The Wild West of Agent Auth Just Got a Sheriff
Most of you are currently running AI agents like it’s 1998 and you just discovered the chmod 777 command. You’re stuffing raw Stripe API keys into .env files, hoping a clever prompt injection doesn't drain your corporate treasury by Tuesday morning. It is a house of cards built on top of a dumpster fire, and we all know it.
Every time you share an MCP configuration with a teammate, you’re basically handing over the keys to the kingdom and pinky-promising they won’t do anything stupid. This manual wiring is exactly what the founder of Stack, a solo developer out of Stockholm, realized while putting his kids to bed. He saw the gap between Jensen Huang’s vision of 100 agents per employee and the terrifying reality of zero accountability.
Stack isn't just another wrapper; it’s a bid to become the "passport office" and the "secure courier" for the agentic era. If we are moving toward a world where agents talk to agents, we need more than just a shared Bitwarden folder. We need a way to prove who an agent is, what it's allowed to touch, and exactly who authorized it to do so.
I spent the last week digging into the technical guts of this tool to see if it’s a legitimate infrastructure play or just another ephemeral layer in the AI stack. This Stack the control plane for AI agents review covers the architectural choices, the friction points, and whether a solo founder can actually compete with a16z-backed giants. Spoiler: the "spy movie" metaphors actually hold up under scrutiny.
What is Stack?
Stack the control plane for AI agents is an identity and security infrastructure service that provides cryptographic passports, proxy-based credential management, and tamper-evident audit trails for autonomous systems — solving the critical gap between raw LLM capabilities and enterprise-grade security requirements for agentic workflows.
It aims to be the glue between the human who wants a task done and the swarm of agents actually doing the work. It operates primarily as an MCP (Model Context Protocol) server, making it trivial to plug into existing environments like Claude. Instead of your agent holding a raw key, it holds a "passport" that Stack verifies on every single move.
The project is currently a solo effort, which brings both the agility of a focused vision and the inherent risk of a single point of failure. While competitors like Keycard or Descope have raised tens of millions, Stack is betting on a specific technical philosophy: zero trust and sealed execution. It’s built for developers who are tired of "cowboying" their environment variables and want a legitimate audit trail.
The "Passport" System: Identity That Actually Travels
The core of Stack is built on EdDSA cryptographic passports. In plain English, these are signed JWTs that act as a verifiable identity for your agent. When you authorize an agent, you aren't just giving it a token; you’re giving it a scope that it can prove to any other service without that service needing to call Stack’s home base.
One of the smartest design choices here is the delegation limit. An agent can delegate a task to a sub-agent, but that sub-agent can only have a narrower scope than its parent. This chain can go up to four "hops" deep, preventing the infinite recursion of permissions that usually leads to a security nightmare.
If you've ever dealt with EdDSA (Edwards-curve Digital Signature Algorithm), you know it’s fast and secure. Stack uses this to ensure that even if an agent is compromised, its passport is only valid for its specific mission and specific timeframe. You can revoke these passports in about 60 seconds via a Redis-backed global blacklist.
What’s missing, however, is a more granular way to handle "emergency" stops. Right now, it’s mostly all-or-nothing for a specific passport. I’d like to see a way to "pause" a delegation chain without killing the parent agent entirely. Still, compared to the current "raw key" status quo, this is light-years ahead.
Proxy Mode: Keeping the Keys Out of the LLM’s Hands
The biggest vulnerability in AI right now is the agent seeing the raw API key. If the agent knows the key, a prompt injection can trick the agent into revealing that key or using it for an unauthorized purpose. Stack solves this with a Proxy Credential Mode that is honestly the highlight of the platform.
In this mode, the agent never actually sees your Stripe, AWS, or GitHub keys. Instead, it sends the request through Stack’s network boundary. Stack identifies the agent via its passport, injects the real credential into the HTTP header, and passes the request to the final destination. The agent is essentially "blind" to the secret it is using.
