The example below shows how an AI agent can be built using [Volcano SDK](https://volcano.dev/)Volcano SDK with minimal code, while still interacting with backend services in a controlled way.

The agent is created by first configuring an LLM, then defining an MCP (Model Context Protocol) endpoint that represents a promotions service. The agent executes in clear, sequential steps. Context is automatically preserved between steps, and tool selection is handled by the framework rather than manual wiring. From the developer’s point of view, the code describes *what the agent is trying to do, not how to manage every interaction*.

### Volcano SDK vs. traditional frameworks

Unlike complex frameworks like LangChain that often require verbose chain definitions, Volcano SDK focuses on intent-based definitions. For example, where other frameworks might require manual state management for a multi-turn conversation, Volcano SDK automatically handles the context window, allowing developers to focus purely on business logic.

[Volcano SDK is designed to remove friction from agent development](https://konghq.com/blog/product-releases/volcano)Volcano SDK is designed to remove friction from agent development. Instead of writing custom function-calling logic, maintaining large prompt templates, or manually passing context between calls, developers define intent through simple chained steps. The SDK manages state, tool invocation, and execution flow automatically.

This makes agents easier to reason about and safer to evolve over time. As requirements change, steps can be added or adjusted without rewriting the core logic. Most importantly, the SDK keeps application code clean by pushing complexity into a well-defined agent runtime rather than scattering it across services.

While Volcano SDK focuses on agent behavior, [DataKit](https://developer.konghq.com/plugins/datakit/)DataKit focuses on data and API orchestration. MCP endpoints exposed to agents are powered by DataKit, which acts as a controlled aggregation layer in front of backend systems.

### MCP vs. direct API calls

A common question developers ask is: "Why use MCP instead of allowing the LLM to call APIs directly?" The answer lies in security and decoupling. Direct API access (like OpenAI function calling against raw endpoints) exposes your internal schema to the model. By using DataKit to expose resources via MCP, you create a sanitized "view" of your data specifically for the AI, preventing it from hallucinating parameters that could crash internal services.

Instead of allowing an LLM to interact directly with databases or internal APIs, DataKit exposes task-specific, curated interfaces. These interfaces can combine multiple services, apply business rules, enforce schemas, and return only the data that is appropriate for an agent to see.

This separation is critical. It ensures that business logic remains deterministic and auditable, while agents remain consumers of governed capabilities rather than free-form explorers of internal systems.

Sitting in front of DataKit is the [Kong AI Gateway with MCP Proxy](https://konghq.com/blog/engineering/ai-gateway-mcp-gateway-mcp-server-breakdown)Kong AI Gateway with MCP Proxy, which brings enterprise-grade governance to agent workflows. This allows Kong to encapsulate any existing API, or in this case, the Datakit workflow, as an MCP server without additional code. The MCP Proxy can also simply proxy to existing MCP servers. This allows Kong to then enforce authentication, authorization, rate limits, and observability for MCP traffic in the same way it does for traditional APIs. 

Specifically, this gateway layer solves several critical security challenges:

1. - **Rate Limiting for Agents**: Prevent an agent from running up costs or overwhelming services by enforcing token-based or request-based limits.
2. - **Authentication**: Ensure that only authorized agents can access specific MCP tools, regardless of what the LLM "wants" to do.
3. - **Observability**: Log every tool call and data access attempt for compliance auditing.

This allows organisations to scale their agentic use cases, without necessarily scaling the effort of development and total cost of ownership as the AI gateway takes care of encapsulating existing [APIs as MCP servers](https://konghq.com/blog/product-releases/enterprise-mcp-gateway)APIs as MCP servers without additional development effort.

Crucially,[ Kong AI Gateway](https://konghq.com/products/kong-ai-gateway) Kong AI Gateway  controls which MCP tools an agent can invoke and under what conditions. Even if an LLM attempts prompt injection or tries to escalate its privileges, it cannot access capabilities that are not explicitly exposed through MCP endpoints. Security is enforced at the protocol and gateway level, not by trusting the model to behave correctly.

This turns MCP into a safe execution boundary rather than a soft guideline.

Together, these components form a clean and composable architecture. Volcano SDK defines agent intent and execution flow. DataKit orchestrates and governs backend APIs. Kong MCP Proxy enforces security, policy, and visibility. The LLM operates within tightly controlled boundaries, consuming only the capabilities it has been explicitly granted.

Each layer has a single responsibility, and none of them leak unnecessary complexity into application code.

### Building Secure AI Agents: Key Takeaways 

This architecture allows teams to move quickly without sacrificing safety. Developers can build and iterate on agents rapidly. Platform teams retain control over data access and policy enforcement. Security teams gain visibility and confidence that AI systems cannot bypass controls through clever prompting.

Here’s a quickstart you can try out here in this [GitHub](https://github.com/eugenetan01/kong-datakit-mcp-quickstart/tree/master/kong-datakit-mcp-quickstart)GitHub link, that does the entire flow of exposing an api orchestration workflow as an MCP server without additional code via Kong, to [securing the MCP and LLM interactions with semantic guardrails](https://konghq.com/blog/product-releases/securing-observing-governing-mcp-servers-with-ai-gateway)securing the MCP and LLM interactions with semantic guardrails. 

Rather than embedding AI logic everywhere, this approach creates a platform for AI—one that is scalable, auditable, and ready for real-world production use.

Ready to see this architecture in action?[ Book a demo today](https://www.google.com/search?q=%23) Book a demo today to discover how Kong’s MCP Proxy and Volcano SDK can help you deploy secure, production-grade AI agents in minutes.

### **How does Kong AI Gateway secure LLM tool calls?**

Kong AI Gateway secures tool calls by acting as a proxy between the LLM and your backend services (exposed via MCP). It enforces authentication, authorization, and rate limits on every request. Additionally, it can apply semantic guardrails to detect and block prompt injection attacks before they reach your internal APIs.

### **What is the difference between MCP and OpenAI function calling?**

OpenAI function calling is a mechanism for the model to request data, but it often requires direct connectivity to your APIs. Model Context Protocol (MCP) is a standardized interface that decouples the model from the backend. When combined with DataKit and Kong, MCP ensures the model only interacts with a sanitized, governed "view" of your data, rather than raw API endpoints.

### **Can I use existing APIs with the Model Context Protocol?**

Yes. A key benefit of using Kong AI Gateway with MCP Proxy is the ability to encapsulate existing REST or GraphQL APIs as MCP servers without writing additional code. This allows you to scale AI agent workflows using your current infrastructure while maintaining security policies.

### **How do I prevent prompt injection in enterprise AI agents?**

Preventing prompt injection requires a layered approach. By using the Kong AI Gateway, you can enforce semantic validation on both incoming prompts and outgoing tool calls. If an LLM attempts to output a command that violates your security policy (e.g., deleting data), the Gateway blocks the request at the protocol level.

### **Does Volcano SDK replace LangChain?**

Volcano SDK is an alternative to frameworks like LangChain, focusing specifically on simplicity and secure agent orchestration. While LangChain offers a broad ecosystem for experimentation, Volcano SDK is designed for building deterministic, production-grade agents with built-in state management and clear separation of concerns.