# API Security for AI Agents: Securing MCP, Function Calling & Tool Use
## AI Agents as API Consumers

APIs were designed for human-driven applications — a user clicks a button, the app sends a request. AI agents fundamentally change this model. An autonomous agent can discover, call, and chain API endpoints without human intervention, at machine speed, and with unpredictable behavior.

**The Shift:** Traditional API security assumes a human in the loop. AI agents remove that assumption. They can call thousands of endpoints per minute, probe for vulnerabilities, exploit business logic, and exfiltrate data — all while following their programmed instructions "correctly."
## How AI Agents Interact with APIs
| Interaction Model | Description | Security Implications |
|---|---|---|
| Function Calling | OpenAI/Anthropic format — model decides which function to call | Agent can call any registered function |
| MCP (Model Context Protocol) | Standardized tool/resource protocol | MCP servers expose entire toolsets |
| LangChain/LlamaIndex Tools | Framework-specific tool wrappers | Tool definitions include execution logic |
| Direct API Calls | Agent constructs HTTP requests | Full API surface is accessible |
| Browser Use | Agent controls a browser to interact with web UIs | Bypasses API-level controls entirely |
## Securing Function Calling

### The Function Calling Security Model

When you register functions with an AI model (OpenAI, Anthropic, etc.), the model decides which functions to call based on user input. This creates a critical security boundary:
```
User Input → [AI Model] → Function Selection → [Your Code] → Side Effects
                  ^                                  ^
                  |                                  |
          Prompt injection               Insufficient validation
          can redirect function          can cause damage
          selection
```
### Secure Function Registration

```typescript
// VULNERABLE — Overly broad function with no constraints
const tools = [{
  name: "database_query",
  description: "Execute any SQL query on the database",
  parameters: {
    query: { type: "string", description: "SQL query to execute" }
  }
}];
```
```typescript
// SECURE — Constrained, specific functions with validation
const tools = [{
  name: "get_user_orders",
  description: "Get orders for the currently authenticated user",
  parameters: {
    status: {
      type: "string",
      enum: ["pending", "shipped", "delivered", "cancelled"],
      description: "Filter by order status"
    },
    limit: {
      type: "number",
      minimum: 1,
      maximum: 50,
      description: "Maximum orders to return"
    }
  }
}];
```
```typescript
// Function implementation with security checks
async function getUserOrders(params: unknown, context: AgentContext) {
  // 1. Validate parameters against schema
  const validated = OrderQuerySchema.parse(params);

  // 2. Enforce user scope — agent can only see current user's data
  const orders = await Order.find({
    userId: context.authenticatedUserId, // Never from params!
    status: validated.status,
  }).limit(validated.limit);

  // 3. Filter sensitive fields from response
  return orders.map(o => ({
    id: o.id,
    status: o.status,
    total: o.total,
    createdAt: o.createdAt,
    // Exclude: internalNotes, costPrice, supplierInfo
  }));
}
```
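The `OrderQuerySchema` used in the implementation is typically built with a schema library such as Zod; as a sketch, a minimal hand-rolled equivalent with the same clamping and enum behavior might look like this (the type and constant names are illustrative):

```typescript
// Hypothetical stand-in for OrderQuerySchema. A real project would
// likely use a validation library (e.g. Zod) instead of hand-rolling this.
type OrderQuery = { status?: string; limit: number };

const ORDER_STATUSES = ["pending", "shipped", "delivered", "cancelled"];

const OrderQuerySchema = {
  parse(params: unknown): OrderQuery {
    const p = params as Record<string, unknown>;
    // Reject any status outside the declared enum
    if (p.status !== undefined &&
        (typeof p.status !== "string" || !ORDER_STATUSES.includes(p.status))) {
      throw new Error(`Invalid status: ${String(p.status)}`);
    }
    // Clamp limit into the declared 1–50 range, defaulting to 50
    const raw = typeof p.limit === "number" ? p.limit : 50;
    const limit = Math.min(50, Math.max(1, Math.floor(raw)));
    return { status: p.status as string | undefined, limit };
  },
};
```

Note that the schema clamps or rejects rather than trusting the model: the model can be manipulated into sending `limit: 999999` regardless of what the tool definition declares.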
### Function Calling Security Rules

- **Design functions with least privilege** — Each function should do one thing with minimal permissions
- **Never pass user identity via parameters** — Extract it from the authenticated session/token
- **Validate all parameters server-side** — The AI model can be manipulated to send unexpected values
- **Use enums and strict types** — Avoid freeform string parameters where possible
- **Implement function-level rate limiting** — Separate from API-level rate limiting
- **Log every function invocation** — Full audit trail including parameters and results
- **Require human confirmation for destructive actions** — DELETE, financial transactions, data modifications
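The confirmation rule for destructive actions is easiest to enforce centrally, in the tool dispatcher, rather than inside each function. A minimal sketch (the registry shape and `requiresConfirmation` flag are illustrative, not part of any specific framework):

```typescript
type ToolHandler = (params: unknown) => unknown;

interface ToolEntry {
  handler: ToolHandler;
  requiresConfirmation: boolean; // true for DELETE, payments, mutations
}

const registry = new Map<string, ToolEntry>();

function registerTool(name: string, handler: ToolHandler,
                      opts: { requiresConfirmation?: boolean } = {}) {
  registry.set(name, { handler, requiresConfirmation: !!opts.requiresConfirmation });
}

// Central dispatch: unknown tools are rejected, and destructive tools
// are blocked unless the caller supplies an explicit confirmation flag
// obtained from a human, never from the model itself.
function dispatch(name: string, params: unknown, confirmed = false): unknown {
  const entry = registry.get(name);
  if (!entry) throw new Error(`Unknown tool: ${name}`);
  if (entry.requiresConfirmation && !confirmed) {
    throw new Error(`Tool "${name}" requires human confirmation`);
  }
  return entry.handler(params);
}
```

Because the gate lives in the dispatcher, a prompt-injected model cannot talk its way past it — the `confirmed` flag comes from your UI layer, not from model output.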
## Securing MCP Servers

### MCP Server Threat Model
| Threat | Attack Vector | Mitigation |
|---|---|---|
| Malicious MCP server | User installs backdoored server from untrusted source | Server vetting, code review, allowlisted registries |
| Tool name collision | Two MCP servers register tools with same name | Namespace enforcement, deterministic resolution |
| Excessive permissions | MCP server requests filesystem, network, exec access | Principle of least privilege, capability-based security |
| Data exfiltration | MCP tool sends data to external endpoints | Network isolation, egress filtering |
| Prompt injection via tools | Tool returns injected instructions in response | Output sanitization, instruction hierarchy |
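The tool-name collision row above can be mitigated by qualifying every tool with its server name before exposing it to the model, and refusing ambiguous registrations outright. A sketch (the `server__tool` naming scheme is an assumption, not mandated by MCP):

```typescript
// Maps a fully qualified tool name ("server__tool") to its owning server,
// so "search" from two different MCP servers can never shadow one another.
const toolOwners = new Map<string, string>();

function registerServerTools(server: string, tools: string[]): string[] {
  return tools.map(tool => {
    const qualified = `${server}__${tool}`;
    if (toolOwners.has(qualified)) {
      throw new Error(`Duplicate tool registration: ${qualified}`);
    }
    toolOwners.set(qualified, server);
    return qualified;
  });
}
```

Failing loudly on duplicates gives deterministic resolution: the agent can never be silently routed to a different server's tool than the one the operator vetted.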
### MCP Server Hardening Checklist
□ Run MCP servers in isolated containers (no host filesystem access)
□ Network: allowlist only required outbound connections
□ No shell execution capability unless absolutely required
□ Read-only filesystem access where possible
□ Environment variables: only pass required credentials
□ Validate all tool inputs against strict JSON schemas
□ Sanitize all tool outputs (strip potential injection patterns)
□ Log every tool invocation with full context
□ Implement per-tool rate limiting
□ Set resource limits (CPU, memory, execution time)
□ Code review all third-party MCP servers before installation
□ Pin MCP server versions (no auto-updates in production)
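The output-sanitization item above can be approximated with a pattern filter. The sketch below uses an illustrative and deliberately incomplete pattern list — regex filtering is one layer, not a complete defense against prompt injection:

```typescript
// Phrases that commonly appear in injected instructions.
// This list is an example only; real deployments pair filtering with
// an instruction hierarchy and output provenance tracking.
const INJECTION_PATTERNS: RegExp[] = [
  /ignore (all )?previous instructions/gi,
  /you are now/gi,
  /<\/?system>/gi,
];

function sanitizeToolOutput(output: string): string {
  let clean = output;
  for (const pattern of INJECTION_PATTERNS) {
    clean = clean.replace(pattern, "[filtered]");
  }
  return clean;
}
```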
## Rate Limiting for AI Agents

Traditional rate limiting (requests per minute per IP) doesn't work well for AI agents. You need agent-aware rate limiting:
```typescript
// Agent-aware rate limiting middleware
const agentRateLimiter = {
  // Per-agent limits (identified by API key or OAuth client)
  perAgent: {
    requestsPerMinute: 60,
    tokensPerMinute: 100000,      // LLM token budget
    toolCallsPerMinute: 30,       // Function/tool invocations
    writeOperationsPerMinute: 10, // Mutations
    costPerDay: 50.00,            // Dollar budget limit
  },
  // Per-user-per-agent limits (agent acting on behalf of a user)
  perUserPerAgent: {
    requestsPerMinute: 20,
    dataRecordsPerMinute: 100, // Records accessed
    writeOperationsPerHour: 25,
  },
  // Global safety limits
  global: {
    maxConcurrentAgentSessions: 100,
    maxAgentChainDepth: 3, // Agent spawning sub-agents
    emergencyShutdownOnAnomalyScore: 0.95,
  },
};
```
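A per-minute limit like `requestsPerMinute` can be enforced with a sliding window; here is a minimal in-memory sketch (production systems would back this with a shared store such as Redis so limits hold across instances):

```typescript
// Sliding one-minute window per agent: timestamps of accepted calls.
const windows = new Map<string, number[]>();

function allowRequest(agentId: string, limitPerMinute: number,
                      now: number = Date.now()): boolean {
  const cutoff = now - 60_000;
  // Drop timestamps that have aged out of the window
  const recent = (windows.get(agentId) ?? []).filter(t => t > cutoff);
  if (recent.length >= limitPerMinute) {
    windows.set(agentId, recent);
    return false; // over budget — reject or queue the call
  }
  recent.push(now);
  windows.set(agentId, recent);
  return true;
}
```

The same shape works for `toolCallsPerMinute` and `writeOperationsPerMinute` by keeping a separate window per counter — the point is that each budget is tracked independently, so an agent that stays under its request limit can still be stopped from burning through mutations.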
## Monitoring AI Agent API Usage

Track these signals to detect compromised or misbehaving AI agents:
| Signal | Normal | Suspicious |
|---|---|---|
| Endpoint diversity | Calls 3-5 endpoints per task | Systematically probes all endpoints |
| Error rate | < 2% | > 20% (probing for vulnerabilities) |
| Data volume | Requests typical data sets | Attempts to enumerate all records |
| Time between requests | Human-initiated cadence | Machine-speed continuous requests |
| Tool call patterns | Predictable per task type | Random or scanning pattern |
| Cross-user access | Never | Attempts to access other users' data |
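These signals can feed the `emergencyShutdownOnAnomalyScore` threshold from the rate-limit config. A sketch of a simple weighted score — the thresholds and weights below are illustrative and would need calibration against your own baseline traffic:

```typescript
interface AgentUsage {
  endpointsCalled: number;   // distinct endpoints touched in the current task
  errorRate: number;         // 0..1 over a recent window
  crossUserAttempts: number; // attempts to access other users' data
}

// Illustrative weighting only; real systems learn these from baselines.
function anomalyScore(u: AgentUsage): number {
  let score = 0;
  if (u.endpointsCalled > 5) score += 0.3;   // endpoint scanning
  if (u.errorRate > 0.2) score += 0.3;       // probing for vulnerabilities
  if (u.crossUserAttempts > 0) score += 0.4; // never normal — weight heavily
  return Math.min(1, score);
}
```

Cross-user access attempts carry the largest weight because, per the table, they have no legitimate baseline: a single attempt should push the score close to the shutdown threshold.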
## Further Reading
- OWASP Top 10 for Agentic AI — Complete agentic AI risk framework
- Securing Generative AI APIs — MCP and Shadow AI security
- AI Agent IAM — Identity management for agents
- API Security Trends 2026 — Broader API threat landscape