Secure my API for AI agents
AI agents are calling APIs. They need the same governance as human consumers — identity, scoped permissions, rate limits, and audit trails.
What you need
- A deployed API on Apiway (ship one first if you haven’t)
- An AI agent that supports MCP (Claude Code, Copilot, or your own)
The pipeline
1. Your API is already MCP-ready
Every API deployed through Apiway with a well-described OpenAPI spec is automatically discoverable via MCP. The gateway exposes your endpoints as tools that AI agents can find and call.
No extra configuration is needed. If your spec has good summaries and parameter descriptions, it works. Those descriptions are what the agent reads when deciding which tool to call, so keep them accurate and specific: a vague summary produces a mis-chosen tool, not a helpful one.
2. Create an agent identity
Don’t share human credentials with AI agents. Create a dedicated identity:
```bash
curl -X POST https://core.api.apiway.net/v1/subscriptions \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"apiId": "{api-id}", "consumer": "checkout-agent", "type": "agent"}'
```
The agent gets its own credentials, its own scopes, and its own audit trail, separate from every human user. Treat the issued agent token as a secret that belongs to that one agent: if it leaks, only that agent’s scopes and budget are exposed, not a human’s full access.
3. Scope the permissions
Agents shouldn’t have access to everything. Restrict the subscription to specific operations:
```bash
curl -X PUT https://core.api.apiway.net/v1/subscriptions/{id}/scopes \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"scopes": ["get:/orders", "post:/orders"]}'
```
The gateway enforces this. If the agent tries to call DELETE /orders, it gets a 403. No trust in the agent is required: the restriction holds whatever the model is prompted to do, so a prompt-injected instruction cannot reach an operation the subscription never had. Start from the smallest set the agent’s task needs and widen later if you must.
4. Set rate limits and cost guards
Protect against runaway agents, whether a looping tool call, a retry storm, or a hijacked task:
```bash
curl -X PUT https://core.api.apiway.net/v1/subscriptions/{id}/limits \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"rateLimit": 500, "unit": "minute", "budgetCeiling": 1000, "budgetUnit": "GBP"}'
```
Soft alert at the threshold, hard stop at the ceiling. The agent can’t run up an uncontrolled bill.
5. Connect your AI assistant
Point your MCP-compatible agent at the gateway:
```json
{
  "mcpServers": {
    "apiway": {
      "url": "https://alpha.gateway.apiway.net/mcp",
      "headers": {"Authorization": "Bearer $AGENT_TOKEN"}
    }
  }
}
```
Use the agent subscription’s own token here, not your $TOKEN: the scopes, limits, and audit trail from the previous steps attach to the credential the gateway sees. The agent discovers available tools, understands parameters, and makes governed calls, all through natural conversation.
6. Audit everything
Every agent call is logged with full context:
```bash
curl https://core.api.apiway.net/v1/subscriptions/{id}/audit \
  -H "Authorization: Bearer $TOKEN"
```
Who called what, when, with which parameters, and what the response was. The audit trail your regulator will ask for. Because request parameters are recorded, the audit log is itself sensitive data: restrict who can read it the same way you restrict the API.
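The scope, rate-limit and budget checks from steps 3 and 4, modelled offline as an added example so you can see the order of decisions and the edge cases. This is illustrative code written for this page, not Apiway’s gateway implementation. Only the `method:path` scope format and the 403 on a scope miss come from the page; the sliding-window rate limiter, the 80% soft-alert threshold, the 429 and 402 status codes, and the path normalisation are assumptions chosen for the example.

```python
"""Offline model of the per-agent governance checks a gateway applies.

Illustrative code for this page, not Apiway's implementation. Only the
"method:path" scope format and the 403 on a scope miss come from the page;
everything else (window algorithm, status codes, alert threshold) is assumed.
"""
from collections import deque
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class AgentSubscription:
    consumer: str
    scopes: set                   # e.g. {"get:/orders", "post:/orders"}
    rate_limit: int               # calls allowed per window
    window_seconds: float         # "unit": "minute" -> 60
    budget_ceiling: float         # hard stop, in budget_unit
    budget_unit: str = "GBP"
    alert_fraction: float = 0.8   # assumed: soft alert at 80% of the ceiling
    spent: float = 0.0
    calls: deque = field(default_factory=deque)  # timestamps inside the window
    alerted: bool = False


@dataclass
class Decision:
    status: int          # HTTP status the gateway would answer with
    reason: str
    alert: bool = False  # True exactly once, when the soft threshold is crossed


def scope_key(method: str, path: str) -> str:
    """Normalise a request to the page's "method:path" scope form.

    Query strings and trailing slashes are dropped so "/orders?limit=5" and
    "/orders/" both match "get:/orders". Matching is otherwise exact:
    "get:/orders" does not cover "/orders/123" (an assumption, and the safer
    default for least privilege).
    """
    path = urlsplit(path).path.rstrip("/") or "/"
    return f"{method.lower()}:{path}"


def authorize(sub: AgentSubscription, method: str, path: str,
              cost: float = 0.0, now: float = 0.0) -> Decision:
    """Apply scope -> rate limit -> budget, in that order, then record the call."""
    # 1. Scope: the operation must be on the subscription's allow-list.
    if scope_key(method, path) not in sub.scopes:
        return Decision(403, "operation not in agent scopes")

    # 2. Rate limit: sliding window over the last window_seconds.
    while sub.calls and now - sub.calls[0] >= sub.window_seconds:
        sub.calls.popleft()
    if len(sub.calls) >= sub.rate_limit:
        return Decision(429, "rate limit exceeded")  # assumed status code

    # 3. Budget: hard stop before the ceiling would be exceeded.
    if sub.spent + cost > sub.budget_ceiling:
        return Decision(402, f"budget ceiling {sub.budget_ceiling} "
                             f"{sub.budget_unit} reached")  # assumed status code

    # Admit the call and account for it.
    sub.calls.append(now)
    sub.spent += cost
    alert = False
    if not sub.alerted and sub.spent >= sub.alert_fraction * sub.budget_ceiling:
        sub.alerted = True
        alert = True
    return Decision(200, "allowed", alert)


def run_scenario() -> list:
    """Constructed traffic from a 'checkout-agent' holding the page's two scopes."""
    sub = AgentSubscription("checkout-agent", {"get:/orders", "post:/orders"},
                            rate_limit=3, window_seconds=60, budget_ceiling=10.0)
    traffic = [  # (method, path, cost, seconds since start)
        ("GET", "/orders", 3.0, 0),
        ("DELETE", "/orders", 0.0, 1),       # out of scope -> 403
        ("get", "/orders?limit=5", 3.0, 2),  # normalised -> allowed
        ("POST", "/orders/", 3.0, 3),        # third call, spend hits 9/10 -> alert
        ("GET", "/orders", 0.0, 4),          # fourth call in window -> 429
        ("GET", "/orders", 3.0, 61),         # window moved on, but 12 > 10 -> 402
    ]
    return [authorize(sub, m, p, c, t).status for m, p, c, t in traffic]


if __name__ == "__main__":
    print(run_scenario())  # [200, 403, 200, 200, 429, 402]
```

Two design choices worth noting. The checks run scope first, so an out-of-scope call is refused before it consumes any rate or budget allowance; a production gateway may deliberately count refused calls as well, to throttle an agent that is probing for operations it lacks. And the budget check refuses the call that would cross the ceiling rather than the one after it, so the hard stop never lets spend exceed the configured figure.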
What you got
- Agent identity — dedicated credentials, not shared service accounts
- Scoped permissions — per-operation access control enforced at the gateway
- Cost guards — budget ceiling prevents runaway consumption
- MCP discovery — AI agents find and use your APIs automatically
- Full audit trail — every call traced, every decision recorded
Next steps
- Monetise your API — AI agents are just another consumer with a subscription
- Manage APIs your agents consume — track what your agents spend on external APIs
- Add governance to your CI/CD — govern agent-built APIs the same way