Agents, Access, and the Future of Machine Identity — Nick Nisi (WorkOS) + Lizzie Siegle (Cloudflare)

00:00:00.000 | -

00:00:02.000 | - Hi, I'm Lizzy.

00:00:16.340 | I'm a developer advocate at CloudFlare.

00:00:19.040 | - And I'm Nick.

00:00:19.880 | I'm a developer experience engineer at WorkOS.

00:00:23.760 | - Yes, so at CloudFlare, I make a lot of AI demos,

00:00:27.120 | AI MCP servers, anyone here also making any of those?

00:00:32.120 | Agents?

00:00:34.300 | Nice, of course, should've guessed, 'cause conference.

00:00:37.580 | So I've been having fun making agents and MCP servers

00:00:40.720 | that act on behalf of me.

00:00:42.540 | I built an agent to auto vote in the NBA finals for me,

00:00:46.740 | and then I got blocked, eventually.

00:00:48.560 | Anyways, I booked tennis courts in San Francisco,

00:00:52.440 | 'cause Lord knows that is hard enough to do already.

00:00:55.440 | So I think that's a great agent use case.

00:00:57.740 | Agent that acts for me,

00:00:59.220 | automates some of the tedious parts of my life,

00:01:01.800 | things that I want to do.

00:01:03.660 | However, that does beg the question,

00:01:05.500 | how do you control what they're allowed to do?

00:01:09.060 | - Yeah, and we're moving so fast with all of this

00:01:12.640 | and having fun getting it to do things.

00:01:14.740 | You know, GitHub MCP is one of my favorites,

00:01:16.620 | because I can just get it going and have it read reviews for me,

00:01:21.280 | read diffs for me, and just help me manage GitHub,

00:01:24.840 | which is really awesome, but it's very developer-centric,

00:01:27.760 | obviously, it's GitHub, but MCPs in general,

00:01:30.300 | like, you have to go and edit this JSON file and do that,

00:01:33.120 | and it's really tough to, like, I have to give it a pat,

00:01:36.260 | and, you know, that's an advanced use case for non-developers.

00:01:40.560 | And so we really need a way to let these tools act on our behalf,

00:01:44.940 | but in a more traditional way that's easy for end users

00:01:49.440 | to be able to set that up.

00:01:50.660 | And so, yeah, that's what we do at WorkOS.

00:01:55.140 | We do, like, authorization and user management,

00:01:58.120 | and, like, the main point of this talk is to really help drive the idea

00:02:03.280 | that we need, like, the same kind of credentials and authorization

00:02:07.080 | that we do with user-facing projects.

00:02:09.220 | We need the agents to do that as well as a start,

00:02:11.900 | and then we have a lot of places that we can go with this

00:02:14.320 | as we get more fine-grained.

00:02:15.500 | But really, the point is that OAuth really just isn't for humans

00:02:20.560 | anymore.

00:02:20.860 | It's for our agents acting on our behalf.

00:02:23.140 | And you know what else agents need?

00:02:28.300 | Memory, persistent storage.

00:02:31.680 | Anyone here use Cloudflare?

00:02:34.760 | You think you know what Cloudflare does?

00:02:36.560 | No.

00:02:37.180 | I'm here to tell you that you do not.

00:02:38.600 | People are like, oh, you do security, CDN,

00:02:43.720 | DDoS protection, bot management.

00:02:45.880 | We do so much more.

00:02:47.240 | We have compute Cloudflare workers.

00:02:48.720 | We can host your code on the edge.

00:02:51.300 | We host AI models you can run imprints on.

00:02:54.580 | Vectorize, we have a vector database, a SQL database.

00:02:57.640 | Durable objects, which is what we use in our agent's framework

00:03:01.680 | to maintain memory.

00:03:03.300 | Very important.

00:03:05.020 | And video streaming, image optimization, so much more.

00:03:09.760 | If you use Cloudflare workers, we have bindings.

00:03:12.340 | Bindings let you interact from your web app, from your website,

00:03:16.300 | from your agent as well.

