Your research agent works great in Jupyter. Then it leaks API keys in a stack trace, forgets what it researched two messages ago, and returns three citations, two of which link to pages that do not exist. Your manager asks why the "AI research assistant" is making up sources, and you realize the demo that impressed everyone last month has become a liability. Research agents have a unique set of production challenges that generic agent deployment guides do not address. They interact with multiple external APIs (search engines, academic databases, news services), each requiring different authentication methods. They conduct iterative research where the answer to one query shapes the next, demanding conversation context that most agent frameworks discard between turns. And they must provide source attribution that is not just plausible but verifiable, because a hallucinated citation in a research report destroys trust permanently. In this talk, I will show you: • How API credentials leak through error messages, logs, and agent responses, and how API gateways prevent this by isolating credentials from agent code entirely • How identity management services provide per-user, per-session credentials that expire automatically, eliminating the hardcoded API keys buried in environment variables • How to maintain conversation context across a multi-turn research session so the agent builds on its own findings rather than starting over each turn • How to implement source verification that checks every citation before including it, confirming the URL exists, the content matches the claim, and the source is accessible • A live demo: building a research agent that conducts iterative web research, maintains full conversation context, and returns structured responses where every source is verified You will walk away with: • A security architecture for research agents that handles credentials through API gateways and identity management, not environment variables • Patterns for

Outline: • The Research Agent That Became a Liability • Securing Credentials with API Gateways • Persistent Conversation Context • Source Verification That Actually Works • The Complete Research Agent and Resources