
Connect AI Agent Safely

Use this playbook before letting an AI agent call Zerq-managed APIs or MCP tools.

Use this when

  • You are enabling Cursor/Claude/ChatGPT or internal agents.
  • You need to prevent tool overreach and accidental writes.

Prerequisites

  • Dedicated agent client and profile exist.
  • Required MCP surface (gateway or management) is chosen.
  • You can run at least one allow and one deny test before rollout.

Step 1: isolate agent identity

  1. Create a dedicated X-Client-ID per agent environment (dev/stage/prod).
  2. Use a profile scoped to the minimum required collections/tools.
  3. Use short-lived tokens with a planned rotation cadence.

Step 2: enforce least privilege

  1. Publish only needed routes/tools.
  2. Keep profile read-only first; add writes only with explicit approval.
  3. Apply stricter rate limits than human traffic.
  4. Keep destructive methods (DELETE, wide POST) blocked by default.

Step 3: verify policy behavior

# Allowed operation
curl -i "https://gateway.example.com/mcp/tools/list" \
-H "Authorization: Bearer $AGENT_TOKEN" \
-H "X-Client-ID: ai-assistant-prod" \
-H "X-Profile-ID: prod-ai-readonly"

# Expected denied operation
curl -i -X POST "https://gateway.example.com/mcp/tools/delete-config" \
-H "Authorization: Bearer $AGENT_TOKEN" \
-H "X-Client-ID: ai-assistant-prod" \
-H "X-Profile-ID: prod-ai-readonly"

Expected deny semantics

  • 401 invalid token.
  • 403 tool or route outside granted scope.
  • 405 method blocked.
  • 429 safety throttle triggered.

Go-live checklist

  • Confirm logs show the agent profile and expected request volume.
  • Confirm one explicit denied write operation (403 or 405) is captured.
  • Confirm token rotation path works without manual intervention.
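The allow/deny test from Step 3 and the go-live checklist, scripted as an added example (not Zerq tooling). It sends the same two requests as the curl commands above and maps the denied write's status to the deny semantics, treating 401 and 429 as inconclusive rather than as proof of policy; the `send` parameter and `http_send` transport are assumptions so the check can also run against a stub.

```python
# Pre-rollout allow/deny check for an agent profile (added example, not Zerq tooling).
import urllib.error
import urllib.request

GATEWAY = "https://gateway.example.com"  # gateway from the curl examples above


def http_send(method, url, headers):
    """Assumed transport: issue the request and return the HTTP status code."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def agent_headers(token, client_id, profile_id):
    """Identity headers from Step 1: token, per-environment client, scoped profile."""
    return {"Authorization": f"Bearer {token}",
            "X-Client-ID": client_id, "X-Profile-ID": profile_id}


def classify_write_denial(status):
    """Map the denied write's status to the page's deny semantics.
    Returns (passed, detail). Only 403/405 count as the explicit denial the
    go-live checklist asks for; 401 and 429 are inconclusive and must be rerun."""
    if status in (403, 405):
        return True, f"{status}: write explicitly denied by scope/method policy"
    if status == 401:
        return False, "401: token invalid, denial not proven (fix the token, rerun)"
    if status == 429:
        return False, "429: safety throttle hit before policy, back off and rerun"
    return False, f"{status}: write was NOT blocked, do not go live"


def verify_profile(token, client_id, profile_id, send=http_send):
    """Run the allow test and the deny test; return {check: (passed, detail)}."""
    hdrs = agent_headers(token, client_id, profile_id)
    results = {}
    allow = send("GET", f"{GATEWAY}/mcp/tools/list", hdrs)
    results["allow_read"] = (allow == 200, f"tools/list -> {allow}")
    deny = send("POST", f"{GATEWAY}/mcp/tools/delete-config", hdrs)
    results["deny_write"] = classify_write_denial(deny)
    return results


def ready_for_go_live(results):
    """Both the allow and the deny test must pass before enabling the agent."""
    return all(ok for ok, _ in results.values())
```

Run it once per environment with that environment's own client ID and profile; a 200 on the write test is the finding the checklist exists to catch.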

Rollback

  1. Disable or narrow the agent profile.
  2. Revoke/rotate the current token.
  3. Re-enable with read-only scope first.