"Web Development to Deployment and Operations (3/8) — How Far Should You Trust APIs, MCP, and Vibe Coding?"

Building features quickly is getting easier. Deciding what to build yourself, what to hand off to external services, and what must still be verified by you is becoming harder and more important.

Key Takeaways

  • APIs are the basic unit of feature connection, while MCP can be understood as a structured layer for tool access and control.
  • Vibe coding increases speed dramatically, but speed alone does not create an operationally trustworthy system.
  • The more external capability you connect, the more authentication, cost, failure handling, permissions, and data boundaries matter.
  • Good development is not just about connecting things quickly. It is also about deciding what stays under direct control and what gets delegated.

Why APIs are the default connection unit

Modern web applications rarely implement everything from scratch. Payments, authentication, email delivery, maps, search, and model inference are often borrowed from external services. The most common way to borrow those capabilities is through an API.

An API is more than a data pipe. It is also a responsibility boundary. Your application decides what inputs it will send, what outputs it expects, and what it will do when the request fails. The external service provides functionality inside that contract.

Using an API therefore means more than adding a feature. It means accepting a boundary and designing around it.

What MCP tries to organize

As the number of tools and connected systems grows, direct one-off integrations become harder to manage. Questions appear quickly: which tool should be used, under which permission model, with what input and output format, and under what constraints?

MCP is useful here as a structuring layer. It gives models and agents a more consistent way to discover and use tools instead of treating every connection as a special case. Once many tools exist, the design of the tool surface becomes an operational concern in its own right.

For beginners, the most practical way to think about MCP is not as an abstract standard first, but as a governance layer for external tool use. It helps prevent tool integration from becoming a pile of undocumented exceptions.

Why vibe coding is powerful and risky at the same time

Vibe coding has obvious strengths. It helps people assemble working feature flows quickly, learn faster, and get past the inertia of a blank project. For prototypes, that speed can be extremely valuable.

Operationally, however, the weak points are also clear. Fast-generated code may not explain why it is structured the way it is. Authentication, fallback handling, cost control, and permission separation are often incomplete or inconsistent. A system that "runs" is not automatically a system that can be trusted.

That does not make vibe coding a bad practice by default. It makes it a signal that verification responsibility must become sharper. The less a developer built deliberately, the more deliberately the result must be checked.

What should be delegated and what should stay inside

The key question around APIs and tool layers is not personal taste. It is responsibility allocation.

Some capabilities are usually better delegated to external services: model inference, payment processing, email delivery, and other standardized functions with high infrastructure cost. Other capabilities are often safer to keep closer to the product core: permission decisions, critical business rules, and sensitive data transformation.

A simple operating rule looks like this:

  • Standardized commodity functions are strong candidates for external APIs.
  • Core rules that define product trust should stay under tighter internal control.
  • Sensitive data should be processed inside the narrowest possible boundary.

This is how connection design becomes system design.

Why failure design matters more than connection speed

Once an external API is attached, failure stops being exceptional. Latency spikes, quota limits, expired credentials, temporary outages, and cost surprises all become normal operational scenarios. This is true for AI APIs and non-AI SaaS integrations alike.

That changes the important questions:

  • What does the user see if this call fails?
  • How many retries are acceptable?
  • How is cost limited?
  • Where are logs and traces kept?
  • How is unauthorized tool access prevented?

Without answers to those questions, a successful connection is closer to a demo than a service.

A common misunderstanding about MCP

Beginners sometimes assume that a tool layer such as MCP replaces ordinary API knowledge. It does not. Underneath the abstraction, the real service APIs, authentication methods, network requests, JSON payloads, and error contracts still exist.

That means MCP is not a substitute for understanding HTTP, auth, data formats, and failure behavior. It is valuable precisely because those lower-level realities need a cleaner operational surface once tool count grows.

The natural learning order is usually this: understand APIs first, then understand why a structured tool layer becomes useful when integrations multiply.

What must be verified before fast-connected features go live

Before a quickly assembled integration reaches production, the following checks matter at minimum:

  • Are the input and output formats fixed and predictable?
  • Are authentication and permission boundaries explicit?
  • Is there a fallback or degraded path when the dependency fails?
  • Are cost and call volume constrained?
  • Is sensitive data kept out of unnecessarily broad external flows?

