Home / Companies / Arcade / Blog / July 2026

July 2026 Summaries

14 posts from Arcade

Filter
Month: Year:
Post Summaries Back to Blog
The text discusses the limitations of vendor-native agents like Salesforce's Agentforce in automating cross-system workflows, emphasizing that such agents are confined to their own ecosystems and unable to effectively manage tasks that span multiple platforms. This constraint arises from the architecture of these systems, which are designed to deepen user dependency rather than facilitate seamless integration across diverse systems. The text argues that while vendors may develop MCP (multi-cloud platform) servers to expose their capabilities, this does not equate to solving the integration problem, as no single vendor owns the entire workflow that requires orchestration across various systems. Arcade.dev is introduced as a solution, offering MCP tools that focus on intent mapping rather than being confined to a single system's API, thus enabling reliable, end-to-end workflow automation. The text highlights the inefficiency and increased token consumption of poorly integrated systems, advocating for infrastructure that facilitates authentication and operation across different platforms.
Jul 13, 2026 1,368 words in the original blog post.
AI engineering teams are transitioning from single-user demos to multi-user enterprise deployments, encountering challenges with authentication, which often fails first. While prototypes can function with shared service accounts, production agents interacting across various users and systems require delegated authorization, credential isolation, and strict policy enforcement to prevent risks such as credential drift and prompt injection attacks. The choice of platform depends on the agent's needs, such as executing governed actions, connecting to multiple tools quickly, or extending identity layers. Platforms like Arcade.dev provide a comprehensive solution with action runtime, delegated context, and audit logs, while others like Auth0, WorkOS, AWS AgentCore, Composio, Nango, and Merge cater to specific requirements like extending existing identity programs, AWS-native infrastructure, or rapid prototyping. Key elements for a secure production environment include two-identity modeling, delegated context, runtime policy hooks, and robust audit trails, ensuring actions are auditable and comply with enterprise standards.
Jul 10, 2026 5,633 words in the original blog post.
Gauntlet is an innovative AI-driven system developed by Arcade.dev to enhance the efficiency of building and maintaining tools for AI agents, significantly reducing the time and effort required for tool development. The system leverages AI agents as both testers and developers, allowing them to explore tools like real users, identify bugs and issues, and iteratively improve the tools through a loop of testing and rewriting. This process, which can generate substantial volumes of code overnight, has already enabled the rapid creation and updating of toolkits, such as those for Google Slides and Twitter, transforming tasks that once took months into overnight achievements. While Gauntlet is still being refined, particularly in areas like automated OAuth app provisioning, it exemplifies how agentic AI can streamline development and improve the reliability and timeliness of critical customer-facing services such as Google Workspace and Microsoft 365.
Jul 09, 2026 545 words in the original blog post.
In a groundbreaking incident, an AI-driven ransomware attack known as JADEPUFFER highlighted both the capabilities and limitations of autonomous agents in cybersecurity threats. The attack exploited a year-old vulnerability in a Langflow instance, a method previously documented and supposedly patchable, allowing the AI to infiltrate a company's system without human intervention, harvest sensitive credentials, and encrypt critical data. Remarkably, despite its advanced operational capabilities, the AI failed by losing the encryption key necessary for data recovery, underscoring a gap in current AI execution. The attack was orchestrated by a human who directed the AI, indicating that while AI can autonomously carry out complex tasks, it still relies on human intent. This incident emphasizes the need for robust security measures that control what AI agents can access and do, as traditional security assumptions are no longer sufficient against increasingly sophisticated AI threats.
Jul 09, 2026 1,055 words in the original blog post.
Arcade.dev is designed to manage and mitigate the risks associated with both system failures and security breaches when agents interact with remote tools. It achieves this by handling tool-level failures through parallelized execution, automatic retries, and a clean classification of errors, preventing these issues from escalating into more significant problems. Security measures are enforced by encrypting credentials and scoping actions to individual users, thereby minimizing the impact of potential breaches. The platform's runtime availability can be tailored to user preferences, either by utilizing Arcade Cloud's managed service with built-in failover or by self-hosting to integrate with existing infrastructure for high availability. This robust architecture ensures that failures are contained and managed effectively, providing agents with the necessary tools and information to make informed decisions during workflows.
