@mastra/mcp-docs-server 1.2.2-alpha.9 → 1.2.3-alpha.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (39) hide show
  1. package/.docs/docs/{harness → agent-controller}/modes.md +19 -19
  2. package/.docs/docs/agent-controller/overview.md +128 -0
  3. package/.docs/docs/agent-controller/session.md +143 -0
  4. package/.docs/docs/{harness → agent-controller}/subagents.md +12 -12
  5. package/.docs/docs/agent-controller/threads-and-state.md +141 -0
  6. package/.docs/docs/{harness → agent-controller}/tool-approvals.md +23 -23
  7. package/.docs/docs/agents/channels.md +47 -0
  8. package/.docs/docs/server/auth/google.md +281 -0
  9. package/.docs/docs/server/auth.md +2 -1
  10. package/.docs/models/gateways/vercel.md +3 -1
  11. package/.docs/models/index.md +1 -1
  12. package/.docs/models/providers/baseten.md +1 -1
  13. package/.docs/models/providers/fireworks-ai.md +2 -1
  14. package/.docs/models/providers/friendli.md +3 -1
  15. package/.docs/models/providers/llmgateway.md +1 -2
  16. package/.docs/models/providers/nebius.md +3 -2
  17. package/.docs/models/providers/opencode-go.md +1 -1
  18. package/.docs/models/providers/ovhcloud.md +1 -2
  19. package/.docs/models/providers/scaleway.md +2 -1
  20. package/.docs/models/providers/tinfoil.md +77 -0
  21. package/.docs/models/providers/togetherai.md +3 -2
  22. package/.docs/models/providers/xiaomi-token-plan-ams.md +4 -6
  23. package/.docs/models/providers/xiaomi-token-plan-cn.md +4 -6
  24. package/.docs/models/providers/xiaomi-token-plan-sgp.md +4 -6
  25. package/.docs/models/providers/xiaomi.md +4 -7
  26. package/.docs/models/providers.md +1 -0
  27. package/.docs/reference/{harness/harness-class.md → agent-controller/agent-controller-class.md} +106 -106
  28. package/.docs/reference/{harness → agent-controller}/session.md +97 -91
  29. package/.docs/reference/agents/channels.md +3 -1
  30. package/.docs/reference/agents/durable-agent.md +30 -3
  31. package/.docs/reference/auth/google.md +355 -0
  32. package/.docs/reference/channels/channel-provider.md +65 -0
  33. package/.docs/reference/channels/slack-provider.md +226 -0
  34. package/.docs/reference/index.md +5 -2
  35. package/CHANGELOG.md +28 -0
  36. package/package.json +6 -6
  37. package/.docs/docs/harness/overview.md +0 -128
  38. package/.docs/docs/harness/session.md +0 -143
  39. package/.docs/docs/harness/threads-and-state.md +0 -141
@@ -203,9 +203,13 @@ interface PrepareResult {
203
203
 
204
204
  **activeTools** (`string[]`): Restricts execution to the named subset of the agent's tools.
205
205
 
206
- **modelSettings** (`object`): Model-specific settings such as temperature.
206
+ **modelSettings** (`object`): Model-specific settings such as temperature. Credential-bearing headers (\`Authorization\`, \`X-Api-Key\`, and similar) are stripped from the serialized snapshot before it crosses process boundaries.
207
207
 
208
- **requireToolApproval** (`boolean`): Require approval for all tool calls, which suspends the run until resumed.
208
+ **stopWhen** (`AgentExecutionOptions['stopWhen']`): Predicate or composition that ends the agentic loop early. The closure rides on the in-process run registry; cross-process resumes degrade to \`maxSteps\` only.
209
+
210
+ **system** (`string | string[]`): Additional system message appended after the agent instructions and before user messages.
211
+
212
+ **requireToolApproval** (`boolean | ((args: { toolName: string; args: unknown; requestContext: RequestContext; workspace?: string }) => boolean | Promise<boolean>)`): Require approval for tool calls. Pass \`true\` or \`false\` to gate all or none, or a function for per-call policy. Function-form policies live on the in-process run registry; cross-process resumes fall back to a \`true\` shadow.
209
213
 
210
214
  **autoResumeSuspendedTools** (`boolean`): Automatically resume tools that suspended, instead of waiting for an external \`resume()\` call.
211
215
 