Those checks apply whether the tool is an AI model, a search service, or a general SaaS integration. Operations are judged less by what was connected than by how well that connection is controlled.

Why the next boundary is data

Once API and tool connections are understood, the next question becomes unavoidable: where does the data go, how is it cleaned, and how is it reshaped before returning to the user?

That is where CRUD stops being enough. The next article uses Supabase to show why preprocessing, postprocessing, and access rules matter just as much as storage itself.

References

  • Model Context Protocol, Introduction — https://modelcontextprotocol.io/introduction
  • Anthropic Docs, Model Context Protocol (MCP) — https://docs.anthropic.com/en/docs/claude-code/mcp
  • IETF, RFC 6749: The OAuth 2.0 Authorization Framework — https://www.rfc-editor.org/rfc/rfc6749
  • IETF, RFC 9700: Best Current Practice for OAuth 2.0 Security — https://www.rfc-editor.org/rfc/rfc9700

This is Part 3 of the Web Development to Deployment and Operations series.

Series overview: Series index

๋Œ“๊ธ€

๋Œ“๊ธ€ ์“ฐ๊ธฐ

์ด ๋ธ”๋กœ๊ทธ์˜ ์ธ๊ธฐ ๊ฒŒ์‹œ๋ฌผ

Agent Memory Engine (2/10) — Building an AI Agent Memory System with SQLite Alone

← 1/10 SQLite Memory Engine f… ๐Ÿ“š Series Index 3/10 memcore Completed → A memory engine that runs without daemons, without dependencies, anywhere ํ•ต์‹ฌ ์š”์•ฝ This post covers how to design an AI agent memory engine (memcore) on a single-file SQLite backend. - Structure: 25 modules, ~6,464 lines, 22 DB tables - Principles: no daemon, single-file portability, no required external dependencies, host-agnostic - Core techniques: 4-layer hybrid search (topic · vector · FTS5 · LIKE), U-tag dialectic-based confidence evolution, ingestion-layer bias rejection rules What This Post Covers One approach to building AI agent memory without a server or cloud vector DB. Specifically: (1) the limitations of text-file-based memory, (2) vector DB alternatives compared and selection criteria, (3) how to layer search tiers, (4) how to evolve confidence scores over time, and (5) how to block biased memory accumulation at the ingestion stage. Design Principles: Why Single-File SQLite Text-file-based ...
Read more »

"ML Foundations (9/9) — PyTorch vs TensorFlow, and the Road to Local LLMs"

์ด๋ฏธ์ง€
← 8/9 Deep Learning Architec… ๐Ÿ“š Series Index (series end) The final part. So far we've focused on models. Now we focus on the tools that actually run them . We'll lay out the philosophical difference between PyTorch and TensorFlow, and trace how Hugging Face transformers , llama.cpp , MLX , and Ollama built the bridge to running large language models on your own machine. By the end you should have the full mental model of "download a pretrained LLM and serve it locally." 0. Learning Objectives Explain the eager-vs-graph difference between PyTorch and TensorFlow. Explain, in graph terms, how autograd automates the backward pass. Use Hugging Face transformers ' AutoModel , AutoTokenizer , and pipeline abstractions. Describe llama.cpp's GGUF quantization, INT4 inference, and CPU-first flow. Describe Apple MLX's use of unified memory and how it differs from PyTorch. Run a local LLM with Ollama and call it through an OpenAI-compatible API. ...
Read more »

"RAG Core Study (14/26) — Evaluation Sets with RAGAS & DeepEval"

์ด๋ฏธ์ง€
Series overview: Series index ๐Ÿ“š Series Index Without an evaluation set, every RAG improvement is a story, not evidence. RAG systems fail in more than one place: retrieval, context selection, answer generation, and grounding. That means "looks better" is not a metric. Part 14 explains how to build a golden dataset , how RAGAS and DeepEval fit into the workflow, and why teams must separate retrieval quality from answer quality if they want tuning decisions to hold up. 0. Prerequisites Part 13 reranking — system quality now depends on multi-stage ranking. Part 1 grounding — a correct-looking answer is not enough. Part 12 Hybrid — multiple retrieval settings need comparison on fixed data. 1. Learning Objectives Build a small but useful golden dataset for RAG. Distinguish retrieval metrics from answer metrics . Use RAGAS and DeepEval in the right roles. Avoid the common traps in judge-model-based evaluation. 2. ํ•ต์‹ฌ ์š”์•ฝ An evaluation set for RAG is ...
Read more »

