Anthropic has released two security features designed to enable enterprise AI agents to access internal APIs and databases without exposing authentication credentials to the agent itself.
The problem is straightforward. Most production deployments embed authentication tokens directly in the agent, where they are present in its context as it executes tool calls. If an agent is compromised or behaves unpredictably, attackers gain direct access to those credentials and to the systems they protect. This fundamental security gap has prevented many enterprises from deploying AI agents at scale.
Anthropic's solution consists of two complementary capabilities for Claude Managed Agents. Self-hosted sandboxes allow teams to execute tool calls within their own infrastructure rather than Anthropic's cloud environment. This keeps sensitive operations behind the enterprise's security perimeter and gives organizations direct control over execution. MCP tunnels represent the second layer, connecting agents to private Model Context Protocol servers without storing credentials in the agent's context window at all.
The MCP tunnel approach is particularly elegant. Instead of the agent holding authentication tokens, the tunnel manages credentials separately on the infrastructure side. The agent requests access to a resource, and the actual authentication happens outside the agent's memory and request chain. This architectural shift means a compromised agent cannot leak credentials, because it never possessed them in the first place.
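The following is an added toy illustration of the credential-broker pattern described above; it is constructed for this article and is not Anthropic's implementation, the MCP wire format, or any real API. A simulated agent names a tool and its arguments, a tunnel component holds the bearer token and an allowlist of permitted tools, and a stand-in private server accepts only requests carrying that token. The agent's full observable state is its `context` list, so the demo can check directly that the token never appears there. All names (`Tunnel`, `PrivateServer`, `Agent`, `SERVER_TOKEN`) and the sample token value are assumptions made for the example.

```python
"""
Constructed illustration of a credential-injecting tunnel (not Anthropic's
code): the agent emits a request naming a tool, and the tunnel attaches the
bearer token outside the agent's context.
"""
import json
import secrets
from dataclasses import dataclass, field
from typing import Any

# Constructed placeholder secret for the private server (not a real value).
SERVER_TOKEN = "hypothetical-secret-token-" + "0" * 16


class PrivateServer:
    """Stands in for a private MCP-style server that requires a bearer token."""

    def __init__(self, token: str) -> None:
        self._token = token

    def call(self, headers: dict[str, str], body: dict[str, Any]) -> dict[str, Any]:
        auth = headers.get("Authorization", "")
        # Constant-time comparison so the check itself does not leak the token.
        if not secrets.compare_digest(auth, f"Bearer {self._token}"):
            return {"error": "unauthorized"}
        if body.get("tool") == "lookup_customer":
            return {"result": {"id": body["args"]["id"], "tier": "enterprise"}}
        return {"error": "unknown tool"}


@dataclass
class Tunnel:
    """Holds the credential, enforces a per-agent tool allowlist, records an
    audit trail, and never returns credential material to the caller."""
    server: PrivateServer
    token: str
    allowed_tools: frozenset[str]
    audit_log: list[dict[str, Any]] = field(default_factory=list)

    def forward(self, request: dict[str, Any]) -> dict[str, Any]:
        tool = request.get("tool")
        if tool not in self.allowed_tools:
            self.audit_log.append({"tool": tool, "decision": "denied"})
            return {"error": f"tool not permitted: {tool}"}
        # The token is added here, on the infrastructure side of the boundary.
        headers = {"Authorization": f"Bearer {self.token}"}
        self.audit_log.append({"tool": tool, "decision": "forwarded"})
        return self.server.call(headers, request)


@dataclass
class Agent:
    """Minimal agent whose entire observable state is `context`."""
    tunnel: Tunnel
    context: list[str] = field(default_factory=list)

    def use_tool(self, tool: str, args: dict[str, Any]) -> dict[str, Any]:
        request = {"tool": tool, "args": args}
        self.context.append("REQUEST " + json.dumps(request, sort_keys=True))
        response = self.tunnel.forward(request)
        self.context.append("RESPONSE " + json.dumps(response, sort_keys=True))
        return response


def run_demo() -> dict[str, Any]:
    """One permitted call, one denied call, then a check that the agent's
    context never contained the server token."""
    server = PrivateServer(SERVER_TOKEN)
    tunnel = Tunnel(server, SERVER_TOKEN, frozenset({"lookup_customer"}))
    agent = Agent(tunnel)
    ok = agent.use_tool("lookup_customer", {"id": "c-42"})
    denied = agent.use_tool("export_all_customers", {})
    transcript = "\n".join(agent.context)
    return {
        "ok": ok,
        "denied": denied,
        "token_leaked": SERVER_TOKEN in transcript,
        "audit": tunnel.audit_log,
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The two properties worth checking in a real deployment are the ones the demo asserts: the credential is absent from anything the agent can read or emit, and the tunnel, not the agent, decides which tools a given agent may reach, so a compromised agent gets at most the allowlisted calls and every attempt lands in the audit log.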
These features address a critical blocker for enterprise adoption. Companies with strict compliance requirements, sensitive data, and complex authentication systems have hesitated to deploy autonomous agents precisely because existing solutions forced them to choose between agent capability and security. Most selected security.
The sandboxes and MCP tunnels work together to create a defensible architecture. Self-hosted execution keeps data flows within corporate networks. Isolated credential management prevents the agent from becoming a liability. Tool calls execute in controlled environments rather than untrusted agent memory.
Anthropic positions these capabilities as table stakes for enterprise agent deployment. Without them, agents remain useful only for non-critical tasks in controlled environments. With these additions
