Why AI agents need more than API keys

Yaima ValdiviaFounder · June 2, 2026 · 3 min read

API keys were built for stable services calling each other. Autonomous agents act, delegate, and go wrong at machine speed — and that needs runtime authorization, not a static credential.

Continue reading →

More from the blog

May 21, 20263 min read

Scoped delegation: agent handoffs should narrow, not copy

When one agent hands work to another, it should pass on less power than it holds — not a copy of its full credential. Here's how scoped, revocable delegation keeps least privilege intact across a chain.

Engineering

May 14, 20262 min read

Revoke in seconds: the kill switch agents actually need

When an agent goes off the rails, waiting for a token to expire is the wrong response time. Opaque, server-checked tokens make 'stop' a single call — not a redeploy.

Security

May 7, 20262 min read

Three tiers, routed by risk: inside the Guardian pipeline

Not every agent action deserves the same scrutiny. A read deserves a rule check; a destructive action deserves reasoning. Here's how the Guardian pipeline routes each one by risk.

Architecture

April 29, 20262 min read

Read-only by default: sessions and time-boxed elevation

The safest default for an agent is one that can look but not touch. Sessions that start read-only and elevate only for a bounded window turn standing power into power on request.

Engineering