When a human calls an API, identity is well understood: OAuth tokens, JWTs, API keys. When an AI agent calls that same API via MCP, the identity model breaks down. Who is the caller? What should it be allowed to do? How do you revoke access when something goes wrong? As MCP adoption moves from dev laptops into production systems, the absence of a consistent identity and authorization layer for agent-initiated traffic is becoming a critical gap. This session walks through the auth problem from first principles, covering OAuth flows for non-human callers, per-agent rate limiting, JWT validation at the MCP proxy layer, and policy enforcement patterns that don't require rewriting your backend services. Attendees will leave with a concrete mental model and implementation patterns for securing MCP tool calls in production.
Kaiwalya Koparkar is a Platform Advocate at Gravitee and CNCF Ambassador with CKA and CKAD certifications. He specialises in API Management, cloud-native infrastructure, and SRE, and is the founder of Cloud Native Nashik.