Why Agent Authorization Fails: Service Accounts and User Credentials
Service accounts give the agent its own permissions, which in practice are over-provisioned. Anyone who can drive the agent, an intern included, effectively inherits those permissions, so the agent becomes a way around the authorization the user would otherwise face. User credentials fix the scope problem for single-user agents but hand the agent the user's full power, including the ability to delete files or wire money. Both patterns block enterprise deployment. Salazar argued for a third path: enforce the intersection of what the agent is allowed to do and what the user is allowed to do, using OAuth 2.1, the current revision of a delegated-authorization model that is roughly 15 years old and already fits existing security systems.
The MCP Gateway as an Actions Runtime
An MCP gateway is the front door to a control plane for agent actions. The actions runtime behind it handles identity separation, tool curation, authorization on every request, and audit trails. Agents are non-deterministic and cannot be trusted to enforce their own policies, so the runtime must check every action against both the agent's permissions and the user's permissions before it runs. This is a policy enforcement system, not a policy definition system: it integrates with existing identity providers such as Entra and with existing permission models such as Salesforce's rather than creating a new policy silo.
Skills Layer and Multi-Agent Foundation
MCP tools are building blocks. Skills are procedural knowledge that tell the agent how to combine tools into a workflow, such as replying to an email or issuing credit. Salazar positioned skills as a new MCP primitive under discussion in the working groups. With a central actions runtime, organizations can give multiple agents — Claude, Cursor, custom agents — access to the same blessed tool layer and skills while controlling each agent’s scope via separate gateways. A coding agent has no reason to access SAP. A sales agent has no reason to access Jira.
Live Demo: Token Revocation Blocks Access at the Action Layer
Salazar connected Claude to Arcade as its MCP gateway. Claude read an email from Nate using a Gmail tool through Arcade. He then revoked the OAuth token in the Arcade dashboard. When Claude tried to read the email again, Arcade could not find a token for that agent-user-service combination. It initiated a new authorization request, and the tool call did not proceed until the user re-authenticated. The agent’s context still held the previous email, but the action layer blocked execution. This demonstrated per-request authorization enforcement separate from the agent’s reasoning loop.
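The enforcement path described in the runtime section and exercised in the demo above, as an added example in Python. This is not Arcade's code and not code shown in the talk: the agent names, tool names, user permissions and token strings are hypothetical, an in-memory dict stands in for the gateway's OAuth token store, and small handler functions stand in for real MCP tools. It shows the three checks a call has to pass (the tool is blessed for the agent, the user is permitted to do it, and a token exists for the agent-user-service triple), the audit record written for every call, and the revocation sequence from the demo: allowed, revoked and blocked, then allowed again after re-authorization.

```python
"""Toy actions runtime modelling the enforcement path described on this page.

Added example, not Arcade's code. Agent names, tool names, user names,
permissions and tokens are hypothetical; the in-memory dict stands in for the
gateway's OAuth token store and the handlers stand in for real MCP tools.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

TokenKey = Tuple[str, str, str]  # (agent, user, service)


@dataclass(frozen=True)
class ToolCall:
    agent: str  # the agent making the request, e.g. "claude"
    user: str   # the human the agent is acting for
    tool: str   # qualified tool name, e.g. "gmail.read"

    @property
    def service(self) -> str:
        # tokens are scoped to the backing service, not to a single tool
        return self.tool.split(".", 1)[0]


class ActionsRuntime:
    """Gateway in front of MCP tools. Every call is checked; the agent is never trusted."""

    def __init__(self, agent_tools: Dict[str, Set[str]], user_perms: Dict[str, Set[str]]):
        self.agent_tools = agent_tools  # per-agent blessed tool set (central IT decides)
        self.user_perms = user_perms    # what each user may do in the backing system
        self.tokens: Dict[TokenKey, str] = {}
        self.audit: List[dict] = []

    def grant(self, agent: str, user: str, service: str, token: str) -> None:
        """Record the OAuth token obtained when the user consents for this agent."""
        self.tokens[(agent, user, service)] = token

    def revoke(self, agent: str, user: str, service: str) -> None:
        """What the dashboard button in the demo does: the next call must re-authorize."""
        self.tokens.pop((agent, user, service), None)

    def decide(self, call: ToolCall) -> str:
        """Return "allow" or the reason for refusal; agent AND user must permit the tool."""
        if call.tool not in self.agent_tools.get(call.agent, set()):
            return "denied:tool_not_blessed_for_agent"
        if call.tool not in self.user_perms.get(call.user, set()):
            return "denied:user_lacks_permission"
        if (call.agent, call.user, call.service) not in self.tokens:
            return "authorization_required"
        return "allow"

    def execute(self, call: ToolCall, handler: Callable[[str], object]) -> dict:
        """Authorize, audit, and only then let the tool run with the stored token."""
        decision = self.decide(call)
        self.audit.append({"agent": call.agent, "user": call.user,
                           "tool": call.tool, "decision": decision})
        if decision != "allow":
            # the agent may still remember earlier results; the action layer does not care
            return {"ok": False, "reason": decision}
        token = self.tokens[(call.agent, call.user, call.service)]
        return {"ok": True, "result": handler(token)}


def run_demo() -> List[dict]:
    """Replay the talk's revocation demo plus the two halves of the intersection rule."""
    runtime = ActionsRuntime(
        agent_tools={"claude": {"gmail.read", "gmail.send"}, "cursor": {"jira.read"}},
        user_perms={
            "nate": {"gmail.read", "gmail.send", "jira.read", "sap.pay"},
            "intern": {"gmail.read"},
        },
    )
    inbox = {"nate": "constructed sample email body"}  # constructed, stands in for Gmail

    def gmail_read(token: str) -> str:
        # a real tool would present the token to the service; here we only require one
        if not token.startswith("tok_"):
            raise RuntimeError("tool invoked without a valid token")
        return inbox["nate"]

    read = ToolCall("claude", "nate", "gmail.read")
    runtime.grant("claude", "nate", "gmail", "tok_first_consent")
    first = runtime.execute(read, gmail_read)    # allowed: both sides permit, token present
    runtime.revoke("claude", "nate", "gmail")
    second = runtime.execute(read, gmail_read)   # blocked: no token for (claude, nate, gmail)
    runtime.grant("claude", "nate", "gmail", "tok_after_reauth")
    third = runtime.execute(read, gmail_read)    # allowed again after re-authentication
    # user may, agent may not: a coding agent has no business in SAP
    fourth = runtime.execute(ToolCall("cursor", "nate", "sap.pay"), lambda t: "paid")
    # agent may, user may not: the intern never gets Claude's send permission
    fifth = runtime.execute(ToolCall("claude", "intern", "gmail.send"), lambda t: "sent")
    return [first, second, third, fourth, fifth]


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

Two design points carry over to a real gateway: the audit record is written before the decision is acted on, so denied and re-authorization-required calls appear in the trail alongside allowed ones, and the token is read only after both permission checks pass, so a revoked or never-granted token can never reach a tool handler. The handler is the only place the token is visible; the agent itself never holds it.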
Q&A
How does the actions runtime integrate with existing identity providers? Salazar answered that the runtime is a policy enforcement system that integrates into systems like Entra and Salesforce rather than creating new policy silos. ▶ Watch (28:21)
Can the same agent have different policies for different environments (e.g., coding vs. email)? Yes, by using separate gateways; currently you can give Claude and Cursor different gateways, and as the MCP spec evolves, stronger agent authentication will make it easier. ▶ Watch (32:41)
What prevents a malicious MCP server from being selected over a blessed one? The actions runtime allows central IT to bless specific MCP servers and prevent end users from spinning up arbitrary ones. ▶ Watch (36:31)
Notable Quotes
The agent can hallucinate all it wants about robbing a bank. The only time anybody cares is when it pulls a gun. Alex Salazar · ▶ Watch (3:49)
What really matters where enforcement is most important is when the AI decides to take an action. Alex Salazar · ▶ Watch (4:12)
It’s not about agent identity, service accounts, not human identity, whatever we’re going to call it today. And it’s not about the user’s credentials. It’s about taking the intersection. Alex Salazar · ▶ Watch (8:05)
Key Takeaways
- Use an MCP gateway to enforce authorization on every request, not at the agent level.
- Separate agent identity from user identity and take their intersection using OAuth 2.1.
- Centralize tool curation, skills, and audit trails in an actions runtime for multi-agent enterprise deployments.
About the Speaker(s)
Alex Salazar is the Co-Founder and CEO of Arcade.dev, the runtime for MCP that enables AI agents to securely take real actions across enterprise systems. He’s solving the hardest problems standing between AI agent demos and production deployment: secure agent authorization, high-accuracy…