"ML Foundations (8/9) — Deep Learning Architectures: CNN, RNN, Attention"

์ด๋ฏธ์ง€
← 7/9 Deep Learning Training ๐Ÿ“š Series Index 9/9 PyTorch vs TensorFlow → What did we keep adding on top of an MLP? Vision went CNN, sequences went RNN/LSTM, and eventually both converged on Attention and the Transformer. Each architecture is easier to remember if you read it as what it gave up to gain something else . This part is the one-line summary of the decisive inflection points: LeNet → AlexNet → ResNet → LSTM → Attention → Transformer. 0. Learning Objectives Explain why CNN's convolution, pooling, and weight sharing match images so well. Trace what got unblocked from LeNet → AlexNet → VGG → ResNet as depth grew. State BPTT for RNNs and the vanishing/exploding gradient problem. Write the LSTM gate equations (forget, input, output) with intuition. Write the attention formula in query/key/value form and the scaled dot-product variant. State the precise reasons Transformers replaced RNNs (parallelism + long-range dependencies). 1. ํ•ต์‹ฌ ์š”์•ฝ CNN : weight sharin...
Read more »

"ML Foundations (7/9) — Deep Learning Training: Optimizers, Regularization, Initialization"

← 6/9 Neural Networks ๐Ÿ“š Series Index 8/9 Deep Learning Architec… → Building an MLP, as we did in Part 6, is not the same as getting it to train well . The right optimizer, regularization, initialization, and learning rate — when these line up, deep networks converge. When they don't, the network refuses to learn at all. This part is the catalog of those crafts, with formulas, paper citations, and code in one place. 0. Learning Objectives Compare and write the update rules for SGD, Momentum, Nesterov, and Adam. Explain how Dropout, BatchNorm, and LayerNorm work and where they belong in a model. Derive the variance formulas for Xavier and He initialization and match them to activations. Implement step, cosine, and warmup learning-rate schedules in PyTorch. Explain why gradient clipping is effectively required for RNNs and Transformers. Diagnose the most common training failures (NaN, plateau, overfitting) and apply first-line fixes. 1. ํ•ต์‹ฌ ์š”์•ฝ SGD : \(w \leftarro...
Read more »

OpenClaw to Hermes Migration (2/13) — What to Preserve, Partially Port, or Discard

← 1/13 Current Structure Inve… ๐Ÿ“š Series Index 3/13 What Moves to Hermes → A code review record classifying operational scripts into three tiers: preserve, partial-preserve, and discard. What This Post Covers An asset classification framework (preserve / partial-preserve / discard) for migrating a legacy agent system to a successor A concrete case applying the Strangler Fig + Subset Migration strategy to a memory pipeline Classification results evaluated across LOC, external dependencies, and replaceability axes A method for slimming down a bloated single file (1,310 LOC) using the migration as a natural entry point Problem Definition: Port Everything or Cut Deep? The OpenClaw inventory comprises multiple agents, multiple scheduler/daemon processes, and multiple operational scripts. When moving to the successor system, Hermes, the choice is not binary. A full port carries accumulated technical debt along with it; a minimal port discards hard-won domain logic. Code-revie...
Read more »

AI Agents I Built (5/7) — Building an Automated Blogger API Publishing System

← 4/7 My Life Organizer Agent ๐Ÿ“š Series Index 6/7 Dual → Designing a Markdown-Based Auto-Publish Pipeline with Blogger API v3 + OAuth 2.0 Key Summary Blogger API v3 + OAuth 2.0 enables a pipeline that converts Markdown files into publishable HTML posts blogger_publish.py handles the full flow — frontmatter parsing → body cleanup → HTML conversion → CSS injection → API post — in a single script For bulk publishing, quota management (delay, retry, TOC suppression) is the critical design concern Platform Selection Criteria API access is mandatory for AI agent-driven content publishing. A comparison of platforms: Platform API Cost AdSense Decision WordPress.com REST API Paid plan required Paid only Cost overhead Ghost REST API Self-hosted or paid Manual setup Ops overhead Blogger v3 API Free Native integration Adopted Blogger is free, exposes a REST API, and integrates natively with AdSense. For personal blog automation, this combination i...
Read more »