@@ -217,10 +221,26 @@ interface PrepareResult {
217
221
 
218
222
  **structuredOutput** (`object`): Structured output configuration.
219
223
 
220
- **untilIdle** (`boolean | { maxIdleMs?: number }`): When set, keeps the stream open across background-task continuations until the agent is idle. Pass \`true\` for the default 5-minute idle timeout, or \`{ maxIdleMs }\` to customise. Equivalent to the deprecated \`streamUntilIdle()\` method.
224
+ **untilIdle** (`boolean | { maxIdleMs?: number }`): When set, keeps the stream open across background-task continuations until the agent is idle. Pass \`true\` for the default 5-minute idle timeout, or \`{ maxIdleMs }\` to customise. Equivalent to the deprecated \`streamUntilIdle()\` method. Also supported on \`resume()\`.
225
+
226
+ **disableBackgroundTasks** (`boolean`): Disable background-task dispatch for this run. Background-eligible tools execute inline instead.
227
+
228
+ **tracingOptions** (`AgentExecutionOptions['tracingOptions']`): Tracing metadata, tags, trace ID, parent span ID, and \`requestContextKeys\` forwarded to the agent and model spans. Fully JSON-serializable.
229
+
230
+ **actor** (`AgentExecutionOptions['actor']`): Per-call actor signal forwarded to FGA checks and tool execution.
231
+
232
+ **transform** (`AgentExecutionOptions['transform']`): Per-invocation tool payload transform policy. The \`transformToolPayload\` closure lives on the in-process run registry; only the JSON-safe \`targets\` shadow is serialized.
233
+
234
+ **prepareStep** (`AgentExecutionOptions['prepareStep']`): Per-step preparation hook invoked as a \`PrepareStepProcessor\` at the start of every iteration. Closure-only — stored on the in-process run registry. Cross-process resumes lose the hook.
235
+
236
+ **isTaskComplete** (`AgentExecutionOptions['isTaskComplete']`): Per-call completion policy. Scorer instances and \`onComplete\` live on the in-process run registry; the JSON-safe primitives (\`strategy\`, \`timeout\`, \`parallel\`, \`suppressFeedback\`, \`scorerNames\`) are serialized for cross-process observability.
237
+
238
+ **delegation** (`AgentExecutionOptions['delegation']`): Sub-agent delegation hooks (\`onDelegationStart\`, \`onDelegationComplete\`, \`messageFilter\`). Callbacks are baked into the sub-agent tool wrappers at prepare time. Cross-process resumes lose the callbacks.
221
239
 
222
240
  **versions** (`object`): Version overrides for sub-agent delegation.
223
241
 
242
+ **abortSignal** (`AbortSignal`): External abort signal. Forwarded to the durable run's internal \`AbortController\`, so either source can cancel the run. Cross-process resumes cannot recover the signal — pass a fresh one to \`resume()\` if you need post-resume abortability.
243
+
224
244
  **onChunk** (`(chunk: ChunkType) => void | Promise<void>`): Called for each streamed chunk.
225
245
 
226
246
  **onStepFinish** (`(result: AgentStepFinishEventData) => void | Promise<void>`): Called when a step in the agentic loop finishes.
@@ -231,6 +251,10 @@ interface PrepareResult {
231
251
 
232
252
  **onSuspended** (`(data: AgentSuspendedEventData) => void | Promise<void>`): Called when the run suspends, for example for tool approval.
233
253
 
254
+ **onAbort** (`AgentExecutionOptions['onAbort']`): Called when the run is aborted via \`abortSignal\` or \`result.abort()\`.
255
+
256
+ **onIterationComplete** (`AgentExecutionOptions['onIterationComplete']`): Called after every agentic-loop iteration with the latest \`messageList\`, \`finishReason\`, and \`isFinal\` flag. Observation-only on durable agents: returning \`continue: false\` or feedback does not influence the loop.
257
+
234
258
  `resume()` and `observe()` accept the same lifecycle callbacks (`onChunk`, `onStepFinish`, `onFinish`, `onError`, `onSuspended`). `observe()` also accepts an `offset` to control where replay starts.
235
259
 