This creates a massive safety net. If an agent starts acting weird, you revoke the passport at the Stack level, and the agent immediately loses access to the external API, even if it’s still running. You don't have to scramble to rotate your actual Stripe keys; you just kill the middleman's permission.
The trade-off here is latency. Routing every API call through a proxy adds milliseconds. For most agentic workflows—which are already waiting on LLM inference—this is a rounding error. But if you’re building a high-frequency trading bot or a real-time monitoring tool, you’ll feel the lag.
The "Drop-off": Secure Hoffs Without Trust
The founder uses a "spy movie" metaphor for agent-to-agent communication: the dead drop. In Stack, this is an encrypted handoff between Agent A and Agent B. Agent A drops a package (a JSON payload) with a specific schema and a Time-To-Live (TTL) setting.
Agent B picks it up using its own passport. The key here is that neither agent needs to trust the other. They only need to trust the Stack control plane to handle the custody transfer. Once Agent B collects the payload, it is deleted from Stack’s temporary storage, ensuring no data lingers longer than necessary.
This is a massive improvement over passing sensitive data through LLM context windows. We’ve all seen how LLM context management can get messy and leak data across turns. By moving the "heavy lifting" of data transfer out of the prompt and into an encrypted side-channel, Stack keeps the context window clean and the data secure.
I tested this with a simple two-agent flow: a "researcher" agent and a "writer" agent. The researcher dropped a 50KB JSON file of raw data into a Stack drop-off. The writer agent picked it up, validated it against a schema, and generated the report. It worked without a hitch, and the raw data never had to be re-processed by the LLM during the handoff.
Your First 15 Minutes With Stack
Getting started is surprisingly frictionless for a tool that handles such complex security. You don't need a credit card, which is a breath of fresh air in 2026. You sign up at their site, grab an API key, and run a single command to add it to your Claude MCP setup.
The command looks like this: claude mcp add stack --transport http https://mcp.getstack.run/mcp --header "Authorization: Bearer YOUR_API_KEY". Once that’s in, your Claude instance is "Stack-aware." You can start asking it to create identities or store credentials immediately.
The documentation is currently a bit sparse, which is expected for a solo-founder project. You’ll find yourself digging through the HN threads or the basic landing page for specific schema requirements. If you aren't comfortable with JSON schemas (Ajv) or EdDSA concepts, the learning curve might feel a bit steep initially.
However, once the MCP server is connected, the agent does a lot of the heavy lifting. You can tell the agent, "Store this GitHub key in Stack and only allow it to be used for the next hour," and it handles the underlying API calls to the control plane. It’s a very "developer-first" experience that doesn't force you into a bloated UI.
Pricing: Is the Control Plane Affordable?
Stack is currently leaning heavily on a generous free tier to build a user base. This is a classic move for a solo founder trying to gain traction against funded competitors. You can get started with the full suite of identity and proxy features without spending a dime.
The pricing for higher volumes isn't publicly listed as a rigid table yet, but the "Keycard" ($38M) and "Descope" ($88M) models suggest where this is going. Expect a per-invocation or per-active-agent fee. There is also a mention of "Agent Commerce" using Nevermined, which implies a small cut of transactions if you use Stack to buy or sell agent skills.
For now, the cost is essentially zero for developers and small teams. The real "cost" is the platform risk. If you build your entire agent infrastructure on Stack, you are betting on the longevity of a single developer in Stockholm. For a side project or a startup, that’s fine; for an enterprise, it’s a conversation for the legal department.
Check the official pricing page for updates, as this is likely to change as the "Agent Commerce" features roll out. If you're looking for enterprise AI tools, the free tier is a perfect sandbox to prove the concept before committing.
