Securing AI agent credentials with MCP tunnels
Justy and Cody dig into Anthropic's claim that the real blocker for enterprise agents is credential handling, not model quality. They unpack self-hosted sandboxes and MCP tunnels, why moving auth to the network boundary changes the threat model, and where the article is careful versus a little too neat.
Script: GPT-5.4 Voice: inworld-craig-mini:inworld-tts-1.5-mini
Transcript
Justy So the wild part is the article's basically saying the model was never the scary bit. The keys were.
Cody Yeah. That's the real argument, and I think it's mostly right. Enterprises don't panic because an agent is clever, they panic because it might walk around holding auth tokens.
Justy Which is such an Exploring Next episode four hundred twenty-five problem. Not, wow the demo worked. More, cool, who accidentally gave the intern the master badge.
Cody And in this case the intern is a stochastic process with tool access. Great. Love that for everyone.
Justy Also, before we get too deep, I slept terribly. I had that classic LA thing where you swear it'll be a quick errand and somehow you lose two hours buying light bulbs and standing in traffic. Anyway, that did make me weirdly sympathetic to enterprise teams who are like, no, we're not adding one more brittle system unless the security story is cleaner.
Cody Mm-hm.
Cody I got in late and did the opposite coast version. Red-eye brain, bad coffee, then a package got delivered to the wrong building again. So when I read 'lightweight outbound-only gateway' I was like, okay, at least ONE thing in my life has a clear route. Anyway. The piece is saying Anthropic split the system in two. The agent loop stays on Anthropic's side, but tool execution runs inside the company's own infrastructure.
Justy Right, right.
Justy And that split is the point, not some vague 'enterprise ready' sticker. If the agent can plan and recover from errors up in Claude land, but the actual touching of internal systems happens inside your boundary, then the user story changes a lot for any company sitting on private APIs or databases.
Cody Exactly.
Cody The article gives two pieces. Self-hosted sandboxes are in public beta for Claude Managed Agents. Those keep files, packages, and tool execution within your perimeter. Then MCP tunnels are in research preview, and the claim there is the tunnel reaches private MCP servers without putting credentials into the agent context.
Justy Which, to me, is the sentence that matters. Not 'agents can connect,' because sure, they could always connect if you were willing to do cursed things with tokens. It's 'without leaking credentials' that's new enough to change procurement conversations.
Cody Yeah.
Cody I do think the article is careful in a good way. It doesn't say this solves agent security full stop. It says the threat model changes. That's more believable. If an agent goes weird, you've reduced what it's carrying. You have NOT made a weird agent harmless. It can still ask for bad actions through allowed tools, or abuse overly broad permissions on the network side.
Justy That's where your eyebrows go up, Cody. Because if the tunnel or the sandbox is hooked to a too-powerful internal service account, congrats, the credential isn't in the prompt anymore but the blast radius can still be ugly.
Cody Yes, exactly. Security people have been yelling a version of that forever. Moving secrets out of the agent is genuinely good. But the permissioning still has to be narrow, the audit trail has to exist, and the private MCP server can't just become a magic back door with a nicer brochure.
Justy A nicer brochure is honestly half of enterprise software. But I buy the practical distinction the article makes versus OpenAI's local execution update from April. Anthropic's framing is that existing sandbox approaches, including that one, don't separate the hosted agent loop from enterprise-side execution in the same way.
Cody I think that's the strongest technical comparison in the piece, though I'd phrase it carefully. It's not that local execution is fake security. It's that Anthropic is emphasizing a cleaner division of responsibilities. Hosted orchestration, local execution, outbound-only connectivity. That can be easier to reason about operationally, especially for larger companies with hard network boundaries.
Justy Oh interesting.
Cody And the article also says teams should start with sandboxes, not tunnels. I actually agree with that. Sandboxes are in beta now, tunnels are research preview, and the sandbox piece is what changes the deployment shape today. The tunnel story is promising, but it's still a promise.
Justy That felt refreshingly non-hypey to me. Like, if you're already on Claude Managed Agents, the move is probably test self-hosted sandboxes and see whether your workflows still behave. If you're evaluating platforms, the question isn't 'does it have MCP' because everybody says that now. It's 'where do tools run, and who holds the credentials when something goes sideways.'
Cody Sure.
Justy Also tiny side riff. 'MCP tunnels' sounds either extremely serious or like a children's museum tube exhibit. There is no middle.
Cody It really does.
Cody And self-hosted sandbox sounds fun until you remember it's for enterprise auth isolation. Nothing says whimsy like boundary enforcement.
Justy So who actually cares. I think it's platform teams, security people, and whoever owns internal developer tooling. Probably not the team making a cute external chatbot. This matters when the agent needs real access to company systems and the blocker has been, absolutely not, we are not stuffing tokens into a model-shaped backpack.
Cody That's my read too. And I could be wrong, but the article's best line of reasoning is basically: enterprises were not waiting for smarter agents, they were waiting for safer plumbing. If that's true, then this is meaningful. Not because it makes agents brilliant, just because it makes some deployments less reckless.
Justy Which is a very Cody endorsement. Not exciting, merely less reckless.
Cody That's how things get adopted, Justy. Quietly. Behind a gateway. With fewer keys in the backpack.
Justy Honestly, that's a pretty good place to leave it. Go buy your light bulbs, secure your tunnels, and maybe don't hand the backpack the master badge.