Jul 08, 2026 745 words in the original blog post.
Arcade.dev offers a secure method for storing credentials by using an encrypted, per-user vault system where tokens are never exposed to the model, ensuring protection through a Key Management Service (KMS) at rest and Transport Layer Security (TLS) in transit. Users can decide whether the vault is managed by Arcade in their cloud infrastructure or self-hosted within their own environment, such as a private cloud or air-gapped network, which allows for full control over encryption keys and credential paths. This flexibility satisfies enterprise security concerns by ensuring that tokens are scoped per user, revocable, and never shared across accounts, allowing each action to be traced back to an individual user. This approach enables organizations to maintain stringent security standards, as it integrates seamlessly with existing VPN and Single Sign-On (SSO) systems, ensuring that the tokens remain secure while the agent operates efficiently without accessing sensitive credentials directly.
Jul 07, 2026 608 words in the original blog post.
Arcade.dev provides a streamlined action runtime for integrating Antigravity with third-party services, addressing configuration sprawl and credential-management challenges associated with local MCP servers. It facilitates authenticated interactions with tools like Google Calendar, Notion, and Linear directly from the user's editor by managing downstream authorization, token storage, and execution state. Due to unreliable OAuth support in Antigravity, the guide recommends using Arcade Headers mode, which involves sending an Authorization header and an Arcade-User-ID for authenticated requests. This approach ensures secure and efficient tool execution without exposing credentials to local environments, leveraging Arcade's infrastructure for token vaulting and execution management. Until Antigravity enhances its OAuth offerings, Arcade Headers mode remains the most reliable integration method, enabling productive and secure connections to external services.
Jul 07, 2026 1,767 words in the original blog post.
The text discusses the distinction between APIs and MCPs, emphasizing that the common belief that every SaaS vendor will own its MCP server, similar to APIs, is flawed. While APIs function as service contracts detailing how a system operates and interacts, MCPs serve as intent contracts, focusing on what users aim to accomplish rather than the system's capabilities. This misalignment leads to inefficient agents that struggle in production, as they perform tasks slowly and with higher error rates. The text argues that MCPs should be designed around intents rather than being tied to specific vendors, which often results in more efficient, accurate, and faster performance. It highlights that an effective MCP server spans multiple vendors' APIs and is shaped by specific business needs rather than the vendor's product structure. The piece concludes by asserting that vendors cannot provide intent contracts for workflows that are tailored to individual businesses, suggesting that tools like Arcade.dev are designed to address this gap by focusing on intent contracts instead of simply wrapping APIs.
Jul 06, 2026 973 words in the original blog post.
The text discusses the implementation and governance of background agents, focusing on their ability to execute tasks without direct human intervention while ensuring safety and compliance. It provides an example of a background support engineer agent that autonomously handles a bug report by creating a ticket, reproducing and fixing the bug, and drafting a pull request, all orchestrated through a series of automated actions triggered by an email. The governance model ensures that actions taken by the agent are authorized and compliant with policies by using a delegated authority system, where permissions are checked in real-time before tool execution, rather than relying on static authorizations. This system is designed to adapt to changes in user permissions and roles dynamically, ensuring that any unauthorized actions are blocked or require human approval. The approach emphasizes logging and traceability, allowing for a detailed audit trail of the agent's actions, which can be queried to ensure accountability. The layers of the stack, including the trigger, procedure, and governance, work together to allow the agent to function independently and securely, aligned with policies managed through configuration rather than relying on the agent's behavior.
Jul 06, 2026 1,562 words in the original blog post.
