yena shared this post · 2h ago
mark

Companies are scaling to thousands of custom agents that call tools and each other. But most of those calls happen directly, with no verified identity and no authorization check.

Instead, each agent should have its own identity, a short-lived, attested credential rather than a static API key. When it's acting for a user or another agent, its identity should say so.

An agent gateway enforces this. Every call routes through the gateway, and before it reaches a tool or another agent, that endpoint verifies the agent's identity, uses it to authorize which tools (MCPs, APIs, CLIs) and other agents (A2A) the agent can reach, and audits the call. Every action then traces back to the user who triggered it, and no agent can exceed the permissions of whoever it's acting for.

And there are already strong open source and vendor options, so you don't need to build this yourself.

52