236
260
  ## DurableAgentStreamResult
@@ -245,6 +269,7 @@ interface DurableAgentStreamResult<OUTPUT = undefined> {
245
269
  threadId?: string
246
270
  resourceId?: string
247
271
  cleanup: () => void
272
+ abort: () => void
248
273
  }
249
274
  ```
250
275
 
@@ -260,6 +285,8 @@ interface DurableAgentStreamResult<OUTPUT = undefined> {
260
285
 
261
286
  **cleanup** (`() => void`): Unsubscribes from PubSub and clears registry entries for the run. Call it when done with the run.
262
287
 
288
+ **abort** (`() => void`): Aborts the run by flipping the internal \`AbortController\`. Surfaces as an \`AbortError\` inside the durable LLM-execution step and fires the \`onAbort\` callback. Safe to call after the run has finished — a no-op in that case.
289
+
263
290
  ## Related
264
291
 
265
292
  - [`createInngestAgent()`](https://mastra.ai/reference/agents/inngest-agent)
@@ -0,0 +1,355 @@
1
+ # MastraAuthGoogle & MastraRBACGoogle class
2
+
3
+ ## MastraAuthGoogle class
4
+
5
+ The `MastraAuthGoogle` class provides authentication for Mastra using Google Workspace. It implements an OAuth 2.0 / OIDC login flow with encrypted session cookies, verifies Google ID tokens, and integrates with the Mastra server using the `auth` option.
6
+
7
+ ### Usage example
8
+
9
+ ```typescript
10
+ import { Mastra } from '@mastra/core'
11
+ import { MastraAuthGoogle } from '@mastra/auth-google'
12
+
13
+ export const mastra = new Mastra({
14
+ server: {
15
+ auth: new MastraAuthGoogle({
16
+ clientId: process.env.GOOGLE_CLIENT_ID,
17
+ clientSecret: process.env.GOOGLE_CLIENT_SECRET,
18
+ redirectUri: process.env.GOOGLE_REDIRECT_URI,
19
+ allowedDomains: ['example.com'],
20
+ }),
21
+ },
22
+ })
23
+ ```
24
+
25
+ > **Note:** You can omit the constructor parameters if you have the appropriately named environment variables set. In that case, use `new MastraAuthGoogle()` without any arguments.
26
+
27
+ ### Constructor parameters
28
+
29
+ **clientId** (`string`): Google OAuth client ID. (Default: `process.env.GOOGLE_CLIENT_ID`)
30
+
31
+ **clientSecret** (`string`): Google OAuth client secret. Required for Studio SSO. (Default: `process.env.GOOGLE_CLIENT_SECRET`)
32
+
33
+ **redirectUri** (`string`): OAuth redirect URI for the SSO callback. Must match the redirect URI configured in your Google Cloud OAuth client. (Default: `process.env.GOOGLE_REDIRECT_URI`)
34
+
35
+ **scopes** (`string[]`): OAuth scopes requested during the login flow. (Default: `['openid', 'profile', 'email']`)
36
+
37
+ **allowedDomains** (`string | string[]`): Allowed Google Workspace hosted domains. Mastra validates these against the verified \`hd\` claim. (Default: `process.env.GOOGLE_ALLOWED_DOMAINS`)
38
+
39
+ **hostedDomain** (`string`): Hosted-domain login hint passed to Google as \`hd\`. This is a hint only and is not used for authorization. (Default: `process.env.GOOGLE_HOSTED_DOMAIN or the single allowed domain`)
40
+
41
+ **session** (`GoogleSessionOptions`): Session cookie configuration.
42
+
43
+ **session.cookieName** (`string`): Name of the session cookie.
44
+
45
+ **session.cookieMaxAge** (`number`): Cookie max age in seconds.
46
+
47
+ **session.cookiePassword** (`string`): Password for encrypting session cookies. Must be at least 32 characters. If not set, an auto-generated value is used in development that does not survive restarts.
48
+
49
+ **session.secureCookies** (`boolean`): Set the \`Secure\` flag on session cookies.
50
+
51
+ **name** (`string`): Custom name for the auth provider instance. (Default: `'google'`)
52
+
53
+ ### Environment variables
54
+
55
+ The following environment variables are automatically used when constructor options aren't provided:
56
+
57
+ **GOOGLE\_CLIENT\_ID** (`string`): Google OAuth client ID from your Google Cloud OAuth client.
58
+
59