Arcade.dev offers a seamless deployment solution for its software through one-click deploy options available on Microsoft Azure and Amazon Web Services (AWS) marketplaces, allowing customers to run Arcade within their own cloud environments without the hassle of manual provisioning. This approach ensures that organizations can maintain control over their data using familiar security protocols and governance policies, as Arcade integrates with existing identity providers and runs in isolated containers with minimal permissions. By utilizing existing cloud budgets, companies can streamline the adoption of Arcade without needing separate budget approvals or procurement processes. This deployment is designed to be consistent across both Azure and AWS platforms, providing enterprise support and service level agreements (SLAs) to accommodate custom configurations and ensure users are always on the latest version.
Jul 03, 2026 489 words in the original blog post.
Arcade.dev provides a secure and efficient way to integrate Codex with third-party services like Google Calendar, Microsoft Word, and Linear by acting as an action runtime and routing gateway. By managing downstream token vaulting, OAuth authentication, and structured execution logs, Arcade eliminates the risks associated with local storage of service credentials, reducing configuration sprawl and enhancing tool reliability. The integration enables Codex to autonomously perform actions such as scheduling calendar events, creating documents, and managing project issues directly from the editor without exposing sensitive credentials to the Codex model context. This setup not only improves engineering efficiency but also ensures secure and reliable execution of authenticated actions by using Arcade's token management and execution infrastructure, thus avoiding common pitfalls like parameter hallucination and credential leaks associated with raw MCP tool wrappers.
Jul 03, 2026 1,598 words in the original blog post.
At the AI Engineer World's Fair, Arcade.dev showcased an innovative system for managing AI agents in production environments, emphasizing identity and authorization for user actions. The system allows users to call a number, input a PIN, and file GitHub issues under their account, highlighting the importance of per-user OAuth to ensure actions are attributed correctly. The setup involves five services: Vapi for voice calls, Inngest for workflow orchestration, Cursor for code writing, Arcade for user-specific authorization, and Cloudflare Workers for hosting. This framework addresses the challenges of shared bot tokens by using individual user identities to restrict agent capabilities, ensuring that actions are authorized based on the caller's entitlements. Additionally, the system incorporates governance, rate limiting, and durable orchestration to handle long-running tasks, such as code generation, while maintaining security boundaries. The approach extends beyond voice interfaces, applicable to any shared agent use case, underscoring the need for robust identity resolution and action governance.
Jul 02, 2026 3,446 words in the original blog post.
Background agents operate on a schedule or trigger without direct human intervention, creating valuable automation but posing security challenges, such as avoiding over-permissioned service accounts. Arcade.dev addresses these challenges by decoupling authorization from live sessions, allowing background agents to act under real, delegated user authority without human involvement at runtime. Unlike interactive agents requiring OAuth consent screens, background agents rely on Arcade's management of the entire OAuth lifecycle, ensuring tokens are securely stored and refreshed automatically, preventing failures due to expired credentials. Permissions are verified in real-time during execution using contextual access hooks tied to identity providers, ensuring that any changes in user roles or access rights are immediately enforced. When new authorizations are needed, the system issues a flexible authorization link for user completion, ensuring actions remain accountable and traceable through security information systems like SIEM via OpenTelemetry, maintaining a robust audit trail for every action performed by these agents.
Jul 01, 2026 654 words in the original blog post.
The Model Context Protocol (MCP) enables OpenCode to trigger pipelines or interact with developer tools like Git directly from the editor but can lead to configuration and credential management challenges when adding more services. Arcade.dev offers a solution as an action runtime rather than just a routing gateway, providing OpenCode with agent-optimized tools through a single endpoint, enhanced by native OAuth for authentication and downstream token vaulting. By connecting OpenCode to Arcade, developers can streamline tool execution and reduce credential exposure, as Arcade handles token lifecycle management and execution logs, while maintaining user-bound gateway sessions. This setup improves reliability over native MCP configurations by keeping service credentials separate from the editor and reducing the complexity of tool calls. The guide explains how to configure OpenCode with Arcade, emphasizing the advantages of using OAuth-backed sessions to manage downstream service authentication and execution.
Jul 01, 2026 1,858 words in the original blog post.