Configuring OAuth 2.0/2.1 Authentication for tools
You can use OAuth 2.0/2.1 Authorization Code flow to enable delegated authentication for API or MCP tools. This lets agents act on behalf of users by prompting them to sign in and granting access to user-specific data. Refer to Adding capabilities to agents for more information.
When you interact with the agent, it will prompt you to sign in before it begins responding to your request. If there are multiple systems the agent needs access to, the agent will ask you to sign in to each system. You can click cancel and retry authorization. The authorization timeout is set to 10 minutes.
Important considerations
- PKCE (Proof Key for Code Exchange) is supported for enhanced security.
- Delegated authentication is only available in conversational agents. Agent step and agents using Structured mode are not supported, because the flow requires a multi-turn conversation to authenticate.
Required setup
- Register your app with your identity provider (Salesforce, Google, Okta, AWS, etc.).
- Add the following callback/redirect URI in your provider's OAuth settings.
https://ai-agent-garden.datalake-prod.boomi.com/api/v1/oauth/callback
Configuring fields
| Settings | Description | Required? |
|---|---|---|
| Grant Type | Only the Authorization Code grant type is supported. | Required |
| Client ID / Secret | Generated when registering your app with your identity provider. | Required |
| Authorization Server URL | The provider's authorization endpoint, e.g. https://hostname/services/oauth2/authorize. | Required |
| Access Token URL | The provider's token endpoint, e.g. https://hostname/services/oauth2/token. | Required |
| Scopes | Space-separated list of OAuth scopes to further restrict agent access. This is useful when you are using the same OAuth settings for multiple agents and applications and you want to further restrict an agent to specific actions. If left blank, the agent uses the scopes configured in the identity provider. Example: api web visualforce. | Optional |
| Authorization Request Parameters | Parameters to control user reauthentication, e.g. prompt=consent. | Optional |
| Access Token Request Parameters | Parameters for token retrieval, e.g. format=xml. | Optional |
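
The fields above correspond to the parameters of a standard Authorization Code request with PKCE (RFC 6749 and RFC 7636). The Python below is an added example, not Boomi's code: it shows how those fields would appear in the authorization URL and how the callback is checked, so you can compare against what your identity provider logs. The function names, the use of `state` and the S256 challenge method, and the rule that extra parameters may not override core ones are assumptions of this example.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Redirect URI from this page; all other values are supplied by the caller.
REDIRECT_URI = "https://ai-agent-garden.datalake-prod.boomi.com/api/v1/oauth/callback"


def pkce_pair():
    """Return (code_verifier, code_challenge) using the S256 method of RFC 7636."""
    verifier = secrets.token_urlsafe(64)  # 86 characters, within the 43-128 limit
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorization_url(auth_url, client_id, scopes="", extra_params=None):
    """Map the configuration fields onto a request; returns (url, state, verifier)."""
    if urlsplit(auth_url).scheme != "https":
        raise ValueError("authorization endpoint must use https")
    verifier, challenge = pkce_pair()
    state = secrets.token_urlsafe(32)  # binds the callback to this request
    params = {
        "response_type": "code",  # Authorization Code grant
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    if scopes.strip():
        params["scope"] = " ".join(scopes.split())  # space-separated; omitted if blank
    for key, value in (extra_params or {}).items():
        if key in params or key == "scope":
            raise ValueError(f"extra parameter may not override {key!r}")
        params[key] = value  # e.g. prompt=consent
    return f"{auth_url}?{urlencode(params)}", state, verifier


def code_from_callback(callback_url, expected_state):
    """Return the authorization code only if the callback echoes the expected state."""
    query = parse_qs(urlsplit(callback_url).query)
    returned_state = query.get("state", [""])[0]
    if not secrets.compare_digest(returned_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard this callback")
    if "error" in query:
        raise ValueError(f"provider returned error: {query['error'][0]}")
    return query["code"][0]
```

The `code_verifier` stays with the client and is sent only in the later token request, where the provider checks it against the `code_challenge` it received here.
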
Testing and debugging authentication
When you test your agent, access the agent's trace to see details about authentication issues. Refer to Testing and debugging agents to learn more.
You can test MCP server authentication during configuration. Refer to Connecting to an MCP server to learn more.