

Keycard Workshop @ AI Engineer World's Fair
Your agents are reaching for real tools and real data. The risk isn't the capable agent, it's the standing secret it holds. One long-lived API key sitting in an agent's environment is one prompt injection or one Shai-Hulud-style supply-chain worm away from being read out and exfiltrated.
At AI Engineer World's Fair, Keycard is running a hands-on workshop where you build the answer on your own machine. We'll serve lunch and then you'll build a custom support-escalation MCP server in TypeScript (Express, Streamable HTTP), and lock down both the server and everything it touches with Keycard, end to end.
You'll leave having built a server with three tools:
Read support tickets, where the caller's identity is exchanged at call time for a read-only credential, so no standing key ever sits in your server
Escalate to engineering, where an LLM scrubs the PII before posting a clean issue to Linear using a write-scoped credential
Delete an escalation, which asks for a scope your policy refuses to grant
What you'll learn:
Why standing secrets are the real risk in agentic systems, and how to build your server so it never holds one
How to give each tool exactly the access it needs, and nothing more
How to trace every hop of an agent delegation chain in a complete audit trail
How to set policy that blocks an over-permissioned action
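To make the four points above concrete, here is a small TypeScript sketch of the pattern: a credential broker that exchanges a caller's identity for a short-lived, single-scope credential, refuses any scope the tool's policy does not grant, and records every hop of the delegation chain. This is an added illustration, not Keycard's SDK or the workshop's code; the tool names, scope strings, policy table, `Principal` shape and the `exchange`/`verify` functions are all hypothetical.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

type Scope = "tickets:read" | "issues:write" | "issues:delete";

// Hypothetical policy table (illustration only): each tool may be granted
// only the scopes listed. The delete tool lists none, so any request for
// issues:delete is refused by policy rather than by the downstream API.
const TOOL_POLICY: Record<string, readonly Scope[]> = {
  read_tickets: ["tickets:read"],
  escalate_to_engineering: ["issues:write"],
  delete_escalation: [],
};

// One link in the delegation chain: a human user, the coding agent acting
// for them, the MCP server acting for the agent, and so on.
interface Principal {
  subject: string;
  actingFor?: Principal;
}

interface ScopedCredential {
  token: string;      // bound to one scope, the chain, and an expiry
  scope: Scope;
  chain: string[];    // root user first, innermost delegate last
  expiresAt: number;  // unix ms
}

interface AuditEvent {
  at: number;
  tool: string;
  scope: Scope;
  chain: string[];
  decision: "granted" | "denied";
  reason?: string;
}

const TTL_MS = 5 * 60 * 1000; // credentials live minutes, not months
// The broker's own signing key, generated fresh at startup. It never leaves
// the broker, so the MCP server and its tools hold nothing long-lived.
const SIGNING_KEY = randomBytes(32);

// Walk the actingFor links so every hop ends up in the audit record.
function delegationChain(p: Principal): string[] {
  const chain: string[] = [];
  for (let cur: Principal | undefined = p; cur; cur = cur.actingFor) chain.push(cur.subject);
  return chain.reverse();
}

function sign(payload: string): string {
  return createHmac("sha256", SIGNING_KEY).update(payload).digest("hex");
}

// Exchange a caller identity for a short-lived credential limited to one scope,
// or refuse (and log why) when the tool's policy does not grant that scope.
function exchange(
  tool: string, scope: Scope, caller: Principal, audit: AuditEvent[], now = Date.now(),
): ScopedCredential | null {
  const chain = delegationChain(caller);
  const allowed = TOOL_POLICY[tool] ?? [];
  if (!allowed.includes(scope)) {
    audit.push({ at: now, tool, scope, chain, decision: "denied", reason: `policy for ${tool} does not grant ${scope}` });
    return null;
  }
  const expiresAt = now + TTL_MS;
  const payload = JSON.stringify({ scope, chain, expiresAt });
  const token = `${Buffer.from(payload).toString("base64url")}.${sign(payload)}`;
  audit.push({ at: now, tool, scope, chain, decision: "granted" });
  return { token, scope, chain, expiresAt };
}

// The resource behind a tool checks signature, expiry, and that the scope the
// token carries is exactly the one this call needs.
function verify(token: string, needed: Scope, now = Date.now()): boolean {
  const [b64, mac] = token.split(".");
  if (!b64 || !mac) return false;
  const payload = Buffer.from(b64, "base64url").toString();
  const expected = sign(payload);
  if (expected.length !== mac.length || !timingSafeEqual(Buffer.from(expected), Buffer.from(mac))) return false;
  const { scope, expiresAt } = JSON.parse(payload) as { scope: Scope; expiresAt: number };
  return scope === needed && now < expiresAt;
}

// Constructed delegation chain (user -> coding agent -> MCP server) driving the
// three tools from the workshop description; returns the audit trail.
function demo(now = Date.now()): AuditEvent[] {
  const audit: AuditEvent[] = [];
  const server: Principal = {
    subject: "server:support-escalation",
    actingFor: { subject: "agent:claude-code", actingFor: { subject: "user:alice" } },
  };
  exchange("read_tickets", "tickets:read", server, audit, now);
  exchange("escalate_to_engineering", "issues:write", server, audit, now);
  exchange("delete_escalation", "issues:delete", server, audit, now);
  return audit;
}
```

Run `demo()` and inspect the returned events: the first two are granted with the full three-hop chain attached, and the third is denied with the policy reason. Because `exchange` is the only place a credential is minted, the server never stores one, and each credential dies on its own after `TTL_MS` even if it leaks.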
Bring a laptop with Node and npm, a GitHub account, and your local coding agent (Claude Code, Cursor, Codex, or Copilot). TypeScript familiarity is strongly preferred.
You'll walk out with a governed escalation server you built, and a clear pattern for securing every agent you ship next. Join us if you're building MCP servers or agentic systems and want to learn how to control access to your server and the resources behind it.