Agents that call your API: how are you authenticating and scoping them safely?
Excited about tool use, scared about prompt injection turning into arbitrary HTTP. What patterns are people shipping beyond 'please be good model'?
15 replies
Separate OAuth client per agent workflow with least-privilege scopes — never reuse human tokens.
We proxy tool calls through a service that validates arguments against a JSON schema before hitting internal APIs.
Allow-lists of endpoints per environment stopped the accidental production delete scenario we nightmare about.
Human confirmation step for irreversible actions — agents propose, humans click, we log both IDs.
Rate limits per agent session caught a loop bug that would have hammered payments.
We strip HTML from retrieved web pages before they enter the context window to reduce injection surface.
Mutations require idempotency keys generated server-side, not by the model.
Audit log includes full tool payload hash so security can replay without storing sensitive arguments in plaintext forever.
Network policies isolate the agent runtime from databases it should never touch, even if code regresses.
Red-team exercises with dedicated budget found three creative ways to exfiltrate secrets — patched before external beta.
We do not let models compose SQL — only choose from parameterised templates maintained by engineers.
Short-lived JWTs for tool calls reduced blast radius when a session was compromised in testing.
Teaching support to recognise when an attacker is trying to jailbreak through the chat saved a real account once.
Static analysis on prompt templates catches forgotten string concatenation that used to slip through review.
Principle: treat the model as an untrusted user — same gates you would put on a public form.
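One way to put several of the replies above into a single tool-call gateway (schema validation of arguments, a per-environment endpoint allow-list, server-side idempotency keys, and a human-confirmation flag for irreversible actions), as an added example that is not from any poster in this thread; the tool catalogue, paths and environment names are constructed for illustration:

```python
import json
import secrets
from dataclasses import dataclass
# Constructed tool catalogue: the model picks a tool name, never crafts a URL.
TOOLS = {
    "refund_order": {"method": "POST", "path": "/v1/refunds", "irreversible": True,
                     "schema": {"order_id": str, "amount_cents": int}},
    "get_order": {"method": "GET", "path": "/v1/orders", "irreversible": False,
                  "schema": {"order_id": str}},
}
# Per-environment endpoint allow-list (constructed): no agent-driven refunds in production.
ALLOWED_PATHS = {"staging": {"/v1/refunds", "/v1/orders"}, "production": {"/v1/orders"}}

@dataclass
class Decision:
    allowed: bool
    reason: str
    needs_human: bool = False   # irreversible action: agent proposes, a human confirms
    idempotency_key: str = ""   # generated server-side, never taken from the model
def validate_args(schema, args):
    """Reject unknown keys, missing keys and wrong types; model output is untrusted."""
    if not isinstance(args, dict):
        return "arguments must be an object"
    unknown = set(args) - set(schema)
    if unknown:
        return f"unexpected arguments: {sorted(unknown)}"
    for key, typ in schema.items():
        if key not in args:
            return f"missing argument: {key}"
        # bool is a subclass of int in Python; don't let `true` pass as an amount
        if not isinstance(args[key], typ) or (typ is int and isinstance(args[key], bool)):
            return f"argument {key} must be {typ.__name__}"
    return None
def gate_tool_call(raw_call: str, env: str) -> Decision:
    """Decide whether a model-produced tool call may reach the internal API."""
    try:
        call = json.loads(raw_call)
        name, args = str(call["tool"]), call["arguments"]
    except (ValueError, KeyError, TypeError):
        return Decision(False, "malformed tool call")
    tool = TOOLS.get(name)
    if tool is None:
        return Decision(False, f"unknown tool: {name!r}")
    if tool["path"] not in ALLOWED_PATHS.get(env, set()):
        return Decision(False, f"{tool['path']} not allowed in {env}")
    err = validate_args(tool["schema"], args)
    if err:
        return Decision(False, err)
    key = secrets.token_hex(16) if tool["method"] != "GET" else ""
    return Decision(True, "ok", tool["irreversible"], key)
```

The gateway sits between the model and the internal API, so a prompt-injected call still has to name a catalogued tool, pass the argument schema and be permitted in the current environment before anything reaches the network.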