferrer"&gt;administrator credential&lt;/a&gt; that lets anyone who has the key make requests as you. The OAuth flow gives you a user-bound session instead.&lt;/p&gt;

&lt;h3&gt;
  
  
  What do I need to add to ~/.hermes/config.yaml to connect Hermes to Arcade?
&lt;/h3&gt;

&lt;p&gt;Add an &lt;code&gt;mcp_servers&lt;/code&gt; entry with your gateway &lt;code&gt;url&lt;/code&gt; (format: &lt;code&gt;https://api.arcade.dev/mcp/&amp;lt;YOUR-GATEWAY-SLUG&amp;gt;&lt;/code&gt;) and set &lt;code&gt;auth: oauth&lt;/code&gt;. Optionally add &lt;code&gt;tools.include&lt;/code&gt; / &lt;code&gt;tools.exclude&lt;/code&gt; to restrict the visible tool set. Timeout overrides are available but Hermes ships with reasonable defaults.&lt;/p&gt;

&lt;h3&gt;
  
  
  How do I authorize downstream services like Gmail or Slack?
&lt;/h3&gt;

&lt;p&gt;Use Arcade's &lt;a href="https://docs.arcade.dev/en/guides/tool-calling/custom-apps/auth-tool-calling" rel="noopener noreferrer"&gt;&lt;code&gt;tools.authorize&lt;/code&gt; API&lt;/a&gt; to authorize each required tool or provider scope set before running tool calls that need them. Hermes does not currently support MCP URL-mode elicitation, so authorization must happen out of band. Make sure the &lt;code&gt;user_id&lt;/code&gt; you pass matches the identity from your gateway OAuth session. Once authorized, Arcade vaults the tokens and your agent can call the corresponding tools.&lt;/p&gt;

&lt;h3&gt;
  
  
  How do I prevent downstream tokens from being exposed to the language model?
&lt;/h3&gt;

&lt;p&gt;Use &lt;code&gt;auth: oauth&lt;/code&gt; to connect to Arcade, and authorize downstream services through the &lt;code&gt;tools.authorize&lt;/code&gt; API. Arcade vaults all downstream tokens and returns only tool results to Hermes. Note that Hermes still stores its own gateway OAuth token locally under &lt;code&gt;~/.hermes/mcp-tokens/&lt;/code&gt;, so host-level security practices still apply.&lt;/p&gt;

&lt;h3&gt;
  
  
  Why are expected tools missing in the Hermes chat UI?
&lt;/h3&gt;

&lt;p&gt;Common causes: the tool isn't included in your Arcade gateway configuration, your &lt;code&gt;tools.include&lt;/code&gt; filter is too restrictive, or MCP server discovery failed. Verify the tool is enabled in your gateway, check your Hermes include/exclude rules, and review &lt;code&gt;~/.hermes/logs/errors.log&lt;/code&gt; for discovery errors.&lt;/p&gt;

&lt;h3&gt;
  
  
  How do I reload MCP tools after changing config.yaml?
&lt;/h3&gt;

&lt;p&gt;Use &lt;code&gt;/reload-mcp&lt;/code&gt; in Hermes for local iteration. If the OAuth flow times out during a config reload (the auto-reload window is 30 seconds), run &lt;code&gt;hermes mcp login arcade_gateway&lt;/code&gt; from a separate terminal, then restart Hermes or use &lt;code&gt;/reload-mcp&lt;/code&gt;.&lt;/p&gt;

&lt;h3&gt;
  
  
  Can I use this setup for multiple users?
&lt;/h3&gt;

&lt;p&gt;Not with a single Hermes process. Hermes shares its MCP server connections and OAuth token store at the process level, so all users of one process share the same identity. For multi-user setups, you need per-user &lt;a href="https://hermes-agent.nousresearch.com/docs/user-guide/profiles" rel="noopener noreferrer"&gt;Hermes profiles&lt;/a&gt; running as separate processes, with appropriate OS-level or container isolation (profiles alone &lt;a href="https://hermes-agent.nousresearch.com/docs/user-guide/profiles#profiles-vs-workspaces-vs-sandboxing" rel="noopener noreferrer"&gt;are not sandboxes&lt;/a&gt;). Arcade &lt;a href="https://docs.arcade.dev/en/guides/user-sources" rel="noopener noreferrer"&gt;User Sources&lt;/a&gt; can provide external identity for production agents, but do not add per-user MCP isolation to Hermes by themselves.&lt;/p&gt;

&lt;h3&gt;
  
  
  What's the minimum setup checklist for Hermes plus Arcade?
&lt;/h3&gt;

&lt;p&gt;Create an Arcade account and gateway, authorize the required tool scopes through &lt;code&gt;tools.authorize&lt;/code&gt;, add the gateway to &lt;code&gt;config.yaml&lt;/code&gt; with &lt;code&gt;auth: oauth&lt;/code&gt;, and optionally restrict tools with &lt;code&gt;include&lt;/code&gt;/&lt;code&gt;exclude&lt;/code&gt;.&lt;/p&gt;

</description>
      <category>hermes</category>
      <category>mcp</category>
      <category>security</category>
      <category>agents</category>
    </item>
    <item>
      <title>Claude Tag: How to Build Your Own Slack AI Agent with Arcade.dev</title>
      <dc:creator>Manveer Chawla</dc:creator>
      <pubDate>Thu, 25 Jun 2026 20:21:44 +0000</pubDate>
      <link>https://dev.to/arcade/claude-tag-how-to-build-your-own-slack-ai-agent-with-arcadedev-3724</link>
      <guid>https://dev.to/arcade/claude-tag-how-to-build-your-own-slack-ai-agent-with-arcadedev-3724</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;"Today, 65% of our product team's code is created by our internal version of Claude Tag."&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;That's Anthropic, talking about its own engineering team. And this is not code autocomplete or a chatbot generating snippets in isolation. Claude Tag is a shared agent inside Slack that teammates mention by name to investigate bugs, pull metrics, work support tickets, and complete longer-running tasks. It reads thread context, connects to approved tools and codebases, and posts results back in the same conversation.&lt;/p&gt;

&lt;p&gt;The question is not whether Claude Tag is impressive. It is: what would your team delegate if you had one?&lt;/p&gt;

&lt;p&gt;You do not need to recreate Anthropic's entire product to find out. This tutorial recreates Claude Tag's core interaction pattern, not Anthropic's proprietary product. Start with one high-value Slack workflow, give the agent a small toolset, and use &lt;a href="https://www.arcade.dev" rel="noopener noreferrer"&gt;Arcade.dev&lt;/a&gt; for the action layer: tool connectivity, authorization, and controlled access to external systems.&lt;/p&gt;

&lt;h2&gt;
  
  
  Key takeaways: Claude Tag and building your own Slack AI agent
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Claude Tag is Anthropic's shared AI agent for Slack&lt;/strong&gt;. It lets teams mention &lt;code&gt;@Claude&lt;/code&gt; in selected channels to complete multi-step work using conversation context, connected tools, and codebases.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Claude Tag turns Slack into the agent interface&lt;/strong&gt;. It can remember relevant channel context, work asynchronously, use a dedicated identity, and return results in the thread where the request began.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;You can recreate the core Claude Tag pattern.&lt;/strong&gt; This tutorial builds a Claude Tag-style Slack AI agent with Python, Slack Bolt, OpenAI, and Arcade.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Arcade provides secure tool access.&lt;/strong&gt; The example connects the agent to read-only GitHub, Datadog, and PagerDuty tools while Arcade handles authorization, credentials, tool execution, and access controls.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Start with one bounded workflow&lt;/strong&gt;. Incident triage is a strong first use case because it crosses multiple systems, produces reviewable evidence, and does not require irreversible actions.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Production agents need explicit safeguards.&lt;/strong&gt; Restrict the agent to approved Slack channels, use dedicated or per-user identities, require human approval for consequential writes, log its actions, and maintain a kill switch.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  What is Claude Tag and why does your team want it?
&lt;/h2&gt;

&lt;p&gt;Anthropic launched &lt;a href="https://www.anthropic.com/news/introducing-claude-tag" rel="noopener noreferrer"&gt;Claude Tag&lt;/a&gt; on June 23, 2026 as a beta for Enterprise and Team customers. The operating model is simple: Claude joins selected Slack channels as a teammate. Anyone in the channel can tag &lt;code&gt;@Claude&lt;/code&gt; with a request. It breaks the task into stages, works through them using connected tools, and replies in-thread with what it produced. Once a thread is active, anyone there can steer it without re-mentioning the agent.&lt;/p&gt;

&lt;p&gt;What makes this different from a personal chatbot is that the work happens in public. The channel is the interface, the context, and the audit trail. A single shared Claude instance serves an entire channel, building persistent memory as it follows along. It can work asynchronously, schedule its own follow-up tasks, and combine context from Slack threads, Google Drive docs, ticketing systems, and data warehouses into a single answer.&lt;/p&gt;

&lt;p&gt;The underlying insight is not about AI capabilities. It is about where work starts. Most cross-functional tasks begin as a Slack message. Someone asks a question, flags a problem, or requests information that lives across three systems. The true value of shared agents is when it can do useful work in a place where that work already begins.&lt;/p&gt;

&lt;h2&gt;
  
  
  Do not build an AI employee. Pick one workflow.
&lt;/h2&gt;

&lt;p&gt;The fastest way to stall an agent project is to scope it as "an AI that can do anything." Start with one workflow. Choose something that is:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Frequent.&lt;/strong&gt; The team does it every week, ideally every day.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Cross-system.&lt;/strong&gt; It requires pulling context from two or more tools (Slack, GitHub, a dashboard, a CRM).&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Tedious to investigate manually.&lt;/strong&gt; Someone has to copy-paste between tabs, summarize findings, and post an update.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Easy for a human to review.&lt;/strong&gt; The agent produces a summary or recommendation, not a final irreversible action.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Some high-value starting points:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Incident triage&lt;/strong&gt; across Slack, GitHub, and observability tools. When errors spike after a deployment, the agent pulls recent commits, queries Datadog for error rates and latency, checks PagerDuty for related incidents, and posts a structured summary with evidence links.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Support escalation summaries&lt;/strong&gt; using your ticketing system, CRM, and internal docs. Instead of an engineer spending 15 minutes rebuilding context on an escalated ticket, the agent does it in seconds and posts the summary in the escalation channel.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Product-feedback triage&lt;/strong&gt; that reads a Slack thread, extracts the core request, checks for duplicates in Linear or Jira, and creates a properly tagged issue with the original thread linked.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Account research&lt;/strong&gt; that pulls together CRM data, recent email threads, product usage metrics, and internal notes before a customer call.&lt;/p&gt;

&lt;p&gt;Start narrow. A focused agent earns trust faster than a broadly capable one.&lt;/p&gt;

&lt;h2&gt;
  
  
  How does a Claude Tag-style Slack agent work?
&lt;/h2&gt;

&lt;p&gt;The architecture behind a Claude Tag-style agent has four layers:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Slack is the interface.&lt;/strong&gt; Users tag the agent in a thread. Slack delivers the triggering event; your application retrieves thread context via the API and displays results.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;The model is the reasoning layer.&lt;/strong&gt; It understands the request, decides what information it needs, and synthesizes a response. Use whatever LLM and agent framework fits your stack.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Arcade is the action layer.&lt;/strong&gt; It connects the agent to approved tools, handles authorization and token management, and enforces access policy. The model never sees credentials.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Your app handles orchestration.&lt;/strong&gt; Task state, retries, async job processing, and posting updates back to Slack.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fx54ag558ryuzh4oecx79.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fx54ag558ryuzh4oecx79.png" alt="Slack AI agent architecture showing the five stages from a Slack @mention, through the agent's reasoning loop and the Arcade API MCP Gateway, to approved tools and the result returned in Slack" width="800" height="400"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Each layer is independently replaceable. Swap the model, change the framework, add tools. The boundaries stay clean.&lt;/p&gt;

&lt;p&gt;What we are building is a shared agent, not a multi-user agent. Every tool call runs under a single service identity regardless of who tagged the bot. Step 4 covers how to add per-user authorization if your use case requires it.&lt;/p&gt;

&lt;p&gt;This prototype starts a run only when mentioned. Claude Tag's production experience supports unmentioned follow-ups within an active thread. To add that behavior, subscribe to &lt;code&gt;message.channels&lt;/code&gt; and &lt;code&gt;message.groups&lt;/code&gt;, track active thread IDs, and filter out bot-generated messages. That is a production extension beyond the scope of this walkthrough.&lt;/p&gt;

&lt;h2&gt;
  
  
  How to build a Claude Tag-style Slack agent with Arcade
&lt;/h2&gt;

&lt;p&gt;This walkthrough uses Python with Slack's Bolt framework and the Arcade Python SDK. The same pattern works with any language or agent framework that supports MCP or Arcade's REST API.&lt;/p&gt;

&lt;h3&gt;
  
  
  Prerequisites
&lt;/h3&gt;

&lt;p&gt;You need Python 3.8+, permission to create and install a Slack app, an &lt;a href="https://docs.arcade.dev/home/api-keys" rel="noopener noreferrer"&gt;Arcade account and API key&lt;/a&gt;, and an &lt;a href="https://platform.openai.com/api-keys" rel="noopener noreferrer"&gt;OpenAI API key&lt;/a&gt;. For local Slack Events API testing, also install and authenticate the &lt;a href="https://ngrok.com/docs/getting-started" rel="noopener noreferrer"&gt;ngrok CLI&lt;/a&gt; or another public HTTPS tunnel.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;python3 &lt;span class="nt"&gt;-m&lt;/span&gt; venv .venv
&lt;span class="nb"&gt;source&lt;/span&gt; .venv/bin/activate
python &lt;span class="nt"&gt;-m&lt;/span&gt; pip &lt;span class="nb"&gt;install &lt;/span&gt;slack-bolt arcadepy openai
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Step 1: Create the Slack app and event trigger
&lt;/h3&gt;

&lt;p&gt;Create a Slack app at &lt;a href="https://api.slack.com/apps" rel="noopener noreferrer"&gt;api.slack.com/apps&lt;/a&gt;. Under &lt;strong&gt;OAuth &amp;amp; Permissions&lt;/strong&gt;, add the bot scopes &lt;code&gt;app_mentions:read&lt;/code&gt;, &lt;code&gt;chat:write&lt;/code&gt;, &lt;code&gt;channels:history&lt;/code&gt;, and &lt;code&gt;groups:history&lt;/code&gt;. Install the app to your workspace, then copy the Bot User OAuth Token (&lt;code&gt;xoxb-...&lt;/code&gt;) and Signing Secret from the app settings.&lt;/p&gt;

&lt;p&gt;You now have everything needed to set the environment variables:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;export &lt;/span&gt;&lt;span class="nv"&gt;SLACK_BOT_TOKEN&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;"xoxb-..."&lt;/span&gt;
&lt;span class="nb"&gt;export &lt;/span&gt;&lt;span class="nv"&gt;SLACK_SIGNING_SECRET&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;"..."&lt;/span&gt;
&lt;span class="nb"&gt;export &lt;/span&gt;&lt;span class="nv"&gt;ARCADE_API_KEY&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;"..."&lt;/span&gt;
&lt;span class="nb"&gt;export &lt;/span&gt;&lt;span class="nv"&gt;ARCADE_USER_ID&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;"you@company.com"&lt;/span&gt;
&lt;span class="nb"&gt;export &lt;/span&gt;&lt;span class="nv"&gt;OPENAI_API_KEY&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;"..."&lt;/span&gt;
&lt;span class="nb"&gt;export &lt;/span&gt;&lt;span class="nv"&gt;SLACK_ALLOWED_CHANNEL_IDS&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;"C0123456789"&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;For &lt;code&gt;ARCADE_USER_ID&lt;/code&gt;, use the email associated with your Arcade account. Arcade's &lt;a href="https://docs.arcade.dev/home/quickstart" rel="noopener noreferrer"&gt;default development verifier&lt;/a&gt; expects that identity. This is the single shared identity under which every tool call executes. All mentions in all approved channels resolve to this one account. It does not create GitHub or PagerDuty service accounts on its own. If the agent must act under a dedicated downstream identity, use dedicated accounts during the OAuth flows in Step 2.&lt;/p&gt;

&lt;p&gt;Replace &lt;code&gt;C0123456789&lt;/code&gt; with your actual Slack channel ID. Open the channel in Slack's web or desktop app and copy the &lt;code&gt;C...&lt;/code&gt; portion of its URL (&lt;code&gt;https://app.slack.com/client/T.../C...&lt;/code&gt;). See Slack's &lt;a href="https://slack.com/help/articles/221769328-Locate-your-Slack-URL-or-ID" rel="noopener noreferrer"&gt;guide to locating IDs&lt;/a&gt; for details.&lt;/p&gt;

&lt;p&gt;&lt;code&gt;SLACK_ALLOWED_CHANNEL_IDS&lt;/code&gt; restricts the agent to specific channels, enforcing the per-channel scoping that Claude Tag uses. Comma-separate multiple channel IDs. If different channels need different permissions or toolsets, you will need a &lt;code&gt;channel_id&lt;/code&gt;-to-identity mapping or separate deployments.&lt;/p&gt;

&lt;p&gt;Slack's three-second rule is the critical implementation detail. Your endpoint must return HTTP 200 within three seconds or Slack marks delivery as failed and retries up to three times. Bolt handles acknowledgement automatically when you use the standard decorator pattern. For production workloads where agent processing takes longer, offload work to a task queue. Deduplicate on Slack's top-level &lt;code&gt;event_id&lt;/code&gt; before enqueueing work, otherwise retries can execute the same tools twice.&lt;/p&gt;

&lt;p&gt;Save this as &lt;code&gt;app.py&lt;/code&gt;:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;logging&lt;/span&gt;
&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;os&lt;/span&gt;

&lt;span class="kn"&gt;from&lt;/span&gt; &lt;span class="n"&gt;slack_bolt&lt;/span&gt; &lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;App&lt;/span&gt;
&lt;span class="kn"&gt;from&lt;/span&gt; &lt;span class="n"&gt;agent&lt;/span&gt; &lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;run_agent&lt;/span&gt;  &lt;span class="c1"&gt;# Step 3
&lt;/span&gt;
&lt;span class="n"&gt;ALLOWED_CHANNEL_IDS&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
    &lt;span class="n"&gt;value&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;strip&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;
    &lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="n"&gt;value&lt;/span&gt; &lt;span class="ow"&gt;in&lt;/span&gt; &lt;span class="n"&gt;os&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;environ&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;SLACK_ALLOWED_CHANNEL_IDS&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;].&lt;/span&gt;&lt;span class="nf"&gt;split&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;,&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
    &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="n"&gt;value&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;strip&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;

&lt;span class="n"&gt;app&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nc"&gt;App&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
    &lt;span class="n"&gt;token&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;os&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;environ&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;SLACK_BOT_TOKEN&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;],&lt;/span&gt;
    &lt;span class="n"&gt;signing_secret&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;os&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;environ&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;SLACK_SIGNING_SECRET&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;],&lt;/span&gt;
&lt;span class="p"&gt;)&lt;/span&gt;


&lt;span class="nd"&gt;@app.event&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;app_mention&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;span class="k"&gt;def&lt;/span&gt; &lt;span class="nf"&gt;handle_mention&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;event&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;client&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;say&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;context&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;logger&lt;/span&gt;&lt;span class="p"&gt;):&lt;/span&gt;
    &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="n"&gt;event&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;channel&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt; &lt;span class="ow"&gt;not&lt;/span&gt; &lt;span class="ow"&gt;in&lt;/span&gt; &lt;span class="n"&gt;ALLOWED_CHANNEL_IDS&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
        &lt;span class="n"&gt;logger&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;warning&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Ignoring mention from unauthorized channel %s&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;event&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;channel&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;])&lt;/span&gt;
        &lt;span class="k"&gt;return&lt;/span&gt;

    &lt;span class="c1"&gt;# Ignore messages from bots (including this one) to prevent loops
&lt;/span&gt;    &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="n"&gt;event&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;get&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;bot_id&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;):&lt;/span&gt;
        &lt;span class="k"&gt;return&lt;/span&gt;

    &lt;span class="n"&gt;thread_ts&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;event&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;get&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;thread_ts&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="ow"&gt;or&lt;/span&gt; &lt;span class="n"&gt;event&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;ts&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt;

    &lt;span class="k"&gt;try&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
        &lt;span class="c1"&gt;# Retrieve up to 50 messages of thread context.
&lt;/span&gt;        &lt;span class="c1"&gt;# Production implementations should follow
&lt;/span&gt;        &lt;span class="c1"&gt;# response_metadata.next_cursor for longer threads.
&lt;/span&gt;        &lt;span class="n"&gt;replies&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;client&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;conversations_replies&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
            &lt;span class="n"&gt;channel&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;event&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;channel&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;],&lt;/span&gt;
            &lt;span class="n"&gt;ts&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;thread_ts&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
            &lt;span class="n"&gt;limit&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="mi"&gt;50&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
        &lt;span class="p"&gt;)&lt;/span&gt;
        &lt;span class="n"&gt;bot_user_id&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;context&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;get&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;bot_user_id&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
        &lt;span class="n"&gt;transcript&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="p"&gt;[]&lt;/span&gt;
        &lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="n"&gt;message&lt;/span&gt; &lt;span class="ow"&gt;in&lt;/span&gt; &lt;span class="n"&gt;replies&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;get&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;messages&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="p"&gt;[]):&lt;/span&gt;
            &lt;span class="n"&gt;text&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;message&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;get&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;text&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="sh"&gt;""&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
            &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="n"&gt;bot_user_id&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
                &lt;span class="n"&gt;text&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;text&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;replace&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sa"&gt;f&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;&amp;lt;@&lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="n"&gt;bot_user_id&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="s"&gt;&amp;gt;&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="sh"&gt;""&lt;/span&gt;&lt;span class="p"&gt;).&lt;/span&gt;&lt;span class="nf"&gt;strip&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;
            &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="n"&gt;text&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
                &lt;span class="n"&gt;speaker&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;message&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;get&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;user&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="ow"&gt;or&lt;/span&gt; &lt;span class="n"&gt;message&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;get&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;bot_id&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;unknown&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
                &lt;span class="n"&gt;transcript&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;append&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sa"&gt;f&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="n"&gt;speaker&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="s"&gt;: &lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="n"&gt;text&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;

        &lt;span class="nf"&gt;say&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;On it. Gathering context...&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;thread_ts&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;thread_ts&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;

        &lt;span class="n"&gt;result&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nf"&gt;run_agent&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
            &lt;span class="n"&gt;os&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;environ&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;ARCADE_USER_ID&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;],&lt;/span&gt;
            &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="se"&gt;\n&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;join&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;transcript&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;
        &lt;span class="p"&gt;)&lt;/span&gt;
        &lt;span class="c1"&gt;# Slack recommends keeping messages under 4,000 characters.
&lt;/span&gt;        &lt;span class="c1"&gt;# Truncate or chunk longer responses in production.
&lt;/span&gt;        &lt;span class="nf"&gt;say&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;result&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;thread_ts&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;thread_ts&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
    &lt;span class="k"&gt;except&lt;/span&gt; &lt;span class="nb"&gt;Exception&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
        &lt;span class="n"&gt;logger&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;exception&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Agent failed&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
        &lt;span class="nf"&gt;say&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
            &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;I couldn&lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="s"&gt;t complete that investigation. Check the application logs.&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
            &lt;span class="n"&gt;thread_ts&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;thread_ts&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
        &lt;span class="p"&gt;)&lt;/span&gt;


&lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="n"&gt;__name__&lt;/span&gt; &lt;span class="o"&gt;==&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;__main__&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
    &lt;span class="n"&gt;logging&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;basicConfig&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;level&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;logging&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;INFO&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
    &lt;span class="c1"&gt;# This is Bolt's built-in development server. For production,
&lt;/span&gt;    &lt;span class="c1"&gt;# deploy through a supported web-framework adapter (e.g. Flask + Gunicorn).
&lt;/span&gt;    &lt;span class="n"&gt;app&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;start&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;port&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nf"&gt;int&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;os&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;environ&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;get&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;PORT&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;3000&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)))&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;A few things to note. Bolt handles signing-secret verification automatically when you pass &lt;code&gt;signing_secret&lt;/code&gt; to the App constructor. The channel allowlist on the first check enforces per-channel scoping so the agent only responds in channels you have explicitly approved. The &lt;code&gt;conversations_replies&lt;/code&gt; call retrieves up to one page of thread context so the agent sees more than just the triggering message. Slack's &lt;a href="https://docs.slack.dev/apis/events-api" rel="noopener noreferrer"&gt;Events API&lt;/a&gt; delivers only the triggering event, not the thread history, so your app must fetch it. And the &lt;code&gt;event.get("bot_id")&lt;/code&gt; guard prevents the agent from responding to its own messages and creating an infinite loop.&lt;/p&gt;

&lt;h3&gt;
  
  
  Step 2: Connect GitHub, Datadog, and PagerDuty with Arcade
&lt;/h3&gt;

&lt;p&gt;Arcade connects your agent to external systems through a curated set of tools. For incident triage, you need read-only tools from GitHub, Datadog, and PagerDuty. Select specific tools rather than loading entire toolkits. Toolkits include write operations that contradict a read-only agent's scope, and a narrower tool list helps the model pick the right tool more reliably.&lt;/p&gt;

&lt;p&gt;These tool names match Arcade's current &lt;a href="https://docs.arcade.dev/en/resources/integrations/development/github" rel="noopener noreferrer"&gt;GitHub&lt;/a&gt;, &lt;a href="https://docs.arcade.dev/en/resources/integrations/development/datadog" rel="noopener noreferrer"&gt;Datadog&lt;/a&gt;, and &lt;a href="https://docs.arcade.dev/en/resources/integrations/development/pagerduty" rel="noopener noreferrer"&gt;PagerDuty&lt;/a&gt; catalogs:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="n"&gt;TOOL_NAMES&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="p"&gt;[&lt;/span&gt;
    &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Github.ListRepositoryActivities&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
    &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Github.GetPullRequest&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
    &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Datadog.AggregateEvents&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
    &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Datadog.SearchLogs&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
    &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Pagerduty.ListIncidents&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
    &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Pagerduty.ListLogEntries&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="p"&gt;]&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Authorize tools before first use.&lt;/strong&gt; GitHub and PagerDuty require OAuth authorization. Datadog requires API credentials configured as Arcade secrets (&lt;code&gt;DATADOG_API_KEY&lt;/code&gt;, &lt;code&gt;DATADOG_APPLICATION_KEY&lt;/code&gt;, and &lt;code&gt;DATADOG_SITE&lt;/code&gt;). Configure the Datadog secrets in the &lt;a href="https://api.arcade.dev/dashboard/auth/secrets" rel="noopener noreferrer"&gt;Arcade secrets dashboard&lt;/a&gt;, then save the following as &lt;code&gt;authorize.py&lt;/code&gt; and run it once to complete the OAuth flows:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="kn"&gt;from&lt;/span&gt; &lt;span class="n"&gt;arcadepy&lt;/span&gt; &lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;Arcade&lt;/span&gt;
&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;os&lt;/span&gt;

&lt;span class="n"&gt;arcade&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nc"&gt;Arcade&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;
&lt;span class="n"&gt;user_id&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;os&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;environ&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;ARCADE_USER_ID&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt;

&lt;span class="n"&gt;OAUTH_TOOLS&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="p"&gt;[&lt;/span&gt;
    &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Github.ListRepositoryActivities&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
    &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Github.GetPullRequest&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
    &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Pagerduty.ListIncidents&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
    &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Pagerduty.ListLogEntries&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="p"&gt;]&lt;/span&gt;

&lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="n"&gt;tool_name&lt;/span&gt; &lt;span class="ow"&gt;in&lt;/span&gt; &lt;span class="n"&gt;OAUTH_TOOLS&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
    &lt;span class="n"&gt;auth&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;arcade&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;tools&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;authorize&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;tool_name&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;tool_name&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;user_id&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;user_id&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
    &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="n"&gt;auth&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;status&lt;/span&gt; &lt;span class="o"&gt;!=&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;completed&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
        &lt;span class="nf"&gt;print&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sa"&gt;f&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Authorize &lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="n"&gt;tool_name&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="s"&gt;: &lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="n"&gt;auth&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;url&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
        &lt;span class="n"&gt;arcade&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;auth&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;wait_for_completion&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;auth&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nb"&gt;id&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;

&lt;span class="nf"&gt;print&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;All OAuth-backed tools authorized.&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Open each URL and complete the OAuth consent. Arcade stores the tokens and refreshes them automatically. Subsequent calls reuse the authorization until it expires, is revoked, or a tool requires additional permissions. See Arcade's &lt;a href="https://docs.arcade.dev/en/guides/tool-calling/custom-apps/auth-tool-calling" rel="noopener noreferrer"&gt;authorization guide&lt;/a&gt; for the full setup flow.&lt;/p&gt;

&lt;p&gt;If your agent framework supports MCP natively, you can alternatively create an &lt;a href="https://docs.arcade.dev/en/guides/mcp-gateways" rel="noopener noreferrer"&gt;Arcade MCP Gateway&lt;/a&gt; that federates these tools behind a single Streamable-HTTP endpoint. The gateway serves tool definitions over MCP, so your agent discovers exactly the tools you curated. The direct SDK approach shown here works with any framework.&lt;/p&gt;

&lt;p&gt;Tool selection is both a technical and product decision. The fewer tools the agent sees, the more reliably it picks the right one.&lt;/p&gt;

&lt;h3&gt;
  
  
  Step 3: Build the tool-calling agent loop
&lt;/h3&gt;

&lt;p&gt;This is the piece that connects the Slack trigger to the tools. Your agent runtime sits between Slack and Arcade: it receives the thread transcript, uses an LLM to decide what tools to call, and executes them through Arcade.&lt;/p&gt;

&lt;p&gt;Arcade is framework-agnostic. It works with LangGraph, the OpenAI Agents SDK, CrewAI, Mastra, Pydantic AI, Google ADK, or any MCP-compatible client. The integration has two touchpoints, both through the &lt;code&gt;arcadepy&lt;/code&gt; SDK: &lt;code&gt;tools.formatted.get&lt;/code&gt; to load tool definitions, and &lt;code&gt;tools.execute&lt;/code&gt; to run them.&lt;/p&gt;

&lt;p&gt;Save the following as &lt;code&gt;agent.py&lt;/code&gt;. This is the &lt;code&gt;run_agent&lt;/code&gt; function imported in Step 1, using the OpenAI Chat Completions API directly:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;json&lt;/span&gt;
&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;os&lt;/span&gt;

&lt;span class="kn"&gt;from&lt;/span&gt; &lt;span class="n"&gt;arcadepy&lt;/span&gt; &lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;Arcade&lt;/span&gt;
&lt;span class="kn"&gt;from&lt;/span&gt; &lt;span class="n"&gt;openai&lt;/span&gt; &lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;OpenAI&lt;/span&gt;

&lt;span class="n"&gt;arcade&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nc"&gt;Arcade&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;   &lt;span class="c1"&gt;# reads ARCADE_API_KEY from env
&lt;/span&gt;&lt;span class="n"&gt;llm&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nc"&gt;OpenAI&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;      &lt;span class="c1"&gt;# reads OPENAI_API_KEY from env
&lt;/span&gt;
&lt;span class="c1"&gt;# Load tools once at startup, not on every request
&lt;/span&gt;&lt;span class="n"&gt;TOOL_NAMES&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="p"&gt;[&lt;/span&gt;
    &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Github.ListRepositoryActivities&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
    &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Github.GetPullRequest&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
    &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Datadog.AggregateEvents&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
    &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Datadog.SearchLogs&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
    &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Pagerduty.ListIncidents&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
    &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Pagerduty.ListLogEntries&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="p"&gt;]&lt;/span&gt;

