Security - Keymate Blog

Category: Security

Fine-Grained Authorization for AI Agents: How It Works in Production

How Keymate enforces fine-grained authorization for AI agents: declarative policies, a centralized engine, and consistent design-time/runtime enforcement.
Hüseyin Akdoğan

June 2026

Why AI Agents Need Fine-Grained Authorization

Authentication tells us who the agent is. The harder question is what data it can reach, under what conditions, and on whose behalf. The April 2026 PocketOS incident, in which an autonomous coding agent deleted a production database in nine seconds, showed what happens when no one is answering it.
Hüseyin Akdoğan

May 2026

AI Agent Authorization: From Java Day Demo to Open Source Toolkit

At Java Day Istanbul 2026, we asked one question: once an AI agent has a valid token, who decides what data it can reach? This post recaps what we showed on stage, what we open-sourced afterwards, and how the deeper blog series picks up the thread.
Hüseyin Akdoğan

May 2026

Beyond the Default Image: Hardening Keycloak for Enterprise Production

The default Keycloak image is a strong baseline, not a hardened production runtime. Here is how we rebuilt it on Wolfi OS, with three-tier CVE management, non-root execution, and a Quarkus-optimized runtime.
Ali Tuğrul Pınar

April 2026

Beyond Bearer Tokens: Implementing DPoP for Modern Enterprise Identity

Bearer tokens are like cash: anyone who holds them can spend them. DPoP (RFC 9449) binds tokens to cryptographic keys so stolen tokens become useless. Here is how we implemented it.
Eren Kan

April 2026