00:03:17.720 | Because our agents and MCB servers are kind of similar in that you

00:03:21.980 | can use bindings to interact with other Cloudflare products.

00:03:26.280 | And also just like, of course, you can use other companies' products

00:03:29.400 | as well.

00:03:30.940 | And of course, now we have a free tier.

00:03:32.600 | Durable objects used to not be free.

00:03:35.860 | Now you can use it.

00:03:36.800 | And I know startups who use Cloudflare who do not pay us.

00:03:39.380 | And they make money.

00:03:40.380 | Yeah, I digress.

00:03:42.380 | But yeah, all of these pieces, they really help to--

00:03:45.560 | they just bent naturally into building these agents.

00:03:47.960 | Because they'll deliver the code to where you're at.

00:03:50.380 | And you can use the durable objects to store persistence on them.

00:03:54.380 | And you can also use things like authorization

00:03:57.660 | to make sure-- and there's a whole OAuth framework

00:04:01.200 | with Cloudflare's agents framework that lets you set up

00:04:05.820 | that authorization so that you can easily know who the worker is--

00:04:10.520 | or the agent is acting on behalf of.

00:04:12.280 | Yeah.

00:04:12.780 | So--

00:04:17.520 | And this agenda will be made available at the end

00:04:20.280 | in the GitHub repo.

00:04:21.640 | It's a markdown file.

00:04:22.700 | So we did build an MCP server using Cloudflare

00:04:28.140 | and using WorkOS.

00:04:29.600 | And it's just a very basic one.

00:04:31.520 | You'll be able to check it out.

00:04:32.380 | And you can use it and run it today, which is really awesome.

00:04:35.780 | And we're just going to deploy it real quick.

00:04:37.560 | So I'll just do npm run deploy, which

00:04:42.920 | will run Wrangler to deploy that.

00:04:45.240 | And as soon as it's out there, we'll

00:04:48.140 | be able to see it in my compute here.

00:04:52.140 | Oops, I was just there.

00:04:53.200 | That's the Cloudflare dashboard.

00:04:54.660 | And it's also very easily to run locally as well,

00:04:58.400 | with like npm run or Wrangler run, something similar.

00:05:01.980 | So a few seconds ago, we've got it deployed.

00:05:04.860 | And going back to the terminal, it gave me a URL here.

00:05:09.960 | And so I can just copy my worker's URL.

00:05:12.220 | And I'm going to go over to my client, Claude.

00:05:14.980 | And I'm just going to hit this button and say Add Integration.

00:05:19.040 | And it's going to pop up.

00:05:20.040 | I'll make this big.

00:05:22.220 | And I can go Add Integration.

00:05:23.540 | And I'll just say, I want to add mcp.shop.

00:05:26.540 | Ho, ho, ho, what could it be?

00:05:28.880 | Naming things is hard.

00:05:30.560 | I'm just tacking on it, slash mcp onto there.

00:05:33.600 | And now I've got mcp.shop.

00:05:35.860 | And I'm going to connect.

00:05:37.500 | And so once I connect, this is pulling up

00:05:39.640 | and allowing me to tell the agent who to act on behalf of--

00:05:44.440 | me, in this case.

00:05:45.920 | So I'm going to sign in with GitHub.

00:05:47.960 | It's going to do its thing.

00:05:50.880 | And then Claude is refreshed.

00:05:54.580 | And now it can act on behalf of me.

00:05:56.900 | And can we see the tools?

00:05:58.160 | Yeah.

00:05:58.660 | So what should we ask?

00:06:04.720 | Let's order a shirt.

00:06:09.000 | Let's order a shirt.

00:06:10.080 | I love shirts.

00:06:10.800 | Yo, I hear I can get a shirt.

00:06:17.380 | Get a shirt from you.

00:06:19.120 | Live demos in an LLM.

00:06:25.860 | Wi-Fi don't fail us.

00:06:27.020 | So it's running.