&lt;span class="n"&gt;OPENAI_TOOLS&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="p"&gt;[]&lt;/span&gt;
&lt;span class="n"&gt;ARCADE_NAME_BY_FUNCTION&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="p"&gt;{}&lt;/span&gt;

&lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="n"&gt;arcade_name&lt;/span&gt; &lt;span class="ow"&gt;in&lt;/span&gt; &lt;span class="n"&gt;TOOL_NAMES&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
    &lt;span class="n"&gt;definition&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;arcade&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;tools&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;formatted&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;get&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
        &lt;span class="n"&gt;name&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;arcade_name&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
        &lt;span class="nb"&gt;format&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;openai&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
    &lt;span class="p"&gt;)&lt;/span&gt;
    &lt;span class="n"&gt;OPENAI_TOOLS&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;append&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;definition&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
    &lt;span class="n"&gt;ARCADE_NAME_BY_FUNCTION&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="n"&gt;definition&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;function&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;][&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;name&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;]]&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;arcade_name&lt;/span&gt;

&lt;span class="n"&gt;SYSTEM_PROMPT&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;
    &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;You investigate production incidents using only the supplied read-only &lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;
    &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;tools. Return a concise summary, evidence with source identifiers or &lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;
    &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;links, a recommended next step, and an Actions taken section. Never &lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;
    &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;claim a query succeeded unless its tool result confirms success.&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;
&lt;span class="p"&gt;)&lt;/span&gt;

&lt;span class="n"&gt;MAX_TOOL_ROUNDS&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="mi"&gt;8&lt;/span&gt;


&lt;span class="k"&gt;def&lt;/span&gt; &lt;span class="nf"&gt;run_agent&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;user_id&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="nb"&gt;str&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;query&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="nb"&gt;str&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="o"&gt;-&amp;gt;&lt;/span&gt; &lt;span class="nb"&gt;str&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
    &lt;span class="n"&gt;messages&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="p"&gt;[&lt;/span&gt;
        &lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;role&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;system&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;content&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="n"&gt;SYSTEM_PROMPT&lt;/span&gt;&lt;span class="p"&gt;},&lt;/span&gt;
        &lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;role&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;user&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;content&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="n"&gt;query&lt;/span&gt;&lt;span class="p"&gt;},&lt;/span&gt;
    &lt;span class="p"&gt;]&lt;/span&gt;

    &lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="n"&gt;_&lt;/span&gt; &lt;span class="ow"&gt;in&lt;/span&gt; &lt;span class="nf"&gt;range&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;MAX_TOOL_ROUNDS&lt;/span&gt;&lt;span class="p"&gt;):&lt;/span&gt;
        &lt;span class="n"&gt;response&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;llm&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;chat&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;completions&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;create&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
            &lt;span class="n"&gt;model&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;os&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;getenv&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;OPENAI_MODEL&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;gpt-4.1&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;
            &lt;span class="n"&gt;messages&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;messages&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
            &lt;span class="n"&gt;tools&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;OPENAI_TOOLS&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
            &lt;span class="n"&gt;store&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="bp"&gt;False&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
        &lt;span class="p"&gt;)&lt;/span&gt;
        &lt;span class="n"&gt;msg&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;response&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;choices&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;].&lt;/span&gt;&lt;span class="n"&gt;message&lt;/span&gt;
        &lt;span class="n"&gt;messages&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;append&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;msg&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;

        &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="ow"&gt;not&lt;/span&gt; &lt;span class="n"&gt;msg&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;tool_calls&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
            &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="n"&gt;msg&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;content&lt;/span&gt; &lt;span class="ow"&gt;or&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;No response was produced.&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;

        &lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="n"&gt;tc&lt;/span&gt; &lt;span class="ow"&gt;in&lt;/span&gt; &lt;span class="n"&gt;msg&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;tool_calls&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
            &lt;span class="n"&gt;arcade_name&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;ARCADE_NAME_BY_FUNCTION&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="n"&gt;tc&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;function&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;name&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt;
            &lt;span class="n"&gt;result&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;arcade&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;tools&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;execute&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
                &lt;span class="n"&gt;tool_name&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;arcade_name&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
                &lt;span class="nb"&gt;input&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;json&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;loads&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;tc&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;function&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;arguments&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;
                &lt;span class="n"&gt;user_id&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;user_id&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
            &lt;span class="p"&gt;)&lt;/span&gt;

            &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="n"&gt;result&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;success&lt;/span&gt; &lt;span class="ow"&gt;and&lt;/span&gt; &lt;span class="n"&gt;result&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;output&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
                &lt;span class="n"&gt;value&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;result&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;output&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;value&lt;/span&gt;
            &lt;span class="k"&gt;else&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
                &lt;span class="n"&gt;error&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;
                    &lt;span class="n"&gt;result&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;output&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;error&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;message&lt;/span&gt;
                    &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="n"&gt;result&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;output&lt;/span&gt; &lt;span class="ow"&gt;and&lt;/span&gt; &lt;span class="n"&gt;result&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;output&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;error&lt;/span&gt;
                    &lt;span class="k"&gt;else&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Unknown tool error&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;
                &lt;span class="p"&gt;)&lt;/span&gt;
                &lt;span class="n"&gt;value&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;error&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="n"&gt;error&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;

            &lt;span class="n"&gt;messages&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;append&lt;/span&gt;&lt;span class="p"&gt;({&lt;/span&gt;
                &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;role&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;tool&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
                &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;tool_call_id&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="n"&gt;tc&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nb"&gt;id&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
                &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;content&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="n"&gt;json&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;dumps&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;value&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;default&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nb"&gt;str&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;
            &lt;span class="p"&gt;})&lt;/span&gt;

    &lt;span class="k"&gt;raise&lt;/span&gt; &lt;span class="nc"&gt;RuntimeError&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Agent exceeded the maximum number of tool rounds&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;A few things worth noting. Tools are loaded once at module level using &lt;code&gt;formatted.get&lt;/code&gt; for each specific tool, which avoids pulling in unwanted write operations and eliminates per-request overhead. The &lt;code&gt;ARCADE_NAME_BY_FUNCTION&lt;/code&gt; mapping handles the translation between OpenAI's function names and Arcade's tool names. The loop caps at &lt;code&gt;MAX_TOOL_ROUNDS&lt;/code&gt; to prevent runaway execution. Structured tool failures returned by Arcade are fed back to the model as tool results, so it can report issues in its summary rather than crashing silently. Network and SDK exceptions still bubble to the outer Slack handler. And &lt;code&gt;store=False&lt;/code&gt; disables storage of the Chat Completion as application state. It does not itself enable Zero Data Retention; API requests may still generate abuse-monitoring logs according to your organization's &lt;a href="https://developers.openai.com/api/docs/guides/your-data" rel="noopener noreferrer"&gt;data-control settings&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Arcade documents &lt;code&gt;formatted.get&lt;/code&gt;, &lt;code&gt;formatted.list&lt;/code&gt;, and the OpenAI format &lt;a href="https://docs.arcade.dev/en/guides/tool-calling/custom-apps/get-tool-definitions" rel="noopener noreferrer"&gt;here&lt;/a&gt;. Chat Completions remains supported, and GPT-4.1 supports function calling. OpenAI recommends the Responses API for new projects, but the pattern above is valid. For a complete Slack-to-Arcade reference implementation using LangGraph, see &lt;a href="https://github.com/ArcadeAI/SlackAgent" rel="noopener noreferrer"&gt;ArcadeAI/SlackAgent&lt;/a&gt;. For other frameworks, see Arcade's &lt;a href="https://docs.arcade.dev/en/get-started/agent-frameworks/openai-agents/setup-python" rel="noopener noreferrer"&gt;framework-specific setup guides&lt;/a&gt;.&lt;/p&gt;

&lt;h3&gt;
  
  
  Step 4: Run and test the agent
&lt;/h3&gt;

&lt;p&gt;With all three files saved:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Run &lt;code&gt;python authorize.py&lt;/code&gt; once to complete the OAuth flows.&lt;/li&gt;
&lt;li&gt;Run &lt;code&gt;python app.py&lt;/code&gt; to start the Bolt development server.&lt;/li&gt;
&lt;li&gt;In another terminal, run &lt;code&gt;ngrok http 3000&lt;/code&gt; to expose the server.&lt;/li&gt;
&lt;li&gt;In your Slack app settings, set the Request URL to &lt;code&gt;https://&amp;lt;your-ngrok-host&amp;gt;/slack/events&lt;/code&gt;, subscribe to &lt;code&gt;app_mention&lt;/code&gt;, and reinstall the app if Slack prompts you.&lt;/li&gt;
&lt;li&gt;Invite the bot to your test channel with &lt;code&gt;/invite @YourBot&lt;/code&gt; and try a mention.&lt;/li&gt;
&lt;/ol&gt;

&lt;h3&gt;
  
  
  Step 5: Configure identity and secure tool access
&lt;/h3&gt;

&lt;p&gt;The prototype above is a shared agent: one fixed service identity (&lt;code&gt;ARCADE_USER_ID&lt;/code&gt;) handles every tool call, no matter which teammate tagged the bot. That is the right starting point for a read-only agent, but it is not the only option. A multi-user agent, where each person authorizes tools under their own identity, requires a different auth pattern. Which identity the agent uses, and whether users need to authorize tools themselves, depends on the access model you choose.&lt;/p&gt;

&lt;p&gt;A useful architecture for recreating the Claude Tag pattern uses two identity models. Public launch material confirms Claude Tag's channel-scoped shared identity, and the DM model extends naturally from it:&lt;/p&gt;

&lt;p&gt;In &lt;strong&gt;shared channels&lt;/strong&gt;, the agent acts under its own dedicated identity, not the tagging user's. Permissions are scoped per-channel.&lt;/p&gt;

&lt;p&gt;In &lt;strong&gt;DMs&lt;/strong&gt;, the agent runs with the user's own connectors and credentials.&lt;/p&gt;

&lt;p&gt;Replicate this with Arcade's auth patterns:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;For shared-channel agents&lt;/strong&gt; (like &lt;code&gt;#eng-incidents&lt;/code&gt;), use a fixed service identity as shown in Steps 1 through 3. If you are connecting through an MCP Gateway instead of the direct SDK, &lt;a href="https://docs.arcade.dev/en/guides/mcp-gateways" rel="noopener noreferrer"&gt;Arcade Headers&lt;/a&gt; authenticates the gateway connection. An important distinction: Arcade Headers authenticates the connection to the gateway itself, but it does not bypass OAuth authorization required by individual tools like GitHub or PagerDuty. Gateway authentication and &lt;a href="https://docs.arcade.dev/en/learn/server-level-vs-tool-level-auth" rel="noopener noreferrer"&gt;tool-level authorization&lt;/a&gt; are separate layers. That is why the one-time setup in Step 2 is necessary regardless of which auth mode you choose.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;For personal DM agents&lt;/strong&gt;, the tools change too. Instead of shared incident-response tools, a DM agent might access a user's own Gmail, Calendar, or Drive. Use per-user OAuth through Arcade's &lt;a href="https://docs.arcade.dev/en/guides/tool-calling/custom-apps/auth-tool-calling" rel="noopener noreferrer"&gt;&lt;code&gt;tools.authorize&lt;/code&gt;&lt;/a&gt; flow. When a tool requires the user's own credentials, Arcade returns an authorization URL. Your app posts that URL to the user in Slack, waits for consent, then resumes execution. The model never sees the token.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="k"&gt;def&lt;/span&gt; &lt;span class="nf"&gt;authorize_and_execute&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;arcade&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;slack_client&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;channel_id&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;user_id&lt;/span&gt;&lt;span class="p"&gt;):&lt;/span&gt;
    &lt;span class="sh"&gt;"""&lt;/span&gt;&lt;span class="s"&gt;Authorize a tool for a specific user and execute it.&lt;/span&gt;&lt;span class="sh"&gt;"""&lt;/span&gt;
    &lt;span class="n"&gt;auth&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;arcade&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;tools&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;authorize&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
        &lt;span class="n"&gt;tool_name&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Gmail.ListEmails&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
        &lt;span class="n"&gt;user_id&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;user_id&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
    &lt;span class="p"&gt;)&lt;/span&gt;
    &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="n"&gt;auth&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;status&lt;/span&gt; &lt;span class="o"&gt;!=&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;completed&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
        &lt;span class="c1"&gt;# In a DM, use a persistent message (no need for ephemeral)
&lt;/span&gt;        &lt;span class="n"&gt;slack_client&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;chat_postMessage&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
            &lt;span class="n"&gt;channel&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;channel_id&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
            &lt;span class="n"&gt;text&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="sa"&gt;f&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Please authorize Gmail access: &lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="n"&gt;auth&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;url&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
        &lt;span class="p"&gt;)&lt;/span&gt;
        &lt;span class="n"&gt;arcade&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;auth&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;wait_for_completion&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;auth&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nb"&gt;id&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;

    &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="n"&gt;arcade&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;tools&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;execute&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
        &lt;span class="n"&gt;tool_name&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Gmail.ListEmails&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
        &lt;span class="n"&gt;user_id&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;user_id&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
    &lt;span class="p"&gt;)&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Arcade stores and refreshes OAuth tokens automatically. Subsequent calls reuse the authorization until it expires, is revoked, or a tool requires additional permissions.&lt;/p&gt;

&lt;p&gt;Note that Step 1 does not currently implement DM support. To add it, you need the bot scope &lt;code&gt;im:history&lt;/code&gt;, the bot event &lt;code&gt;message.im&lt;/code&gt;, and a separate &lt;code&gt;@app.event("message")&lt;/code&gt; handler that checks &lt;code&gt;event["channel_type"] == "im"&lt;/code&gt; and filters out bot messages. Slack does not deliver DMs as &lt;code&gt;app_mention&lt;/code&gt; events. See Slack's &lt;a href="https://docs.slack.dev/reference/events/message.im/" rel="noopener noreferrer"&gt;&lt;code&gt;message.im&lt;/code&gt; documentation&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;For a per-user identity without requiring email scopes in Slack, Arcade accepts any consistent unique identifier. A composite Slack identity like &lt;code&gt;f"{body['team_id']}:{event['user']}"&lt;/code&gt; works and avoids the need for &lt;code&gt;users:read&lt;/code&gt; or &lt;code&gt;users:read.email&lt;/code&gt; permissions.&lt;/p&gt;

&lt;p&gt;For production multi-user agents, use Arcade's &lt;a href="https://docs.arcade.dev/en/guides/user-facing-agents/secure-auth-production" rel="noopener noreferrer"&gt;custom user verifier&lt;/a&gt; so end-user identity is verified against your own identity system rather than relying on Slack ID mapping alone. Note that production multi-user OAuth also requires your own provider OAuth app credentials, since Arcade's default OAuth apps use the Arcade verifier.&lt;/p&gt;

&lt;h3&gt;
  
  
  Step 6: Return auditable results in Slack
&lt;/h3&gt;

&lt;p&gt;Trustworthy agents show their work. Structure every response so a human can verify what happened before acting on it.&lt;/p&gt;

&lt;p&gt;Here is what a good incident-triage response looks like in Slack:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Summary: Checkout error rate increased 340% starting at 14:32 UTC, correlating with deployment v2.41.3 merged at 14:28.
Evidence:
- Datadog: p99 latency spiked from 220ms to 1,400ms at 14:32
- GitHub: PR #1847 modified the payment validation middleware
- PagerDuty: No prior incidents on checkout-service in the last 7 days
Recommended next step: Review the diff in PR #1847, specifically checkout/validation.py lines 84-112. Consider a rollback if error rate does not stabilize within 15 minutes.
Actions taken: Read-only queries to GitHub, Datadog, and PagerDuty. No writes performed.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The "actions taken" line matters. It tells the team exactly what the agent did and, just as importantly, what it did not do.&lt;/p&gt;

&lt;h2&gt;
  
  
  How to secure and govern a Claude Tag-style Slack agent
&lt;/h2&gt;

&lt;p&gt;Governance is not a compliance afterthought. It is what lets teams deploy useful agents in the first place. Without clear controls, security teams will block the project before it ships.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Start read-only.&lt;/strong&gt; Give the agent query access to GitHub, Datadog, and PagerDuty. Do not grant write access until the team has confidence in the agent's judgment.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Require approval before consequential writes.&lt;/strong&gt; Opening a PR, acknowledging a PagerDuty incident, posting to a customer-facing channel: these should require a human to confirm. Arcade's &lt;a href="https://docs.arcade.dev/en/guides/contextual-access" rel="noopener noreferrer"&gt;Contextual Access&lt;/a&gt; hooks let you enforce this with pre-execution webhooks that allow, deny, or modify tool execution. Your application collects the human approval and resumes the job; Contextual Access handles the policy-enforcement layer.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Scope tool access by workflow.&lt;/strong&gt; The incident agent should not see CRM tools. The support agent should not see deployment tooling. Separate tool sets per workflow enforce this structurally, whether you use explicit tool lists in the SDK or separate MCP Gateways.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Log what the agent did.&lt;/strong&gt; Arcade's audit logs capture administrative actions by default. Combine these with your application-level logs and downstream SaaS audit trails so you can always answer: what did the agent do, under which identity, in which system?&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Make it easy to stop.&lt;/strong&gt; A kill switch is a feature. Revoking the agent's dedicated API key or disabling the Slack app should take seconds.&lt;/p&gt;

&lt;h2&gt;
  
  
  Build the Slack agent your team will actually tag
&lt;/h2&gt;

&lt;p&gt;The goal is not an AI agent that can do everything. It is one dependable agent that removes friction from a workflow your team performs every week.&lt;/p&gt;

&lt;p&gt;Pick the workflow. Define the toolset. Wire up the Slack trigger. Connect the tools through &lt;a href="https://www.arcade.dev" rel="noopener noreferrer"&gt;Arcade.dev&lt;/a&gt;. Start read-only, return inspectable results, and expand scope as trust builds.&lt;/p&gt;

&lt;p&gt;The team that ships a useful agent in one channel next week will learn more than the team that spends a quarter designing a platform for every channel.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Start here:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;[ ] Identify one recurring, cross-system workflow your team performs in Slack&lt;/li&gt;
&lt;li&gt;[ ] Pick a small read-only toolset from Arcade's &lt;a href="https://docs.arcade.dev/en/resources/integrations" rel="noopener noreferrer"&gt;tool catalog&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;[ ] Authorize those tools for your service identity (&lt;code&gt;python authorize.py&lt;/code&gt;)&lt;/li&gt;
&lt;li&gt;[ ] Build the Slack trigger with thread context retrieval and error handling&lt;/li&gt;
&lt;li&gt;[ ] Deploy, observe, and expand deliberately&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Explore Arcade's &lt;a href="https://docs.arcade.dev/en/resources/integrations" rel="noopener noreferrer"&gt;tool catalog&lt;/a&gt;, &lt;a href="https://docs.arcade.dev/en/guides/tool-calling/custom-apps/auth-tool-calling" rel="noopener noreferrer"&gt;authorization guides&lt;/a&gt;, and &lt;a href="https://docs.arcade.dev/en/guides/mcp-gateways" rel="noopener noreferrer"&gt;MCP Gateway documentation&lt;/a&gt; to get started. The code from this guide is on &lt;a href="https://github.com/manveer/open-claude-tag" rel="noopener noreferrer"&gt;GitHub&lt;/a&gt;. Fork it and build something useful.&lt;/p&gt;

&lt;h2&gt;
  
  
  Frequently Asked Questions
&lt;/h2&gt;

&lt;h3&gt;
  
  
  What is Claude Tag?
&lt;/h3&gt;

&lt;p&gt;Claude Tag is Anthropic's shared AI agent for Slack, launched on June 23, 2026 for Enterprise and Team customers. Unlike the previous Claude in Slack integration, which ran as a personal assistant under each user's own account, Claude Tag operates as a shared teammate in channels. Anyone can tag &lt;a class="mentioned-user" href="https://dev.to/claude"&gt;@claude&lt;/a&gt;, and the entire exchange is visible to the channel. It reads thread context, uses connected tools, and posts structured results in-thread.&lt;/p&gt;

&lt;h3&gt;
  
  
  How is Claude Tag different from Claude in Slack?
&lt;/h3&gt;

&lt;p&gt;Claude in Slack gave each user a private instance that acted under their personal permissions and usage quota. Claude Tag replaces that with a single shared identity per channel, scoped by an admin. Work is visible to the whole channel, anyone can pick up a conversation where someone else left off, and Claude builds persistent context as it follows along. Anthropic will automatically migrate existing Claude in Slack workspaces to Claude Tag on August 3, 2026.&lt;/p&gt;

&lt;h3&gt;
  
  
  Can you build your own version of Claude Tag?
&lt;/h3&gt;

&lt;p&gt;Yes. Claude Tag's core interaction pattern is reproducible: a Slack event trigger, an LLM reasoning loop, and authorized access to external tools. This tutorial builds that pattern with Python, Slack Bolt, and Arcade. Arcade handles tool connectivity and OAuth token management so you can connect to systems like GitHub, Datadog, and PagerDuty without managing credentials yourself. The result is not Anthropic's proprietary product, but a Claude Tag-style agent you fully control.&lt;/p&gt;

&lt;h3&gt;
  
  
  What does Arcade do in a Slack AI agent?
&lt;/h3&gt;

&lt;p&gt;Arcade is the action layer between your agent and external tools. It handles three things: loading tool definitions formatted for your LLM, executing tool calls with the correct credentials injected at runtime, and managing OAuth authorization flows so the model never sees tokens or API keys. You choose which tools the agent can access, and Arcade enforces that scope on every request.&lt;/p&gt;

&lt;h3&gt;
  
  
  Does my Slack AI agent have access to user passwords or API keys?
&lt;/h3&gt;

&lt;p&gt;No. Arcade manages all credentials on the server side. When a tool requires OAuth (like GitHub or PagerDuty), the user completes a consent flow once and Arcade stores and refreshes the token. When a tool requires API keys (like Datadog), those are configured as secrets in the Arcade dashboard. The LLM and your application code never see raw credentials. Arcade injects the right token at execution time.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>claude</category>
      <category>agents</category>
      <category>mcp</category>
    </item>
    <item>
      <title>Enterprise-Managed Authorization Is a Foundation, Not a Ceiling: Why Connected Agents Need Per-Action Authorization</title>
      <dc:creator>Manveer Chawla</dc:creator>
      <pubDate>Tue, 23 Jun 2026 20:19:06 +0000</pubDate>
      <link>https://dev.to/arcade/enterprise-managed-authentication-mcp-per-action-authorization-for-enterprise-ai-agents-3hd1</link>
      <guid>https://dev.to/arcade/enterprise-managed-authentication-mcp-per-action-authorization-for-enterprise-ai-agents-3hd1</guid>
      <description>&lt;h2&gt;
  
  
  &lt;strong&gt;TL;DR&lt;/strong&gt;
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Enterprise-Managed Authorization (EMA) centralizes access provisioning and eliminates per-server consent prompts. It is the right solution for connection-time governance. It was not designed to authorize each individual tool call, and it does not.
&lt;/li&gt;
&lt;li&gt;AI workflows need per-action authorization to limit the blast radius of prompt injection, because attacks exploit the gap between "this agent is allowed to connect" and "this specific action should execute right now."
&lt;/li&gt;
&lt;li&gt;A secure authorization layer must evaluate the intersection of organization policies, user delegation, and agent capability boundaries immediately before an action executes.
&lt;/li&gt;
&lt;li&gt;Production-grade deployments use a pre-execution interceptor and credential isolation to guarantee that large language models never access raw authentication tokens directly.
&lt;/li&gt;
&lt;li&gt;High-risk production deployments need action-level runtime enforcement, implemented in-house or through an action runtime such as Arcade, without replacing existing corporate identity infrastructure, including EMA.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;What Enterprise-Managed Authorization (EMA) Solves for MCP&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://modelcontextprotocol.io/extensions/auth/enterprise-managed-authorization" rel="noopener noreferrer"&gt;Enterprise-Managed Authorization&lt;/a&gt; is now stable. The extension, adopted by Anthropic, Microsoft, Okta, and a growing number of MCP servers, solves the per-server OAuth consent tax that slowed enterprise MCP adoption.&lt;/p&gt;

&lt;p&gt;Before EMA, every employee had to authorize every MCP server individually. Security teams had no centralized control. Work and personal accounts bled together. EMA eliminates all of this by making the organization's IdP the authoritative decision-maker for MCP server access. Administrators define policy once. Users authenticate through single sign-on and inherit every server their role permits. No per-app OAuth, nothing to configure as a one-off.&lt;/p&gt;

&lt;p&gt;Under the hood, as part of the SSO-based authorization flow, the client obtains an identity assertion and uses it to request an Identity Assertion JWT Authorization Grant (ID-JAG), which it exchanges for access tokens from each MCP server's authorization server. Three properties follow: authorize once and inherit everywhere, centralized policy and audit for access decisions, and elimination of personal/enterprise account mixups.&lt;/p&gt;

&lt;p&gt;This is valuable infrastructure. It is also, by design, a grant-time decision. EMA's IdP evaluates policy when tokens are issued (and may re-evaluate on renewal), but its standardized authorization visibility does not extend to individual tool calls. EMA determines &lt;em&gt;who may connect to what&lt;/em&gt;. It has nothing to say about whether a specific tool call, proposed by a potentially compromised agent five minutes after the token was issued, should actually execute.&lt;/p&gt;

&lt;p&gt;That gap is where the real attacks live.&lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;How Prompt Injection Exploits Authenticated AI Agents&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;In early 2025, security researcher Johann Rehberger demonstrated &lt;a href="https://embracethered.com/blog/posts/2025/spaiware-and-chatgpt-command-and-control-via-prompt-injection-zombai/" rel="noopener noreferrer"&gt;SpAIware&lt;/a&gt;: a single indirect prompt injection, delivered through a malicious website, planted persistent instructions in ChatGPT's memory store. Those instructions survived logouts and browser restarts. The compromised instance then acted as a command-and-control relay, polling a public GitHub repository for attacker commands and writing exfiltrated data to Azure Blob Storage request logs. The CSA's March 2026 &lt;a href="https://labs.cloudsecurityalliance.org/research/csa-research-note-promptware-agent-commander-c2-20260317-csa/" rel="noopener noreferrer"&gt;Promptware report&lt;/a&gt; generalized this into a broader class of agent C2 attacks.&lt;/p&gt;

&lt;p&gt;The agent's built-in capabilities (web access, memory, code execution) were all legitimately available to its runtime. EMA-style centralized provisioning would not have changed the outcome. The injected instructions exploited capabilities already present in the agent's environment, not separately provisioned OAuth connections. No authorization layer distinguished a user-initiated action from an injection-initiated one. Connection-time governance was powerless because the problem was never authentication. The agent was who it claimed to be.&lt;/p&gt;

&lt;p&gt;In mid-2026, researchers demonstrated prompt-injection attacks through GitHub comments, issue bodies, and PR titles that &lt;a href="https://www.securityweek.com/claude-code-gemini-cli-github-copilot-agents-vulnerable-to-prompt-injection-via-comments/" rel="noopener noreferrer"&gt;hijacked Claude Code, Gemini CLI, and GitHub Copilot Agent&lt;/a&gt;. Across the three products, the attacks exploited pre-authorized tool capabilities to exfiltrate CI secrets; some variants also induced shell-command execution. A related &lt;a href="https://arxiv.org/abs/2605.11229" rel="noopener noreferrer"&gt;academic study&lt;/a&gt; documented similar injection vectors across 15 GitHub Actions. Anthropic's remediation was telling: they disallowed the &lt;code&gt;ps&lt;/code&gt; tool rather than restricting broad tool access. The response was a band-aid on a connection-level wound.&lt;/p&gt;

&lt;p&gt;These are not isolated demonstrations. &lt;a href="https://www.f5.com/resources/articles/top-agentic-ai-security-vulnerabilities-in-banking" rel="noopener noreferrer"&gt;F5&lt;/a&gt; describes a banking scenario in which threat actors use prompt injection against an AI chatbot to initiate unauthorized financial transactions, with the bank identifying the loss only after multiple accounts are impacted. &lt;a href="https://github.com/requie/AI-Red-Teaming-Guide" rel="noopener noreferrer"&gt;The AI Red Teaming Guide&lt;/a&gt; catalogs a growing body of MCP-related vulnerabilities disclosed through 2025. Simon Willison, who has tracked prompt injection since 2022, coined the "&lt;a href="https://simonw.substack.com/p/the-lethal-trifecta-for-ai-agents" rel="noopener noreferrer"&gt;lethal trifecta&lt;/a&gt;" for this pattern: private data, untrusted content, and external communication converging in the same system.&lt;/p&gt;

&lt;p&gt;The common thread across every attack: attackers induced agents to misuse capabilities already available to their runtimes. No authorization layer asked whether the specific action matched the user's intent.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Per-action authorization&lt;/strong&gt; evaluates whether a specific tool call should proceed based on the intersection of organization policy, user delegation, and agent capability, checked at execution time, after the prompt, for every action independently. It is distinct from grant-time authorization (evaluated at token issuance, which is what EMA provides) and session-level authorization (checked once per conversation).&lt;/p&gt;

&lt;p&gt;Per-action authorization is not itself a prompt-injection detector. It limits blast radius by denying or escalating actions that violate deterministic constraints. An injected action that remains within those constraints may still execute, so provenance controls, content isolation, and human approval remain necessary for sensitive operations.&lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;EMA vs. Per-Action Authorization: Provisioning vs. Runtime&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;EMA and per-action authorization are not competing solutions. They operate at different points in the execution lifecycle and address different threat models.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Concern&lt;/th&gt;
&lt;th&gt;EMA (Connection-Time)&lt;/th&gt;
&lt;th&gt;Per-Action Authorization (Runtime)&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Decision point&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Before the agent connects to a server&lt;/td&gt;
&lt;td&gt;Before the agent executes a specific tool call&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;What it answers&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;"Is this user/agent allowed to access this MCP server?"&lt;/td&gt;
&lt;td&gt;"Should this specific action execute in this context?"&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Policy inputs&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;IdP groups, roles, conditional access rules&lt;/td&gt;
&lt;td&gt;Organization policy + user delegation + agent capability + tool arguments + trusted provenance and risk signals&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Threat model&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Unauthorized connections, personal/enterprise mixups, shadow IT&lt;/td&gt;
&lt;td&gt;Prompt injection, permission abuse, lateral movement through valid connections&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Evaluation frequency&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;At token issuance/renewal&lt;/td&gt;
&lt;td&gt;Every tool call&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Audit trail&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;"User X connected to Server Y at time T"&lt;/td&gt;
&lt;td&gt;"Agent A attempted action B with parameters C, evaluated against policy D, outcome E"&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;EMA provides the outer gate. It ensures that only authorized users connect to approved servers through managed corporate identities. But EMA itself adds no per-tool-call semantic policy. Individual MCP servers may enforce scopes, ACLs, or rate limits on each request, but those controls are server-specific, inconsistent across the ecosystem, and unaware of whether a tool call originated from user intent or injected instructions.&lt;/p&gt;

