API Evangelist

Agent-Scoped Authentication

I require that APIs support authentication credentials scoped specifically to agents, so that an autonomous consumer acts under its own narrowly-bound identity with least-privilege scopes rather than borrowing a human user's broad session. Every agent-facing API must let us issue, constrain, and revoke these credentials independently, and must make the intended scopes discoverable through the definition. I hold this line at design time because agents can act quickly and at scale, and a credential that was fine for a person becomes a real liability in the hands of software that never sleeps. Scoping authentication to the agent is how we keep automated access auditable, bounded, and safe to revoke without breaking everything else.
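As an added illustration (not code from the post or from API Evangelist), the following Python sketch shows the three properties above in one place: a credential minted to an agent identity rather than a user, bounded to scopes published in an OpenAPI-style security scheme, and revocable on its own credential id. The API definition, operation paths, scope names and function names are constructed for the example.

```python
from dataclasses import dataclass
# Constructed OpenAPI-style fragment: scopes an agent may request and the
# scopes each operation requires. Names are illustrative, not a real API.
API_DEFINITION = {
    "securitySchemes": {"agentOAuth": {"type": "oauth2", "scopes": {
        "orders:read": "Read orders",
        "orders:write": "Create orders",
        "users:admin": "Manage user accounts",
    }}},
    "operations": {
        "GET /orders": ["orders:read"],
        "POST /orders": ["orders:write"],
        "DELETE /users/{id}": ["users:admin"],
    },
}

# Revocation is tracked per credential id, so pulling one agent's access
# does not touch the human who registered it or any other agent.
REVOKED: set[str] = set()

@dataclass(frozen=True)
class Credential:
    credential_id: str
    subject: str            # "agent:<name>" or "user:<name>"
    scopes: frozenset[str]  # fixed at issuance; cannot grow later

def discoverable_scopes() -> dict[str, str]:
    """Scopes an agent can learn about from the definition itself."""
    return dict(API_DEFINITION["securitySchemes"]["agentOAuth"]["scopes"])

def issue_agent_credential(cid: str, agent: str, requested: list[str]) -> Credential:
    """Mint a credential bound to an agent identity and to declared scopes only."""
    unknown = set(requested) - set(discoverable_scopes())
    if unknown:
        raise ValueError(f"undeclared scopes requested: {sorted(unknown)}")
    return Credential(cid, f"agent:{agent}", frozenset(requested))

def revoke(cid: str) -> None:
    REVOKED.add(cid)

def authorize(cred: Credential, operation: str) -> tuple[bool, str]:
    """Allow a call only for a live agent credential holding every required scope."""
    if cred.credential_id in REVOKED:
        return False, "credential revoked"
    if not cred.subject.startswith("agent:"):
        return False, "borrowed user session is not an agent identity"
    missing = set(API_DEFINITION["operations"][operation]) - cred.scopes
    if missing:
        return False, f"missing scopes: {sorted(missing)}"
    return True, "allowed"
```

Because the scope list and the revocation set are separate from any user session, an agent's access can be narrowed or pulled without invalidating the human developer's own login.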

Strategies

APIs Are Ready for AI Agents

I want every API we operate to be ready for the agents that are now showing up as first-class consumers alongside our human developers. That means our APIs publish the machine-readable signposts ag...

APIs Expose an MCP Server

I want our APIs to meet agents where they already are by exposing a Model Context Protocol server that turns our operations into tools an agent can pick up and use without a custom integration for ...

Experiences

Security

API security is a top priority for any enterprise, with even higher standards for externally available APIs. However, security doesn’t end with the APIs an enterprise produces—it also applies to co...

Access

Gaining the necessary access to effectively use an API is often more challenging than it appears. Intentional and unintentional barriers can create friction in discovering and onboarding with an AP...

Agent Experience

Agent experience is developer experience for machines. As AI agents become first-class consumers of APIs, the experience they have discovering, understanding, authenticating, and calling an API mat...

Lifecycle

Authentication (Develop)

Authentication is where access begins. Keys, OAuth, JWT, and mTLS each make sense in different contexts, and I pick the approach that fits the consumer and the risk. Getting authentication right is...

Security (Production)

Security runs through every stop on this lifecycle, but it also deserves its own attention. OWASP alignment, vulnerability scanning, and defense in depth protect both the provider and the consumer....