00:06:30.240 | And it recognized that it has tools available now

00:06:32.780 | from mcp.shop.

00:06:33.580 | So it's going to list the inventory.

00:06:35.480 | We'll go ahead and let it run.

00:06:38.360 | Yeah, there's an MCP shirt.

00:06:43.400 | You can get it for free.

00:06:45.360 | And you can pick your size.

00:06:46.740 | And then all it needs is just your company name and your mailing

00:06:50.040 | address.

00:06:51.000 | And so I'll say, give me--

00:06:54.960 | I'll say, XL and 123 Main Street.

00:07:01.120 | Bellevue, Nebraska.

00:07:03.080 | There's a Bellevue, Nebraska.

00:07:04.040 | And we'll do that.

00:07:07.100 | Oh, it needs my company name.

00:07:15.740 | That's so LinkedIn.

00:07:16.500 | Duh.

00:07:17.000 | Might be my company name is WorkOS Duh now.

00:07:22.300 | So we'll let that run.

00:07:27.800 | I'm not sure thinking about it.

00:07:38.300 | It's confirmed it.

00:07:41.560 | Done.

00:07:42.180 | And there's my order number.

00:07:43.300 | It's going to be sent to that address.

00:07:44.880 | And I'm going to say, ooh, what is the order info?

00:07:49.920 | So I can see what--

00:07:52.540 | is my name or my company name WorkOS Duh?

00:07:57.100 | I kind of hope it is.

00:07:58.560 | Human in the loop.

00:08:00.060 | Need to confirm.

00:08:02.240 | No, I got it.

00:08:03.360 | Ah.

00:08:03.860 | Right.

00:08:05.680 | That was totally me, not Claude.

00:08:07.160 | So yeah, I was able to order a shirt.

00:08:10.640 | And you can as well.

00:08:12.240 | But that's just a piece of it.

00:08:14.080 | So when we ran this, it's going into--

00:08:19.100 | close that.

00:08:20.760 | If we go into my Cloudflare platform here and go

00:08:23.740 | to storage, KV, I've got an orders here.

00:08:28.200 | This is key value storage.

00:08:29.620 | Yep.

00:08:30.740 | And there is the data from the order.

00:08:35.360 | So now I've got that saved off.

00:08:36.920 | I can use that.

00:08:38.340 | And it was all through that interface.

00:08:39.740 | So we really just gave Claude the tools that it needed.

00:08:43.940 | And it was able to act on my behalf.

00:08:45.980 | And I can go back in and I can say, can you tell me

00:08:50.620 | what you know about me?

00:08:54.000 | So we've got to get user info.

00:09:02.760 | And this is really just going to give me mostly

00:09:05.040 | the Jot information.

00:09:06.100 | What's on my JWT that Claude now knows about me.

00:09:11.520 | So it knows my name.

00:09:12.260 | It knows my email address.

00:09:13.560 | In my Jot, I have my favorite song in there, "Careless Whisperer."

00:09:18.780 | Now I will give you a rendition.

00:09:21.600 | And so from there, it also knows that I have admin permissions.

00:09:26.140 | So I have SHA admin access because that's in my roles and permissions.

00:09:32.620 | The other cool thing that you can do with the CloudFuller piece of it, and because your MCP

00:09:39.520 | server is a durable object, you can also store data directly on that that's located on that.

00:09:46.360 | You want to explain that?

00:09:47.620 | So durable objects, tough name.

00:09:50.360 | If you search Twitter, people tweet about how they're like, "This is a bad name.

00:09:54.100 | Change the name."

00:09:55.100 | But very fast storage.

00:09:57.160 | You can spin them up per user.

00:09:59.780 | They're close to the user as well for faster retrieval and storage.

00:10:04.580 | So what I did is I just asked it to change the demo mode to band.

00:10:10.540 | And that ran a tool in the MCP server itself that is just going in, and on the context that's

00:10:21.540 | associated with this worker object, it's just changing the mode to band.

00:10:26.100 | And so now I've got that, and now I can say, "I want another shirt, please."