&lt;p&gt;The &lt;a href="https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/4496698/nsa-releases-security-design-considerations-for-ai-driven-automation-leveraging/" rel="noopener noreferrer"&gt;NSA's May 2026 Cybersecurity Information document&lt;/a&gt; on MCP security is blunt: "MCP itself cannot enforce these security principles at the protocol level." This applies equally to EMA. The extension centralizes provisioning decisions. It does not, and cannot, evaluate whether the tool call an agent is about to make was triggered by the user's intent or by a malicious instruction embedded in a GitHub comment.&lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;Why OAuth Scopes Are Not Enough for AI Agent Authorization&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;OAuth scopes are space-delimited strings and are often too coarse for transaction-specific authorization. A &lt;code&gt;mail.send&lt;/code&gt; scope grants the ability to email any recipient. It cannot encode which recipient, in what context, whether the user intended this specific email, or whether the conversation was corrupted by an injection.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.rfc-editor.org/info/rfc9396/" rel="noopener noreferrer"&gt;RFC 9396&lt;/a&gt; (Rich Authorization Requests) partially addresses this by using JSON objects to describe API access with &lt;code&gt;type&lt;/code&gt;, &lt;code&gt;locations&lt;/code&gt;, and &lt;code&gt;actions&lt;/code&gt; fields. RAR can constrain later operations using transaction-specific authorization details (recipient, amount, resource), and resource servers can enforce those details. But RAR does not standardize provenance-aware evaluation of whether an agent's later action still reflects the user's current intent. When an agent makes a tool call from a potentially compromised conversation, RAR constrains the parameters but cannot determine whether the call was user-initiated or injection-initiated.&lt;/p&gt;

&lt;p&gt;The MCP specification's auth extensions face the same structural limitation. As of June 2026, both EMA and Client Credentials operate at the transport/connection level. The ext-auth repository contains no per-action authorization extension. Final MCP SEP-2468 recommends that authorization servers include the OAuth authorization-response &lt;code&gt;iss&lt;/code&gt; parameter and requires clients to validate it, mitigating authorization-server mix-up attacks. This is a transport-security measure, not per-action evaluation. MCP's core authorization does support runtime insufficient-scope challenges and step-up authorization, where scopes may depend on request arguments and context. These are valuable server-side controls, but they remain server-defined scope enforcement, not standardized provenance-aware authorization.&lt;/p&gt;

&lt;p&gt;This is not an oversight in the protocol or the extension. It reflects an architectural boundary. Authentication answers "who is this?" Connection-level authorization (including EMA) answers "what can this entity access?" Per-action authorization answers "should this specific action happen right now?" Zero-touch OAuth establishes the first two. The third requires an additional application- or runtime-level mechanism.&lt;/p&gt;

&lt;p&gt;OAuth has progressively added defenses across the authorization and token lifecycle. &lt;a href="https://www.rfc-editor.org/info/rfc6749/" rel="noopener noreferrer"&gt;RFC 6749&lt;/a&gt; (2012) and &lt;a href="https://www.rfc-editor.org/info/rfc6750/" rel="noopener noreferrer"&gt;RFC 6750&lt;/a&gt; defined bearer tokens without sender-constraining. PKCE (2015) mitigated authorization-code interception. DPoP (2023) sender-constrained tokens to reduce replay. &lt;a href="https://www.rfc-editor.org/info/rfc9700/" rel="noopener noreferrer"&gt;RFC 9700&lt;/a&gt; (2025) updated the entire threat model based on "practical experiences gathered since OAuth 2.0 was published." These mechanisms are not per-action authorization, but they illustrate the broader movement away from relying on bearer credentials alone. Each addition responded to real attacks that exploited assumptions about what grant-time credentials could safely cover.&lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;The Three-Layer Authorization Model for AI Agents&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;Agents operate at the intersection of three distinct permission sets, not one.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html" rel="noopener noreferrer"&gt;AWS IAM&lt;/a&gt; provides a useful precedent for this model. The following table simplifies IAM's full evaluation logic (which combines identity-based and resource-based grants, then constrains them by permissions boundaries and SCPs) to illustrate the intersection principle:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;IAM Layer&lt;/th&gt;
&lt;th&gt;Agent Authorization Analog&lt;/th&gt;
&lt;th&gt;What It Controls&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Service Control Policy (Organization)&lt;/td&gt;
&lt;td&gt;Organization policy&lt;/td&gt;
&lt;td&gt;Maximum permissions any agent in this org can possess&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Identity-based policy (User)&lt;/td&gt;
&lt;td&gt;User delegation&lt;/td&gt;
&lt;td&gt;What this specific user has delegated to the agent&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Permission boundary (Entity)&lt;/td&gt;
&lt;td&gt;Agent capability boundary&lt;/td&gt;
&lt;td&gt;What this agent type is designed and permitted to do&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;The identity or resource policy must grant the action, while the permissions boundary and SCP must permit it. An explicit deny overrides an allow, and adding a permissions boundary can only reduce effective permissions.&lt;/p&gt;

&lt;p&gt;EMA maps cleanly onto the first two layers at connection time. The IdP enforces organization-level policy (which servers are approved) and user-level access (which roles and groups the user belongs to). But it evaluates these layers at token issuance, not per tool call, and it does not standardize an agent-specific capability boundary. OAuth authorization servers can apply client-specific policy, but EMA itself does not define how agent capabilities should be constrained beyond what scopes and roles permit.&lt;/p&gt;

&lt;p&gt;Suppose your organization policy says "no agent may delete production databases." A user has delegated broad access to their calendar, email, and project management tools. The agent is a triage-bot designed to label issues and assign them. The effective permission is the intersection: the triage-bot can label and assign issues in the user's projects, and nothing else. It cannot send email (outside its capability boundary), cannot delete databases (blocked by org policy), and cannot access another user's calendar (not delegated).&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.osohq.com/research" rel="noopener noreferrer"&gt;Oso's 2026 Least Privilege Report&lt;/a&gt; (analyzing 2.4 million workers and 3.6 billion permissions) found that 96% of enterprise permissions go unused over 90 days. Employees typically possess 10 times the access they actually need. Thirty-one percent of workers can modify or delete sensitive data. Thirteen percent can reach regulated data including financial and health records.&lt;/p&gt;

&lt;p&gt;Humans often leave dormant permissions unused because of judgment, habit, and professional accountability. Agents do not share those natural constraints and can operate continuously at machine speed. When an agent inherits a human's permission set through a grant-time OAuth token (whether provisioned manually or through EMA), it may exercise capabilities the human rarely touches, turning latent over-provisioning into active attack surface.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://openfga.dev/" rel="noopener noreferrer"&gt;OpenFGA&lt;/a&gt; (built on &lt;a href="https://research.google/pubs/zanzibar-googles-consistent-global-authorization-system/" rel="noopener noreferrer"&gt;Google Zanzibar's principles&lt;/a&gt;) has formalized this by modeling agents as first-class principals, identical to human users, with explicit authorization tuples like &lt;code&gt;user: agent:triage-bot, relation: member, object: project:alpha&lt;/code&gt;. But the intersection model must be augmented with runtime evaluation: not just "does this agent have the permission?" but "does this agent's current context justify exercising this permission?"&lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;Zero-Touch OAuth vs. Runtime Security for AI Agents&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;The zero-touch reflex and the security reflex are both right, and they pull in opposite directions.&lt;/p&gt;

&lt;p&gt;One view holds that the protocol should stay out of application-level authorization. Before EMA, users completed one authorization flow per MCP server; afterward, the client included a bearer token that the server validated on every HTTP request. EMA centralizes that initial provisioning without changing the server's responsibility to validate requests.&lt;/p&gt;

&lt;p&gt;The opposing view holds that user-visible friction can still serve a purpose. A per-server consent prompt is not approval of each transaction, but it does show the user what access is being granted. In hosts that expose connected tools across conversations, pre-connecting a high-stakes server can make it reachable from any such conversation. That argues for separate transaction-specific controls, not for preserving per-server OAuth prompts as their substitute.&lt;/p&gt;

&lt;p&gt;Some security teams value explicit user consent for accountability, while others prefer centrally administered access with fine-grained agent policies. Both needs can be met by combining centralized provisioning with runtime enforcement and targeted human approval.&lt;/p&gt;

&lt;p&gt;Without a runtime enforcement layer, zero-touch provisioning can leave an action-level authorization gap. Authorization should therefore be separated from model decision-making and enforced by the harness or execution layer, whether in-process, in a sidecar, or as a remote service.&lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;How to Implement Per-Action Authorization with a Pre-Execution Interceptor&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;Insert a policy evaluation point between the LLM's tool-call decision and the actual tool execution. This is the "post-prompt, pre-execution" gap that EMA and zero-touch OAuth leave open by design.&lt;/p&gt;

&lt;p&gt;The common objection is latency. Three implementations demonstrate that per-action policy evaluation is feasible at low cost relative to typical LLM inference:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;a href="https://opensource.microsoft.com/blog/2026/04/02/introducing-the-agent-governance-toolkit-open-source-runtime-security-for-ai-agents/" rel="noopener noreferrer"&gt;&lt;strong&gt;Microsoft's Agent Governance Toolkit&lt;/strong&gt;&lt;/a&gt; (April 2026), which Microsoft describes as the first toolkit addressing all 10 OWASP agentic AI risks: a stateless policy engine with a &lt;code&gt;ToolCallInterceptor&lt;/code&gt; that hooks into native framework extension points. &lt;strong&gt;Microsoft's own benchmarks report p99 under 0.1 milliseconds.&lt;/strong&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;OPA/Rego sidecar&lt;/strong&gt;: suitable local policies can evaluate in single-digit milliseconds, although teams should benchmark their own policy complexity and deployment topology.
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Google Zanzibar&lt;/strong&gt;: per-request authorization serving many large-scale Google services. &lt;strong&gt;Reported p95 under 10 milliseconds at millions of checks per second.&lt;/strong&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The minimal viable architecture has three components:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Interceptor&lt;/strong&gt; hooking between the LLM's tool-call output and tool execution. Frameworks provide native extension points (&lt;a href="https://www.arcade.dev/blog/agent-authorization-langgraph-guide/" rel="noopener noreferrer"&gt;LangChain callbacks&lt;/a&gt;, CrewAI middleware).
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Stateless policy engine&lt;/strong&gt; evaluating each call against organization, user, and agent policy layers. &lt;a href="https://www.openpolicyagent.org/" rel="noopener noreferrer"&gt;OPA&lt;/a&gt;, &lt;a href="https://cedarpolicy.com/" rel="noopener noreferrer"&gt;Cedar&lt;/a&gt;, or equivalent, running locally or as a sidecar.
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Credential store&lt;/strong&gt; isolated from the LLM. Raw tokens are never exposed to the model's context window. Credentials are injected only after policy allows execution.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The interceptor pattern in practice looks like this:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="k"&gt;async&lt;/span&gt; &lt;span class="k"&gt;def&lt;/span&gt; &lt;span class="nf"&gt;authorized_tool_call&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;tool_name&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;args&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;agent_id&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;delegation_chain&lt;/span&gt;&lt;span class="p"&gt;):&lt;/span&gt;
    &lt;span class="n"&gt;decision&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="k"&gt;await&lt;/span&gt; &lt;span class="nf"&gt;opa_evaluate&lt;/span&gt;&lt;span class="p"&gt;({&lt;/span&gt;
        &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;tool&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="n"&gt;tool_name&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
        &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;args&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="n"&gt;args&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
        &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;agent_id&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="n"&gt;agent_id&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
        &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;delegation_chain&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="n"&gt;delegation_chain&lt;/span&gt;
    &lt;span class="p"&gt;})&lt;/span&gt;
    &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="n"&gt;decision&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;outcome&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt; &lt;span class="o"&gt;==&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;allow&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
        &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="k"&gt;await&lt;/span&gt; &lt;span class="nf"&gt;execute_tool&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;tool_name&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;args&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
    &lt;span class="k"&gt;elif&lt;/span&gt; &lt;span class="n"&gt;decision&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;outcome&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt; &lt;span class="o"&gt;==&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;deny&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
        &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;error&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="n"&gt;decision&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;reason&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;],&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;code&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="n"&gt;decision&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;reason_code&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;]}&lt;/span&gt;
    &lt;span class="k"&gt;elif&lt;/span&gt; &lt;span class="n"&gt;decision&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;outcome&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt; &lt;span class="o"&gt;==&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;escalate&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
        &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="k"&gt;await&lt;/span&gt; &lt;span class="nf"&gt;request_human_approval&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;tool_name&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;args&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;decision&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;reason&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;])&lt;/span&gt;
    &lt;span class="k"&gt;else&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
        &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;error&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Unknown policy outcome&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;code&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;unknown_outcome&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Production implementations should canonicalize tool arguments, bind policy decisions and human approvals to a hash of the exact tool name and arguments, and re-evaluate policy after an asynchronous approval. This prevents arguments, credentials, or policy state from changing between authorization and execution.&lt;/p&gt;

&lt;p&gt;When Rego policies are written to return structured decisions (reason code, deciding policy rule), OPA can surface that context to the caller. A safe, user-facing reason code can be returned to the model so it can replan. Detailed policy rules and sensitive denial context should remain in internal audit logs rather than being exposed to the model.&lt;/p&gt;

&lt;p&gt;Production implementations use &lt;a href="https://www.rfc-editor.org/info/rfc8693/" rel="noopener noreferrer"&gt;RFC 8693&lt;/a&gt; OAuth 2.0 Token Exchange to issue short-lived, least-privilege credentials bound to the current user and session. The LLM never sees any token; the execution layer receives the attenuated credential. This means a successful prompt injection that exfiltrates the agent's context window yields no actionable credentials. EMA's ID-JAG flow establishes the user's identity; credential isolation reduces the risk of that identity being exploited through token theft. Action-level policy and containment remain necessary to prevent the execution layer itself from being used as a confused deputy.&lt;/p&gt;

&lt;p&gt;Different risk levels warrant different patterns:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Pattern&lt;/th&gt;
&lt;th&gt;When to Use&lt;/th&gt;
&lt;th&gt;Latency&lt;/th&gt;
&lt;th&gt;Human Required?&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Synchronous policy check&lt;/td&gt;
&lt;td&gt;Read operations, low-risk tool calls&lt;/td&gt;
&lt;td&gt;&amp;lt; 10ms&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Asynchronous human-in-the-loop (HITL) approval&lt;/td&gt;
&lt;td&gt;Financial transactions, data deletion&lt;/td&gt;
&lt;td&gt;Minutes to hours&lt;/td&gt;
&lt;td&gt;Yes&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Deny-with-replan&lt;/td&gt;
&lt;td&gt;Agent can choose an alternative action&lt;/td&gt;
&lt;td&gt;&amp;lt; 10ms + inference&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;The asynchronous pattern draws from &lt;a href="https://www.arcade.dev/blog/build-ai-agents-for-financial-services-banking/" rel="noopener noreferrer"&gt;financial services' four-eyes principle&lt;/a&gt; (maker-checker): one party prepares an action, another independently reviews and approves before execution. The agent is the "maker." When a human independently reviews the agent's proposed action, this is literal maker-checker. Automated policy enforcement provides an analogous independent control but is not, by itself, the four-eyes principle.&lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;Why Per-Action Authorization Is Inevitable for Enterprise AI&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;The industry has repeatedly moved from coarse upfront grants toward narrower runtime controls, and each time, it wasn't optional for long.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Android permissions.&lt;/strong&gt; Before Android 6.0 Marshmallow (2015), apps received all requested permissions at install time. Users faced an all-or-nothing choice. Android 6.0 moved "dangerous permissions" to a contextual, just-in-time model: apps must request them at the moment of use, and users can deny or revoke specific permissions. Once granted, permissions persist until revoked, so this is not per-action authorization. But the shift from blanket install-time grants to contextual, revocable runtime grants is the same directional move. Install-time permissions are connection-time provisioning (EMA's domain).&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Google BeyondCorp.&lt;/strong&gt; After Operation Aurora (2010) demonstrated that perimeter-based trust was insufficient, Google replaced its castle-and-moat model with per-request evaluation based on device state, user identity, and context, regardless of network location. The lesson: "connected" (on the corporate network) was not an authorization decision.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;OAuth's own evolution.&lt;/strong&gt; OAuth retained bearer-token deployments while adding PKCE, DPoP, and updated security guidance to harden different stages of the flow. Neither PKCE nor DPoP is per-action authorization, but both responded to attacks that exploited assumptions about what grant-time credentials could safely cover.&lt;/p&gt;

&lt;p&gt;AI agent authorization is the next instance. EMA represents the maturation of the connection layer, the same way centralized SSO matured enterprise web app access. The CSA, NSA, and OWASP already emphasize action-level controls, least privilege, deterministic validation, and explicit approval for consequential operations. The question is how quickly the industry will build the runtime layer that complements centralized provisioning.&lt;/p&gt;

&lt;p&gt;Compliance pressure is accelerating the timeline. SOC 2 Trust Services Criteria map naturally to per-action controls. CC6.1 (logical and physical access controls) can be supported when audit trails capture each agent action, not just token issuance. CC6.6 (system boundary protection) is strengthened when policy enforcement operates at the tool-call level, not just the network perimeter. CC7.2 (anomaly monitoring) benefits from granular agent telemetry that reveals unusual tool-call patterns in real time. Per-tool-call logging is not a verbatim SOC 2 requirement, but it can provide useful evidence when auditors assess how agent access and actions are controlled.&lt;/p&gt;

&lt;p&gt;On the analyst side, Gartner's Market Guide for Guardian Agents and Forrester's 2026 Technology and Security Predictions both signal that agent governance is now an enterprise category. &lt;a href="https://www.forrester.com/press-newsroom/forrester-tech-security-2026-predictions/" rel="noopener noreferrer"&gt;Forrester predicts&lt;/a&gt; enterprises will defer 25% of planned AI spending to 2027 as financial scrutiny intensifies and organizations struggle to demonstrate ROI.&lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;Building a Production Per-Action Authorization Architecture&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;A production-grade implementation requires seven components:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Connection-time provisioning&lt;/strong&gt; (EMA, centralized IdP) controlling which users and agents access which servers.
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Pre-execution interceptor&lt;/strong&gt; between the LLM's tool-call output and execution.
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Policy engine&lt;/strong&gt; evaluating the three-layer intersection (org x user x agent) per call.
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Credential isolation&lt;/strong&gt; from the LLM, with tokens injected only after policy allows.
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Deny-by-default&lt;/strong&gt; stance with structured reason feedback for model replanning.
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Human-in-the-loop (HITL) approval&lt;/strong&gt; for high-risk actions via Slack, email, or equivalent out-of-band flow.
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Per-action audit logging&lt;/strong&gt; supporting SOC 2 Trust Services Criteria (CC6.1, CC6.6, CC7.2).&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;None of these components require novel technology. Microsoft AGT delivers sub-millisecond policy enforcement. OPA handles deny-with-reason in single-digit milliseconds. Zanzibar processes millions of authorization checks per second. EMA handles centralized provisioning today. The necessary building blocks exist. The gap is in connecting them: applying policies consistently across all agents as they scale to more users and systems. That is the central gap an action runtime fills. Without infrastructure for secure action, organizations often restrict agents to analysis and recommendations, keeping realized ROI incremental.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.arcade.dev/get-started/authorization/" rel="noopener noreferrer"&gt;Arcade.dev&lt;/a&gt; evaluates agent scope and user scope together on every tool call. Its &lt;a href="https://docs.arcade.dev/en/guides/contextual-access" rel="noopener noreferrer"&gt;Contextual Access&lt;/a&gt; capability adds customer-defined organization policy through pre-execution hooks that can allow, deny, or modify tool calls. Credentials remain isolated from the LLM, and the model never receives raw tokens. Arcade's catalog includes 8,000+ agent-optimized tools designed around natural-language intent rather than raw API passthrough.&lt;/p&gt;

&lt;p&gt;Arcade goes beyond routing. Its &lt;a href="https://docs.arcade.dev/en/guides/mcp-gateways" rel="noopener noreferrer"&gt;MCP Gateway&lt;/a&gt; federates multiple servers behind a single controlled endpoint. For governance, Arcade generates structured, OpenTelemetry-compatible &lt;a href="https://www.arcade.dev/blog/ai-agent-governance-compliance/" rel="noopener noreferrer"&gt;audit events&lt;/a&gt; for every agent action, attributable to the requesting user and exportable to enterprise SIEM systems.&lt;/p&gt;

&lt;p&gt;Arcade integrates with existing OAuth and IdP flows, including Microsoft Entra and Okta, rather than replacing them. It can be &lt;a href="https://www.arcade.dev/" rel="noopener noreferrer"&gt;deployed in Arcade Cloud, in a customer VPC, on-premises, or in a fully air-gapped environment&lt;/a&gt;, allowing organizations to control data residency and network isolation.&lt;/p&gt;

&lt;p&gt;Other tools in this space (OPA, Cedar, Microsoft AGT, Kontext, &lt;a href="https://authzed.com/" rel="noopener noreferrer"&gt;AuthZed&lt;/a&gt;) address individual pieces: policy engines, credential management, or governance overlays. Arcade provides all of these capabilities out of the box. By uniting agent authorization (policy and credentials), agent-optimized tools, and lifecycle governance into a single runtime, Arcade solves the complete execution-time security challenge. That matters because these three concerns interact at execution time.&lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;Conclusion&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;EMA is the right answer to one authorization problem, but not the complete answer for agent runtime security.&lt;/p&gt;

&lt;p&gt;The industry has repeatedly moved from coarse upfront grants toward narrower runtime controls. Each time, early adopters avoided the painful retrofit that the rest of the industry eventually endured.&lt;/p&gt;

&lt;p&gt;The teams building continuous authorization into their agent architecture now, complementing EMA with runtime policy enforcement, make the same bet the Android, BeyondCorp, and OAuth security teams made: that "provisioned" was never the same as "authorized," and that the gap between them is where real attacks live.&lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;FAQ&lt;/strong&gt;
&lt;/h2&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;What is Enterprise-Managed Authorization (EMA) for MCP?&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;Enterprise-Managed Authorization is an MCP extension that allows organizations to centrally manage which MCP servers their users can access. It uses the organization's identity provider (IdP) to provision access based on groups, roles, and conditional access rules. Users authenticate once through SSO and automatically connect to all approved MCP servers without per-server consent prompts.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;How does EMA relate to per-action authorization?&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;EMA and per-action authorization solve different problems at different points in the execution lifecycle. EMA governs who connects to what (provisioning). Per-action authorization governs whether a specific tool call should execute (runtime enforcement). EMA is the outer gate; per-action authorization is the inner gate. A complete enterprise architecture needs both centralized provisioning and runtime enforcement; EMA is one way to provide the provisioning layer.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;What is per-action authorization for AI agents?&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;Per-action authorization is a security model that evaluates whether a specific AI agent tool call should proceed based on organization policy, user delegation, and agent capability. It checks permissions at execution time, immediately after the prompt and before the action occurs. This limits the blast radius of prompt injection by blocking policy-violating actions, even when the underlying permissions were legitimately provisioned through EMA or standard OAuth.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;Why is EMA not sufficient for AI agent security?&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;EMA centralizes access provisioning, which is valuable. But it evaluates access at token issuance (not per tool call) and cannot detect if a specific runtime action was genuinely requested by the user or triggered by a prompt injection. Because AI agents execute tasks at machine speed, they can rapidly exercise latent over-provisioning inherent in standard OAuth scopes, even when those scopes were provisioned through a centrally managed, policy-governed flow.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;How can prompt injection abuse access granted through EMA and OAuth?&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;Prompt injection abuses EMA- and OAuth-granted access by planting malicious instructions within untrusted content that an authenticated AI agent processes. Because the agent's connection to tools like GitHub or Azure is already authorized via valid, centrally-provisioned tokens, these calls use valid credentials and remain within granted scopes, so they can pass conventional token, scope, and ACL checks. Those checks do not establish whether the user intended the particular action.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;Does per-action authorization add latency to AI agents?&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;Per-action authorization typically adds low latency when evaluated locally or in-process. Suitable local policies can complete in single-digit milliseconds, though results vary with policy complexity and network topology. For local policies this overhead is usually small relative to LLM inference, but remote services and complex policies should be benchmarked in the target deployment.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;How do you implement per-action authorization alongside EMA?&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;You implement per-action authorization by inserting a pre-execution interceptor between the LLM tool call output and the actual tool execution. This interceptor uses a stateless policy engine to evaluate the requested action against organization, user, and agent policies. EMA continues to handle grant-time provisioning through the IdP. Developers can build this architecture manually or use an action runtime platform like Arcade to enforce runtime checks across their agent infrastructure while preserving their existing EMA and IdP flows.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;What Does Arcade Do for AI Agent Authorization?&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;Arcade is an action runtime platform that provides per-action authorization, managed tools, and governance for AI agents in a single unified system. It evaluates agent and user scopes on every tool call and can enforce customer-defined organization policy through pre-execution hooks immediately before execution. Arcade integrates with existing IdP infrastructure (such as Microsoft Entra and Okta via OIDC) rather than replacing it, adding the runtime enforcement layer that grant-time provisioning cannot provide. It also isolates credentials from the LLM so that the model never sees raw tokens, reducing credential-exfiltration risk during prompt injection attacks. Action-level policy and containment remain necessary to prevent the execution layer from being used as a confused deputy.&lt;/p&gt;

</description>
      <category>mcp</category>
      <category>ai</category>
      <category>agents</category>
      <category>security</category>
    </item>
    <item>
      <title>Lessons from building 20 MCP Apps in 2 days</title>
      <dc:creator>Teal Larson</dc:creator>
      <pubDate>Fri, 19 Jun 2026 21:56:10 +0000</pubDate>
      <link>https://dev.to/arcade/lessons-from-building-20-mcp-apps-in-2-days-1f98</link>
      <guid>https://dev.to/arcade/lessons-from-building-20-mcp-apps-in-2-days-1f98</guid>
      <description>&lt;p&gt;A few weeks back, my team sat down for two days and built around twenty MCP Apps. I came out with a much better idea of what they are, what they aren't (yet), and where the duct tape is currently holding things together. Here's the brain dump.&lt;/p&gt;

&lt;p&gt;If you haven't run into them yet: MCP Apps is the first official extension to the MCP spec. It lets a tool return a UI resource alongside its result. The host renders that UI inline as a sandboxed iframe. Tables, charts, forms, branded layouts, little interactive bits that can call back into other tools. Real, actual UI in the middle of a chat-based experience. Very cool.&lt;/p&gt;

&lt;p&gt;They matter because some information is just better visually. A neatly grouped list of pull requests is much easier to scan than a wall of bulleted text. A chart beats a CSV. And as more of our day-to-day work shifts into chat, "bring your brand and your product surface into the conversation" stops being a nice-to-have.&lt;/p&gt;

&lt;p&gt;OK. Lessons.&lt;/p&gt;

&lt;h2&gt;
  
  
  The call is coming from inside the house
&lt;/h2&gt;

&lt;p&gt;MCP Apps live inside the server. This was the first thing that surprised me. An MCP App isn't a hosted URL you point your tool at or some third-party iframe you embed. It is fetched via MCP, not HTTP, so the UI code ships with the MCP server and is served via the ui:// resource scheme.&lt;/p&gt;

&lt;p&gt;There are a number of different ways you could go about organizing this. For example, you could co-locate the files with the tools themselves:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;my-mcp-server/
  tools/
    list_projects    
      list_projects.py
      project-summary.html
    list_project_patterns
      list_project_patterns.py
      pattern-card.html    
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Or co-locate them in a single place:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;my-mcp-server/
  tools/
   list_projects.py
   list_project_patterns.py
  ui/
    pattern-card.html
    project-summary.html
    ...
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;We were using React because we wanted to leverage the existing internal design system components. So we landed on:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;my-mcp-server/
   tools/
   ui/
     pattern-card.tsx
     project-summary.tsx
     package.json
     vite.config.mjs
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;A single Vite project at the root of /ui, configured to output an HTML file per TSX file at build time.&lt;/p&gt;

&lt;h2&gt;
  
  
  MCP Apps are enrichment-only
&lt;/h2&gt;

&lt;p&gt;If a host supports MCP Apps, your user sees the rich UI. If it doesn't (Claude Code, most terminal-based clients, anything that isn't on the new extension), the _meta.ui property is silently ignored and your user just gets the text response.&lt;/p&gt;

&lt;p&gt;So the text response is still the contract. Your MCP App is enrichment on top. If you stuff the actual answer into the UI and leave your text response empty, congratulations: you've shipped a tool that works in some clients and silently breaks in others. Always design as if half your users will never see the app.&lt;br&gt;
Keep these things STUPID simple&lt;br&gt;
I am going to be the first one to tell you: keep your MCP App components dumb. Pure. Boring. All data passed in as props from the tool result. No fetches from inside the app, no state machines, no calls back to your API.&lt;/p&gt;

&lt;p&gt;The tool runs, computes its answer, hands the data to the UI as props, and the UI is just a deterministic render of that. This made our apps fast to build, easy to reason about, and very simple to test in isolation. It also kept us honest about what exactly we were sending into a sandbox we don't fully control (more on that in a sec).&lt;/p&gt;

&lt;h2&gt;
  
  
  Host quirks are real
&lt;/h2&gt;

&lt;p&gt;There's a spec, but hosts implement it with their own opinions. Container width, padding, default typography, dark/light handling, the whole vibe varies. ChatGPT renders wide in a browser. Claude renders narrow in a chat panel. Mobile is mobile. VS Code's side panel is its own little adventure.&lt;/p&gt;

&lt;p&gt;There's no standardized testing harness yet, so our iteration loop was: build, install in client A, eyeball it, install in client B, eyeball it, adjust, repeat. Compared to ordinary frontend dev, where you'd just spin up a Storybook or run Playwright across browsers in CI, it felt slow. Like, painfully slow.&lt;/p&gt;

&lt;p&gt;Two things helped:&lt;/p&gt;

&lt;p&gt;Designing layouts that gracefully reflow at narrow widths from the start, rather than fixing them after the fact.&lt;br&gt;
Using a file watcher to rebuild on save, so the inner loop wasn't quite so brutal.&lt;/p&gt;

&lt;p&gt;The tooling will catch up. For now: plan for visual QA across multiple hosts, and accept the dev loop is going to feel slow.&lt;/p&gt;

&lt;h2&gt;
  
  
  The host can see everything
&lt;/h2&gt;

&lt;p&gt;MCP Apps run in a sandboxed iframe, but the content of that iframe is visible to the host. This has a real implication and I don't want to bury it: don't use MCP Apps to collect secrets. No API keys in form fields. No OAuth tokens. Nothing you wouldn't want logged.&lt;/p&gt;

&lt;p&gt;If you need to collect secrets, use URL elicitation or a separate secure form outside the MCP App. You can pair that with an MCP App that polls the external endpoint for completion status. The secret itself just shouldn't live inside the rendered iframe.&lt;/p&gt;

&lt;h2&gt;
  
  
  TL;DR
&lt;/h2&gt;

&lt;p&gt;If you're starting from zero:&lt;/p&gt;

&lt;p&gt;Bundle your UI inside your server. Multi-page Vite, one HTML per surface, your existing design system imported directly.&lt;br&gt;
Always make the text response stand on its own.&lt;br&gt;
Pure components, props in, no client-side state.&lt;br&gt;
Test on every host you care about, by hand, until tooling catches up.&lt;br&gt;
Don't put secrets in the app.&lt;/p&gt;

&lt;p&gt;The patterns that do still feel impossible (gathering tool inputs via UI before the call, for example) might not stay that way for long. MCP Tasks are in the experimental phase and looks like it could open that door&lt;/p&gt;

&lt;p&gt;For now: MCP Apps are early, the spec is moving, the tooling is thin, and they're already worth shipping. &lt;/p&gt;

</description>
      <category>ai</category>
      <category>mcp</category>
      <category>frontend</category>
    </item>
    <item>
      <title>Best Composio Alternatives in 2026 for Production AI Agents</title>
      <dc:creator>Manveer Chawla</dc:creator>
      <pubDate>Thu, 11 Jun 2026 19:25:27 +0000</pubDate>
      <link>https://dev.to/arcade/best-composio-alternatives-in-2026-for-production-ai-agents-446p</link>
      <guid>https://dev.to/arcade/best-composio-alternatives-in-2026-for-production-ai-agents-446p</guid>
      <description>&lt;p&gt;Composio offers over 1,000 toolkits and 20,000 tools through MCP and direct APIs.&lt;/p&gt;

