Securing Enterprise API Connections with Claude Agents: A Practical Guide to Self-Hosted Sandboxes and MCP Tunnels
Overview
Enterprises are eager to deploy AI agents that interact with internal APIs and databases, but a critical security gap has slowed adoption: credentials travel with the agent. In traditional setups, the agent carries authentication tokens within its context during tool execution. If the agent is compromised or misbehaves, those keys are exposed, potentially leading to data breaches or unauthorized actions. Anthropic addresses this with two new capabilities for Claude Managed Agents: self-hosted sandboxes and MCP tunnels. Together, they move credential control to the network boundary, keeping sensitive tokens away from the agent’s runtime. This guide walks you through understanding, setting up, and troubleshooting these features to build a secure enterprise AI integration.
Prerequisites
- Claude Managed Agents account (with access to public beta features)
- Infrastructure setup: A compute environment within your enterprise network (e.g., a Kubernetes cluster, virtual machines, or AWS ECS) to host sandboxes.
- Network gateway: A lightweight, outbound-only gateway (e.g., a reverse proxy or AWS PrivateLink endpoint) for MCP tunnels.
- API credentials: For the internal systems the agent will call (these will be configured in the sandbox environment, not in the agent).
- Basic familiarity: Understanding of authentication mechanisms, API gateways, and Claude Managed Agents orchestration.
Step-by-Step Instructions
1. Establish Self-Hosted Sandboxes
Self-hosted sandboxes let you run tool execution inside your own infrastructure perimeter, while the agent loop remains on Anthropic’s platform. This separation ensures credentials never pass through the agent.
- Define a sandbox resource
In your Claude Managed Agents console, navigate to the Sandboxes section and click Create New Sandbox. Provide a name and select the Self-hosted option. - Configure compute parameters
Specify the Docker image or runtime environment your tools require. For example:sandbox: type: self-hosted image: my-registry/tool-executor:latest resources: cpu: "2" memory: "4Gi" network: allowed_outbound: ["*.internal-api.example.com"] credentials: - secret: "my-api-key" env_var: "API_KEY" - Deploy the sandbox agent
Install the Anthropic-provided sandbox agent on your infrastructure. For Kubernetes:
Ensure the agent has outbound connectivity to Anthropic’s orchestration endpoint (no inbound ports required).kubectl apply -f sandbox-deployment.yaml - Verify the connection
In the console, your sandbox should show as Active. Test with a simple tool call (e.g., a read-only API request). The tool output should appear without the agent ever seeing the credential.
2. Set Up MCP Tunnels (Research Preview)
MCP tunnels connect agents to private MCP servers without exposing credentials in the agent’s context. They work as lightweight outbound-only gateways.
- Deploy the MCP tunnel gateway
Download the tunnel daemon from Anthropic’s official repository. Run on a server inside your network:
Themcp-tunnel start --endpoint wss://tunnel.anthropic.com --allowed-credentials "*"--allowed-credentialsflag can be scoped to specific credential patterns (e.g., only production API keys). - Configure the MCP server
Ensure your private MCP server (e.g., one handlingjson-converterordata-fetchtools) is accessible to the tunnel gateway. The gateway will forward encrypted requests only. - Bind the tunnel to a tool
In the Claude agent configuration, assign the tunnel as the transport for selected tools:tools: - name: fetch-sales-data mcp_tunnel: my-sales-tunnel server: tcp://private-mcp:8080 - Test end-to-end
Invoke the tool through the agent. The tunnel negotiates authentication using the credential stored in the gateway, not in the agent. Monitor logs for any credential leaks.
3. Orchestrate with Split Architecture
The key architectural distinction is that the agent loop runs on Anthropic infrastructure while tool execution runs on your system. This split improves both security and performance.
- Use sandboxes for execution: All tool code runs in your sandbox environment, so you control which resources are accessed and how credentials rotate.
- Use tunnels for connection: MCP tunnels handle the networking layer, ensuring credentials never enter the agent’s context window.
- Monitor separately: Enable logging for both the sandbox and the tunnel to detect anomalies.
Common Mistakes
- Leaving credentials in agent prompts
Even with sandboxes, avoid hardcoding credentials in tool definitions or system prompts. Always reference them via environment variables defined in the sandbox config. - Ignoring network isolation
If your sandbox has unrestricted outbound access, a malicious tool call could exfiltrate data. Restrict allowed outbound domains to only those needed. - Not rotating credentials
Sandbox credentials persist until you update them. Set up automated rotation around the same schedule as your API keys. - Deploying tunnels without encryption
MCP tunnels rely on TLS. Ensure your gateway and MCP server use valid certificates; otherwise, credentials could be intercepted. - Mixing sandbox and agent roles
Do not try to run the agent loop inside the sandbox. The whole benefit comes from separation; keep them distinct.
Summary
By implementing self-hosted sandboxes and MCP tunnels with Claude Managed Agents, enterprises can securely connect AI agents to internal APIs without exposing credentials. This guide covered the prerequisites, step-by-step setup for sandboxes and tunnels, and common pitfalls to avoid. The result is a robust architecture where agents orchestrate tasks without holding the keys—credential control moves to the network boundary. Start with sandboxes (available in public beta) and explore MCP tunnels (research preview) to build a future-proof enterprise AI security posture.