Cool cool. Except. What about auth? Authn and authz. Agent should be you always? If not, every API...

lll-o-lll • today at 7:56 AM • 3 replies • view on HN

Cool cool. Except.

What about auth? Authn and authz. Agent should be you always? If not, every API supports keys? If so, no fears about context poisoned agents leaking those keys?

One thing an MCP (server) gives you is a middleware layer to control agent access. Whether you need that is use-case dependent.

Replies

upcoming-sesame • today at 10:15 PM

That's not a limitation of CLIs, they can work with a different auth as well.

they are just a superior tool to MCP because the agent can write code that invokes, pipes and do many other things with the tool

mstipetic • today at 7:59 AM

Also resources - which are by far the coolest part of MCP. Prompts? Elicitation? Resource templates? If you think of MCP as only a replacement for tool calls I can see the argument but it's much more than that.

friendzis • today at 8:05 AM

> If not, every API supports keys?

How would MCP help you if the API does not support keys?

But that's not the point. The agent calls CLI tools, which reads secrets from somewhere where the agent cannot even access. How can agent leak the keys it does not have access to?

You ARE running your agents in containers, right?

➕ show 1 reply

alt Hacker News

Replies