&lt;p&gt;It's great for rapid prototyping, but scaling AI agents to production requires a different architecture.&lt;/p&gt;

&lt;p&gt;This guide evaluates four production-ready alternatives, covering authorization models, governance, deployment options, and real migration complexity, for engineering teams moving beyond the prototype stage.&lt;/p&gt;

&lt;h2&gt;
  
  
  Key takeaways
&lt;/h2&gt;

&lt;p&gt;When evaluating Composio alternatives for production, prioritize per-user delegated authorization (just-in-time user consent), agent-optimized tools with constrained schemas that reduce hallucination, and centralized governance with immutable audit logs, ideally OpenTelemetry-compatible. Deployment model (cloud, VPC, or air-gapped) is also an important consideration for enterprise environments.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Best overall for secure multi-user production:&lt;/strong&gt; Arcade.dev&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Best for AWS-native ecosystems:&lt;/strong&gt; AWS AgentCore&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Best for data-centric B2B data sync:&lt;/strong&gt; Merge&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Best for shadow AI discovery and governance:&lt;/strong&gt; Natoma&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  How to evaluate Composio vs. production-ready alternatives
&lt;/h2&gt;

&lt;p&gt;Composio is an MCP gateway and integration wrapper; it works well for early prototyping, single-user internal utilities, or budget-constrained projects. Its extensive integration catalog and low per-call pricing make it the fastest way to wire up a multi-app agent for a proof of concept.&lt;/p&gt;

&lt;p&gt;Moving beyond prototypes reveals architectural limitations around identity, blast radius, observability, and multi-user AI agent authorization when routing multiple real users through agent workflows.&lt;/p&gt;

&lt;p&gt;Evaluating a production-ready alternative comes down to three questions:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Where do my users' OAuth tokens and API keys live, and what is the blast radius if the platform is breached?&lt;/li&gt;
&lt;li&gt;Who can register and run tool definitions, and is execution governed and versioned?&lt;/li&gt;
&lt;li&gt;If something goes wrong, can I prove exactly what every agent did?&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Adopting a runtime like Arcade or a unified data layer like Merge doesn't replace your agent orchestration loops. Teams still bring their own orchestration layers, like &lt;a href="https://docs.langchain.com/oss/python/langchain/overview" rel="noopener noreferrer"&gt;LangChain&lt;/a&gt; or &lt;a href="https://mastra.ai/" rel="noopener noreferrer"&gt;Mastra&lt;/a&gt;, to manage reasoning and maintain contextual state. The platforms evaluated below operate as execution runtimes and gateways, securing and standardizing the tool layer that orchestration frameworks call.&lt;/p&gt;

&lt;p&gt;When evaluating authorization and blast radius, look for delegated authorization models that evaluate the intersection of agent and user permissions for each action at runtime, scoped to that action, with credentials never exposed to the LLM. The weaker pattern, common in prototyping-first tools, is pre-authorized tokens with broad, static permissions that are fast to wire up, but widen the blast radius the moment an agent is compromised.&lt;/p&gt;

&lt;p&gt;On &lt;a href="https://composio.dev/blog/composio-may-2026-security-incident" rel="noopener noreferrer"&gt;May 21, 2026, an attacker&lt;/a&gt; gained access from internal monitoring tools into automated remediation systems, registered malicious tool definitions inside the tool-execution sandbox and executed arbitrary code. They separately abused compromised employee Gmail OAuth tokens via magic-link sign-in. Roughly 0.3% of active connections were exposed, including about 5,001 GitHub tokens, a small number of Gmail and other service tokens, and an auxiliary cache that held about 5,241 API keys during the breach window, with the full scope not yet known at the time of disclosure.&lt;/p&gt;

&lt;p&gt;Composio responded with credential rotation and OAuth revocation across roughly 100 toolkits, and is introducing customer-key self-custody (a Zero Trust Proxy KMS), with keys visible only at creation and IP allowlisting. This incident maps directly onto the authorization, blast-radius, and governance dimensions, demonstrating that the criteria most critical to production-readiness are exactly the ones that breadth-and-price comparisons tend to ignore.&lt;/p&gt;

&lt;p&gt;Tool reliability is another critical axis of evaluation. You need to differentiate between intent-level tools and raw API wrappers. Tools with constrained, intention-aligned schemas reduce the surface area for hallucinations and map more reliably to API calls than raw wrappers do. Raw API wrappers force the LLM to guess the exact schema structure, leading to endless retry loops and excessive token usage.&lt;/p&gt;

&lt;p&gt;Production workloads demand strict MCP and agent governance. Composio lets teams build custom tools through its SDK, but does not support connecting external MCP servers, including official vendor-published servers. This locks teams into Composio's catalog for pre-built integrations. Look for a governed tool registration that lets teams connect external MCP servers and manage their own tool definitions alongside pre-built catalogs, with pre- and post-tool-call policy enforcement and immutable audit logs. OpenTelemetry (OTel) compliance is the emerging standard for production AI observability. Platforms must support &lt;a href="https://opentelemetry.io/docs/specs/semconv/gen-ai/mcp/" rel="noopener noreferrer"&gt;OTel with GenAI and MCP semantic conventions&lt;/a&gt;, capturing exact tool execution states to provide a reliable audit substrate.&lt;/p&gt;

&lt;p&gt;Pricing structure, deployment and self-hosting support, developer experience, and documentation quality should also guide your final platform choice.&lt;/p&gt;

&lt;h2&gt;
  
  
  Composio alternatives comparison table
&lt;/h2&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;&lt;/th&gt;
&lt;th&gt;&lt;strong&gt;Arcade&lt;/strong&gt;&lt;/th&gt;
&lt;th&gt;&lt;strong&gt;AWS AgentCore&lt;/strong&gt;&lt;/th&gt;
&lt;th&gt;&lt;strong&gt;Merge&lt;/strong&gt;&lt;/th&gt;
&lt;th&gt;&lt;strong&gt;Natoma&lt;/strong&gt;&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Best for&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Secure multi-user production&lt;/td&gt;
&lt;td&gt;AWS-native ecosystems&lt;/td&gt;
&lt;td&gt;B2B data sync&lt;/td&gt;
&lt;td&gt;Shadow AI discovery&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Pricing model&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Platform + Usage based&lt;/td&gt;
&lt;td&gt;Usage-based (Complex)&lt;/td&gt;
&lt;td&gt;Platform / Linked accounts&lt;/td&gt;
&lt;td&gt;Seat-based / Enterprise&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;MCP gateway/capability&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Runtime + Gateway&lt;/td&gt;
&lt;td&gt;Partial (BYO servers)&lt;/td&gt;
&lt;td&gt;Gateway Only&lt;/td&gt;
&lt;td&gt;Gateway Only&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;User and agent authorization&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Delegated per-user auth, scoped agent permissions, runtime intersection enforcement&lt;/td&gt;
&lt;td&gt;IAM and workload identities; end-user delegation depends on implementation&lt;/td&gt;
&lt;td&gt;Linked account credentials for data access; limited agent-specific authorization&lt;/td&gt;
&lt;td&gt;ABAC and role-based profiles across AI clients&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Key differentiator vs Composio&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Unified MCP runtime: auth + agent-optimized tools + governance&lt;/td&gt;
&lt;td&gt;Deep AWS compliance integration&lt;/td&gt;
&lt;td&gt;Normalized data schemas&lt;/td&gt;
&lt;td&gt;Shadow AI discovery&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Deployment options&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Cloud, VPC, Air-gapped&lt;/td&gt;
&lt;td&gt;Cloud (AWS only)&lt;/td&gt;
&lt;td&gt;Cloud&lt;/td&gt;
&lt;td&gt;Cloud, VPC&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Audit logs support&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Immutable runtime audit logs&lt;/td&gt;
&lt;td&gt;CloudWatch/X-Ray via AWS setup&lt;/td&gt;
&lt;td&gt;Linked-account audit trail&lt;/td&gt;
&lt;td&gt;Tool-call and activity logs&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;OpenTelemetry (OTel) compliance&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Yes&lt;/td&gt;
&lt;td&gt;Yes&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h2&gt;
  
  
  In-depth reviews of the best Composio alternatives
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Arcade: Composio alternative for secure, multi-user production
&lt;/h3&gt;

&lt;h4&gt;
  
  
  Best for
&lt;/h4&gt;

&lt;p&gt;Engineering and AI product teams deploying secure, governed, multi-user agents in production environments.&lt;/p&gt;

&lt;h4&gt;
  
  
  Overview
&lt;/h4&gt;

&lt;p&gt;Arcade.dev is the MCP runtime for building and deploying multi-user AI agents that take real actions across enterprise systems. It unifies agent authorization, agent-optimized tools, and lifecycle governance into a single execution layer, on the principle that a runtime is the best gateway. The layer that brokers identity and routes traffic should also enforce policy and capture audit, rather than leaving teams to bolt those concerns onto a thin proxy.&lt;/p&gt;

&lt;p&gt;This means engineering teams don't have to rebuild security plumbing, complex token management, and logging infrastructure for every new software integration.&lt;/p&gt;

&lt;h4&gt;
  
  
  Arcade vs. Composio: Key differences
&lt;/h4&gt;

&lt;p&gt;Composio focuses on breadth with a large catalog of tools auto-generated from OpenAPI specifications. Arcade focuses on depth with &lt;a href="https://www.arcade.dev/compare/arcade-vs-composio/" rel="noopener noreferrer"&gt;tools built to agent-experience principles and validated with evals before release&lt;/a&gt;, and provides the full runtime stack of authorization, agent-optimized tools, and governance in a single execution layer. That architectural difference drives three major advantages:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Centralized Governance:&lt;/strong&gt; Arcade is the central enforcement point for policies your organization has already defined in IdPs, SaaS tools, and security systems, rather than asking teams to recreate them. Unlike Composio's Tool Router, Arcade can register and govern built-in, custom, and external MCP servers via a single control plane. That control plane covers every tool, agent, and auth provider, with strict versioning, a shared registry that prevents teams from rebuilding what already exists, visibility filtering so that agents only see tools their users are permitted to invoke, and immutable, OpenTelemetry-compatible audit logs. Pre- and post-tool-call hooks let compliance teams drop in custom variables (workflow state, time windows, request volume, session context) that the runtime treats as first-class enforcement primitives. Arcade's SOC 2 Type 2 certification validates these controls through an independent audit.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Delegated Authorization:&lt;/strong&gt; Arcade uses a &lt;a href="https://www.arcade.dev/blog/ai-agent-authentication-authorization/" rel="noopener noreferrer"&gt;multi-user, post-prompt authorization model&lt;/a&gt; with just-in-time permissions mapping. The runtime evaluates the exact intersection of what the agent and user are allowed to do, per action, at execution time. Tokens are managed through Arcade's &lt;a href="https://www.arcade.dev/get-started/authorization/" rel="noopener noreferrer"&gt;automated token vault&lt;/a&gt;, keeping credentials isolated from the underlying language model and removing prompt injection as a direct credential-theft vector. Destructive actions can be routed through out-of-band approvals before they execute.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Intent-Level Reliability:&lt;/strong&gt; Arcade bypasses raw API wrappers by offering a &lt;a href="https://www.arcade.dev/tools/" rel="noopener noreferrer"&gt;catalog of 8,000+ agent-optimized MCP tools&lt;/a&gt; with constrained schemas that map reliably to API calls, reducing hallucination surface area. These tools select only the fields an agent requests and flatten responses into key-value pairs, which sharply reduces token consumption. In Arcade's &lt;a href="https://www.arcade.dev/blog/attio-mcp-toolkit-benchmark/" rel="noopener noreferrer"&gt;head-to-head Attio CRM benchmark&lt;/a&gt;, Composio returned roughly 100x more response tokens than Arcade across identical queries (747,083 vs. 7,426), a gap that can reach six figures in monthly token spend at enterprise scale. Built-in parallelized execution, intelligent retries with developer-defined context, and automatic failover sit alongside the catalog.&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  Pros: What you gain with Arcade
&lt;/h4&gt;

&lt;p&gt;Arcade delivers production-grade security. Teams pass stringent enterprise security reviews by using vaulted tokens, just-in-time user consent flows, and out-of-band approvals for destructive actions, backed by SOC 2 Type 2 certification. Arcade can be deployed in the cloud, a customer VPC, on-prem, or fully air-gapped environments, which matters for regulated industries and teams running sensitive or legacy systems where the "I do not want to personally be on the hook for this" risk is highest.&lt;/p&gt;

&lt;p&gt;Arcade also eliminates configuration sprawl. Organizations manage all custom, third-party, and built-in tools from one centralized control plane with strict versioning. Since Arcade uses specialized intent-level tools, you'll see lower token usage and &lt;a href="https://www.arcade.dev/blog/connect-ai-agents-enterprise-tools/" rel="noopener noreferrer"&gt;fewer parameter hallucinations&lt;/a&gt; compared to basic API wrappers.&lt;/p&gt;

&lt;h4&gt;
  
  
  Cons: What you give up with Arcade
&lt;/h4&gt;

&lt;p&gt;Arcade is purpose-built for multi-user production. Teams in the earliest single-user prototyping phase, where per-user authorization, governance, and audit are not yet requirements, may not need the full runtime on day one. In practice, most teams that reach Arcade start exactly there and switch once the agent meets real users.&lt;/p&gt;

&lt;h4&gt;
  
  
  Pricing: How Arcade is priced
&lt;/h4&gt;

&lt;p&gt;Arcade uses a platform fee plus usage-based pricing on tool calls and auth events, designed for predictable scaling at enterprise volumes.&lt;/p&gt;

&lt;h4&gt;
  
  
  Migration considerations
&lt;/h4&gt;

&lt;p&gt;For an existing Composio-backed agent, the main work is replacing Composio tool calls with Arcade's agent-optimized tools, connecting existing OAuth and IdP providers, and validating that each workflow preserves the right user consent, tool permissions, and audit trail. Because Arcade exposes a standard MCP runtime endpoint, teams can keep their orchestration layer while moving tool execution into Arcade.&lt;/p&gt;




&lt;h3&gt;
  
  
  AWS AgentCore: Composio alternative for AWS-native agent stacks
&lt;/h3&gt;

&lt;h4&gt;
  
  
  Best for
&lt;/h4&gt;

&lt;p&gt;Enterprise engineering teams fully entrenched in the AWS ecosystem who require tight integration with the existing infrastructure and strict compliance models, and have the expertise and resources to manage the integrations themselves.&lt;/p&gt;

&lt;h4&gt;
  
  
  Overview
&lt;/h4&gt;

&lt;p&gt;Amazon Bedrock AgentCore is a platform for building, connecting, and optimizing AI agents. Unlike standalone third-party tools, it connects agents to enterprise systems via MCP servers, internal APIs, and Lambda functions, leveraging the massive scale of AWS's broader security, identity, and networking infrastructure.&lt;/p&gt;

&lt;h4&gt;
  
  
  AWS AgentCore vs. Composio: Key differences
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Deep AWS native integration:&lt;/strong&gt; AgentCore inherits AWS's massive enterprise compliance halo. That gives teams access to SOC 2-, ISO-, and HIPAA-certified infrastructure, alongside resilient, multi-region availability.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;AWS identity and security controls:&lt;/strong&gt; AgentCore can use &lt;a href="https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/security-iam.html" rel="noopener noreferrer"&gt;AWS Identity and Access Management (IAM)&lt;/a&gt; for access policies, AWS Security Token Service (STS) for short-lived role assumption, and Key Management Service (KMS) for secret encryption during tool execution. These controls are powerful, but teams must configure and connect them across the agent execution path.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;AWS ecosystem evaluation tooling:&lt;/strong&gt; AWS offers experimentation and evaluation tooling around Bedrock agent workflows, so teams can test agent variations and tool-call reliability within the AWS environment. These capabilities still require setup across the surrounding AWS services.&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  Pros: What you gain with AWS AgentCore
&lt;/h4&gt;

&lt;p&gt;You get compliance and alignment with AWS architectures. If your organization already mandates strict VPC boundaries, private subnets, and granular IAM roles, AgentCore fits into that secure paradigm.&lt;/p&gt;

&lt;p&gt;Combine it with AWS CloudWatch and X-Ray, and you get debugging and trace correlation for every agent action across your cloud footprint.&lt;/p&gt;

&lt;h4&gt;
  
  
  Cons: What you give up with AWS AgentCore
&lt;/h4&gt;

&lt;p&gt;The primary tradeoff is operational assembly and management overhead. Building a secure agent environment in AgentCore requires configuring and stitching together multiple AWS services, such as IAM, CloudWatch, X-Ray, Step Functions, and Lambda, whereas a purpose-built runtime such as Arcade bundles per-user authorization, lifecycle governance, OpenTelemetry-compatible audit, and execution into a single layer that maps cleanly across clouds.&lt;/p&gt;

&lt;p&gt;This assembly burden introduces hidden logging and compute costs that are difficult to forecast. It also creates significant ecosystem lock-in. Once you build your agent architecture tightly around AWS IAM and Bedrock routing, you lose the portability that independent, cloud-agnostic runtimes provide.&lt;/p&gt;

&lt;h4&gt;
  
  
  Pricing: How AWS AgentCore is priced
&lt;/h4&gt;

&lt;p&gt;AgentCore relies on a complex, usage-based AWS pricing model spanning multiple underlying compute and logging services. Forecasting total costs accurately is difficult.&lt;/p&gt;

&lt;h4&gt;
  
  
  Migration considerations
&lt;/h4&gt;

&lt;p&gt;Moving a Composio-backed agent to AWS AgentCore requires more AWS-specific implementation work. Teams need to translate integration logic into Lambda functions, AWS-hosted MCP servers, or other AWS services, then configure IAM, workload identities, logging, and tracing around those execution paths.&lt;/p&gt;




&lt;h3&gt;
  
  
  Merge: Composio alternative for unified APIs and B2B data sync
&lt;/h3&gt;

&lt;h4&gt;
  
  
  Best for
&lt;/h4&gt;

&lt;p&gt;B2B SaaS companies focused on data-centric integration and normalizing data across hundreds of third-party platforms, like HRIS, ATS, and CRM systems.&lt;/p&gt;

&lt;h4&gt;
  
  
  Overview
&lt;/h4&gt;

&lt;p&gt;Merge originally established itself as a leading Unified API provider, and has recently expanded to include an Agent Handler and Gateway. It connects AI tools to enterprise applications not just by routing raw requests, but by normalizing business data into standard, predictable schemas.&lt;/p&gt;

&lt;h4&gt;
  
  
  Merge vs. Composio: Key differences
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Normalized Data Models:&lt;/strong&gt; Instead of connecting raw APIs and returning varied JSON structures, Merge standardizes data across entire software categories. All ticket data looks the same whether it comes from Jira, Zendesk, or Salesforce. This predictable schema benefits both Retrieval-Augmented Generation (RAG) and massive B2B data-syncing operations.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Unified API focus:&lt;/strong&gt; Merge has a stronger legacy in rigorous B2B data synchronization compared to Composio's primary focus on raw, varied action execution.&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  Pros: What you gain with Merge
&lt;/h4&gt;

&lt;p&gt;Engineering teams get built-in data syncing capabilities that form the bedrock of contextual, data-heavy RAG pipelines.&lt;/p&gt;

&lt;p&gt;Merge also brings a mature compliance posture for data-sync workloads, including SOC 2 Type II, HIPAA support, and GDPR alignment. Its dedicated Security Gateway can &lt;a href="https://docs.merge.dev/merge-agent-handler/overview" rel="noopener noreferrer"&gt;scan and redact Personally Identifiable Information (PII)&lt;/a&gt; before data ever reaches your underlying language models, though this is also achievable in runtime platforms like Arcade via pre- and post-tool-call hooks.&lt;/p&gt;

&lt;h4&gt;
  
  
  Cons: What you give up with Merge
&lt;/h4&gt;

&lt;p&gt;Merge is strongest when the agent needs standardized data access across categories like HRIS, ATS, ticketing, CRM, and accounting. Compared with Composio, it is less of a broad action-execution layer for quickly calling many vendor APIs. Merge also comes from the Unified API and B2B data-sync category, so its AI capabilities are layered onto a data integration foundation rather than designed first as an agent execution runtime. Teams that need agents to perform varied actions across many apps should confirm the required actions are supported by Merge's normalized models and Agent Handler, rather than assuming the breadth of a tool-wrapper catalog.&lt;/p&gt;

&lt;h4&gt;
  
  
  Pricing: How Merge is priced
&lt;/h4&gt;

&lt;p&gt;Merge operates on a premium B2B SaaS pricing model focused on platform usage and the total volume of active linked accounts.&lt;/p&gt;

&lt;h4&gt;
  
  
  Migration considerations
&lt;/h4&gt;

&lt;p&gt;Moving from Composio to Merge is less about swapping an agent runtime and more about changing the integration layer. Teams need to map existing tool calls to Merge's normalized data models and adjust agent code that expects raw vendor-specific API responses.&lt;/p&gt;




&lt;h3&gt;
  
  
  Natoma: Composio alternative for shadow AI discovery
&lt;/h3&gt;

&lt;h4&gt;
  
  
  Best for
&lt;/h4&gt;

&lt;p&gt;IT and Security teams that need to discover and govern unmanaged AI clients and rogue MCP servers across enterprise networks.&lt;/p&gt;

&lt;h4&gt;
  
  
  Overview
&lt;/h4&gt;

&lt;p&gt;Natoma is an enterprise MCP gateway focused on discovering and governing AI tool access across fragmented clients like Claude Code, Cursor, ChatGPT, and custom internal agents. Its strongest fit is shadow AI discovery: finding unmanaged AI clients and rogue MCP servers, then applying identity-aware access controls so security teams can see and govern how agents connect to enterprise systems.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.snowflake.com/en/news/press-releases/snowflake-announces-intent-to-acquire-natoma-providing-secure-connectivity-for-the-agentic-enterprise/" rel="noopener noreferrer"&gt;Snowflake announced a definitive agreement to acquire Natoma&lt;/a&gt; on May 27, 2026. Buyers should validate the standalone product roadmap, support model, and integration coverage before standardizing on it.&lt;/p&gt;

&lt;h4&gt;
  
  
  Natoma vs. Composio: Key differences
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Policy at the tool layer:&lt;/strong&gt; Natoma emphasizes Attribute-Based Access Control (ABAC) and bundles toolkits into strict, role-based Profiles. It focuses on rigorous policy enforcement and the integration of AWS Cedar policies rather than on basic API routing.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Shadow AI discovery:&lt;/strong&gt; Unlike Composio, Natoma offers dedicated network-level tools to discover and govern unmanaged AI clients and rogue shadow MCP servers across an enterprise network.&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  Pros: What you gain with Natoma
&lt;/h4&gt;

&lt;p&gt;Organizations get high visibility into exactly which AI clients are active in their enterprise environments.&lt;/p&gt;

&lt;p&gt;You can secure existing AI coding assistants and internal agent builds without changing the underlying language models or orchestration frameworks that those tools rely on. Extensive SIEM and EDR integrations ensure your security operations center stays fully informed.&lt;/p&gt;

&lt;h4&gt;
  
  
  Cons: What you give up with Natoma
&lt;/h4&gt;

&lt;p&gt;Natoma focuses primarily on authorization and identity mapping. Like other governance-focused overlays, it doesn't include a catalog of pre-built, agent-optimized tools.&lt;/p&gt;

&lt;p&gt;For built-in execution-reliability features like automatic failover and intelligent retries that stabilize fragile API connections, teams typically pair it with a dedicated runtime.&lt;/p&gt;

&lt;h4&gt;
  
  
  Pricing: How Natoma is priced
&lt;/h4&gt;

&lt;p&gt;Natoma uses a custom Enterprise SaaS pricing model requiring organizations to contact their sales team for tiered seat licensing.&lt;/p&gt;

&lt;h4&gt;
  
  
  Migration considerations
&lt;/h4&gt;

&lt;p&gt;Moving from Composio to Natoma depends on whether the goal is replacing tool execution or adding governance over existing AI clients and MCP servers. Teams should validate supported integrations, policy coverage, and the product roadmap following Snowflake's announced intent to acquire Natoma.&lt;/p&gt;

&lt;h2&gt;
  
  
  Conclusion: Choosing the best Composio alternative for production
&lt;/h2&gt;

&lt;p&gt;Governance determines whether you can safely scale AI agents beyond a single user, and the foundational layer you pick makes that governance enforceable rather than aspirational.&lt;/p&gt;

&lt;p&gt;Choose &lt;strong&gt;Arcade&lt;/strong&gt; for a full multi-user production runtime with built-in governance and agent-optimized tools. Choose &lt;strong&gt;AWS AgentCore&lt;/strong&gt; for strict AWS-native integrations. Go for &lt;strong&gt;Merge&lt;/strong&gt; if your priority is B2B data syncing and normalized schemas. Consider &lt;strong&gt;Natoma&lt;/strong&gt; for shadow AI discovery across enterprise networks.&lt;/p&gt;

&lt;p&gt;If you're transitioning from a prototype to a secure, multi-user production environment, &lt;a href="https://app.arcade.dev/register" rel="noopener noreferrer"&gt;explore Arcade.dev to see how a unified MCP runtime natively solves authorization and governance&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  FAQ
&lt;/h2&gt;

&lt;h3&gt;
  
  
  What is Composio best for?
&lt;/h3&gt;

&lt;p&gt;Composio works best for rapid prototyping and early-stage agents where you want quick access to a large catalog of integrations and don't need strict multi-user authorization, governance, and production-level auditability.&lt;/p&gt;

&lt;h3&gt;
  
  
  Is Composio production-ready for multi-user AI agents?
&lt;/h3&gt;

&lt;p&gt;Composio can support limited production scenarios, but teams typically outgrow it when they need per-user delegated authorization, blast-radius controls, and standardized observability and audit logs across many users and tools.&lt;/p&gt;

&lt;h3&gt;
  
  
  What should I look for in a production-ready alternative to Composio?
&lt;/h3&gt;

&lt;p&gt;Prioritize per-user delegated authorization with tokens kept out of model context, governance controls for tool registration and policy enforcement, and audit logs and traceability (ideally OpenTelemetry) for every tool call.&lt;/p&gt;

&lt;h3&gt;
  
  
  Which Composio alternative is best for secure, multi-user production agents?
&lt;/h3&gt;

&lt;p&gt;Arcade is the best choice for teams that need a unified MCP runtime with just-in-time authorization and centralized governance for multi-user production deployments.&lt;/p&gt;

&lt;h3&gt;
  
  
  When should I choose Arcade instead of Composio?
&lt;/h3&gt;

&lt;p&gt;Choose Arcade when you need a unified MCP runtime for multi-user production agents with per-user delegated authorization, centralized governance, and agent-optimized tools in a single execution layer. It fits teams moving beyond prototyping that require vaulted credentials, immutable audit logs, and flexible deployment (cloud, VPC, or air-gapped).&lt;/p&gt;

&lt;h3&gt;
  
  
  When should I choose AWS AgentCore instead of a standalone runtime?
&lt;/h3&gt;

&lt;p&gt;Choose AWS AgentCore when you're all-in on AWS (IAM, VPC, CloudWatch/X-Ray) and have the engineering resourcing and expertise to assemble and manage multiple AWS services to meet your security, compliance, and operational requirements.&lt;/p&gt;

&lt;h3&gt;
  
  
  When is Merge a better choice than Composio?
&lt;/h3&gt;

&lt;p&gt;Choose Merge when your primary need is B2B data integration, especially normalized schemas and data sync across categories like HRIS, ATS, and CRM, rather than governed, multi-step action execution for many end users.&lt;/p&gt;

&lt;h3&gt;
  
  
  What is MCP (Model Context Protocol), and why does it matter for these tools?
&lt;/h3&gt;

&lt;p&gt;MCP is a standard way for agents to call tools and servers. It matters because a production setup needs consistent authorization, governance, and observability around those tool calls, especially when many users share the same agent system.&lt;/p&gt;

&lt;h3&gt;
  
  
  What does "delegated authorization" mean for AI agents?
&lt;/h3&gt;

&lt;p&gt;Delegated authorization means the agent performs actions on behalf of a specific end user. Each tool call is evaluated against both the agent's permissions and the user's permissions at runtime, reducing the risk of shared credentials and oversized access.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>mcp</category>
      <category>security</category>
      <category>agents</category>
    </item>
    <item>
      <title>Best Natoma Alternatives in 2026 After the Snowflake Acquisition</title>
      <dc:creator>Manveer Chawla</dc:creator>
      <pubDate>Thu, 11 Jun 2026 19:20:22 +0000</pubDate>
      <link>https://dev.to/arcade/best-natoma-alternatives-in-2026-after-the-snowflake-acquisition-425k</link>
      <guid>https://dev.to/arcade/best-natoma-alternatives-in-2026-after-the-snowflake-acquisition-425k</guid>
      <description>&lt;p&gt;On May 27, 2026, Snowflake &lt;a href="https://www.snowflake.com/en/news/press-releases/snowflake-announces-intent-to-acquire-natoma-providing-secure-connectivity-for-the-agentic-enterprise/" rel="noopener noreferrer"&gt;announced its intent to acquire Natoma&lt;/a&gt;. This validates both Natoma and the enterprise Model Context Protocol governance category. Still, the acquisition prompts engineering leaders, AI platform teams, and security buyers to reassess their multi-user agent infrastructure.&lt;/p&gt;

&lt;p&gt;When evaluating MCP runtime alternatives, you're facing a real architectural decision of whether to stay tethered to an ecosystem-native gateway or adopt an independent or vendor-neutral MCP runtime.&lt;/p&gt;

&lt;h2&gt;
  
  
  Key takeaways
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Choose Arcade.dev&lt;/strong&gt; if you need an independent MCP runtime with secure agent authorization via On-Behalf-Of (OBO), agent-optimized tools, agent lifecycle governance, and flexible deployment (cloud, VPC, and air-gapped).&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Choose AWS AgentCore&lt;/strong&gt; if you're all-in on AWS/Bedrock and accept AWS-only constraints.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Choose WorkOS&lt;/strong&gt; if your main gap is enterprise SSO/directory sync (identity), not agent execution.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Choose Merge&lt;/strong&gt; if your main need is normalized integrations and bulk data sync, not multi-step agent workflows.&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Platform&lt;/th&gt;
&lt;th&gt;Key differentiator&lt;/th&gt;
&lt;th&gt;Deployment flexibility&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Arcade&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Unified auth, tools, and governance runtime&lt;/td&gt;
&lt;td&gt;Cloud, VPC, Air-gapped&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;AWS AgentCore&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Native AWS IAM and Bedrock integration&lt;/td&gt;
&lt;td&gt;AWS-only&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;WorkOS&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Developer-first human identity auth APIs&lt;/td&gt;
&lt;td&gt;Cloud&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Merge&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Unified API data normalization&lt;/td&gt;
&lt;td&gt;Cloud&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h2&gt;
  
  
  What the Snowflake acquisition means for Natoma users
&lt;/h2&gt;

&lt;p&gt;Snowflake's acquisition of Natoma signals that strict AI governance is now a core enterprise requirement. Natoma is a fully managed enterprise MCP gateway that enforces Cedar-based attribute access control (ABAC), shadow-AI discovery, SSO and SCIM, and SIEM/EDR integrations.&lt;/p&gt;

&lt;p&gt;Enterprises currently discover an &lt;a href="https://natoma.ai/platform" rel="noopener noreferrer"&gt;average of 225 unmanaged shadow AI instances per organization&lt;/a&gt;. That makes centralized governance an immediate security priority. But this acquisition shifts the product roadmap toward native Snowflake Intelligence and Cortex ecosystems.&lt;/p&gt;