+ **GOOGLE\_CLIENT\_SECRET** (`string`): Google OAuth client secret. Required for the SSO authorization code flow.
60
+
61
+ **GOOGLE\_REDIRECT\_URI** (`string`): OAuth redirect URI for the SSO callback.
62
+
63
+ **GOOGLE\_COOKIE\_PASSWORD** (`string`): Password for encrypting session cookies. Must be at least 32 characters.
64
+
65
+ **GOOGLE\_ALLOWED\_DOMAINS** (`string`): Comma-separated Google Workspace hosted domains to allow.
66
+
67
+ **GOOGLE\_HOSTED\_DOMAIN** (`string`): Hosted-domain login hint passed to Google during SSO login.
68
+
69
+ ### Authentication flow
70
+
71
+ `MastraAuthGoogle` authenticates requests in the following order:
72
+
73
+ 1. **Session cookie**: When SSO is enabled, reads the encrypted session cookie and decrypts it. If the session is valid and not expired, the user is authenticated.
74
+ 2. **Google ID token fallback**: If no valid session cookie is present, verifies the `Authorization` header token against Google's JWKS endpoint.
75
+
76
+ After authentication, `authorizeUser` checks that the user has a valid Google user ID, the token-derived expiration has not passed, and the user's verified `hd` claim matches `allowedDomains` when domains are configured.
77
+
78
+ ### Authentication methods
79
+
80
+ #### `authenticateToken(token, request?)`
81
+
82
+ Authenticates a Google ID token. When SSO is enabled, this method checks the encrypted session cookie before it verifies the Bearer token.
83
+
84
+ ```typescript
85
+ const user = await auth.authenticateToken(idToken, request)
86
+ ```
87
+
88
+ Returns: `Promise<GoogleUser | null>`
89
+
90
+ #### `getCurrentUser(request)`
91
+
92
+ Returns the authenticated user from a session cookie or Bearer Google ID token.
93
+
94
+ ```typescript
95
+ const user = await auth.getCurrentUser(request)
96
+ ```
97
+
98
+ Returns: `Promise<GoogleUser | null>`
99
+
100
+ #### `authorizeUser(user)`
101
+
102
+ Returns `true` when the user has an ID, has not expired, and matches `allowedDomains` when domains are configured.
103
+
104
+ ```typescript
105
+ const allowed = auth.authorizeUser(user)
106
+ ```
107
+
108
+ Returns: `boolean`
109
+
110
+ #### `getUser(userId)`
111
+
112
+ Returns `null`. Google ID tokens are verified directly, so this provider does not perform user lookup by ID.
113
+
114
+ ```typescript
115
+ const user = await auth.getUser(userId)
116
+ ```
117
+
118
+ Returns: `Promise<GoogleUser | null>`
119
+
120
+ ### `GoogleUser` type
121
+
122
+ The `GoogleUser` type extends the base `EEUser` interface with Google-specific fields:
123
+
124
+ **id** (`string`): Mastra user ID. Uses the Google \`sub\` claim.
125
+
126
+ **googleId** (`string`): Google Account subject identifier.
127
+
128
+ **email** (`string`): User email address.
129
+
130
+ **name** (`string`): User display name from Google profile claims.
131
+
132
+ **avatarUrl** (`string`): URL to the user's Google profile picture.
133
+
134
+ **hostedDomain** (`string`): Google Workspace hosted domain from the verified \`hd\` claim.
135
+
136
+ **expiresAt** (`Date`): Verified ID token expiration time, when available.
137
+
138
+ **emailVerified** (`boolean`): Whether Google reports the email address as verified.
139
+
140
+ **groups** (`string[]`): Optional pre-resolved Google Workspace group role IDs.
141
+
142
+ ## MastraRBACGoogle class
143
+
144
+ The `MastraRBACGoogle` class maps Google Workspace groups to Mastra permissions. It fetches user groups from the Google Admin SDK Directory API and resolves them against a configurable role mapping. Use it with `MastraAuthGoogle` or any other auth provider.
145
+
146
+ > **Note:** RBAC requires a valid Enterprise Edition license. It works without a license in development so you can try it locally, but you'll need a license for production. [Contact sales](https://mastra.ai/contact) for more information.
