Cequence is a pioneering leader in the bot management and API security space. Protecting over 10 billion daily API transactions has put us in a position to learn a tremendous amount about the business context – seeing how users, both human and synthetic, interact with applications and APIs. This experience has enabled us to build a unique application protection platform that secures some of the largest, most complex application environments in the world.
Historically, applications served users working through web browsers and mobile apps. Then came APIs, which provided a direct path into applications, enabling faceless applications, microservices, etc. Today, we have an additional new channel in the form of artificial intelligence (AI), specifically AI browsers and agents. While this new channel leverages APIs, it does so in a different manner that requires an understanding of the subtleties of bot behavior, both legitimate and malicious.
As such, Cequence is also securing this new channel, building on years of behavioral analysis to protect agentic AI-to-application communication. Our in-depth understanding of how organizations create, use, and defend their applications, APIs, and AI is what makes Cequence uniquely able not only to deliver a product that enables organizations to make their applications agentic AI ready, but to do so at enterprise scale with proper authentication and security.
MCP Servers Need Security
The Model Context Protocol (MCP) has emerged as the de facto standard for connecting AI agents and LLMs to applications and APIs. But as adoption picks up, many teams are implementing MCP without a clear security playbook. They are understandably focused on simply getting their project to show signs of life, to successfully handle a user query and demonstrate value. As such, crucial topics like authentication, authorization, security, and enterprise scale are ignored.
Unfortunately, risk dramatically increases when these items are treated as afterthoughts, something to be handled after you get the solution working. This misguided mindset usually results in projects that suffer from performance, scale, and security issues, not to mention hastily written code that must later be refactored. At this year’s Gartner Security and Risk Management Summit in National Harbor, Maryland, more than one analyst was quoted as saying that MCP projects would be the single biggest source of accumulated technical debt we’ve seen in a long while.
The Cequence AI Gateway not only makes it easy to create MCP servers in minutes without coding, but it also provides a much-needed interface to authentication. Any OAuth 2.0 IdP can be used to provide authentication and authorization capabilities to your newly minted MCP servers.
Further, the AI Gateway provides connectivity to the broader Cequence platform, so your MCP servers will enjoy protection from agent-fueled attacks, abuse, and fraud.
API Specs – Necessary, but Insufficient
Over the last decade, we’ve amassed an unparalleled storehouse of experience and knowledge about Application Programming Interfaces (APIs): how enterprises define, create, and use them, and of course, how threat actors try to exploit them. And while developers often create API specifications, these documents are by their very nature somewhat theoretical: they describe what should happen, a blueprint detailing how the API functions, its behavior, and the rules governing its interactions.
API specs often include:
- Endpoints and Paths: The specific URLs or resources that can be accessed through the API.
- Operations and Methods: The actions that can be performed on each endpoint (e.g., GET, POST, PUT, DELETE).
- Request and Response Structures: The expected format and content of data sent to the API (requests) and received from it (responses), including parameters, headers, and body schemas.
- Data Formats: The supported data types and serialization formats (e.g., JSON, XML).
- Authentication and Security Schemes: How users or applications are authorized to access the API and the security mechanisms in place.
- Error Handling and Responses: How the API communicates errors and the types of error responses to expect.
- Data Models/Schemas: Definitions of the data structures used within the API.
API specifications are often written in machine-readable formats like YAML or JSON, using standards such as the OpenAPI Specification (OAS). This allows for automation in generating documentation, client libraries, and even test cases, streamlining the development process and ensuring consistency in API design and implementation.
But like a building that has blueprints, until it’s built and occupied you have an incomplete understanding of the inhabitants and how they live and work in the structure. API specs are similar. Once you’re able to study API requests, the data that flows to them, and their delivered responses you can build a much more robust contextual understanding of a given application and its APIs.
Cequence API Security has long utilized ML and AI to power the automatic generation of API specs for our customers. This has proven to be a very popular capability, saving untold man-hours while producing high-quality, consistent specifications.
These same API specs can be used to create an MCP server, informing how MCP accesses application functionality. Your application can now interact with an agent and can start to do work – all true – but that’s just “good”. If you want “great”, you’ve got to augment that API spec with business context.
Much like when you use ChatGPT and give it a prompt, it comes back with an answer that more often than not isn’t quite right. So, you improve the prompt. It comes back with a slightly better answer and again you refine your prompt. Eventually, it comes back with a better answer. You gotta do this constantly to get a great result.
The results that AI agents are able to get from AI-ready applications follow a similar path: a basic API spec enables MCP servers to connect to applications using the MCP protocol. Agents can interact with your applications and can start to do work – but that’s just “good”. If you want “great”, you’ve got to augment that API spec with business context.
Enter Enhanced API Specs
For years Cequence has been monitoring and analyzing API traffic and using ML and AI to understand user behavior and business context to deliver more accurate and effective Application, API, and AI security. This same understanding (analysis of API traffic) enables us to augment the API spec – endow it with an understanding of business context – and like magic, your agents instantaneously deliver vastly superior results. Best of all, it’s evergreen: because we’re constantly watching the traffic, we further improve that spec as things evolve and more is learned, so you’re constantly getting a better result without any human intervention needed.
In the end, everything performs better, faster, and more predictably. And, as an added bonus, fewer calls get made so you now spend fewer tokens, making it cheaper as well.
```yaml
description: <p>Retrieves a list of all admin roles. To learn more, see <a href="/zia/about-role-management" target="_blank">About Role Management</a>.</p>
```

```yaml
description: |-
  Lists all AdminRoles resources with filtering and pagination support.
  Critical for inventory management and bulk operations. This is a
  specialized endpoint for specific use cases. Critical for security
  governance and access control management. Directly impacts compliance
  with SOX, GDPR, and internal security policies
  EXAMPLES:
  • List all adminRoles for inventory management
  • Search adminRoles by criteria for bulk operations
  Agent Instructions: Use query parameters for filtering and pagination.
  Expect array responses with metadata. Verify role permissions align
  with least-privilege principle. Include valid authentication token
  in Authorization header.
  Business Context: Required for role-based access control audits
  and compliance reporting
  Parameter Guidance: Use ‘page’ and ‘pageSize’ for pagination.
  Apply filters to reduce response size. Include Content-Type header
  for requests with body. Use Accept header to specify response format.
```
These enhanced specs are shared with the Cequence AI Gateway offering a number of benefits over basic specs. First, because the enhanced specs provide much richer context, agents are better able to know which APIs will do exactly what they need. Second, enabling the agent to accurately get what it needs reduces the number of API calls, improves agent performance, and cuts down on cost.
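A pre-flight check of the kind a team could run on an OpenAPI document before exposing its operations as MCP tools, flagging operations with no effective authentication and descriptions that still carry HTML or lack the agent-facing sections shown in the enhanced description above. This is an added example, not Cequence code: the function name, finding labels, sample paths and scheme names are assumptions, and treating the three section labels as required is a convention chosen for the illustration.

```python
import re

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}
# Section labels copied from the enhanced description on this page (assumed convention).
AGENT_SECTIONS = ("Agent Instructions:", "Business Context:", "Parameter Guidance:")

def lint_spec(spec):
    """Map "METHOD path" to findings for operations not ready to expose as MCP tools."""
    schemes = spec.get("components", {}).get("securitySchemes", {})
    findings = {}
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # path-level keys such as "parameters"
            issues = []
            # Operation-level "security" overrides the top-level default;
            # an empty list switches authentication off for that operation.
            reqs = op.get("security", spec.get("security", []))
            if not reqs:
                issues.append("no-auth")
            elif any(not r for r in reqs):
                issues.append("auth-optional")  # a {} entry permits anonymous calls
            issues += [f"undefined-scheme:{n}" for r in reqs for n in r if n not in schemes]
            desc = op.get("description", "")
            if re.search(r"</?[a-zA-Z][^>]*>", desc):
                issues.append("html-in-description")  # markup left over from docs pages
            if any(s not in desc for s in AGENT_SECTIONS):
                issues.append("missing-agent-context")
            if issues:
                findings[f"{method.upper()} {path}"] = issues
    return findings

# Constructed sample: paths, scheme names and description text are illustrative.
RICH = "Lists roles. Agent Instructions: a. Business Context: b. Parameter Guidance: c."
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "security": [{"oauth2": []}],
    "components": {"securitySchemes": {"oauth2": {"type": "oauth2"}}},
    "paths": {
        "/adminRoles": {"get": {"description": "<p>Retrieves a list of all admin roles.</p>"}},
        "/adminRoles/{id}": {"delete": {"description": RICH, "security": []}},
        "/adminRoles/export": {"get": {"description": RICH, "security": [{"apiKey": []}]}},
        "/adminRoles/count": {"get": {"description": RICH}},
    },
}

if __name__ == "__main__":
    for op, issues in lint_spec(SAMPLE_SPEC).items():
        print(op, issues)
```

The `no-auth` and `undefined-scheme` findings matter most here: an operation that overrides the spec-wide OAuth requirement, or names a scheme that is never defined, would be reachable by an agent without the authentication the rest of the spec assumes.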
Platform Power
Arguably, the Cequence AI Gateway is all about enablement, helping organizations unlock the promise of agentic AI productivity by easily and safely connecting agents to enterprise and SaaS applications. But the best solutions will leverage the broader Cequence platform, benefiting from access to automatically-generated, enhanced API specs that boost agentic AI performance, accuracy, and cost effectiveness. And, on the security side, UAP provides protection from agent-fueled attacks, abuse, and fraud against all applications and APIs, including those connected to the AI Gateway.
Making sure authentication, authorization, and security are all accounted for up front reduces wasted effort and produces an enterprise-class result with only a modest level of additional effort.