&lt;p&gt;Under the agreement, Snowflake will build Natoma into its governance and identity layer for AI agents and MCP tool access, using it as the centralized gateway enforcing identity, policy, and audit at the tool-call level.&lt;/p&gt;

&lt;p&gt;This raises real questions for current and prospective Natoma users. Will Natoma remain available and supported as a standalone product, or be folded into Snowflake's stack? Will the roadmap orient toward Snowflake Intelligence, Cortex, and the broader Snowflake ecosystem?&lt;/p&gt;

&lt;h3&gt;
  
  
  When Natoma still makes sense after the acquisition
&lt;/h3&gt;

&lt;p&gt;Natoma makes sense for enterprises already embedded in the Snowflake ecosystem, with internal role-based access control (RBAC) as their primary governance layer. It also suits platform teams that prioritize native integration with Cortex tools such as search and analyst services.&lt;/p&gt;

&lt;p&gt;Enterprise buyers who prefer their agent governance bundled with their core data warehouse procurement will find the combined offering a natural fit.&lt;/p&gt;

&lt;h2&gt;
  
  
  How to evaluate Natoma alternatives in 2026
&lt;/h2&gt;

&lt;p&gt;An enterprise agent setup rests on three core pillars: agent authorization, agent-optimized tool reliability, and agent lifecycle governance. Any production runtime must solve all three simultaneously, plus deployment flexibility as a cross-cutting requirement.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1os2hksbqo14vi1jekko.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1os2hksbqo14vi1jekko.jpg" alt="A detailed architectural diagram illustrating the workflow and components of an MCP Runtime system within a B2B SaaS environment. A Client Application sends a Tool Request to the central MCP Runtime hub, which orchestrates three branches: Identity Context and Authorization (to Per-User Delegated Authorization, then to an OAuth / Identity Provider for Policy Evaluation); Tool Catalog and Execution (to an Agent-Optimized Tool Catalog that Invokes actions, leading to execution on External Enterprise SaaS); and Governance and Auditing (to Lifecycle Governance and Audit Logs to Emit Telemetry). The diagram uses a hierarchical structure with rounded nodes and a navy, teal, and gray color scheme." width="799" height="436"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  How agent authorization and OBO execution works
&lt;/h3&gt;

&lt;p&gt;Teams either give agents their own identity with broad credentials, or they inherit the user's full access. Both approaches create an excessive blast radius. Any failure, whether from misconfiguration, hallucinated tool calls, or adversarial input, propagates across every connected system.&lt;/p&gt;

&lt;p&gt;The runtime must enforce the exact intersection of agent and user permissions for each action, evaluating both what the agent is allowed to do and what the user is allowed to do at execution time. This process requires managing the complete OAuth token lifecycle isolated from the language model itself.&lt;/p&gt;

&lt;p&gt;Make sure the system supports pre- and post-call policy hooks to dynamically evaluate granular access requests at runtime.&lt;/p&gt;

&lt;h3&gt;
  
  
  How to evaluate agent-optimized tool reliability
&lt;/h3&gt;

&lt;p&gt;Most MCP servers wrap APIs designed for structured inputs, such as &lt;code&gt;recipient_user_id&lt;/code&gt; or &lt;code&gt;file_id&lt;/code&gt;, not for natural language like "send this to Finance." The root cause is that tool schemas are written for machine consumers rather than language models. Verbose schemas bloat the context window, and mismatched parameter names cause the model to hallucinate values.&lt;/p&gt;

&lt;p&gt;Evaluate whether the runtime provides curated tools optimized for natural-language intent rather than rigid machine interfaces. The runtime execution layer must also support intelligent retries, automatic schema validation, and automated failover capabilities.&lt;/p&gt;

&lt;h3&gt;
  
  
  What agent lifecycle governance should include
&lt;/h3&gt;

&lt;p&gt;Every tool execution requires immutable, &lt;a href="https://opentelemetry.io/docs/concepts/semantic-conventions/" rel="noopener noreferrer"&gt;OpenTelemetry-compatible audit logs&lt;/a&gt; tracing the agent action per user per connected service.&lt;/p&gt;

&lt;p&gt;The runtime must enforce visibility filtering so that agents discover only the specific, approved tools permitted by the active human user session. It should also provide version control for safe upgrades and a shared registry with team-level access controls to prevent tool sprawl across projects.&lt;/p&gt;

&lt;h3&gt;
  
  
  How to assess deployment flexibility and vendor independence
&lt;/h3&gt;

&lt;p&gt;Enterprise architecture demands deployment versatility. Can the runtime operate as a vendor-neutral layer that runs across any major cloud provider? Can you self-host it on a private network or securely deploy it in air-gapped environments?&lt;/p&gt;

&lt;p&gt;Systems tied to a broader data warehouse or cloud provider ecosystem will dictate your downstream infrastructure choices and limit cross-platform integrations.&lt;/p&gt;

&lt;h2&gt;
  
  
  In-depth reviews of the best Natoma alternatives
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Alternative 1: Arcade (independent action runtime)
&lt;/h3&gt;

&lt;h4&gt;
  
  
  Best for
&lt;/h4&gt;

&lt;p&gt;Enterprise engineering teams needing a complete, vendor-neutral action runtime for multi-user production agents. Security-conscious organizations requiring per-user delegated authorization and air-gapped deployments.&lt;/p&gt;

&lt;h4&gt;
  
  
  Overview
&lt;/h4&gt;

&lt;p&gt;&lt;a href="https://www.arcade.dev/" rel="noopener noreferrer"&gt;Arcade.dev is an independent action runtime&lt;/a&gt; that unifies agent authorization, agent-optimized tools, and continuous lifecycle governance into a single execution layer.&lt;/p&gt;

&lt;p&gt;While standalone gateways or specialized registries often focus primarily on routing traffic, Arcade handles the direct, parallelized execution of a catalog of over 8,000 agent-optimized MCP tools. It enforces access controls at the intersection of agent and user permissions, ensuring secure downstream actions.&lt;/p&gt;

&lt;h4&gt;
  
  
  Key differentiators vs. Natoma
&lt;/h4&gt;

&lt;p&gt;Arcade is a full actions runtime, not only a routing gateway. It directly executes and manages the runtime reliability of the tools, whereas Natoma routes requests to your existing deployed servers.&lt;/p&gt;

&lt;p&gt;It maintains platform independence through cloud-agnostic, flexible deployment models and provides an extensive, curated catalog of agent-optimized tools built for language-model intent. This often reduces parameter-hallucination issues found in standard interface wrappers.&lt;/p&gt;

&lt;p&gt;Arcade co-authored the MCP auth specification alongside Microsoft and Okta/Auth0, and authored the URL Elicitation specification with Anthropic. This standards-level involvement shapes how the protocol itself handles identity and consent.&lt;/p&gt;

&lt;h4&gt;
  
  
  Pros (what you gain)
&lt;/h4&gt;

&lt;p&gt;You get a centralized control plane for authorization, reliable tool execution, and continuous governance without stitching together multiple fragmented point solutions.&lt;/p&gt;

&lt;p&gt;Arcade enforces a permission-intersection model in which every action is authorized at the strict intersection of the agent's permissions and the specific human user's permissions. This two-identity approach isolates credentials from the language model, preventing privilege escalation.&lt;/p&gt;

&lt;p&gt;The runtime acquires credentials only when an action is required, requesting minimum OAuth permissions scoped to that specific tool. For irreversible actions, out-of-band approvals enforce a mandatory human approval step. You also get detailed, &lt;a href="https://docs.arcade.dev/en/guides/audit-logs" rel="noopener noreferrer"&gt;OpenTelemetry-compatible audit logging&lt;/a&gt; for every agent action executed across the runtime. Arcade holds SOC 2 Type II certification, with coverage that extends from the underlying cloud infrastructure through to every tool call an agent executes.&lt;/p&gt;

&lt;h4&gt;
  
  
  Cons (what you give up)
&lt;/h4&gt;

&lt;p&gt;You give up the likely future advantage of Natoma being built into Snowflake Intelligence, Cortex, and Snowflake-native governance workflows. Snowflake governance policies can still be applied to workflows running through Arcade, but not natively by default. You also lose the administrative convenience of bundled procurement and unified billing if your company already purchases significant Snowflake infrastructure.&lt;/p&gt;

&lt;h4&gt;
  
  
  Deployment and flexibility
&lt;/h4&gt;

&lt;p&gt;Arcade provides maximum environmental adaptability. It &lt;a href="https://docs.arcade.dev/en/guides/deployment-hosting" rel="noopener noreferrer"&gt;supports cloud deployments, self-hosted deployments within your own virtual private cloud, and air-gapped environments&lt;/a&gt; designed for regulated industries. Arcade is also agnostic to models, agent frameworks, and clients, so your team can use any combination of LLM providers and orchestration tools without runtime constraints. Post-acquisition, Natoma will likely become more opinionated toward Snowflake-supported models and tooling.&lt;/p&gt;

&lt;p&gt;Arcade brokers authorization protocols with your existing identity providers, including Okta and Microsoft Entra, enforcing existing policies rather than requiring duplication.&lt;/p&gt;

&lt;h3&gt;
  
  
  Alternative 2: WorkOS (enterprise identity and SSO)
&lt;/h3&gt;

&lt;h4&gt;
  
  
  Best for
&lt;/h4&gt;

&lt;p&gt;SaaS application developers whose primary roadblock is managing human user identity synchronization rather than handling agent-specific tool execution.&lt;/p&gt;

&lt;h4&gt;
  
  
  Overview
&lt;/h4&gt;

&lt;p&gt;WorkOS is a developer platform with APIs designed to make applications enterprise-ready. It offers AuthKit, single sign-on, automated directory synchronization, and standard role-based access control.&lt;/p&gt;

&lt;p&gt;It is a foundational identity building block, not a full AI agent platform.&lt;/p&gt;

&lt;h4&gt;
  
  
  Key differentiators vs. Natoma
&lt;/h4&gt;

&lt;p&gt;WorkOS maintains a pure focus on identity, providing robust infrastructure for human identity management.&lt;/p&gt;

&lt;p&gt;It delivers a great developer experience through comprehensive documentation, software development kits, and integrated drop-in interface components that accelerate time-to-market for standard authentication flows.&lt;/p&gt;

&lt;h4&gt;
  
  
  Pros (what you gain)
&lt;/h4&gt;

&lt;p&gt;You get the fastest available path to implementing enterprise single sign-on and automated directory synchronization. WorkOS provides an off-the-shelf administrative portal that empowers enterprise buyers to manage their own user provisioning.&lt;/p&gt;

&lt;h4&gt;
  
  
  Cons (what you give up)
&lt;/h4&gt;

&lt;p&gt;WorkOS has no native understanding of AI agents, the Model Context Protocol (MCP), or tool-calling security primitives.&lt;/p&gt;

&lt;p&gt;Your engineering team must build the agent authorization layer from scratch, mapping WorkOS identities to individual agent scope boundaries.&lt;/p&gt;

&lt;h3&gt;
  
  
  Alternative 3: AWS AgentCore (AWS-native agent platform)
&lt;/h3&gt;

&lt;h4&gt;
  
  
  Best for
&lt;/h4&gt;

&lt;p&gt;Large enterprises committed to Amazon Web Services as their exclusive cloud provider, seeking to build native AI agents directly within Amazon Bedrock.&lt;/p&gt;

&lt;h4&gt;
  
  
  Overview
&lt;/h4&gt;

&lt;p&gt;AgentCore is the dedicated agent platform layer within Amazon Bedrock. It connects foundation models to enterprise systems while enforcing access policies and tracing agent workflows.&lt;/p&gt;

&lt;p&gt;It delivers a secure, scalable environment backed by existing Amazon identity and access management infrastructure and automated reasoning primitives.&lt;/p&gt;

&lt;h4&gt;
  
  
  Key differentiators vs. Natoma
&lt;/h4&gt;

&lt;p&gt;AgentCore offers cloud-native integration with deep, structural ties to AWS-native serverless functions, isolated virtual private clouds, and existing identity infrastructure.&lt;/p&gt;

&lt;p&gt;It also includes built-in evaluations, providing robust native tooling for experimenting with and evaluating agent behavior under high-volume production traffic.&lt;/p&gt;

&lt;h4&gt;
  
  
  Pros (what you gain)
&lt;/h4&gt;

&lt;p&gt;You achieve strong compliance and security inheritance if your critical workloads already operate within the Amazon ecosystem.&lt;/p&gt;

&lt;p&gt;AgentCore provides secure connectivity to other AWS-hosted services, including storage buckets, relational databases, and internal private APIs, without routing sensitive traffic over the public internet.&lt;/p&gt;

&lt;h4&gt;
  
  
  Cons (what you give up)
&lt;/h4&gt;

&lt;p&gt;You sacrifice vendor neutrality. AgentCore locks your agent architecture into the Amazon ecosystem and Bedrock execution paradigms.&lt;/p&gt;

&lt;p&gt;This architecture is difficult to deploy across multi-cloud environments or hybrid on-premise setups outside the prescribed footprint. And requires a heavy engineering burden to manage the separate services.&lt;/p&gt;

&lt;h3&gt;
  
  
  Alternative 4: Merge (unified API for data sync)
&lt;/h3&gt;

&lt;h4&gt;
  
  
  Best for
&lt;/h4&gt;

&lt;p&gt;Engineering teams building products requiring standardized data synchronization across common software categories rather than executing multi-step agent operations.&lt;/p&gt;

&lt;h4&gt;
  
  
  Overview
&lt;/h4&gt;

&lt;p&gt;Merge is a unified API for normalized business data, providing a single integration point for hundreds of third-party tools. It's the most narrowly scoped option in this list, but the right fit for data-heavy use cases. Their &lt;a href="https://merge.dev/blog/agent-handler" rel="noopener noreferrer"&gt;agent handler product&lt;/a&gt; allows large language models to query and push structured data through these normalized interfaces.&lt;/p&gt;

&lt;h4&gt;
  
  
  Key differentiators vs. Natoma
&lt;/h4&gt;

&lt;p&gt;Merge excels at data normalization, translating disparate external interfaces into a unified data schema. It focuses on aggregating standard integration layers rather than managing protocol-level execution governance for custom-deployed servers.&lt;/p&gt;

&lt;h4&gt;
  
  
  Pros (what you gain)
&lt;/h4&gt;

&lt;p&gt;You get access to hundreds of standard external platforms without having to read individual technical documentation. Merge also automatically handles authentication for end-user application integrations.&lt;/p&gt;

&lt;h4&gt;
  
  
  Cons (what you give up)
&lt;/h4&gt;

&lt;p&gt;Merge offers less granular control over per-user delegated execution policies, which are required for enterprise protocol governance.&lt;/p&gt;

&lt;p&gt;Its integrations optimize for bulk data synchronization rather than natural-language intent, increasing the risk of token bloat during complex reasoning loops.&lt;/p&gt;

&lt;h2&gt;
  
  
  Conclusion: Choosing the right Natoma alternative after the acquisition
&lt;/h2&gt;

&lt;p&gt;The Snowflake acquisition of Natoma pushes engineering leaders to evaluate whether their agent infrastructure solves authorization, tool reliability, and governance together, while maintaining the deployment flexibility their architecture demands.&lt;/p&gt;

&lt;p&gt;The best alternative depends on your architectural philosophy and whether you stay tethered to a Snowflake-native gateway, piece together governance tools, or adopt an independent runtime. These choices are not mutually exclusive. A two-layer approach keeps data-proximate agents operating natively inside Snowflake for internally governed analytics while deploying an external, vendor-neutral runtime such as Arcade to handle cross-cloud tool execution.&lt;/p&gt;

&lt;p&gt;Prioritize platforms that solve agent authorization, agent-optimized tool reliability, and lifecycle governance simultaneously. Addressing only one or two of these pillars will create gaps that slow your production rollout.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.arcade.dev/contact" rel="noopener noreferrer"&gt;Book a demo with the Arcade.dev team today&lt;/a&gt; to see the permission intersection model execute in a live production environment.&lt;/p&gt;

&lt;h2&gt;
  
  
  Frequently Asked Questions
&lt;/h2&gt;

&lt;h3&gt;
  
  
  What changed for Natoma users after the Snowflake acquisition?
&lt;/h3&gt;

&lt;p&gt;Natoma's roadmap will likely align more tightly with Snowflake's ecosystem, which can reduce cross-cloud portability. Teams should reassess whether they want Snowflake-native governance or an independent runtime for multi-cloud agent execution.&lt;/p&gt;

&lt;h3&gt;
  
  
  Is Natoma still a good choice after the acquisition?
&lt;/h3&gt;

&lt;p&gt;Yes, if your agents primarily run in Snowflake and you want governance tightly coupled to Snowflake RBAC and Cortex workflows. If you need multi-cloud execution or non-Snowflake toolchains, an independent layer may be a better fit.&lt;/p&gt;

&lt;h3&gt;
  
  
  Why choose Arcade as a Natoma alternative?
&lt;/h3&gt;

&lt;p&gt;Arcade is a vendor-neutral action runtime that combines per-user delegated authorization, a catalog of over 8,000 agent-optimized tools, and lifecycle governance in a single layer. It supports cloud, VPC, and air-gapped deployments, and is agnostic to models, frameworks, and clients. For teams that need cross-cloud portability and production-grade agent infrastructure without ecosystem lock-in, Arcade covers authorization, execution, and audit without requiring additional point solutions.&lt;/p&gt;

&lt;h3&gt;
  
  
  What's the difference between an MCP gateway and an action runtime?
&lt;/h3&gt;

&lt;p&gt;A gateway routes requests and enforces access policies for tool calls. A runtime executes tools, enforces policy, and audits, handling reliability (retries, failover, validation), delegated auth flows, and telemetry during execution. For production multi-user deployments, a runtime is architecturally superior because it owns the full execution lifecycle rather than just the routing layer.&lt;/p&gt;

&lt;h3&gt;
  
  
  When should I choose an independent Natoma alternative instead of a Snowflake-native option?
&lt;/h3&gt;

&lt;p&gt;Choose an independent option when you need multi-cloud portability, want to avoid data-cloud lock-in, or must support VPC, on-prem, and air-gapped deployments. An independent option also fits better when agents need to call many external SaaS tools outside Snowflake.&lt;/p&gt;

&lt;h3&gt;
  
  
  What is per-user delegated authorization and why does it matter for agents?
&lt;/h3&gt;

&lt;p&gt;Per-user delegated authorization means each tool action is authorized using the intersection of the end user's permissions and the agent's allowed scope. This approach reduces the blast radius compared with shared service accounts and improves auditability for enterprise security reviews.&lt;/p&gt;

&lt;h3&gt;
  
  
  Which alternative is best if I already have an agent execution stack and only need governance?
&lt;/h3&gt;

&lt;p&gt;A governance overlay fits best. Focus on registry, threat detection, and audit controls layered on top of your existing runtime rather than replacing execution.&lt;/p&gt;

&lt;h3&gt;
  
  
  Which option is best if my company is all-in on AWS?
&lt;/h3&gt;

&lt;p&gt;If your agents run on Bedrock and you rely on AWS IAM and native AWS networking controls, an AWS-native agent platform is the most straightforward choice. Keep in mind that it comes with a trade-off on multi-cloud portability.&lt;/p&gt;

&lt;h3&gt;
  
  
  What should I look for in an enterprise action runtime evaluation?
&lt;/h3&gt;

&lt;p&gt;Prioritize per-user delegated authorization, agent-optimized tool reliability, centralized audit and governance, and deployment flexibility (cloud, VPC, and air-gapped). These criteria directly determine whether your agent infrastructure can scale securely across users, tools, and environments.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>mcp</category>
      <category>security</category>
      <category>identity</category>
    </item>
    <item>
      <title>AI agent governance and runtime compliance framework for CISOs</title>
      <dc:creator>Manveer Chawla</dc:creator>
      <pubDate>Tue, 09 Jun 2026 20:50:33 +0000</pubDate>
      <link>https://dev.to/arcade/ai-agent-governance-compliance-5841</link>
      <guid>https://dev.to/arcade/ai-agent-governance-compliance-5841</guid>
      <description>&lt;p&gt;AI agents are now in production across healthcare, financial services, and critical SaaS systems. They mutate data, trigger workflows, and call external APIs on behalf of real users. These are autonomous actors, not the read-only recommendation engines that security teams already know how to govern. The business is shipping them, and saying no won't pause that. The CISO question is no longer whether to allow agents into production. It's how to say yes safely, fast enough that security isn't the reason the business can't ship.&lt;/p&gt;

&lt;p&gt;The honest answer is that traditional enterprise security models don't survive contact with this workload. Governance-as-logging assembles evidence after the breach. Governance-as-spreadsheet drifts the moment code ships. Governance-as-policy-PDF answers an auditor's question about intent, not the runtime question of what an agent actually did at 03:14 on a Tuesday. None of these are governance. They are documentation. And building bespoke security infrastructure to close the gap is the same mistake in engineering form: months of plumbing while the actual governance gap stays open.&lt;/p&gt;

&lt;p&gt;Governance is a runtime contract enforced at the exact millisecond of every tool call, paired with an immutable audit trail that an auditor can replay end-to-end. Every agent action must be attributable, policy-governed, immutably audit-replayable, and revocable across user, agent, tenant, and task. Enforced at runtime, provable after the fact.&lt;/p&gt;

&lt;p&gt;What follows is a CISO-grade rubric organized around the four concerns CISOs surface in the field, with the six runtime capabilities that address them. Hand it to your AI/ML team. Hand it to the security architects and IAM leads pulled into the project. Both audiences should be able to verify against it before any agent reaches production.&lt;/p&gt;

&lt;h2&gt;
  
  
  TL;DR
&lt;/h2&gt;

&lt;p&gt;A CISO-grade rubric for AI agent governance organizes around the four concerns every CISO surfaces in the field. The 6 capabilities that address them sit beneath each:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;1. Identity and attribution: the service account problem.&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Capability 1: Agent and tool registry under version control&lt;/li&gt;
&lt;li&gt;Capability 2: Delegated agent authorization with scoped, just-in-time credentials&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;2. Active prevention at the tool call: saying yes safely.&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Capability 3: Centralized policy enforcement at runtime&lt;/li&gt;
&lt;li&gt;Capability 4: Action-layer guardrails (parameter validation, rate limits, output filtering, prompt injection interception, step-up authorization for high-impact actions)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;3. Observability your SIEM can use: after the fact.&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Capability 5: Immutable, replayable audit trail&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;4. Continuous audit-readiness: the verification rubric itself.&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Capability 6: Compliance attestation at the agent and action layer&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;No patchwork of SIEMs, policy engines, GRC platforms, identity providers, or MCP gateways answers all four concerns end-to-end. A unified MCP runtime does.&lt;/p&gt;




&lt;h2&gt;
  
  
  Mapping AI agent governance to NIST, ISO/IEC 42001, and the EU AI Act
&lt;/h2&gt;

&lt;p&gt;The policy layer of enterprise AI governance is defined by a small set of converging international frameworks: ISO/IEC 42001, the NIST AI Risk Management Framework, ISO/IEC 42005, the EU AI Act, and the CSA/NIST Agentic Profile, which extends them for autonomous systems. Technical controls need to anchor here.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.iso.org/standard/42001" rel="noopener noreferrer"&gt;ISO/IEC 42001&lt;/a&gt; sets the foundational requirements for an enterprise AI Management System. It demands continuous system monitoring, strict event logging, and traceable data provenance.&lt;/p&gt;

&lt;p&gt;The &lt;a href="https://www.nist.gov/itl/ai-risk-management-framework" rel="noopener noreferrer"&gt;NIST AI Risk Management Framework&lt;/a&gt;, extended by the GenAI Profile, provides a risk operating model that emphasizes continuous testing, evaluation, verification, and validation throughout the agent lifecycle.&lt;/p&gt;

&lt;p&gt;ISO/IEC 42005 builds on these by mandating rigorous AI system impact assessments. You'll need documented, immutable evidence of risk treatments and architectural safeguards.&lt;/p&gt;

&lt;p&gt;The &lt;a href="https://artificialintelligenceact.eu/the-act/" rel="noopener noreferrer"&gt;EU AI Act&lt;/a&gt; is what's actually driving urgency. Its phased timeline doesn't just turn best practices into legally binding requirements. It turns the gap between policy and runtime into a legal liability that the security team is responsible for.&lt;/p&gt;

&lt;p&gt;Prohibited practices and AI literacy obligations became applicable on February 2, 2025. Strict obligations for General Purpose AI providers took effect on August 2, 2025, requiring detailed technical documentation and systemic risk monitoring. By August 2, 2026, the broad applicability phase requires that every high-risk AI system implement automatic, immutable logging and strict human oversight.&lt;/p&gt;

&lt;p&gt;These are not deadlines on the security team's roadmap. They are legal exposure that attaches whenever an agent in a regulated workload acts without governance evidence the runtime can produce on demand. "We're planning to address this" is not a defensible position when an auditor asks why the agent that processed yesterday's PHI access can't be replayed.&lt;/p&gt;

&lt;p&gt;The &lt;a href="https://labs.cloudsecurityalliance.org/agentic/agentic-nist-ai-rmf-profile-v1/" rel="noopener noreferrer"&gt;Cloud Security Alliance and NIST Agentic Profile&lt;/a&gt; bridge the gap between broad regulatory mandates and technical implementation. This profile explicitly extends the NIST AI RMF to address threats specific to autonomous systems.&lt;/p&gt;

&lt;p&gt;It introduces autonomy-tier classification, tool-use risk modeling, and continuous delegation-chain monitoring, giving you the vocabulary to assess multi-agent interactions.&lt;/p&gt;

&lt;h3&gt;
  
  
  Standards define what. A runtime defines how.
&lt;/h3&gt;

&lt;p&gt;These standards are rigorous about the policy layer. They are silent about execution. NIST AI RMF tells you to monitor; it doesn't intercept a prompt injection. ISO/IEC 42001 tells you to log; it doesn't block an undesired API call. The EU AI Act requires human oversight; it doesn't mandate cryptographic approval for a specific tool-call payload.&lt;/p&gt;

&lt;p&gt;Closing the gap between legal requirement and technical reality is a runtime problem, not a documentation problem. The control point is the action layer (the moment an agent tries to call a tool), not the infrastructure boundary, the network perimeter, or a policy document. Runtime enforcement is what turns the standards into active security controls at the place the action actually happens.&lt;/p&gt;




&lt;h2&gt;
  
  
  Classifying AI agent autonomy tiers (1–4)
&lt;/h2&gt;

&lt;p&gt;Governance strictness has to scale with agent autonomy. A structured classification gives you the vocabulary to do that.&lt;/p&gt;

&lt;p&gt;The &lt;a href="https://labs.cloudsecurityalliance.org/agentic/agentic-nist-ai-rmf-profile-v1/" rel="noopener noreferrer"&gt;CSA / NIST AI RMF Agentic Profile&lt;/a&gt; defines a four-tier classification aligned with the operational characteristics that drive governance requirements. Data sensitivity, action reversibility, and potential legal or customer impact should dictate the maximum acceptable tier for any workload.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Agent autonomy-tier classification (CSA / NIST Agentic Profile)&lt;/em&gt;&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Autonomy tier&lt;/th&gt;
&lt;th&gt;Description&lt;/th&gt;
&lt;th&gt;Governance requirement&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Tier 1: fully supervised&lt;/td&gt;
&lt;td&gt;Agent generates outputs that require human approval before any action is taken.&lt;/td&gt;
&lt;td&gt;Governance structures equivalent to non-agentic generative AI.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Tier 2: constrained autonomy&lt;/td&gt;
&lt;td&gt;Agent executes pre-approved action types within a predefined scope. Actions outside that scope require human escalation.&lt;/td&gt;
&lt;td&gt;Formal action scope documentation, approval authority delegation policies, defined escalation triggers, action-consequence mapping.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Tier 3: broad autonomy within boundaries&lt;/td&gt;
&lt;td&gt;Agent operates with broad autonomy within a defined operational boundary. Bounded by hard constraints on resource access, action scope, and time horizon, and subject to continuous monitoring.&lt;/td&gt;
&lt;td&gt;Continuous behavioral monitoring, defined response playbooks, real-time agent registries integrated with IAM.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Tier 4: full autonomy within constrained environment&lt;/td&gt;
&lt;td&gt;Agent operates at full autonomy within a constrained environment, capable of spawning sub-agents, acquiring new tool capabilities, and executing long-horizon plans with minimal human interaction.&lt;/td&gt;
&lt;td&gt;All Tier 3 requirements plus formal oversight board review at defined intervals.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Tier 1 is the starting point for high-stakes workflows where you can't easily reverse an action; every output is gated by human approval before it executes. Tier 2 is the practical default for most current enterprise deployments. Agents act autonomously within pre-approved scopes and escalate anything outside them. Tier 3 introduces broad autonomy within a defined operational boundary and is appropriate where continuous monitoring and well-bounded behavioral envelopes are in place. Tier 4 introduces sub-agent orchestration and long-horizon planning. It requires formal oversight board review and is rarely appropriate outside controlled research environments or specialized workloads.&lt;/p&gt;




&lt;h2&gt;
  
  
  Action-layer risk taxonomy for AI agents (tool calls, identity, and delegation)
&lt;/h2&gt;

&lt;p&gt;Relying on generic vulnerability lists, such as the &lt;a href="https://owasp.org/www-project-top-10-for-large-language-model-applications" rel="noopener noreferrer"&gt;OWASP Top 10,&lt;/a&gt; isn't enough to secure autonomous systems.&lt;/p&gt;

&lt;p&gt;Prompt injections and training data poisoning are real concerns. But when you deploy agents, focus on the action layer. When an AI system can mutate data, trigger workflows, and interact with external APIs, the threat model changes.&lt;/p&gt;

&lt;p&gt;Once an agent can act, the threat model collapses into a set of operational questions: &lt;em&gt;which tool, with which parameters, on whose behalf, under which policy version, with what approval, and for how long that authority holds.&lt;/em&gt; The last one, time-bounded authority, is the dimension most often missed. A token issued for a session must expire when the session ends, not linger for hours or days as a residual credential that outlives the workflow that produced it. Just-in-time issuance and tight TTLs are part of the threat model, not part of the infrastructure details.&lt;/p&gt;

&lt;p&gt;An action-layer risk taxonomy maps specific agentic threats directly to architectural mitigations in the runtime, moving security teams from theoretical vulnerabilities to deterministic system design.&lt;/p&gt;

&lt;h3&gt;
  
  
  Threat-to-mitigation mapping for tool calls
&lt;/h3&gt;