147
+
148
+ ### Usage example
149
+
150
+ Use `MastraRBACGoogle` alongside an auth provider by passing it to the `rbac` option:
151
+
152
+ ```typescript
153
+ import { Mastra } from '@mastra/core'
154
+ import { MastraAuthGoogle, MastraRBACGoogle } from '@mastra/auth-google'
155
+
156
+ export const mastra = new Mastra({
157
+ server: {
158
+ auth: new MastraAuthGoogle(),
159
+ rbac: new MastraRBACGoogle({
160
+ serviceAccount: {
161
+ clientEmail: process.env.GOOGLE_SERVICE_ACCOUNT_EMAIL!,
162
+ privateKey: process.env.GOOGLE_SERVICE_ACCOUNT_PRIVATE_KEY!,
163
+ subject: process.env.GOOGLE_WORKSPACE_ADMIN_EMAIL!,
164
+ },
165
+ roleMapping: {
166
+ 'admins@example.com': ['*'],
167
+ 'engineering@example.com': ['agents:*', 'workflows:*', 'tools:*'],
168
+ 'viewers@example.com': ['agents:read', 'workflows:read'],
169
+ _default: [],
170
+ },
171
+ }),
172
+ },
173
+ })
174
+ ```
175
+
176
+ To use Google Workspace RBAC with a different auth provider, pass a `getUserKey` function to resolve the Google Directory API user key from the other provider's user object:
177
+
178
+ ```typescript
179
+ import { Mastra } from '@mastra/core'
180
+ import { MastraAuthAuth0 } from '@mastra/auth-auth0'
181
+ import { MastraRBACGoogle } from '@mastra/auth-google'
182
+
183
+ export const mastra = new Mastra({
184
+ server: {
185
+ auth: new MastraAuthAuth0(),
186
+ rbac: new MastraRBACGoogle({
187
+ getUserKey: user => user.email,
188
+ serviceAccount: {
189
+ clientEmail: process.env.GOOGLE_SERVICE_ACCOUNT_EMAIL!,
190
+ privateKey: process.env.GOOGLE_SERVICE_ACCOUNT_PRIVATE_KEY!,
191
+ subject: process.env.GOOGLE_WORKSPACE_ADMIN_EMAIL!,
192
+ },
193
+ roleMapping: {
194
+ 'engineering@example.com': ['agents:*', 'workflows:*'],
195
+ 'admins@example.com': ['*'],
196
+ _default: [],
197
+ },
198
+ }),
199
+ },
200
+ })
201
+ ```
202
+
203
+ ### Constructor parameters
204
+
205
+ **roleMapping** (`RoleMapping`): Maps Google Workspace group role IDs to arrays of Mastra permission strings. Use \`'\_default'\` to assign permissions to users who do not match any group. Supports wildcards like \`'\*'\` (full access) and \`'agents:\*'\` (all agent actions).
206
+
207
+ **accessToken** (`string`): Pre-obtained Workspace Directory API access token.
208
+
209
+ **getAccessToken** (`() => Promise<string> | string`): Callback that returns a Workspace Directory API access token.
210
+
211
+ **serviceAccount** (`GoogleWorkspaceServiceAccount`): Service account credentials for domain-wide delegated Directory API access.
212
+
213
+ **serviceAccount.clientEmail** (`string`): Google service account email.
214
+
215
+ **serviceAccount.privateKey** (`string`): PEM-encoded private key. Escaped \`\n\` values from .env files are supported.
216
+
217
+ **serviceAccount.privateKeyId** (`string`): Optional private key ID.
218
+
219
+ **serviceAccount.subject** (`string`): Workspace administrator user to impersonate with domain-wide delegation.
220
+
221
+ **serviceAccount.scopes** (`string[]`): OAuth scopes for the service account token.
222
+
223
+ **getUserKey** (`(user: unknown) => string | undefined`): Extract the Directory API \`userKey\` from an authenticated user. Defaults to \`user.email\`.
224
+
225
+ **mapGroupToRoles** (`(group: GoogleWorkspaceGroup) => string[]`): Map a Google Workspace group to role IDs. Defaults to \`\[group.email]\`.
226
+
227
+ **cache** (`PermissionCacheOptions`): Configure the LRU cache for group lookups.
228
+
229
+ **cache.maxSize** (`number`): Maximum number of users to cache.
230
+
231
+ **cache.ttlMs** (`number`): Time-to-live in milliseconds.
232
+
233
+ ### RBAC methods
234
+
235
+ #### `getRoles(user)`
236
+
237
+ Returns Google Workspace group role IDs for a user.
238
+
239
+ ```typescript
240
+ const roles = await rbac.getRoles(user)
241
+ ```
242
+
243
