Keycard Workshop @ AI Engineer World's Fair

Your agents are reaching for real tools and real data. The risk isn't the capable agent, it's the standing secret it holds. One long-lived API key sitting in an agent's environment is one prompt injection or Shai-Hulud away from being read out. At AI Engineer World's Fair , Keycard is running a hands-on workshop where you build the answer on your own machine. We'll serve lunch and then you'll build a custom support-escalation MCP server in TypeScript (Express, Streamable HTTP) , and lock down both the server and everything it touches with Keycard , end to end. You'll leave having built a server with three tools: Read support tickets , where the user's identity is swapped for a read-only credential so no standing key ever sits in your server Escalate to engineering , where an LLM scrubs the PII before posting a clean issue to Linear using a write-scoped credential Delete an escalation , which asks for a scope your policy refuses to grant What you'll learn: Why standing secrets are the real risk in agentic systems, and how to build them so your server never holds one How to give each…