&lt;p&gt;&lt;em&gt;Action-layer threat-to-mitigation mapping&lt;/em&gt;&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Threat vector&lt;/th&gt;
&lt;th&gt;Description&lt;/th&gt;
&lt;th&gt;Primary mitigation (from 6-capability framework)&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Tool-call hijacking&lt;/td&gt;
&lt;td&gt;Malicious input manipulates the agent into calling a tool with malicious or manipulated parameters.&lt;/td&gt;
&lt;td&gt;Capability 4: action-layer guardrails (parameter validation)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Delegated prompt injection&lt;/td&gt;
&lt;td&gt;An agent is compromised by malicious data it retrieves from an external source, leading to undesired actions within its authorized scope.&lt;/td&gt;
&lt;td&gt;Capability 2: delegated agent authorization (scoped credentials limit blast radius)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Credential exfiltration&lt;/td&gt;
&lt;td&gt;An agent with overly broad permissions leaks or misuses sensitive credentials to which it has access.&lt;/td&gt;
&lt;td&gt;Capability 2: delegated agent authorization (per-agent identity, rapid revocation)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Shadow tool execution&lt;/td&gt;
&lt;td&gt;Developers connect unauthorized tools or external APIs to an agent without centralized security oversight.&lt;/td&gt;
&lt;td&gt;Capability 1: agent and tool registry under version control&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Unattributable automation&lt;/td&gt;
&lt;td&gt;An agent executes a destructive action, but security teams cannot definitively prove which user or policy authorized it.&lt;/td&gt;
&lt;td&gt;Capability 5: immutable, replayable audit trail&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Context window poisoning&lt;/td&gt;
&lt;td&gt;Sensitive information reaches the agent's context when it shouldn't: secrets or PII in tool outputs, retrieved data, or memory shared across user sessions.&lt;/td&gt;
&lt;td&gt;Capability 4: action-layer guardrails (output filtering and redaction)&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Categorizing risks by tool invocation and identity lets security leaders build active defenses that intercept malicious intent before it reaches the resource server.&lt;/p&gt;

&lt;p&gt;This taxonomy shows that defending an agentic system requires structural controls at the exact moment a tool is called. Legacy approaches that rely solely on model-level alignment or generic network firewalls don't cut it.&lt;/p&gt;




&lt;h2&gt;
  
  
  Service accounts: the universal failure mode
&lt;/h2&gt;

&lt;p&gt;Every CISO has been burned by shared service accounts. They break attribution. They block revocation. They're how a single misconfigured credential ends up holding access to half the data lake six months after the engineer who provisioned it left the company. Every agent project that ships on a service account repeats that mistake faster.&lt;/p&gt;

&lt;p&gt;The failure modes are predictable. Give the agent its own identity with broad permissions, and any user behind that agent (including an intern) can bypass their own access controls. Lock those permissions down to be safe, and the agent can't do anything useful, which is how most agent projects stall before reaching production. Let the agent inherit the user's full permissions instead, and one prompt injection cascades through every system that user can touch. Three patterns, all breaking least privilege the moment an agent acts on behalf of more than one person.&lt;/p&gt;

&lt;p&gt;The fix is not better service account hygiene. It's per-agent identity tied to the requesting user, scoped to the specific tool and action, acquired just-in-time, and revocable in isolation when that user is offboarded or compromised. This is the foundation every other governance capability rests on. The rest of the rubric assumes you've fixed this problem first.&lt;/p&gt;




&lt;h2&gt;
  
  
  The 6-capability rubric for AI agent governance at runtime
&lt;/h2&gt;

&lt;p&gt;Neutralizing those risks requires an architecture that controls the full lifecycle of an agent action. Fragmented observability tools don't get you there. You need a unified &lt;a href="https://modelcontextprotocol.io/docs/getting-started/intro" rel="noopener noreferrer"&gt;MCP&lt;/a&gt; runtime that addresses all four CISO concerns through six specific capabilities.&lt;/p&gt;

&lt;p&gt;This is the rubric a CISO hands to their AI/ML team to verify before any agent is deployed to production. Skipping any capability creates a gap that an auditor or attacker will find. &lt;a href="https://www.arcade.dev/" rel="noopener noreferrer"&gt;Arcade.dev&lt;/a&gt; is the reference implementation.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;The 6-capability rubric, organized by CISO concern&lt;/em&gt;&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;CISO concern&lt;/th&gt;
&lt;th&gt;Capabilities&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;strong&gt;Identity and attribution:&lt;/strong&gt; the service account problem&lt;/td&gt;
&lt;td&gt;1. Agent and tool registry under version control&lt;br&gt;2. Delegated agent authorization with scoped, just-in-time credentials&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;strong&gt;Active prevention at the tool call:&lt;/strong&gt; saying yes safely&lt;/td&gt;
&lt;td&gt;3. Centralized policy enforcement at runtime&lt;br&gt;4. Action-layer guardrails (parameter validation, rate limits, output filtering, prompt injection interception, step-up authorization for high-impact actions)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;strong&gt;Observability your SIEM can use:&lt;/strong&gt; after the fact&lt;/td&gt;
&lt;td&gt;5. Immutable, replayable audit trail&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;strong&gt;Continuous audit-readiness:&lt;/strong&gt; the verification rubric itself&lt;/td&gt;
&lt;td&gt;6. Compliance attestation at the agent and tool plane&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h3&gt;
  
  
  Identity and attribution: the service account problem
&lt;/h3&gt;

&lt;p&gt;If service accounts are the universal failure mode, this concern is the resolution. The registry establishes which agents and tools exist; delegated authorization with scoped credentials binds every action to the specific user, tool, and scope that authorized it.&lt;/p&gt;

&lt;h4&gt;
  
  
  Capability 1: Agent and tool registry under version control
&lt;/h4&gt;

&lt;p&gt;A centralized agent and tool registry under strict version control is the foundation of any governance stack. The registry ensures agents can only discover and invoke vetted, approved tools, preventing shadow servers and duplicated effort across teams.&lt;/p&gt;

&lt;p&gt;Every agent, every tool, and every connected MCP server should appear in the registry with their owners, purposes, model versions, autonomy tiers, and approved user populations. If you can't produce this list on demand, your governance posture is already drifting.&lt;/p&gt;

&lt;h4&gt;
  
  
  Capability 2: Delegated agent authorization with scoped, just-in-time credentials
&lt;/h4&gt;

&lt;p&gt;Treating the agent as a distinct security principal is the architectural commitment that resolves the service account problem. That means per-agent identity, scoped credentials acquired just-in-time, and a credential scope bound to a specific user, tool, and action context. Identity answers who the agent is acting as. It does not, on its own, decide whether any particular request is safe to execute. That decision is the job of policy and enforcement, which come next.&lt;/p&gt;

&lt;p&gt;Static API keys and shared service accounts break attribution and force you into all-or-nothing access decisions. Per-user, per-tool, just-in-time scoped tokens preserve least privilege without bottlenecking the agent. They also let security teams revoke access rapidly, isolating and ending a compromised agent's access instantly without impacting the broader system or shared service accounts.&lt;/p&gt;

&lt;h3&gt;
  
  
  Active prevention at the tool call: saying yes safely
&lt;/h3&gt;

&lt;p&gt;Identity is necessary but not sufficient. The CISO needs assurance that even a correctly identified action will be blocked if it falls outside policy or requires human authorization. This concern is the active defense layer between the agent's intent and the resource server.&lt;/p&gt;

&lt;h4&gt;
  
  
  Capability 3: Centralized policy enforcement at runtime
&lt;/h4&gt;

&lt;p&gt;Identity says what the agent's credentials permit. Policy says what the organization permits. Different decisions, same tool call.&lt;/p&gt;

&lt;p&gt;An agent might have valid credentials to call the trade API (Cap 2) but still be blocked by a policy that requires human approval for trades over $10K, denies trades for restricted instruments, or restricts production changes outside business hours. Centralized policy-as-code, evaluated at every tool call, keeps these business rules consistent across teams.&lt;/p&gt;

&lt;p&gt;Each decision records the exact policy version that authorized it. Without strict version pinning, you get silent compliance breaks when authorization rules are modified or rolled back. An auditor investigating an action three months after the fact must be able to replay the exact decision matrix that authorized it.&lt;/p&gt;

&lt;h4&gt;
  
  
  Capability 4: Action-layer guardrails
&lt;/h4&gt;

&lt;p&gt;Identity tells you who the agent is. Policy tells you whether the action is allowed. Enforcement is what actually intercepts the request and either blocks it, modifies it, escalates it to a human, or otherwise transforms it. This is the layer that catches what identity and policy don't.&lt;/p&gt;

&lt;p&gt;Pre-tool-call enforcement validates parameters and applies rate limits before the request reaches the resource server. Post-tool-call enforcement filters and redact outputs before they re-enter the agent's context window. This is where threats like tool-call hijacking and context window poisoning are caught at the exact moment a tool is called.&lt;/p&gt;

&lt;p&gt;For irreversible or high-impact actions, enforcement should escalate the request out of band for human approval. The list of actions that trigger step-up authorization includes sending external email, modifying production data, executing code, transferring money, changing permissions, deleting records, and any decision affecting employment, credit, health, or legal status. Approval thresholds scale with the agent's autonomy tier, with stricter requirements at Tier 2 and above.&lt;/p&gt;

&lt;p&gt;Relying on an agent to request permission in a chat interface is deeply flawed. Prompt injections can easily bypass these in-band checks. Process approvals out-of-band using standard protocols like JSON Web Signatures, cryptographically linking the human approval to the specific tool-call's hash and context. You're proving mathematically that a human authorized the exact payload the agent intends to send.&lt;/p&gt;

&lt;h3&gt;
  
  
  Observability your SIEM can use: after the fact
&lt;/h3&gt;

&lt;p&gt;Even with prevention in place, incidents happen. The CISO comes in after the fact and needs an audit trail that their existing SIEM can query and replay, plus a detection layer that surfaces drift before it becomes the next incident.&lt;/p&gt;

&lt;h4&gt;
  
  
  Capability 5: Immutable, replayable audit trail
&lt;/h4&gt;

&lt;p&gt;Governance requires tamper-proof, replayable evidence. You need immutable audit logs that support full replay of any agent interaction.&lt;/p&gt;

&lt;p&gt;The minimum for attribution is five fields: Agent ID, User ID, Tool Call, Target System, and Timestamp. With those, you can prove who triggered which action, against which system, when. Full replay (which an auditor will ask for) requires the runtime to capture in addition to the above: Tenant, Task, Prompt Hash, Retrieved-Context References, Model Version, Policy Version, Decision, Approval, and Output Hash. All stored immutably.&lt;/p&gt;

&lt;p&gt;This stream should follow the &lt;a href="https://opentelemetry.io/docs/specs/semconv/gen-ai" rel="noopener noreferrer"&gt;OpenTelemetry GenAI semantic conventions&lt;/a&gt; for export to an enterprise SIEM. Include key attributes, such as the operation name and requested model, to ensure interoperability.&lt;/p&gt;

&lt;h3&gt;
  
  
  Continuous audit-readiness: the verification rubric itself
&lt;/h3&gt;

&lt;p&gt;The first three concerns address what the runtime does. This one addresses how you continuously prove it, without manual evidence assembly at audit time.&lt;/p&gt;

&lt;h4&gt;
  
  
  Capability 6: Compliance attestation at the agent and tool plane
&lt;/h4&gt;

&lt;p&gt;Compliance attestation becomes native to the runtime. Because every action is authenticated, evaluated, and immutably logged, the system continuously generates the exact evidence required for SOC 2 Type II attestation at the agent and tool plane.&lt;/p&gt;

&lt;p&gt;The same audit stream maps to ISO/IEC 42001 management-system controls, NIST AI RMF risk functions, ISO/IEC 42005 impact assessments, EU AI Act jurisdictional obligations, OWASP LLM Top 10 risk categories, and CSA Agentic Profile autonomy classification.&lt;/p&gt;

&lt;p&gt;Governance requires an integrated runtime. Security treated as an afterthought in observability won't survive a regulator's first replay request.&lt;/p&gt;




&lt;h2&gt;
  
  
  Observability and SIEM integration
&lt;/h2&gt;

&lt;p&gt;A runtime governance layer doesn't sit parallel to your security stack. It extends the SIEM, IAM, and DLP investments you've already made. The "I already have too many tools" objection is the right one for a CISO to lead with. The answer is that the runtime is not another tool. It's a layer that extends the ones you have into the place and enforces the policies where agents actually act. Flexible, not parallel.&lt;/p&gt;

&lt;p&gt;Every agent action emits a structured event that follows the &lt;a href="https://opentelemetry.io/docs/specs/semconv/gen-ai" rel="noopener noreferrer"&gt;OpenTelemetry GenAI semantic conventions&lt;/a&gt;. Your security operations team queries these events in the same SIEM they already use (Datadog, Splunk, New Relic, Sumo Logic), using the same query syntax and dashboards. Identity flows from the same IdP that handles human login. Sensitive-payload detection is built on the same DLP that classifies your file shares. Nothing parallel; everything already familiar to the security team.&lt;/p&gt;

&lt;p&gt;That distinction matters at audit time. Auditors don't ask for a binder of policies and screenshots. They query the audit log for the exact action, time window, or policy version they are interested in. A runtime that emits OpenTelemetry GenAI events lets your security operations team answer that query in the tools they already use to query everything else.&lt;/p&gt;

&lt;p&gt;It also closes a compliance gap most programs hit at audit time. SOC 2 Type II or HIPAA attestation on the underlying cloud doesn't extend to the agent or tool plane unless the runtime layer is explicitly in scope. The agent plane is where the action actually happens: every tool call, every credential resolution, every policy decision. Compliance evidence has to follow the action, not stop at the infrastructure boundary. A governance runtime that ships SOC 2 Type II coverage at the agent and tool plane closes that gap directly.&lt;/p&gt;




&lt;h2&gt;
  
  
  10 AI agent governance anti-patterns that break runtime compliance
&lt;/h2&gt;

&lt;p&gt;The right architecture matters, but knowing what breaks it matters as much. These ten traps are the patterns that render compliance efforts useless at audit time or during incident response.&lt;/p&gt;

&lt;h3&gt;
  
  
  1. AI governance by spreadsheet
&lt;/h3&gt;

&lt;p&gt;Treating compliance as static documentation rather than a dynamic byproduct of runtime execution guarantees your security posture will drift from reality the moment code is deployed. Security controls must be expressed as code and enforced automatically, not verified manually through periodic spreadsheet updates.&lt;/p&gt;

&lt;h3&gt;
  
  
  2. Mutable application logs
&lt;/h3&gt;

&lt;p&gt;Storing audit trails in standard, editable relational databases exposes you to massive compliance risks. Regulators and auditors demand immutable, replayable ledgers that prove an audit trail hasn't been tampered with to hide a rogue agent's actions or a developer's mistake.&lt;/p&gt;

&lt;h3&gt;
  
  
  3. Identity collapse and shadow MCP servers
&lt;/h3&gt;

&lt;p&gt;Using a single shared API key for all users interacting with an agent breaks attribution. When a breach occurs, you can't tell which user triggered the action. Without centralized identity, shadow servers proliferate without oversight, creating invisible, ungoverned attack surfaces.&lt;/p&gt;

&lt;h3&gt;
  
  
  4. Credentials exposed to the agent
&lt;/h3&gt;

&lt;p&gt;Storing API keys in the agent's system prompt, passing OAuth tokens as parameters the LLM can see, or letting credentials touch the agent's context window at any point creates a leak vector that no audit log can fix. A prompt injection that exfiltrates the credential is no different from one that exfiltrates user data. Credentials must be brokered by the runtime, scoped to the specific tool call, and never enter the agent's context.&lt;/p&gt;

&lt;h3&gt;
  
  
  5. In-band chat approvals
&lt;/h3&gt;

&lt;p&gt;Delivering human-in-the-loop approval prompts within the agent's own chat interface creates a critical vulnerability. Adversarial prompt injections can forge these interfaces or trick the model into bypassing approval logic, authorizing destructive actions without genuine user consent.&lt;/p&gt;

&lt;h3&gt;
  
  
  6. Agent-side policy enforcement
&lt;/h3&gt;

&lt;p&gt;Trusting the agent to enforce its own policy is like trusting a process to enforce its own permissions. LLMs can be prompt-injected to override their own guardrails, are non-deterministic about when they apply them, and produce no audit trail of what they decided or why. Policy enforcement must sit outside the agent, deterministic and auditable. The agent calls; the runtime decides.&lt;/p&gt;

&lt;h3&gt;
  
  
  7. Decentralized policy enforcement
&lt;/h3&gt;

&lt;p&gt;When policy is enforced in multiple places (the agent's system prompt, ad-hoc rules in tool wrappers, separate policy engines per team), there's no single source of truth. Each enforcement point drifts. Each runs its own version. Auditors can't replay decisions consistently, because no one can prove which policy authorized an action three months ago. Centralized, version-pinned policy enforcement at runtime is the only way to keep agent behavior consistent across teams and to make it replayable across audits.&lt;/p&gt;

&lt;h3&gt;
  
  
  8. No autonomy-tier classification
&lt;/h3&gt;

&lt;p&gt;Treating every agent identically, regardless of risk, forces overinvestment in low-stakes workloads while underprotecting high-impact ones. Without a clear tier classification mapped to data sensitivity and action reversibility, governance strictness can't scale with operational risk. Your security posture stays uniform when it should be proportional.&lt;/p&gt;

&lt;h3&gt;
  
  
  9. No revoke-and-rotate workflow
&lt;/h3&gt;

&lt;p&gt;When an employee is offboarded or a credential is suspected to be compromised, you need to instantly rotate that user's tokens and revoke their delegated agent access without disrupting the rest of the user base. Architectures built on shared service accounts can't selectively revoke a single user's access, forcing security teams to choose between all-or-nothing breakage.&lt;/p&gt;

&lt;h3&gt;
  
  
  10. Compliance attestation that covers the cloud but not the agent
&lt;/h3&gt;

&lt;p&gt;A SOC 2 or HIPAA certificate on your cloud provider is not a certificate on your agent fleet. Many programs only discover this gap mid-audit, when the auditor asks for evidence of agent actions, policy decisions, and approvals, and the answer is "our cloud is certified," which doesn't address the question. The agent plane needs its own attestation scope, or it will remain inadmissible no matter how many infrastructure-layer reports you produce.&lt;/p&gt;




&lt;h2&gt;
  
  
  Implementation patterns for AI agent governance in regulated industries
&lt;/h2&gt;

&lt;p&gt;Those are the failure modes. The flip side is what running the framework actually looks like in production, across highly regulated environments with distinct autonomy requirements.&lt;/p&gt;

&lt;h3&gt;
  
  
  Healthcare (HIPAA): Tier 1 approval and PHI logging
&lt;/h3&gt;

&lt;p&gt;Consider a Tier 1 clinical note-summarization agent deployed under HIPAA. The contractual layer (Business Associate Agreements between covered entities and processors) sits outside the runtime, but the obligations it creates live within it: strict data boundaries, demonstrable PHI access controls, and an audit trail that proves who accessed what, when, and under whose authority.&lt;/p&gt;

&lt;p&gt;Before any summarized note is committed back to an electronic health record system, the framework requires human-in-the-loop approval. The runtime logs the physician's cryptographic signature alongside the exact prompt hash, the retrieved patient context, and the output hash. Every instance of access to Protected Health Information is immutably logged.&lt;/p&gt;

&lt;p&gt;This pattern exercises three CISO concerns simultaneously: identity and attribution (the physician is the security principal), active prevention at the tool call (no PHI write without signed approval), and observability that the SIEM can use (every access is replayable). The contract still has to be signed, but the evidence to demonstrate it is generated automatically.&lt;/p&gt;

&lt;h3&gt;
  
  
  Financial services: Tier 2 bounded trade execution
&lt;/h3&gt;

&lt;p&gt;Consider a Tier 2 bounded agent for compliant trade execution. The agent operates autonomously, but only within the pre-approved scope defined by policy-as-code.&lt;/p&gt;

&lt;p&gt;A trader might ask the agent to rebalance a portfolio based on specific market signals. When the agent attempts the tool call to the trading API, the runtime intercepts the request and evaluates it against trading limits and risk parameters. The system records the exact policy version used to make the decision. If an auditor or regulator questions a trade later, you can replay the exact decision matrix, from the initial user prompt hash through the policy evaluation to the final output hash.&lt;/p&gt;

&lt;p&gt;This pattern leans hardest on active prevention at the tool call (policy-as-code enforcement, version-pinned) and continuous audit-readiness (replayable decision matrices). Identity is the trader; attribution is the policy version. A regulator asking "why was this trade allowed?" has a deterministic answer.&lt;/p&gt;

&lt;h3&gt;
  
  
  Cross-industry: enterprise offboarding (Tier 1–2)
&lt;/h3&gt;

&lt;p&gt;For large enterprises and public sector deployments running Tier 1 to Tier 2 agents, strict data residency and identity lifecycle management are most important.&lt;/p&gt;

&lt;p&gt;Consider an employee undergoing an unexpected HR offboarding event. In a traditional setup with shared API keys, revoking access without breaking the agent for other users is nearly impossible. With an integrated runtime treating the agent as a distinct security principal tied to the user's identity, the offboarding event automatically triggers token rotation. The system revokes that specific user's delegated agent access instantly, ending in-flight operations and neutralizing the credential risk. No disruption to the rest of the organization.&lt;/p&gt;

&lt;p&gt;This pattern is the clearest demonstration of identity and attribution doing their jobs. The service account problem is the failure mode that this prevents; per-agent identity tied to the requesting user is the resolution. If your runtime can't pass an offboarding fire drill in under a minute, the rest of the rubric doesn't matter.&lt;/p&gt;




&lt;h2&gt;
  
  
  Where each vendor category fits the agent governance rubric
&lt;/h2&gt;

&lt;p&gt;The AI security market is highly fragmented. Enterprise architects end up stitching together disparate tools that were never designed for autonomous agents. The vendor landscape sorts into categories that Arcade integrates with, displaces at the agent action layer, or treats as out of scope. The difference matters.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Vendor categories and their relationship to Arcade&lt;/em&gt;&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Architectural layer&lt;/th&gt;
&lt;th&gt;Example vendors&lt;/th&gt;
&lt;th&gt;Relationship to Arcade&lt;/th&gt;
&lt;th&gt;Why&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;SIEM and observability platforms&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Datadog, Splunk, New Relic, Sumo Logic&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;Feed&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Arcade exports OpenTelemetry GenAI events. Your security operations team queries them in the same SIEM they already use, with the same query syntax. The SIEM stays; the runtime sends it the agent-action layer it currently can't see.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Policy engines and FGA platforms&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Open Policy Agent, Cedar, OpenFGA, Oso (Polar DSL), WorkOS FGA&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;Complement&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Define and evaluate fine-grained authorization rules. The runtime integrates with your policy engine and enforces those rules at the agent action layer, applying them in the per-user, per-tool, per-action context where agents actually act.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;GRC platforms&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Vanta, Drata, Secureframe&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;Complement&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Map theoretical controls and automate attestation paperwork. Don't govern the actual API tool calls an agent makes. Arcade integrates with your GRC platform and enforces those controls on every tool call. GRC declares; Arcade enforces.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Identity providers&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Okta, Auth0, WorkOS, Clerk&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;Complement&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Authenticate the human user. Stop at the human login boundary. Arcade brokers delegated agent tokens against the same IdP and extend identity into the agent action plane.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;MCP gateways and integration wrappers&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Composio&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;Displaces&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Connect language models to tools for rapid prototyping. Lacks enterprise-grade identity isolation, just-in-time consent, out-of-band approval routing, and immutable audit at the agent plane.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Agent frameworks&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;LangChain, Mastra&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;Complement&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Operate at the reasoning layer (deciding what the agent should do). Arcade governs the underlying action layer, decoupled from the framework. Pick a framework for reasoning and a runtime for action. They combine.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;MCP runtimes&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;&lt;a href="https://www.arcade.dev/" rel="noopener noreferrer"&gt;Arcade.dev&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;The unifying layer&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Ships the complete 6-capability rubric natively. SOC 2 Type II coverage extends from the underlying cloud through to every tool call an agent makes.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Relying on a patchwork of these vendor classes leaves significant security gaps and integration liabilities. A unified MCP runtime brings agent registration, per-user authorization, policy-as-code enforcement, immutable audit, and runtime attestation under a single, cohesive operating model. It extends the SIEM, IdP, and DLP investments your security team already runs.&lt;/p&gt;




&lt;h2&gt;
  
  
  Next steps to migrate to an MCP runtime for agent governance
&lt;/h2&gt;

&lt;p&gt;Closing the gap between governance policy and runtime enforcement is a concrete engineering exercise. Four moves get you most of the way:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Audit your current agent and tool registry.&lt;/strong&gt; Inventory every agent, every connected tool, every shadow MCP server, and every shared service account. If you can't produce an authoritative list with owner, purpose, model version, autonomy tier, and approved users in under a day, your governance posture is already drifting.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Stop building bespoke audit infrastructure.&lt;/strong&gt; Custom event-bus schemas, mutable application logs masquerading as audit trails, hand-rolled OpenTelemetry pipelines for agent traces. This is undifferentiated technical debt. Your engineers should ship governed agents, not maintain compliance plumbing.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Test revoke-and-rotate aggressively.&lt;/strong&gt; Run an offboarding fire drill with a real test user. Verify that a single offboarding event rotates that user's tokens, terminates in-flight agent operations on their behalf, and leaves every other user's workflow undisturbed. If the workflow can't do this in under a minute, your runtime can't survive a real credential incident.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Evaluate an MCP runtime.&lt;/strong&gt; Look for a runtime that ships the six governance capabilities natively, with SOC 2 Type II attestation that covers the agent and tool plane, not just the underlying cloud.&lt;/p&gt;

&lt;p&gt;Stitching together passive observability tools and standalone policy engines can't satisfy this requirement. &lt;a href="https://www.arcade.dev/" rel="noopener noreferrer"&gt;Arcade.dev&lt;/a&gt; is the first MCP runtime to ship the complete agent governance rubric natively (runtime enforcement plus immutable, replayable audit), with SOC 2 Type II that extends from the underlying cloud to every tool call an agent makes.&lt;/p&gt;




&lt;h2&gt;
  
  
  Frequently asked questions (FAQ)
&lt;/h2&gt;

&lt;h3&gt;
  
  
  What is AI agent governance, and how is it different from LLM governance?
&lt;/h3&gt;

&lt;p&gt;AI agent governance controls and proves what an agent can &lt;em&gt;do&lt;/em&gt;, especially tool/API calls, using runtime policy enforcement, identity, and immutable audit trails. LLM governance often focuses on model behavior and outputs rather than execution-layer actions.&lt;/p&gt;

&lt;h3&gt;
  
  
  Why isn't logging enough for AI agent compliance?
&lt;/h3&gt;

&lt;p&gt;Logs are passive and occur after the fact. They can't stop an undesired tool call or prompt-injection-driven action. Regulated environments require deterministic, pre-execution enforcement plus tamper-proof, replayable evidence.&lt;/p&gt;

&lt;h3&gt;
  
  
  Does an MCP runtime replace our SIEM?
&lt;/h3&gt;

&lt;p&gt;No. It extends it. Every agent action emits an OpenTelemetry GenAI event into the same SIEM your security operations team already queries (Datadog, Splunk, New Relic, Sumo Logic). The runtime extends your SIEM into the agent action plane; it doesn't displace it. The same model applies to your IdP (Okta, Entra, etc.) and DLP. The runtime extends those investments rather than running parallel to them.&lt;/p&gt;

&lt;h3&gt;
  
  
  Does this lock us into a specific agent framework?
&lt;/h3&gt;

&lt;p&gt;No. A runtime governance layer is decoupled from the agent framework. LangChain, Mastra, your own in-house framework: whichever your AI/ML team picks for agent reasoning, the runtime governs the action layer underneath it the same way. Frameworks decide what the agent should do; the runtime governs whether and how it gets to do it.&lt;/p&gt;

&lt;h3&gt;
  
  
  What does "runtime enforcement at the tool-call boundary" mean?
&lt;/h3&gt;

&lt;p&gt;Every tool/API request is intercepted, evaluated against policy-as-code, and either blocked, modified (e.g., redacted), or allowed before it reaches the resource server. Then it's logged with the decision and policy version.&lt;/p&gt;

&lt;h3&gt;
  
  
  How do I choose the right autonomy tier for an agent?
&lt;/h3&gt;

&lt;p&gt;Classify autonomy by data sensitivity, reversibility of actions, and potential legal/customer impact. Use Tier 1 (fully supervised, human approval per action) for high-stakes irreversible workloads. Tier 2 (constrained autonomy within pre-approved scope) is the default for the enterprise.&lt;/p&gt;

&lt;h3&gt;
  
  
  What are the minimum audit log fields required for agent governance?
&lt;/h3&gt;

&lt;p&gt;See the canonical schema in Capability 5 above: Agent ID, User ID, Tool Call, System, and Timestamp at minimum. Stored immutably. Richer fields (prompt hash, retrieved-context references, policy version, output hash) enable full replay.&lt;/p&gt;

&lt;h3&gt;
  
  
  What is "policy version pinning" and why does it matter?
&lt;/h3&gt;

&lt;p&gt;Policy version pinning records the exact policy version that authorized a specific action at that time. It prevents "silent compliance breaks" when policies change and enables auditors to accurately replay historical decisions.&lt;/p&gt;

&lt;h3&gt;
  
  
  Why are in-chat human approvals unsafe for agents?
&lt;/h3&gt;

&lt;p&gt;In-band chat approvals can be spoofed or bypassed via prompt injection. Use out-of-band approvals (e.g., signed approvals bound to the tool-call hash) to cryptographically prove a human authorized the exact payload.&lt;/p&gt;

&lt;h3&gt;
  
  
  What does "agent-as-a-security-principal" mean?
&lt;/h3&gt;

&lt;p&gt;Each agent gets its own identity and scoped credentials tied to the requesting user and tenant. This enables least privilege, clear attribution, and rapid revocation without relying on shared API keys.&lt;/p&gt;

&lt;h3&gt;
  
  
  Can we just use a service account per agent?
&lt;/h3&gt;

&lt;p&gt;No. Shared or pooled service accounts break attribution (you can't tell which user triggered an action), block selective revocation (you can't rotate one user's access without breaking everyone's), and force all-or-nothing access decisions. The category requires per-agent identity tied to the requesting user, scoped to specific tools and actions, acquired just-in-time, and revocable in isolation.&lt;/p&gt;

&lt;h3&gt;
  
  
  How does this map to the EU AI Act, NIST AI RMF, and ISO 42001?
&lt;/h3&gt;

&lt;p&gt;Those frameworks require traceability, monitoring, risk controls, and oversight. The runtime governance stack implements them operationally via identity, policy-as-code, immutable logs, HITL, and continuous assurance.&lt;/p&gt;

&lt;h3&gt;
  
  
  Our cloud provider is SOC 2 Type II certified. Isn't that enough?
&lt;/h3&gt;

&lt;p&gt;No. Cloud attestation doesn't extend to the agent and tool plane unless the runtime layer is explicitly in scope. Auditors will ask for evidence of every agent action, every policy decision, and every approval. If your stack only attests at the infrastructure layer, the agent plane is unattested and inadmissible, regardless of your cloud provider's certificate.&lt;/p&gt;

&lt;h3&gt;
  
  
  What are the most common anti-patterns in agent governance?
&lt;/h3&gt;

&lt;p&gt;Ten patterns break runtime compliance: spreadsheet governance, mutable logs, identity collapse with shadow MCP servers, credentials exposed to the agent, in-band chat approvals, agent-side policy enforcement, decentralized policies, no autonomy-tier classification, no revoke-and-rotate workflow, and compliance attestation that covers the cloud but not the agent or tool plane. Each one breaks auditability or allows unauthorized actions to slip through.&lt;/p&gt;

</description>
      <category>agents</category>
      <category>mcp</category>
      <category>security</category>
      <category>ai</category>
    </item>
    <item>
      <title>6 Signs Your In-House AI Agents Need an MCP Runtime</title>
      <dc:creator>Manveer Chawla</dc:creator>
      <pubDate>Tue, 09 Jun 2026 20:44:55 +0000</pubDate>
      <link>https://dev.to/arcade/when-ai-agents-need-mcp-runtime-431p</link>
      <guid>https://dev.to/arcade/when-ai-agents-need-mcp-runtime-431p</guid>
      <description>&lt;p&gt;Someone on your revenue operations team got tired of nagging account executives about CRM hygiene. So they wired up an agent. Salesforce has an MCP server, the model can call tools, and the workflow is obvious: take the meeting transcript, pull out the next steps, update the opportunity, log the activity, push a follow-up task. An afternoon of work, one API token in a &lt;code&gt;.env&lt;/code&gt; file, and the thing runs.&lt;/p&gt;