+ Returns: `Promise<string[]>`
244
+
245
+ #### `getPermissions(user)`
246
+
247
+ Returns Mastra permissions resolved from Google Workspace groups and `roleMapping`.
248
+
249
+ ```typescript
250
+ const permissions = await rbac.getPermissions(user)
251
+ ```
252
+
253
+ Returns: `Promise<string[]>`
254
+
255
+ #### `hasPermission(user, permission)`
256
+
257
+ Checks whether a user has a permission.
258
+
259
+ ```typescript
260
+ const canReadAgents = await rbac.hasPermission(user, 'agents:read')
261
+ ```
262
+
263
+ Returns: `Promise<boolean>`
264
+
265
+ #### `hasRole(user, role)`
266
+
267
+ Checks whether a user resolved to a specific Google Workspace group role.
268
+
269
+ ```typescript
270
+ const isAdmin = await rbac.hasRole(user, 'admins@example.com')
271
+ ```
272
+
273
+ Returns: `Promise<boolean>`
274
+
275
+ #### `hasAllPermissions(user, permissions)`
276
+
277
+ Checks whether a user has every requested permission.
278
+
279
+ ```typescript
280
+ const canManageAgents = await rbac.hasAllPermissions(user, ['agents:read', 'agents:update'])
281
+ ```
282
+
283
+ Returns: `Promise<boolean>`
284
+
285
+ #### `hasAnyPermission(user, permissions)`
286
+
287
+ Checks whether a user has at least one requested permission.
288
+
289
+ ```typescript
290
+ const canReadSomething = await rbac.hasAnyPermission(user, ['agents:read', 'workflows:read'])
291
+ ```
292
+
293
+ Returns: `Promise<boolean>`
294
+
295
+ #### `getAvailableRoles()`
296
+
297
+ Returns the role IDs configured in `roleMapping`, excluding `_default`.
298
+
299
+ ```typescript
300
+ const roles = await rbac.getAvailableRoles()
301
+ ```
302
+
303
+ Returns: `Promise<{ id: string; name: string }[]>`
304
+
305
+ #### `getPermissionsForRole(roleId)`
306
+
307
+ Returns the permissions configured for a role ID.
308
+
309
+ ```typescript
310
+ const permissions = await rbac.getPermissionsForRole('engineering@example.com')
311
+ ```
312
+
313
+ Returns: `Promise<string[]>`
314
+
315
+ #### `clearCache()`
316
+
317
+ Clears all cached Google Workspace group lookups.
318
+
319
+ ```typescript
320
+ rbac.clearCache()
321
+ ```
322
+
323
+ Returns: `void`
324
+
325
+ #### `clearUserCache(userKey)`
326
+
327
+ Clears the cached group lookup for one Directory API user key, such as an email address.
328
+
329
+ ```typescript
330
+ rbac.clearUserCache('user@example.com')
331
+ ```
332
+
333
+ Returns: `void`
334
+
335
+ #### `getCacheStats()`
336
+
337
+ Returns the current group lookup cache size and maximum size.
338
+
339
+ ```typescript
340
+ const stats = rbac.getCacheStats()
341
+ ```
342
+
343
+ Returns: `{ size: number; maxSize: number }`
344
+
345
+ ### Additional configuration
346
+
347
+ `MastraRBACGoogle` uses `GET https://admin.googleapis.com/admin/directory/v1/groups?userKey=...` and handles pagination. Provide a service account with domain-wide delegation for production Google Workspace deployments, or pass `accessToken` / `getAccessToken` if your application already manages Google API tokens.
348
+
349
+ If `user.groups` is already an array, `MastraRBACGoogle` uses that value and does not call the Directory API. An empty `groups` array means the user has no Google group roles and resolves to `_default` permissions when `_default` is configured.
350
+
351
+ `MastraRBACGoogle` does not automatically read service-account environment variables. Pass service-account credentials through the `serviceAccount` option, or pass `accessToken` / `getAccessToken`.
352
+
353
+ ## Related
354
+
355
+ [Google auth docs](https://mastra.ai/docs/server/auth/google)
@@ -0,0 +1,65 @@
1
+ # ChannelProvider
2
+
3
+ `ChannelProvider` is the interface that platform integrations implement to connect agents to a messaging platform. A provider owns the full lifecycle of an integration: app provisioning and OAuth, webhook routing and event handling, adapter creation and agent wiring, and credential management.