Where Stack Shines — and Where It Frustrates
| What Works | What Doesn't |
|---|---|
| Proxy mode keeps raw API keys away from LLM prompts. | Solo founder risk; the project could vanish if the dev gets bored. |
| EdDSA passports allow for offline verification and speed. | Documentation is thin and requires technical intuition. |
| Tamper-evident audit logs provide a "black box" for agents. | Proxying adds minor latency to every external API call. |
| MCP integration makes it a 30-second setup for Claude users. | No mobile app or GUI for managing identities yet. |
| Secure handoffs prevent data leakage in context windows. | The 4-hop limit might be restrictive for massive swarms. |
Stack vs. The Giants: A Competitive Comparison
The market for agent infrastructure is exploding. On one side, you have the "Identity" players like Descope who are trying to adapt human auth for bots. On the other, you have "Tooling" players like Composio who focus on making integrations easy. Stack is trying to sit right in the middle, providing both the identity and the secure pipe.
Compared to Keycard, Stack feels more like a developer tool and less like a corporate compliance product. Keycard is great if you have a massive budget and need a sales team to hold your hand. Stack is better if you want to run a command and have a working proxy in two minutes. It’s the difference between a legacy ERP and a well-crafted CLI tool.
| Feature | Stack | Keycard | Composio |
|---|---|---|---|
| Primary Focus | Identity & Control Plane | Scoped Credentials | Tool Integrations |
| Auth Method | EdDSA JWT Passports | Scoped API Tokens | OAuth / Basic Auth |
| Audit Trail | Hash-chained (Tamper-evident) | Standard Logs | Execution Logs |
| Proxy Mode | Yes (Network Boundary) | Partial | No |
| Agent Commerce | Yes (Nevermined) | No | No |
| Setup Speed | < 5 Minutes | Enterprise Onboarding | Moderate |
| Funding | Solo / Bootstrapped | $38M (a16z) | $29M |
If you need deep tool integrations (e.g., "connect my agent to 500 different SaaS apps"), Composio is still the better choice. They’ve done the hard work of mapping out those APIs. But if you already know which APIs you're using and you're worried about security and identity, Stack is the superior architectural choice.
Choose Keycard only if you are in a highly regulated industry where "nobody ever got fired for buying a16z-backed software." For everyone else—especially those building autonomous agent workflows—Stack offers a more modern, cryptographic approach to the problem.
Frequently Asked Questions
Is Stack the control plane for AI agents free?
Yes, there is a generous free tier that requires no credit card. It’s designed for developers to test the identity and proxy features without upfront costs.
How does Stack prevent prompt injection?
It doesn't stop the injection itself, but it limits the damage. Because the agent only sees a "passport" and not the raw API key, an attacker cannot steal your credentials even if they compromise the agent's logic.
Who owns Stack?
Stack is currently built and owned by a solo founder based in Stockholm. It is not currently backed by major VC funding, which is reflected in its lean, developer-centric design.
Does it work with agents other than Claude?
While the marketing emphasizes the Claude MCP integration, any agent that can make HTTP calls and handle JWTs can use Stack’s control plane. The MCP server is just the most convenient entry point.
Is the audit log really tamper-evident?
Yes, Stack uses a hash-chained audit log where each entry references the hash of the previous one. This means you cannot alter an old log entry without breaking the entire chain, similar to a blockchain's structure.
The Verdict: A Must-Try for Serious Agent Devs
Stack is the first tool I’ve seen that treats AI agents like the security liabilities they actually are. It moves past the "it just works" phase of AI and into the "how do we not get hacked" phase. The "Passport" and "Drop-off" metaphors aren't just marketing fluff; they represent a solid cryptographic foundation for agentic swarms.
If you are a solo dev or part of a small team building autonomous systems, you should be using this. The risk of a raw key leak is too high, and the cost of implementing Stack is basically zero. It brings a level of professionalism to agent development that has been sorely lacking.
However, if you are an enterprise looking for a 10-year support contract and a massive suite of pre-built integrations, you might find Stack a bit too "early days." The documentation needs work, and the solo-founder status is a valid concern for long-term stability.
Final Rating: 4.2/5 stars
Ready to Try Stack the control plane for AI agents?
You've seen the full picture. Now test it yourself — visit the official site to get started.
Visit Stack the control plane for AI agents →Editorial Standards
This article was reviewed for accuracy by the Pidune editorial team. We maintain editorial independence — see our editorial standards and privacy policy.