00:10:32.320 | And it's going to try and run it.

00:10:37.380 | I'll just always allow that now.

00:10:42.020 | And it was able to check that, and it said, "Absolutely not.

00:10:45.880 | Go away."

00:10:46.880 | Wave.

00:10:49.600 | And so we can mix what it knows about me with what it has stored about me on the durable

00:10:55.620 | object, and that's unique for every user of it.

00:10:58.680 | And then I can do things like change it again.

00:11:02.220 | So if I say, "Pretty please," it might have a "pretty please" tool available.

00:11:09.280 | If you want to build your own MCP servers on cloud players, it's going to let me.

00:11:16.340 | And I just ordered another shirt.

00:11:17.340 | If you want to build your own MCP servers on cloud player, you can click to deploy your own with

00:11:25.240 | no authorization, so it's authless.

00:11:26.400 | authless.

00:11:27.460 | So probably don't do that, but it is very quick to do so.

00:11:34.460 | You click, "Click to deploy," it generates a GitHub repo for you, you get clone that, and then

00:11:41.520 | you edit your own tools.

00:11:43.520 | you get clone that, and they give you some tools to begin with, so it's very fast.

00:11:50.580 | But again, that is authless.

00:11:59.640 | do, do, do, auth.

00:12:00.700 | And it's still quick to deploy as well with auth, just slightly less fast.

00:12:06.700 | Yeah.

00:12:07.700 | And the beauty of this is that we're bringing the pretty simple tools.

00:12:14.700 | This is just a no auth flow being added to an MCP, and MCP is effectively just an API.

00:12:20.360 | So we're just getting it caught up with the tools that we already have for humans, but it's

00:12:25.620 | important to get this ready to go for these tools to act on our behalf as well.

00:12:31.100 | And where we can see this going in the future is much more fine-grained authorization, where

00:12:35.120 | it's maybe authorizing per-line changes, or per-tool changes, or even maybe authorizing

00:12:41.680 | the networks, the connections between things, and just doing...

00:12:46.800 | As we see it growing to doing thousands of tasks on our behalf, this auth piece is going

00:12:52.420 | to be very important, and especially the audit trail as well.

00:12:56.020 | And we can get that with auth tools too, just to make sure that we can see why this interacted

00:13:02.220 | this way, on whose behalf was it on, and what was the end result?

00:13:06.300 | Where did it fail?

00:13:07.300 | Where did it go wrong?

00:13:08.660 | Things like that.

00:13:09.660 | Think of your users not as users, but as deputies.

00:13:12.980 | They have access to tools, and they can use and also misuse them as well.

00:13:17.520 | Sometimes I think I trust people.

00:13:19.540 | Like I do a live demo, and I'm like, "Let's see user input."

00:13:25.120 | People sometimes do not nice inputs.

00:13:27.740 | Yeah.

00:13:28.740 | Yeah.

00:13:29.740 | So get out there and deputize your own tools.

00:13:33.860 | We have this repo available.

00:13:35.240 | There is the code, a QR code, for this repo.

00:13:38.500 | Also the top QR code is to get...

00:13:39.820 | Get your own shirt.

00:13:40.820 | A shirt?

00:13:41.820 | Yeah.

00:13:42.820 | Or you can just go to mcp.shop, which you'll run the same workflow that I just ran.

00:13:48.060 | It doesn't have the Pretty Please tool in it though, unfortunately.

00:13:50.460 | It'll just do it, even if you're mean to it.

00:13:53.460 | But you can order a shirt for the low, low price of $0.

00:13:57.220 | So go check it out and get an MCP t-shirt.

00:13:59.800 | And if you want to add your own Pretty Please tool, check out the code in the second QR code.

00:14:05.020 | And we can't wait to see what MCP servers you build with auth.

00:14:07.860 | Thank you.

00:14:08.860 | Thank you.

00:14:10.860 | Thank you for listening.

00:14:11.860 | Thank you.

00:14:12.860 | We'll see you next time.