4
+
5
+ Register providers on the `Mastra` constructor under `channels`, keyed by an id you choose. Each provider's routes are merged into the server's API routes automatically, and `initialize()` runs during Mastra startup.
6
+
7
+ ```typescript
8
+ import { Mastra } from '@mastra/core/mastra'
9
+ import { SlackProvider } from '@mastra/slack'
10
+
11
+ export const mastra = new Mastra({
12
+ channels: {
13
+ slack: new SlackProvider({
14
+ refreshToken: process.env.SLACK_REFRESH_TOKEN!,
15
+ baseUrl: process.env.MASTRA_BASE_URL,
16
+ }),
17
+ },
18
+ })
19
+ ```
20
+
21
+ The provider's `baseUrl` is the public URL the platform sends webhooks and events to. In production this is your deployed Mastra server URL. For local development, the platform can't reach `http://localhost:4111`, so run a tunnel (such as [cloudflared](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/) or [ngrok](https://ngrok.com/)) and point `baseUrl` at the tunnel URL (for example `https://abc123.trycloudflare.com`) so events reach your local dev process.
22
+
23
+ [`SlackProvider`](https://mastra.ai/reference/channels/slack-provider) is the first built-in implementation. Build a custom provider by implementing this interface.
24
+
25
+ ## Properties
26
+
27
+ **id** (`string`): Unique identifier for this channel type, for example 'slack' or 'discord'. Used as the key when routing events and looking the provider up from Mastra.
28
+
29
+ ## Methods
30
+
31
+ **getRoutes** (`() => ApiRoute[]`): Returns the API routes for this channel (OAuth, webhooks, events). These are merged into the server's apiRoutes automatically.
32
+
33
+ **initialize** (`() => Promise<void>`): Called during Mastra initialization after all agents are registered. Use it for async setup such as restoring active installations. Does not provision new apps.
34
+
35
+ **configure** (`(credentials: Record<string, unknown> | null) => void | Promise<void>`): Provides or clears platform credentials at runtime. Pass null to clear credentials and delete stored tokens.
36
+
37
+ **getInfo** (`() => ChannelPlatformInfo`): Returns discovery metadata for the editor UI: platform name, configuration status, and the connect options schema.
38
+
39
+ **connect** (`(agentId: string, options?: Record<string, unknown>) => Promise<ChannelConnectResult>`): Connects an agent to the platform. Returns a discriminated result describing the authorization flow required to finish the connection.
40
+
41
+ **disconnect** (`(agentId: string) => Promise<void>`): Disconnects an agent from the platform. Deletes the platform app and cleans up stored state.
42
+
43
+ **listInstallations** (`() => Promise<ChannelInstallationInfo[]>`): Lists active installations for this platform. Returns public info only, never secrets.
44
+
45
+ ## Accessing a provider
46
+
47
+ Access a registered provider through the `channels` getter, keyed by the id you registered it under. The getter is typed from the constructor config, so `mastra.channels.slack` is the concrete provider with its full method surface.
48
+
49
+ ```typescript
50
+ await mastra.channels.slack.configure({ refreshToken })
51
+ ```
52
+
53
+ When the key is only known at runtime, look the provider up by string id instead. `getChannelProvider` takes the concrete type as a generic, and `getChannelProviders` returns every registered provider keyed by id.
54
+
55
+ ```typescript
56
+ import type { SlackProvider } from '@mastra/slack'
57
+
58
+ const slack = mastra.getChannelProvider<SlackProvider>('slack')
59
+ const all = mastra.getChannelProviders()
60
+ ```
61
+
62
+ ## Related
63
+
64
+ - [SlackProvider](https://mastra.ai/reference/channels/slack-provider)
65
+ - [Channels](https://mastra.ai/docs/agents/channels)