&lt;p&gt;It works. AEs stop complaining. The demo gets passed around. Within a week, two other teams want the same thing for Zendesk and Jira, and you have quietly become the owner of production Agentic AI inside the company.&lt;/p&gt;

&lt;p&gt;Then it stops being an afternoon project. Not because the agent got worse, but because the moment it acts on behalf of other people, every shortcut that made the prototype fast turns into a question you cannot answer with a &lt;code&gt;print()&lt;/code&gt; statement.&lt;/p&gt;

&lt;h2&gt;
  
  
  TL;DR
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;You need an MCP runtime for your AI Agents when auth, permissions, audit logs, integrations, reuse, or risk ownership start moving out of the prototype phase.&lt;/li&gt;
&lt;li&gt;MCP standardizes tool connections, but it does not, by itself, solve production governance.&lt;/li&gt;
&lt;li&gt;An MCP runtime centralizes identity, policy, tool execution, and evidence so that you do not need to rebuild those layers from scratch for deploying AI agents in production&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  The wall is predictable, not a failure
&lt;/h2&gt;

&lt;p&gt;You built the right thing. The prototype-first path is the correct first move. Prototypes are cheap to assemble once a model can call tools and an &lt;a href="https://dev.to/blog/announcing-native-support-for-mcp-servers"&gt;MCP server&lt;/a&gt; can expose capabilities, and a small team can tolerate a narrow happy path. Every team now running agents at scale started exactly where you are, with one workflow, one tenant, light usage, and a forgiving risk posture.&lt;/p&gt;

&lt;p&gt;The first version works because it quietly cheats. The engineer who built it is the security boundary. They know which records the agent can touch, they wrote the prompt, and they hold the token. There is no question of "what should this agent be allowed to do," because the answer is "whatever I, the builder, can do." That assumption holds right up until the agent is doing things for people who are not you.&lt;/p&gt;

&lt;p&gt;Six signs separate a working prototype from something that needs real infrastructure. None is exotic. You will recognize your own repo in most of them.&lt;/p&gt;

&lt;h2&gt;
  
  
  Sign 1: You're writing more auth and login plumbing than agent logic
&lt;/h2&gt;

&lt;p&gt;&lt;em&gt;The identity layer: proving who is actually calling the tools.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;You've crossed it when:&lt;/strong&gt; your &lt;code&gt;auth/&lt;/code&gt; directory is bigger than your &lt;code&gt;tools/&lt;/code&gt; directory.&lt;/p&gt;

&lt;p&gt;Look at your repository. The &lt;code&gt;tools/&lt;/code&gt; directory grew a sibling &lt;code&gt;auth/&lt;/code&gt; directory, and &lt;code&gt;auth/&lt;/code&gt; is now bigger. Standups have shifted from "how do we improve the agent" to "why did this user's refresh token fail" and "which account is the agent using." A new engineer's first ticket is "add Slack," and it takes two weeks.&lt;/p&gt;

&lt;h3&gt;
  
  
  Why it happens
&lt;/h3&gt;

&lt;p&gt;Acting agents sit in the hard middle between a user and a downstream API, which forces you to own &lt;a href="https://dev.to/blog/ai-agent-authentication-authorization"&gt;multi-user AI agent authentication and authorization&lt;/a&gt; mechanics you used to get for free, and enterprise APIs do not share an identity standard. &lt;a href="https://docs.slack.dev/authentication/using-token-rotation/" rel="noopener noreferrer"&gt;Slack rotates access tokens every 12 hours&lt;/a&gt;; &lt;a href="https://docs.github.com/en/apps/creating-github-apps/setting-up-a-github-app/best-practices-for-creating-a-github-app" rel="noopener noreferrer"&gt;GitHub&lt;/a&gt; expires installation tokens in an hour and refresh tokens in six months; &lt;a href="https://learn.microsoft.com/en-us/graph/permissions-overview" rel="noopener noreferrer"&gt;Microsoft Graph&lt;/a&gt; splits delegated from app-only access with its own consent model. Implementing one is a week. Implementing five, with refresh, rotation, revocation, and per-user storage, is a sustained quarter. Get the concurrency wrong and two threads refresh the same single-use token at once, the provider reads it as a replay attack, and the user is locked out.&lt;/p&gt;

&lt;h3&gt;
  
  
  How it plays out
&lt;/h3&gt;

&lt;p&gt;Trace it through the Salesforce agent. The first version runs on one static admin token. Then the sales director wants updates recorded under the rep who was on the call, so you build per-user OAuth with a background worker to store, encrypt, and refresh tokens (Salesforce access tokens expire in two hours). Then security asks what happens when an AE leaves, so revocation has to tie into your IdP's deprovisioning. Each request is reasonable. Together, they are an IAM client you never set out to build.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Bottom line:&lt;/strong&gt; the prototype needed a login; the production agent needs an identity model, especially once enterprise teams expect &lt;a href="https://dev.to/blog/sso-for-ai-agents-authentication-and-authorization-guide"&gt;SSO for AI agents&lt;/a&gt; to work like the rest of their software stack.&lt;/p&gt;

&lt;h2&gt;
  
  
  Sign 2: Your permissions are a growing pile of hand-maintained if-then rules
&lt;/h2&gt;

&lt;p&gt;&lt;em&gt;The policy layer: deciding what they're allowed to do.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;You've crossed it when:&lt;/strong&gt; nobody can say what the agent is allowed to do without reading the code.&lt;/p&gt;

&lt;p&gt;Sign 1 was authentication: proving who is asking. This is authorization, the harder half: deciding what they are allowed to do, and in production, agents usually mean a &lt;a href="https://dev.to/blog/ai-agent-authentication-authorization"&gt;delegated authorization stack&lt;/a&gt; that evaluates the user, the agent, and the action together. It starts with one clean check, updates the record only if the signed-in rep can edit it, and then the rules multiply. Update &lt;code&gt;Stage&lt;/code&gt;, but only with the "Pipeline Manager" permission set. Closed-won updates need manager approval. EMEA is exempt. SDRs can edit notes but not the advanced stages. Each is a defensible business need. Together, they are configuration hell, accreting in one file: &lt;code&gt;permissions.py&lt;/code&gt; fills with branches and comments like &lt;code&gt;# do NOT remove, breaks renewals team&lt;/code&gt;, and new permission requests take a sprint.&lt;/p&gt;

&lt;h3&gt;
  
  
  Why it happens
&lt;/h3&gt;

&lt;p&gt;The problem is structural: authorization depends on subject, object, and context, and inline conditionals collapse those dimensions into procedural mush. &lt;a href="https://csrc.nist.gov/pubs/sp/800/162/upd2/final" rel="noopener noreferrer"&gt;NIST's ABAC guidance&lt;/a&gt; exists for exactly this reason, and tools like &lt;a href="https://www.openpolicyagent.org/docs/latest/" rel="noopener noreferrer"&gt;Open Policy Agent&lt;/a&gt; externalize policy to keep it out of application code.&lt;/p&gt;

&lt;h3&gt;
  
  
  How it plays out
&lt;/h3&gt;

&lt;p&gt;Salesforce is the cautionary tale. Its &lt;a href="https://developer.salesforce.com/docs/atlas.en-us.securityImplGuide.meta/securityImplGuide/security_data_sharing.htm" rel="noopener noreferrer"&gt;permission model&lt;/a&gt;, profiles, permission sets, sharing rules, field-level security, and more, is two decades of mature hand-maintained authorization. An agent re-implementing a slice of that in Python is starting the same journey with a fraction of the staff.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Bottom line:&lt;/strong&gt; at first, if-statements are the fastest way to encode context; later, they are an undocumented policy system, and a single wrong branch has blast radius across every tenant the agent touches.&lt;/p&gt;

&lt;h2&gt;
  
  
  Sign 3: You need agent audit logs for every tool call
&lt;/h2&gt;

&lt;p&gt;&lt;em&gt;The evidence layer: reconstructing what actually happened.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;You've crossed it when:&lt;/strong&gt; you can't reconstruct who did what after the fact.&lt;/p&gt;

&lt;p&gt;Suppose the permission rules are right. You still cannot prove they were followed. The clearest version of this sign is a Slack thread:&lt;/p&gt;

&lt;p&gt;"Hey, did the bot just close that opp?"&lt;br&gt;
"I think so?"&lt;br&gt;
"Can you check?"&lt;br&gt;
"The logs rolled over."&lt;/p&gt;

&lt;p&gt;That conversation is the finding. When something looks wrong, you need to answer fast: which run did it, who authorized it, what was the input, what changed downstream, and was there an approval? If you cannot, you do not have guardrails. You have an opinionated wrapper.&lt;/p&gt;

&lt;h3&gt;
  
  
  Why it happens
&lt;/h3&gt;

&lt;p&gt;An auditable action comprises at least five facets that must be recorded together: the requesting user, the agent identity, the authorization decision, the input, and the resulting change. Ad-hoc logging captures one or two, and they live in different systems. Salesforce &lt;a href="http://developer.salesforce.com/docs/atlas.en-us.field_history_retention.meta/field_history_retention/field_audit_trail.htm" rel="noopener noreferrer"&gt;Field History&lt;/a&gt; has the state change but not the reasoning; the LLM trace has the reasoning but not the change; nothing correlates them. Guardrails are point-in-time controls; audit trails are durable evidence, and acting systems need both. &lt;a href="https://docs.slack.dev/admins/audit-logs-api/" rel="noopener noreferrer"&gt;Slack's Audit Logs API&lt;/a&gt; gives you actor, action, entity, and context, but explicitly will not tell you whether the action was appropriate.&lt;/p&gt;

&lt;h3&gt;
  
  
  How it plays out
&lt;/h3&gt;

&lt;p&gt;When finance flags a deal at quarter close because the amount was moved after the close date, you can see the new value but cannot determine who changed it, on whose behalf, or based on what input. And the moment the agent mutates regulated data the question stops being internal: &lt;a href="https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.312" rel="noopener noreferrer"&gt;HIPAA&lt;/a&gt; at 45 CFR §164.312(b) requires systems handling ePHI to record and examine activity.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Bottom line:&lt;/strong&gt; "we have the LLM transcript" is not an answer an auditor accepts. What they need instead is &lt;a href="https://dev.to/blog/connect-ai-agents-enterprise-tools"&gt;audit logs and telemetry for every tool call&lt;/a&gt;: who requested it, which tool ran, what changed, and how the action was authorized.&lt;/p&gt;

&lt;h2&gt;
  
  
  Sign 4: Every new system multiplies the work instead of adding to it
&lt;/h2&gt;

&lt;p&gt;&lt;em&gt;The integration layer: running one action across many systems.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;You've crossed it when:&lt;/strong&gt; the fifth connector costs more than the first, not less.&lt;/p&gt;

&lt;p&gt;Everything so far has been one agent against essentially one system. Then the roadmap arrives: "add Gmail, Calendar, Zendesk, Jira, Slack, and Salesforce." You budget for six connectors and price them roughly equal. Instead you get six different auth models, scope vocabularies, rate-limit behaviors, schemas, pagination styles, and audit surfaces. Adding Slack should have been easier than adding Salesforce. It was not. The first integration took two weeks; the fifth took five.&lt;/p&gt;

&lt;h3&gt;
  
  
  Why it happens
&lt;/h3&gt;

&lt;p&gt;You did not add six tools, you added six governance surfaces, and each one drags the earlier signs in behind it: another identity model to wire (Sign 1), another permission surface to encode (Sign 2), another audit stream to correlate (Sign 3). Every tool you bolt on imports a full instance of each. It gets worse when an agent composes across systems, because a single logical action (read from Calendar, look up in Salesforce, post to Slack) has to reconcile three identity propagations, three permission checks, three rate limits, and three failure modes within a single operation. This is the connector-count fallacy, and it is exactly the problem the &lt;a href="https://dev.to/blog/mcp-gateway-pattern"&gt;MCP gateway pattern&lt;/a&gt; is meant to avoid.&lt;/p&gt;

&lt;h3&gt;
  
  
  How it plays out
&lt;/h3&gt;

&lt;p&gt;The rate limits alone will stop a roadmap. &lt;a href="http://learn.microsoft.com/en-us/graph/throttling" rel="noopener noreferrer"&gt;Microsoft Graph&lt;/a&gt; caps you at four concurrent requests per mailbox, a ceiling that bites harder once &lt;a href="https://techcommunity.microsoft.com/blog/exchange/exchange-online-ews-your-time-is-almost-up/4492361" rel="noopener noreferrer"&gt;Exchange Web Services retires on October 1, 2026&lt;/a&gt; and its far roomier limit (27 connections) goes with it. Add Outlook so the agent can schedule follow-ups, and the first time it reads inbox threads while booking a meeting it trips that limit and starts collecting 429s. The roadmap stops while you build a centralized queue and rate limiter the prototype never needed.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Bottom line:&lt;/strong&gt; one more tool is not additive; it multiplies against everything already connected.&lt;/p&gt;

&lt;h2&gt;
  
  
  Sign 5: Each new team rebuilds the same infrastructure
&lt;/h2&gt;

&lt;p&gt;&lt;em&gt;The reuse layer: amortizing the work across agents and teams.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;You've crossed it when:&lt;/strong&gt; the next team forks nothing and starts from zero.&lt;/p&gt;

&lt;p&gt;Sign 4 was the cost of adding tools to one agent. This is the cost of adding agents to the company, the same multiplication seen from the other axis. The sales ops agent ships, after months of security clearance, token storage code, and custom audit logging. A month later the support team wants an agent that pulls Salesforce records when a Zendesk ticket opens. They look at the sales team's repo and start over. The auth is entangled with one queueing model, one set of scopes, one audit sink. Their logging assumes Salesforce. Nothing lifts cleanly, so both teams now maintain parallel auth code, and the security team has reviewed two patterns for the same risk.&lt;/p&gt;

&lt;h3&gt;
  
  
  Why it happens
&lt;/h3&gt;

&lt;p&gt;By the third agent (customer success wants a renewal-risk updater, finance wants an invoice assistant), you have three implementations of the same core layers (identity, policy, integration, evidence) and three separately approved patterns for the same risk. Put formally, you are solving an &lt;em&gt;N&lt;/em&gt; × &lt;em&gt;M&lt;/em&gt; problem by hand: &lt;em&gt;N&lt;/em&gt; agents, each rebuilt against &lt;em&gt;M&lt;/em&gt; systems. None of those layers is agent-specific, but in every repo they were written application-specific, so there is no interface to extract. A shared layer collapses the problem to &lt;em&gt;N&lt;/em&gt; + &lt;em&gt;M&lt;/em&gt;, where each connector is built once and every agent inherits it.&lt;/p&gt;

&lt;h3&gt;
  
  
  How it plays out
&lt;/h3&gt;

&lt;p&gt;This is the canonical platform-engineering trigger, and the industry has run the play before. &lt;a href="http://engineering.atspotify.com/opensource" rel="noopener noreferrer"&gt;Spotify built Backstage&lt;/a&gt; because its engineers were drowning in fragmented tooling, and Netflix calls this same idea the "paved road." An MCP runtime acts as this exact shared substrate for AI agents. By providing a centralized control plane and a shared registry for team-level access, the runtime ensures that identity, policy, evidence, and integrations are built once. Every new agent simply connects to the runtime and inherits this infrastructure, making the safe path the easy one.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Bottom line:&lt;/strong&gt; copying the first agent feels faster, right up until every copy inherits a private auth stack, permission model, and audit story. A centralized MCP runtime collapses this into a single integration point that every new team and agent can safely reuse.&lt;/p&gt;

&lt;h2&gt;
  
  
  Sign 6: Sensitive or legacy systems are entering scope, and nobody wants to personally own the risk
&lt;/h2&gt;

&lt;p&gt;&lt;em&gt;The ownership layer: deciding who carries the risk.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;You've crossed it when:&lt;/strong&gt; the pull request to a sensitive system sits open because no one will approve it.&lt;/p&gt;

&lt;p&gt;This sign is psychological before it is technical, and that is the point. You were fine letting the agent draft notes and update low-risk CRM fields. You are not fine pointing the same stack at payroll, refunds, or the ERP. A pull request to give it write access to NetSuite or Workday sits open. Reviewers comment but will not approve. The engineer asks security for sign-off; security asks the engineer. Nothing ships.&lt;/p&gt;

&lt;h3&gt;
  
  
  Why it happens
&lt;/h3&gt;

&lt;p&gt;That hesitation is correct, and notice what it is not about. The earlier signs were about building the mechanics, and by now you have most of them. This one is about who answers for the outcome when those mechanics touch something irreversible. A Salesforce note is recoverable in minutes; a journal entry in NetSuite hits the general ledger. These systems carry formal control expectations: &lt;a href="https://learn.microsoft.com/en-us/dynamics365/fin-ops-core/fin-ops/sysadmin/set-up-segregation-duties" rel="noopener noreferrer"&gt;Dynamics 365 ties segregation of duties to SOX, IFRS, and FDA controls&lt;/a&gt;. "The agent probably did the right thing" is not part of the operating model there. Legacy systems sharpen it further, since they often lack what makes a bad write survivable: no fine-grained permissions, no auditable API, no transactional undo.&lt;/p&gt;

&lt;h3&gt;
  
  
  How it plays out
&lt;/h3&gt;

&lt;p&gt;When the lead architect is asked to point the agent at a legacy financial database, the question is not "can I build the connection?" It is "if a malicious email steers this agent into the wrong write, the damage cannot be undone, and the name on the change is mine." Blocking that deploy is a rational refusal to personally absorb an institutional risk. This is where an MCP runtime steps in. By providing features like mandatory out-of-band human approvals ("read, draft, and commit"), contextual access policy hooks, and immutable OpenTelemetry-compatible audit logs, the runtime shifts the burden of trust from the developer to secure, verifiable infrastructure.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Bottom line:&lt;/strong&gt; when accountability exceeds what one person can absorb, the work requires institutional ownership through an MCP runtime. With versioned policy, retained audit logs, routed approvals, and credentials kept entirely out of the LLM execution environment, the engineer's name is on the code, not on the risk of the decision.&lt;/p&gt;

&lt;h2&gt;
  
  
  The pattern behind the signs
&lt;/h2&gt;

&lt;p&gt;These are not six unrelated problems. They are one problem wearing six masks. You set out to build an agent and ended up hand-building a runtime, one feature at a time, without the architecture to hold it together. The auth daemon, the growing &lt;code&gt;permissions.py&lt;/code&gt;, the scattered logs, the per-connector rate limiter, the copy-pasted glue, the deploy nobody will approve: each is a piece of execution infrastructure that should exist once and apply to every agent, reinvented inside a single application instead. Identity, policy, evidence, integration, reuse, ownership: six names for the same missing layer.&lt;/p&gt;

&lt;p&gt;An &lt;a href="https://dev.to/blog/mcp-gateways-runtimes-registries-guide"&gt;MCP runtime&lt;/a&gt; is that missing layer. Not a framework for building agents, and not a platform that hosts them. It is the standard execution layer agents act through, where those six concerns live once, as infrastructure, the same way a language runtime or a container runtime is not something application code opts into so much as the substrate it cannot act without. The agent proposes; the runtime authenticates the call, enforces policy, executes the tool, and records what happened.&lt;/p&gt;

&lt;p&gt;Adopt one and your effort moves from building security boundaries to designing what the agent should actually do. The six concerns become properties of the layer rather than per-agent plumbing, and the next team inherits the safe path rather than rebuilding it. &lt;a href="https://dev.to/"&gt;Arcade.dev&lt;/a&gt;, the MCP runtime, is built for exactly this. It delivers per-action authorization that evaluates the intersection of agent and user permissions at the moment of the call (with credentials kept out of the model), a catalog of 8,000+ agent-optimized MCP tools that translate intent into safe API calls instead of letting the model hallucinate parameters, and centralized lifecycle governance with an OpenTelemetry-compatible audit record per user per service. How you get a runtime, build or buy, is its own conversation.&lt;/p&gt;

&lt;h2&gt;
  
  
  Quick checklist: Have you outgrown the prototype?
&lt;/h2&gt;

&lt;p&gt;You do not need a runtime the first time an agent works. You need one when the agent becomes important enough that the surrounding questions matter as much as the prompt.&lt;/p&gt;

&lt;p&gt;Run the checklist against the agent you already have:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;It acts on behalf of more than one user.&lt;/li&gt;
&lt;li&gt;It uses per-user OAuth instead of one developer-owned token.&lt;/li&gt;
&lt;li&gt;It can write to systems of record, not just read from them.&lt;/li&gt;
&lt;li&gt;Permissions depend on role, team, region, record owner, approval state, or business context.&lt;/li&gt;
&lt;li&gt;You cannot reconstruct every tool call from request to downstream change.&lt;/li&gt;
&lt;li&gt;Adding a new connector means rebuilding auth, scopes, rate limits, retries, and audit behavior.&lt;/li&gt;
&lt;li&gt;A second team is copying the first agent rather than reusing the shared infrastructure.&lt;/li&gt;
&lt;li&gt;Sensitive systems such as payroll, refunds, ERP, finance, healthcare, and customer data are coming into scope.&lt;/li&gt;
&lt;li&gt;Security, legal, or compliance has started asking who approved the action, not just whether the code works.&lt;/li&gt;
&lt;li&gt;A pull request is stalled because everyone agrees the agent is useful, but nobody wants to personally own the risk.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you checked one or two, you may still be in prototype territory. If you checked three or more, the agent is probably no longer the hard part. The missing layer around it is.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Bottom line:&lt;/strong&gt; once the questions are about identity, permission, evidence, reuse, and ownership, you are no longer debugging an agent. You are discovering the runtime it needs.&lt;/p&gt;

&lt;h2&gt;
  
  
  You've crossed the threshold
&lt;/h2&gt;

&lt;p&gt;If these signs sound like your standups, your repo, and your stalled pull requests, the conclusion is simple: you have outgrown the DIY approach. Not because you built it wrong, but because you built it well enough to hit the same wall that web apps hit before centralized identity, that deployments hit before CI/CD, and that infrastructure hit before container orchestration. The artifact that resolved each of those was the same shape every time: extract the execution layer. You are not late. You are exactly on time for the transition; every infrastructure category before this one has already been made.&lt;/p&gt;

&lt;p&gt;How you get that runtime, whether you &lt;a href="https://dev.to/blog/mcp-runtime-build-vs-buy"&gt;build or buy an MCP runtime&lt;/a&gt;, and how to evaluate the options, is the next conversation.&lt;/p&gt;

&lt;h2&gt;
  
  
  Frequently Asked Questions
&lt;/h2&gt;

&lt;h3&gt;
  
  
  What is an MCP runtime?
&lt;/h3&gt;

&lt;p&gt;An MCP runtime is the governed execution layer for agents that use Model Context Protocol tools. It sits between the agent and the MCP servers it calls, handling identity, authorization, tool execution, credential isolation, policy enforcement, and audit logging.&lt;/p&gt;

&lt;h3&gt;
  
  
  Why do AI agents need a runtime?
&lt;/h3&gt;

&lt;p&gt;AI agents need a runtime when they move from prototypes to production. MCP helps agents connect to tools, but teams still need a governed layer to decide who the agent is acting for, what it is allowed to do, how credentials are protected, and how each action is recorded.&lt;/p&gt;

&lt;h3&gt;
  
  
  Is MCP itself a runtime?
&lt;/h3&gt;

&lt;p&gt;No. MCP standardizes how agents connect to tools and context. An MCP runtime governs what happens when those tools are used, including authorization, credential handling, policy checks, approvals, retries, rate limits, and audit trails.&lt;/p&gt;

&lt;h3&gt;
  
  
  When should a team use an MCP runtime?
&lt;/h3&gt;

&lt;p&gt;A team should use an MCP runtime when an agent acts on behalf of multiple users, connects to sensitive systems, writes to systems of record, requires per-user OAuth, needs audit logs, or is being reused across multiple teams and workflows.&lt;/p&gt;

&lt;h3&gt;
  
  
  How is an MCP runtime different from an MCP server?
&lt;/h3&gt;

&lt;p&gt;An MCP server exposes tools, resources, or prompts to an agent. An MCP runtime governs the execution of those tools in production. The server defines what is available. The runtime controls who can use it, under what policy, with which credentials, and with what audit record.&lt;/p&gt;

&lt;h3&gt;
  
  
  How is an MCP runtime different from an MCP gateway?
&lt;/h3&gt;

&lt;p&gt;An MCP gateway primarily federates tools from multiple MCP servers into a single endpoint for simplified routing and single-URL configuration. While useful for connectivity, a gateway just routes requests. An MCP runtime is a complete execution layer that goes beyond routing to include delegated multi-user authorization, intent-level tool execution, contextual policy enforcement, and immutable audit logging. A gateway routes; a runtime executes, enforces, and audits.&lt;/p&gt;

&lt;h3&gt;
  
  
  How does an MCP runtime improve security?
&lt;/h3&gt;

&lt;p&gt;An MCP runtime improves security by separating the agent from raw credentials, enforcing per-user and per-action authorization, limiting tool access, routing sensitive actions through policy checks, and recording what happened for every tool call.&lt;/p&gt;

&lt;h3&gt;
  
  
  Should companies build or buy an MCP runtime?
&lt;/h3&gt;

&lt;p&gt;Build an MCP runtime only if your agent is single-user, your APIs are fully internal, or your agent infrastructure is your core product. For multi-user production agents that need OAuth, credential vaulting, permissions, audit logs, or SaaS integrations, buying a runtime usually lets the team ship faster while avoiding the need to own permanent infrastructure.&lt;/p&gt;

</description>
      <category>mcp</category>
      <category>ai</category>
      <category>agents</category>
      <category>security</category>
    </item>
    <item>
      <title>How to manage multi-user AI agent authentication and authorization in 2026 (OAuth 2.1, OIDC, and delegated access)</title>
      <dc:creator>Manveer Chawla</dc:creator>
      <pubDate>Thu, 14 May 2026 20:18:23 +0000</pubDate>
      <link>https://dev.to/arcade/how-to-manage-multi-user-ai-agent-authentication-and-authorization-in-2026-oauth-21-oidc-and-2943</link>
      <guid>https://dev.to/arcade/how-to-manage-multi-user-ai-agent-authentication-and-authorization-in-2026-oauth-21-oidc-and-2943</guid>
      <description>&lt;h2&gt;
  
  
  TL;DR: multi-user AI agent authentication and authorization in 2026
&lt;/h2&gt;

&lt;p&gt;Moving AI agents from single-user desktop demos to enterprise production means solving a brutal engineering problem: multi-user, multi-system delegated authorization.&lt;/p&gt;

&lt;p&gt;Security architects and lead AI engineers are now dealing with agents that execute complex workflows across critical infrastructure on behalf of thousands of concurrent users.&lt;/p&gt;

&lt;p&gt;The core design principle is non-negotiable: treat every agent action as delegated user access, never as the agent's own blanket access. The whole authorization stack falls out of that distinction. Nine capabilities, two identities, one strict intersection rule.&lt;/p&gt;

&lt;p&gt;This guide breaks down how to combine OpenID Connect, OAuth 2.1, and a managed Model Context Protocol (MCP) runtime like &lt;a href="https://www.arcade.dev/" rel="noopener noreferrer"&gt;Arcade.dev&lt;/a&gt; to prevent tool misuse, data leakage, and excessive agency. It's built for identity and access management leads, security architects, and AI engineering leads who need the exact infrastructure requirements to safely deploy multi-user agents into production.&lt;/p&gt;

&lt;h2&gt;
  
  
  Threat model for multi-user AI agents: prompt injection, tool misuse, and confused deputy
&lt;/h2&gt;

&lt;p&gt;You can't engineer secure authorization without defining the threat model first. For large language models, the most dangerous attack vector runs from prompt injection straight to tool misuse.&lt;/p&gt;

&lt;p&gt;If an enterprise agent inherits blanket admin access to a backend system, a single poisoned RAG document or malicious prompt can weaponize that agent. An attacker instructs the model to scan an inbox, summarize sensitive financial data, and exfiltrate the payload via an external tool call. The whole exfil chain completes without a human in the loop.&lt;/p&gt;

&lt;p&gt;The &lt;a href="https://genai.owasp.org/resource/owasp-top-10-for-llm-applications-2025/" rel="noopener noreferrer"&gt;Open Web Application Security Project highlights these vulnerabilities&lt;/a&gt; in its updated guidelines, citing &lt;a href="https://genai.owasp.org/llmrisk/llm01-prompt-injection/" rel="noopener noreferrer"&gt;prompt injection&lt;/a&gt; and &lt;a href="https://github.com/OWASP/www-project-top-10-for-large-language-model-applications/blob/main/2_0_vulns/LLM06_ExcessiveAgency.md" rel="noopener noreferrer"&gt;excessive agency&lt;/a&gt; as primary risks that lead directly to the confused deputy problem.&lt;/p&gt;

&lt;p&gt;In a &lt;a href="https://embracethered.com/blog/posts/2023/chatgpt-cross-plugin-request-forgery-and-prompt-injection./" rel="noopener noreferrer"&gt;confused deputy attack&lt;/a&gt;, an application gets tricked into misusing its inherited authority.&lt;/p&gt;

&lt;p&gt;There's a second class of attack that targets the authorization flow itself. An attacker who can intercept or guess the identifier for a pending OAuth authorization can redirect the consent step to their own browser, either capturing the user's grant or seeding the agent with credentials it shouldn't have. Treating every first-time tool authorization as a step that must be cryptographically bound to a verified app user is the only durable defense.&lt;/p&gt;

&lt;h2&gt;
  
  
  The two-identity model for agent authorization
&lt;/h2&gt;

&lt;p&gt;Engineering teams typically make one of two mistakes when designing agent authorization. Give the agent its own identity, and an intern can bypass their permissions through the agent. Inherit the user's full access, and a single prompt injection cascades through every connected system.&lt;/p&gt;

&lt;p&gt;The right answer is the intersection: what this agent is allowed to do AND what this user is allowed to do, evaluated per action, at runtime.&lt;/p&gt;

&lt;p&gt;Effective authorization in agentic systems requires every request to carry two identity layers:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;The project-level key (the agent application):&lt;/strong&gt; The workload identity making the call. Registered as an OAuth client, scoped to the application running the agent logic.
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;The user-level identity (on whose behalf the action is taken):&lt;/strong&gt; The actual person requesting the action, authenticated via a protocol like OpenID Connect, and represented in the request as a delegated subject.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The runtime evaluates these two identities against a &lt;em&gt;delegated execution context&lt;/em&gt;: a bounded, short-lived binding that ties a specific user to a specific agent for a specific task. The context isn't a third identity. It's the tuple of claims (user, agent, scopes, audience, tenant, task ID, expiry) the runtime evaluates at every tool call.&lt;/p&gt;

&lt;p&gt;This model enforces the identity intersection rule, which is the foundation of modern agent security.&lt;/p&gt;

&lt;p&gt;An agent's effective authority must always be calculated as the strict intersection of its own baseline permissions and the requesting human user's permissions. Never the union.&lt;/p&gt;

&lt;p&gt;If a user can't delete a database record, the agent acting on their behalf must fail when attempting the same action. It doesn't matter what the agent's maximum theoretical capabilities are.&lt;/p&gt;

&lt;p&gt;Implementing this intersection requires strict protocol separation. OpenID Connect authenticates the human user to establish who is interacting with the system. OAuth 2.1 authorizes what specific tool calls the agent can make on the human's behalf.&lt;/p&gt;

