Part 3: Identity & AuthN For Agentic Workflows

If Part 2 helped you build a robust Server, Part 3 addresses the most headache-inducing question in Security: “How does the MCP Server know WHICH Agent is calling it, and does that Agent have the PERMISSION to do so?” In the early days of Agentic AI, developers often bypassed this by hardcoding long-lived API Keys. But in a Zero Trust environment, an API Key stored in plain text inside a Python script of an Agent is a ticking time bomb. If the Agent falls victim to a Prompt Injection attack, the hacker captures that API Key and gains full access to your infrastructure. ...

May 15, 2026 · 6 min · Lê Tuấn Anh

OAuth 2.1 & Prompt Versioning for Production AI Agents

Answer-first: Production AI API design requires securing agent identities using OAuth 2.1 client credentials, versioning prompts inside CI/CD gates to prevent quality regression, and tracking runtime costs. Monitoring token usage and accuracy ensures robust operational predictability. What You’ll Learn That AI Won’t Tell You Secure prompt versioning practices using git commits and CI checks. Rate-limiting AI agents at the API Gateway using token-bucket configurations. Running AI APIs in production for the past 18 months has produced three lessons that I did not find in any “getting started with LLMs” tutorial. They emerged from incidents, postmortems, and that specific kind of 2 AM Slack message where a word you never wanted to see — “silent,” as in “silent failure” — appears in a production context. ...

May 18, 2026 · 14 min · Lê Tuấn Anh