Introduce Authentication in Gateways #63

@g3force

Where do you need to authenticate?

  • MCP
    1. Authenticate / authorize at the tool server or gateway itself
      1. Which tool servers am I allowed to use
      2. Which tools of a tool server am I allowed to use (e.g. read-only vs read-write)
    2. Authenticate / authorize for the tool/API used by the MCP server
  • Agent (A2A, AG-UI, etc.)
    1. Authenticate / authorize at the Agent Gateway
      • Which agents am I allowed to use
    2. Authenticate / authorize for the MCP tools and sub-agents being used
  • AI Gateway / LLM Model
    1. Global API key
    2. Virtual API key for unique identification of agents (not users)
  • Frontend (own UI or something like LibreChat, n8n)
    1. Adopt the login context of the frontend for agents and tools
    2. User manually configures credentials for agents/MCP servers (API key, JWT token)
    3. User initiates OAuth flow and confirms consent form specifically for one or more tools/APIs

How do you need to be able to authenticate?

  • MCP
    • OAuth flow in the browser, if possible
    • Pass tokens through otherwise (e.g. when an agent calls an MCP tool)
    • MCP supports negotiating the authentication and can, for example, transmit the necessary metadata for an OAuth flow
  • A2A
    • Fundamentally similar to MCP. Available security schemes can also be communicated here.
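The two MCP authorization levels listed in the issue (which tool servers, then which tools, split into read-only and read-write) can be enforced at the gateway as a default-deny check. This is an added example, not part of the issue or the project's code; the `Grant` shape, the caller ids, the tool names and the policy layout are all assumptions, and the caller id is assumed to come from an already authenticated credential such as a virtual API key.

```python
from dataclasses import dataclass

READ, WRITE = "read", "write"


@dataclass(frozen=True)
class Grant:
    """Hypothetical grant: what one caller may do on one tool server."""
    tools: frozenset   # tool names the caller may invoke; "*" means all
    mode: str = READ   # READ = read-only tools only, WRITE = read-write


# Constructed catalogue: each tool is classified as read or write.
TOOL_CATALOG = {
    "tickets": {"search_issues": READ, "get_issue": READ, "close_issue": WRITE},
    "wiki": {"get_page": READ, "update_page": WRITE},
}

# Constructed policy: authenticated caller id -> tool server -> grant.
POLICY = {
    "agent-support": {
        "tickets": Grant(frozenset({"*"}), WRITE),
        "wiki": Grant(frozenset({"get_page", "update_page"})),
    },
    "agent-report": {"tickets": Grant(frozenset({"search_issues"}))},
}


def authorize(caller, server, tool, policy=POLICY, catalog=TOOL_CATALOG):
    """Return (allowed, reason); every level denies by default."""
    grant = policy.get(caller, {}).get(server)
    if grant is None:                       # level 1: which tool servers
        return False, "server_not_allowed"
    required = catalog.get(server, {}).get(tool)
    if required is None:                    # unclassified tools are never callable
        return False, "unknown_tool"
    if "*" not in grant.tools and tool not in grant.tools:
        return False, "tool_not_allowed"    # level 2: which tools
    if required == WRITE and grant.mode != WRITE:
        return False, "read_only_grant"     # read-only vs read-write
    return True, "ok"


def visible_tools(caller, server):
    """Tools to advertise to this caller: only those it could actually call."""
    return sorted(t for t in TOOL_CATALOG.get(server, {})
                  if authorize(caller, server, t)[0])
```

Filtering the advertised tool list with the same check keeps what a caller can see consistent with what it can invoke, and the reason string gives the gateway something specific to log on each denial.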

Status: In progress