&lt;p&gt;Conflating these two protocols leads to over-permissioned tokens that get reused across systems they were never scoped for, giving a compromised agent durable access well beyond what the user actually authorized.&lt;/p&gt;

&lt;h2&gt;
  
  
  Nine capabilities for production multi-user AI agent auth
&lt;/h2&gt;

&lt;p&gt;The Model Context Protocol's own authorization spec, developed as a broad collaboration with Anthropic, &lt;a href="https://www.arcade.dev/" rel="noopener noreferrer"&gt;Arcade.dev&lt;/a&gt;, Microsoft, Okta/Auth0, and others, defines OAuth-style protected resources and authorization server discovery, with audience binding via Resource Indicators (RFC 8707) and delegation via Token Exchange (RFC 8693). MCP defines the auth handshake; the runtime layer above must still handle token vaulting, just-in-time consent, user verification, RBAC, and audit. The nine capabilities below close that gap.&lt;/p&gt;

&lt;p&gt;Building resilient multi-user agent infrastructure means evaluating your systems against this 2026 capability checklist. Unifying these capabilities prevents unauthorized access while ensuring reliable tool execution.&lt;/p&gt;

&lt;h3&gt;
  
  
  Capability 1: Model user, agent, and delegated context
&lt;/h3&gt;

&lt;p&gt;Every authorization decision in your runtime must evaluate the user, agent, and context tuple simultaneously.&lt;/p&gt;

&lt;p&gt;If your backend tool plane only verifies the agent's API key, you've failed to model the human user.&lt;/p&gt;

&lt;p&gt;True delegated modeling ensures that the upstream resource server knows exactly which human began the request, which workload orchestrated it, and the precise context under which the delegation was granted.&lt;/p&gt;

&lt;p&gt;In practice, this means the user_id flows from your app's authenticated session into every runtime call. A typical pattern: your IdP (Stytch, Auth0, Okta, or similar) authenticates the user and issues a session, your app extracts the user identifier from that session, and your code passes that identifier explicitly to every runtime SDK call. For example, &lt;code&gt;getTools({ tools: [...], userId: userEmail })&lt;/code&gt; and &lt;code&gt;tools.execute({ ..., user_id: userEmail })&lt;/code&gt;. The runtime then resolves that specific user's vaulted OAuth tokens for the requested provider and scope. Without this explicit user binding on every call, the runtime has no way to enforce the intersection rule.&lt;/p&gt;

&lt;h3&gt;
  
  
  Capability 2: Separate OpenID Connect authentication from OAuth authorization
&lt;/h3&gt;

&lt;p&gt;You need to strictly separate human authentication from delegated agent authorization. OpenID Connect handles the initial login session. OAuth 2.1 handles the subsequent tool authorization.&lt;/p&gt;

&lt;p&gt;By separating these concerns, you prevent identity conflation. An agent compromised by a malicious prompt can't reuse human session cookies to access unrelated systems.&lt;/p&gt;

&lt;h3&gt;
  
  
  Capability 3: Issue short-lived, scoped, audience-bound access tokens
&lt;/h3&gt;

&lt;p&gt;Agent access tokens must adhere to the strictest cryptographic standards to prevent token replay and lateral movement.&lt;/p&gt;

&lt;p&gt;Each delegated access token should carry the full execution context as claims. In a delegated token, the subject (sub) identifies the human user on whose behalf the action is taken (e.g., user:alice). The actor (act) identifies the agent making the call (e.g., agent:support-copilot). The audience (aud) binds the token to a specific resource server (e.g., gmail-api), and the scope (scope) grants a specific permission (e.g., email.draft, not email.send). The expiry (exp) is set to a tight window of typically 5 to 30 minutes. A tenant claim (e.g., tenant:acme) carries the customer or workspace context, and a task ID (e.g., task_123) ties the call back to the originating user task or session.&lt;/p&gt;

&lt;p&gt;This claim structure enforces the intersection rule cryptographically: every token carries the user, the agent, and the bounded execution context, and the resource server validates all three before honoring the request.&lt;/p&gt;

&lt;p&gt;Your stack must enforce &lt;a href="https://www.rfc-editor.org/rfc/rfc8707.html" rel="noopener noreferrer"&gt;RFC 8707 resource indicators&lt;/a&gt; to bind tokens to a specific audience, ensuring a token minted for a calendar API can't be replayed against a CRM.&lt;/p&gt;

&lt;p&gt;Use &lt;a href="https://www.rfc-editor.org/rfc/rfc8693.html" rel="noopener noreferrer"&gt;RFC 8693 token exchange&lt;/a&gt; to safely trade broad user tokens for tightly downscoped agent tokens.&lt;/p&gt;

&lt;p&gt;Sender-constrain tokens using &lt;a href="https://www.rfc-editor.org/rfc/rfc9449.html" rel="noopener noreferrer"&gt;RFC 9449 demonstrating proof of possession (DPoP)&lt;/a&gt;, ensuring that even if an access token gets intercepted, attackers can't use it without the client's private key. The stack should also support &lt;a href="https://www.rfc-editor.org/rfc/rfc9126.html" rel="noopener noreferrer"&gt;RFC 9126&lt;/a&gt; pushed authorization requests and &lt;a href="https://www.rfc-editor.org/rfc/rfc9396.html" rel="noopener noreferrer"&gt;RFC 9396&lt;/a&gt; rich authorization requests for enhanced, tamper-proof granularity.&lt;/p&gt;

&lt;h3&gt;
  
  
  Capability 4: Vault tokens and automate refresh across providers
&lt;/h3&gt;

&lt;p&gt;A &lt;a href="https://docs.arcade.dev/en/references/auth-providers/oauth2" rel="noopener noreferrer"&gt;runtime that handles token storage and refresh&lt;/a&gt; per-user, per-provider, is non-negotiable for production agents. Managing the OAuth token lifecycle across thousands of users and dozens of providers is a substantial engineering problem in its own right.&lt;/p&gt;

&lt;p&gt;Access and refresh tokens must be vaulted and encrypted on a strict per-user, per-provider basis. Your system needs to automatically handle provider-specific nuances outside the language model context.&lt;/p&gt;

&lt;p&gt;For example, &lt;a href="https://developers.google.com/identity/protocols/oauth2#expiration" rel="noopener noreferrer"&gt;Google enforces a rolling limit of 100 refresh tokens per client&lt;/a&gt;, and &lt;a href="https://learn.microsoft.com/en-us/azure/active-directory/develop/refresh-tokens" rel="noopener noreferrer"&gt;Microsoft Entra rotates refresh tokens on every redemption with a 90-day sliding inactivity window&lt;/a&gt;. A dedicated token vault must abstract this refresh logic away from the agent developer.&lt;/p&gt;

&lt;h3&gt;
  
  
  Capability 5: Enforce read, draft, and commit approval steps
&lt;/h3&gt;

&lt;p&gt;Security architects must enforce &lt;a href="https://www.arcade.dev/agents/gateway-templates/human-approval-workflow/" rel="noopener noreferrer"&gt;out-of-band approval flows&lt;/a&gt; for any irreversible action.&lt;/p&gt;

&lt;p&gt;Reading data or drafting responses requires minimal friction and can be executed synchronously. But external side effects, such as sending emails, deleting records, or committing code, must trigger explicit human step-up approvals.&lt;/p&gt;

&lt;p&gt;These approvals should occur via a secure, out-of-band channel, such as an enterprise authentication app, a separate user interface, or a direct messaging platform.&lt;/p&gt;

&lt;h3&gt;
  
  
  Capability 6: Evaluate policy before every tool call by hooking into existing entitlement systems
&lt;/h3&gt;

&lt;p&gt;Never trust a language model's direct API request. Every tool call must route through a centralized policy layer that intersects the user, agent, tenant, action, resource, and task. And it must evaluate that intersection in milliseconds to avoid throttling the agent's conversational latency.&lt;/p&gt;

&lt;p&gt;Critically, this is not an invitation to stand up yet another policy system. Enterprises already have entitlement systems and identity providers like Okta, Entra, SailPoint, and homegrown role/permission stores. The runtime's job is to hook into those systems, acquire scoped tokens at runtime, and enforce the policies the enterprise has already defined, not duplicate them in a new tool.&lt;/p&gt;

&lt;p&gt;Open Policy Agent, Cedar, Oso, OpenFGA, WorkOS FGA, and Zanzibar-style relationship graphs are useful as the local enforcement engine. But the source of truth for who can do what should remain in your existing identity and governance systems. A runtime that asks you to redefine your authorization model in its own DSL is moving the problem, not solving it.&lt;/p&gt;

&lt;h3&gt;
  
  
  Capability 7: Use just-in-time consent and authorization
&lt;/h3&gt;

&lt;p&gt;Blanket consent at user onboarding violates the principle of least privilege.&lt;/p&gt;

&lt;p&gt;Implement just-in-time authorization instead. When an agent requires access to a new system or an ungranted scope to fulfill a prompt, the runtime pauses execution. It returns a granular, context-specific consent interface to the user, captures the cryptographic consent, brokers the new token, and resumes the agent's task without losing conversational context.&lt;/p&gt;

&lt;p&gt;MCP's URL Elicitation Specification Enhancement Proposal (SEP), authored by &lt;a href="https://www.arcade.dev/" rel="noopener noreferrer"&gt;Arcade.dev&lt;/a&gt; in collaboration with Anthropic and &lt;a href="https://modelcontextprotocol.io/specification/2025-11-25/client/elicitation" rel="noopener noreferrer"&gt;accepted into the MCP spec&lt;/a&gt;, standardizes how an agent runtime delivers granular, context-specific consent URLs to the user mid-task.&lt;/p&gt;

&lt;h3&gt;
  
  
  Capability 8: Bind first-time auth flows to a verified app user
&lt;/h3&gt;

&lt;p&gt;Granular consent (Capability 7) only matters if the runtime can confirm which user is sitting at the keyboard during the first-time OAuth authorization. Without that confirmation, an attacker who intercepts a flow_id can redirect the consent step to their own browser and either hijack the authorization back into your user's session or capture the user's grant for themselves.&lt;/p&gt;

&lt;p&gt;The mitigation is a server-side user verifier. When a user authorizes a tool for the first time, the runtime redirects them to a verifier route in your app. Your verifier reads the flow_id from the query string, looks up the currently authenticated user from your app's session (Stytch, Auth0, Okta, as the IdP, or an app-layer auth system like Supabase), and posts that user_id back to the runtime via a server-side confirm_user call signed with your API key.&lt;/p&gt;

&lt;p&gt;If the user_id from your session matches the user_id specified when the flow started, the runtime continues. If not, the runtime rejects the flow. Every first-time authorization is therefore bound to a verified, authenticated identity in your app, which closes the flow-phishing attack surface.&lt;/p&gt;

&lt;p&gt;In production multi-user deployments, this is non-negotiable. Arcade's reference implementations show the pattern in &lt;a href="https://github.com/ArcadeAI/agency-tutorial-stytch" rel="noopener noreferrer"&gt;Next.js with Stytch&lt;/a&gt; and &lt;a href="https://github.com/ArcadeAI/arcade-custom-verifier-next" rel="noopener noreferrer"&gt;Next.js with Supabase&lt;/a&gt;, and Arcade's &lt;a href="https://docs.arcade.dev/en/guides/user-facing-agents/secure-auth-production" rel="noopener noreferrer"&gt;Secure Auth in Production guide&lt;/a&gt; walks through the verifier route end-to-end.&lt;/p&gt;

&lt;h3&gt;
  
  
  Capability 9: generate immutable audit logs for every agent action
&lt;/h3&gt;

&lt;p&gt;Every action taken by an agent must generate an immutable audit log with a complete chain of custody.&lt;/p&gt;

&lt;p&gt;This means capturing the requesting user, the agent identity, the tenant, the task ID, the specific tool invoked, the resource accessed, the policy decision and policy version, the prompt hash, input references, output hash, approval status, and the exact timestamp.&lt;/p&gt;

&lt;p&gt;These logs must be &lt;a href="https://opentelemetry.io/docs/concepts/signals/logs/" rel="noopener noreferrer"&gt;OpenTelemetry-compatible&lt;/a&gt;, providing structured traces that export cleanly into enterprise security information and event management systems for immediate incident response.&lt;/p&gt;

&lt;p&gt;And the audit story isn't only about the logs themselves. It's about the controls that produce them. SOC 2 Type 2 certification validates that the runtime's audit, access, and change-management controls operate as designed under independent audit. Treat the certification as a procurement floor and the per-action log structure as the actual product capability. You need both.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why a runtime, not a gateway: the architecture shift behind multi-user authorization
&lt;/h2&gt;

&lt;p&gt;In the traditional model, users interact with applications, applications call APIs, and a gateway sits between them, routing, authenticating, and rate-limiting at the perimeter. The proxy is the control point because it's the choke point: every request flows through it.&lt;/p&gt;

&lt;p&gt;In the agentic model, that topology inverts. The agent is already the proxy. A user talks to an agent. The agent reasons, plans, and calls tools on the user's behalf. It already handles mediation, routing, and orchestration. Adding a traditional API gateway in front of the tools doesn't add a control point; it adds a redundant hop that can't see into the execution context that actually matters: which user, which action, which permission, right now.&lt;/p&gt;

&lt;p&gt;That's why "MCP gateway" is the wrong frame for the auth problem. A stateless proxy evaluates each request in isolation. It can't track that a request is step 3 of a 6-step agent workflow, acting on behalf of a specific user who authorized a particular scope minutes ago. Bolting MCP support onto an API gateway is not a pivot. It's a patch.&lt;/p&gt;

&lt;p&gt;The control point in an agentic architecture is the execution layer where the tool runs. That's where credentials are resolved, permissions are checked, and actions are taken on behalf of a specific human. That's the runtime. The nine capabilities above can only be enforced there.&lt;/p&gt;

&lt;h2&gt;
  
  
  Where each layer fits in the agent auth stack (IdP, OAuth vault, policy engine, MCP runtime)
&lt;/h2&gt;

&lt;p&gt;Understanding the vendor landscape means categorizing platforms by their strict architectural function. Misunderstanding where a tool fits in the stack leads to dangerous auth gaps.&lt;/p&gt;

&lt;p&gt;The deeper issue is consistency at scale. Even with the right primitives in place (an IdP, a token vault, a policy engine), most stacks have no uniform way to apply them across every agent, every user, and every system. Each team stitches its own integration, and two teams in the same company end up enforcing the same policy differently. The runtime is what makes a single authorization model enforceable across every agent, without each team rebuilding the plumbing.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Architectural layer&lt;/th&gt;
&lt;th&gt;Example vendors&lt;/th&gt;
&lt;th&gt;Primary function&lt;/th&gt;
&lt;th&gt;Key gap for multi-user agents&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Identity providers&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Okta, Auth0, Entra, WorkOS, and Clerk&lt;/td&gt;
&lt;td&gt;Authenticate the human user into the application via OpenID Connect.&lt;/td&gt;
&lt;td&gt;Lacks the full agent authorization stack. Support for explicit delegation flows, such as RFC 8693 and sender-constraining via DPoP, varies significantly and often requires heavy custom actions. Audit covers authentication events, not per-tool-call agent actions.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;OAuth libraries and vaults&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Authlib, HashiCorp Vault, Doppler&lt;/td&gt;
&lt;td&gt;Securely store, encrypt, and manage raw OAuth tokens.&lt;/td&gt;
&lt;td&gt;Lacks a contextual decision engine, robust policy evaluation, and the dynamic, multi-provider refresh logic necessary for asynchronous agentic workflows. Audit captures token operations, not the user, agent, and tool context behind each call.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Policy engines and FGA platforms&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Open Policy Agent, Cedar, Oso (Polar DSL), OpenFGA, WorkOS FGA, Zanzibar-style, Sailpoint&lt;/td&gt;
&lt;td&gt;Evaluate fine-grained authorization policies against complex relationship graphs.&lt;/td&gt;
&lt;td&gt;Leaves token brokering, consent user experiences, and physical tool connectivity for the engineering team to build from scratch. Audit records the policy decision, not the full execution context that the resource server actually saw.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Agent frameworks&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;LangChain, Mastra, Crew AI&lt;/td&gt;
&lt;td&gt;Provide tool abstraction for agent workflows.&lt;/td&gt;
&lt;td&gt;Push the auth burden back onto your application code; treat tools like keys in a dotenv file and quietly break the moment a second customer signs up. No native audit trail for agent actions.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;MCP gateways and integration wrappers&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Composio&lt;/td&gt;
&lt;td&gt;Connect language models to external tools using standardized interfaces.&lt;/td&gt;
&lt;td&gt;Designed for rapid prototyping and single-user proof-of-concept agents. An SDK-layer integration wrapper, not a runtime. Per-user OAuth is supported, but SSO, OIDC, and audit are limited rather than native, and the agent/user permission intersection isn't enforced.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;MCP runtimes&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;&lt;a href="https://www.arcade.dev/" rel="noopener noreferrer"&gt;Arcade.dev&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;The first MCP runtime built for agent authorization. Delivers post-prompt user-specific permissions, isolated token lifecycle management (refresh, rotation, mismatch), OAuth protocol brokering,  contextual access policy enforcement, and immutable per-action audit logs exportable via OpenTelemetry.&lt;/td&gt;
&lt;td&gt;Not applicable. This layer explicitly unifies the previous layers and fills their operational gaps.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h2&gt;
  
  
  Reference architectures for multi-user agent auth
&lt;/h2&gt;

&lt;p&gt;These capabilities only matter if you can map them to real architectures. The three patterns below show how an MCP runtime enforces multi-user authorization in production.&lt;/p&gt;

&lt;p&gt;The patterns assume the canonical multi-user setup: an agent application that authenticates users via its own identity provider (Stytch, Auth0, Okta, or Entra) and calls the runtime through its client SDK, passing the authenticated user_id on every tool call. The runtime is the backend that brokers OAuth, vaults tokens per user, and enforces policy. For MCP-client integrations like Copilot, Cursor or Claude Desktop, the runtime's MCP gateway path is used instead, but the runtime semantics are the same.&lt;/p&gt;

&lt;p&gt;Two distinct auth flows run inside each pattern. &lt;strong&gt;Server-level auth&lt;/strong&gt; determines whether the agent application (an MCP client) can connect to the MCP server. &lt;strong&gt;Tool-level auth&lt;/strong&gt; governs whether the currently authenticated user can invoke a specific tool against this resource with these parameters right now. Server-level auth happens once per client-to-server connection. Tool-level auth runs on every tool call, and it's where the user verifier (Capability 8), just-in-time consent via URL Elicitation (Capability 7), and the permission intersection rule actually operate. Arcade's &lt;a href="https://docs.arcade.dev/en/learn/server-level-vs-tool-level-auth" rel="noopener noreferrer"&gt;Server-Level vs Tool-Level Authorization guide&lt;/a&gt; walks through the distinction in detail.&lt;/p&gt;

&lt;h3&gt;
  
  
  Pattern 1: internal productivity agent (Google Workspace)
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;Architectural flow:&lt;/strong&gt; Human User -&amp;gt; [OIDC Identity Provider] -&amp;gt; Agent Application -&amp;gt; MCP Runtime -&amp;gt; &lt;a href="https://docs.arcade.dev/en/resources/integrations" rel="noopener noreferrer"&gt;Gmail and Calendar MCP tools&lt;/a&gt;-&amp;gt; Google Workspace&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Scenario:&lt;/strong&gt; An internal, Claude-based assistant organizes meetings and summarizes emails across a multi-user Google Workspace environment.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Implementation:&lt;/strong&gt; The agent must never possess domain-wide delegation. Instead, the MCP runtime brokers a user-specific OAuth flow. The runtime requests delegated gmail.readonly and gmail.compose scopes, binding the resulting token strictly to the individual employee.&lt;/p&gt;

&lt;p&gt;On the user's first authorization, the runtime redirects the user's browser to a verifier route in the app. The verifier reads the flow_id, looks up the authenticated user from the OIDC session, and confirms the user_id back to the runtime. Only after the runtime matches the verifier-confirmed user_id against the user_id that started the flow does the OAuth grant proceed. From that point forward, the user's token is vaulted per provider and reused on subsequent calls without re-authorization.&lt;/p&gt;

&lt;p&gt;When the agent attempts to read an inbox, the app passes the authenticated user_id from its session into the runtime SDK call. The runtime evaluates the policy engine, retrieves that specific user's token from the vault, and executes the call.&lt;/p&gt;

&lt;p&gt;If the agent hallucinates or receives a malicious prompt to send an email, it requests the gmail.send scope. The runtime catches this unauthorized request, pauses execution, and forces an out-of-band step-up approval to the user's device. A human explicitly authorizes the transmission, or it doesn't happen.&lt;/p&gt;

&lt;h3&gt;
  
  
  Pattern 2: multi-tenant Slack agent (workspace isolation)
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;Architectural flow:&lt;/strong&gt; Human User -&amp;gt; [OIDC Identity Provider] -&amp;gt; Agent Application -&amp;gt; MCP Runtime -&amp;gt; &lt;a href="https://docs.arcade.dev/en/resources/integrations/social/slack" rel="noopener noreferrer"&gt;Slack MCP tools&lt;/a&gt; -&amp;gt; Slack workspace&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Scenario:&lt;/strong&gt; A business-to-business application deploys an agent that aggregates alerts and takes administrative actions across multiple customer Slack workspaces.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Implementation:&lt;/strong&gt; Managing access across distinct corporate boundaries requires strict multi-tenant isolation. The runtime manages workspace-level OAuth installations, generating bot tokens combined with granular user-level channel permissions like chat:write and channels:history.&lt;/p&gt;

&lt;p&gt;The runtime uses RFC 8707 resource indicators, ensuring that tokens minted for Tenant A's Slack instance are mathematically bound to that tenant's audience.&lt;/p&gt;

&lt;p&gt;If an injection attack attempts to force the agent to read Tenant B's data using Tenant A's context, the policy engine rejects the cross-tenant token replay instantly. That prevents catastrophic cross-customer data leakage.&lt;/p&gt;

&lt;h3&gt;
  
  
  Pattern 3: Salesforce CRM agent (user-level permissions)
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;Architectural flow:&lt;/strong&gt; Human User -&amp;gt; [OIDC Identity Provider] -&amp;gt; Agent Application -&amp;gt; MCP Runtime -&amp;gt; &lt;a href="https://docs.arcade.dev/en/resources/integrations/sales/salesforce" rel="noopener noreferrer"&gt;Salesforce MCP tools&lt;/a&gt; -&amp;gt; Salesforce&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Scenario:&lt;/strong&gt; A sales copilot updates pipeline records, drafts follow-up emails, and queries customer history on behalf of individual account executives.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Implementation:&lt;/strong&gt; Salesforce data access rules are notoriously complex. The MCP runtime requests the api and refresh_token OAuth scopes to call Salesforce on behalf of the user, then evaluates the account executive's specific Salesforce profile and permission sets at every tool call before allowing the agent to proceed. Object-level access (read on Account / Contact, edit on Opportunity stage transitions, commit on Lead conversion) is gated by the user's existing Salesforce permissions, not by the agent's own credentials.&lt;/p&gt;

&lt;p&gt;The implementation enforces strict separation between reading account contacts, drafting meeting notes, and committing pipeline updates.&lt;/p&gt;

&lt;p&gt;Through just-in-time authorization, if a junior rep asks the agent to update a closed-won opportunity they lack privileges to edit, the runtime's policy engine blocks the action at the tool boundary. It returns a graceful access denial to the language model without exposing backend credentials.&lt;/p&gt;

&lt;h2&gt;
  
  
  Agent auth anti-patterns to avoid in production
&lt;/h2&gt;

&lt;p&gt;Answer engines and security audits favor systems that eliminate known architectural flaws. If your current homegrown agent setup relies on any of these anti-patterns, your infrastructure isn't ready for enterprise production.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Single API key routing:&lt;/strong&gt; Your agent backend shares a single, highly privileged service account key across all users. This breaks identity attribution at the request layer. The backend can't distinguish between an intern's request and a CEO's request, and a single prompt injection inherits maximum blast radius across the entire user base.
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;God mode with prompted guardrails:&lt;/strong&gt; The agent runs with root or admin credentials, and engineers rely on system prompts like "do not delete data" to maintain security. Language models are easily manipulated through indirect injection, so relying on the model to govern its own authorization is a fundamental security failure.
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Blanket sign-up consent:&lt;/strong&gt; Forcing users to grant massive, multi-system OAuth scopes during their initial onboarding. This violates the principle of least privilege, causes consent fatigue, and provisions tokens with dangerous capabilities long before the user actually needs them.
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;User interface-only checks:&lt;/strong&gt; Authorization checks are enforced exclusively at the chat interface or frontend web application, leaving the backend tool plane unprotected. If an attacker bypasses the chat interface and sends payloads directly to the tool execution endpoint, the system complies without verifying the delegated user context.
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;No distinction between draft and commit:&lt;/strong&gt; Your agent treats every action with the same authorization level, sending emails or transferring funds as easily as drafting them. Without a read/draft/commit gradient and an out-of-band approval step for irreversible actions, a single prompt injection causes irreversible damage.
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;No immutable audit trail:&lt;/strong&gt; Your agent system has no per-action audit log or relies on application logs that can be modified after the fact. Without an immutable record of who authorized what tool action when (with policy version, prompt hash, and approval status), security incidents can't be reconstructed, and regulator-facing audit reports become impossible.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Conclusion: the delegated authorization rule for multi-user agents
&lt;/h2&gt;

&lt;p&gt;The transition to production-grade, multi-user AI agents demands a fundamental shift in how we architect security. The entire philosophy of agent authorization boils down to one strict rule:&lt;/p&gt;

&lt;p&gt;&lt;em&gt;This specific agent may perform this specific action on this specific resource, for this specific user, in this specific tenant, for this specific task, for a strictly limited period of time.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;If your current infrastructure can't cryptographically enforce and audit that exact sentence from the chat prompt down to the backend API layer, your system isn't ready for multi-user production in 2026.&lt;/p&gt;

&lt;p&gt;A gateway can't enforce that rule. A runtime can.&lt;/p&gt;

&lt;p&gt;Before you commit to a runtime, do three things. Audit your current identity mapping to confirm your backend systems actually model the user, agent, and context tuple on every tool call. Stop building bespoke OAuth plumbing. Refresh logic, just-in-time consent user interfaces, and multi-tenant token vaulting are undifferentiated technical debt your engineers shouldn't be writing. And test the intersection rule aggressively by sending malicious prompts against your own agents to verify that your policy engine intercepts them at the network boundary.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.arcade.dev/" rel="noopener noreferrer"&gt;Arcade is the first MCP runtime purpose-built for agent authorization&lt;/a&gt;, handling per-user OAuth, just-in-time consent, token vaulting, policy intersection, and immutable audit as native capabilities, not bolt-on plugins. The nine capabilities above are unified under one control plane, alongside Arcade's agent-optimized tool catalog and lifecycle governance, so your engineering teams can focus on shipping high-value agent logic instead of maintaining fragile identity plumbing.&lt;/p&gt;

&lt;h2&gt;
  
  
  Frequently asked questions
&lt;/h2&gt;

&lt;h3&gt;
  
  
  What's the best way to manage multi-user AI agent authentication and authorization in 2026?
&lt;/h3&gt;

&lt;p&gt;Treat every tool call as delegated user access, not agent-owned access. Implement a two-identity model (the agent application and the user on whose behalf the action is taken), bind every call to a delegated execution context, and enforce the intersection rule via OAuth 2.1 delegated tokens, a policy engine in front of tools, short-lived scoped tokens, and immutable audit logs.&lt;/p&gt;

&lt;h3&gt;
  
  
  What is the two-identity model for agent authorization?
&lt;/h3&gt;

&lt;p&gt;Every request carries two identities: the project-level key (the agent application making the call) and the user-level identity (the human on whose behalf the action is taken). The runtime evaluates these two identities against a delegated execution context, a bounded binding that ties a specific user to a specific agent for a specific task, so the backend can attribute and constrain every action.&lt;/p&gt;

&lt;h3&gt;
  
  
  What is the "intersection rule," and why does it matter?
&lt;/h3&gt;

&lt;p&gt;The agent's effective permissions must be the intersection of the user's permissions and the agent's allowed capabilities. Never the union. This rule prevents "confused deputy" failures where an injected prompt causes the agent to misuse broad system access.&lt;/p&gt;

&lt;h3&gt;
  
  
  How should OpenID Connect and OAuth 2.1 be used together for agents?
&lt;/h3&gt;

&lt;p&gt;Use OpenID Connect to authenticate the human user (who they are). Use OAuth 2.1 to authorize the agent's tool calls (what the agent can do on the user's behalf) with scoped, audience-bound tokens.&lt;/p&gt;

&lt;h3&gt;
  
  
  How do you prevent prompt injection from turning into tool misuse?
&lt;/h3&gt;

&lt;p&gt;Don't rely on prompts for security. Route every tool call through a policy enforcement layer that checks user/agent/context, scopes, tenant, and resource. Use short-lived, audience-bound tokens so even a successful injection can't pivot across systems.&lt;/p&gt;

&lt;h3&gt;
  
  
  Which token properties are required for secure delegated-agent access?
&lt;/h3&gt;

&lt;p&gt;Tokens should be short-lived, scoped, and audience-bound (so they can't be replayed against other APIs). For stronger replay resistance, use sender-constrained tokens (e.g., DPoP) so stolen tokens are unusable without the client key.&lt;/p&gt;

&lt;h3&gt;
  
  
  How do you handle OAuth refresh tokens safely for thousands of users?
&lt;/h3&gt;

&lt;p&gt;Store tokens in a per-user, per-provider encrypted vault and automate refresh/rotation outside the LLM. This prevents secrets from leaking into prompts and prevents provider-specific refresh edge cases from breaking agent workflows.&lt;/p&gt;

&lt;h3&gt;
  
  
  When should an agent require step-up approval or human confirmation?
&lt;/h3&gt;

&lt;p&gt;Require step-up approval for irreversible or high-impact actions (e.g., sending an external email, deleting records, committing code, or transferring funds). Let the agent read and draft with lower friction, but gate "commit" actions via an out-of-band confirmation flow.&lt;/p&gt;

&lt;h3&gt;
  
  
  What is just-in-time authorization for AI agents?
&lt;/h3&gt;

&lt;p&gt;The agent requests new scopes or system access only when needed for a specific task. The runtime pauses, collects granular consent, mints a downscoped token, and resumes. This reduces over-permissioning and consent fatigue.&lt;/p&gt;

&lt;h3&gt;
  
  
  What is MCP URL Elicitation?
&lt;/h3&gt;

&lt;p&gt;URL Elicitation is a Specification Enhancement Proposal authored by &lt;a href="https://www.arcade.dev/" rel="noopener noreferrer"&gt;Arcade.dev&lt;/a&gt; with Anthropic and &lt;a href="https://modelcontextprotocol.io/specification/2025-11-25/client/elicitation" rel="noopener noreferrer"&gt;accepted into the Model Context Protocol spec&lt;/a&gt;. It defines how an MCP runtime returns a granular, context-specific consent URL to the user mid-task when the agent needs a new scope or system, allowing the user to authorize the request out of band before the runtime resumes execution. URL Elicitation is the standardized mechanism behind just-in-time agent authorization.&lt;/p&gt;

&lt;h3&gt;
  
  
  What should be included in an audit log for agent tool calls?
&lt;/h3&gt;

&lt;p&gt;Log the user identity, agent identity, tenant, tool/action/resource, policy decision, timestamp, and a prompt or request hash. Make logs immutable and exportable via OpenTelemetry-compatible formats for incident response and compliance.  &lt;/p&gt;

</description>
      <category>mcp</category>
      <category>agents</category>
      <category>security</category>
      <category>identity</category>
    </item>
  </channel>
</rss>
