solace-agent-mesh 1.6.1__py3-none-any.whl → 1.13.2__py3-none-any.whl


Potentially problematic release.


This version of solace-agent-mesh might be problematic.

Files changed (481)
  1. solace_agent_mesh/agent/adk/alembic/README +74 -0
  2. solace_agent_mesh/agent/adk/alembic/env.py +77 -0
  3. solace_agent_mesh/agent/adk/alembic/script.py.mako +28 -0
  4. solace_agent_mesh/agent/adk/alembic/versions/e2902798564d_adk_session_db_upgrade.py +52 -0
  5. solace_agent_mesh/agent/adk/alembic.ini +112 -0
  6. solace_agent_mesh/agent/adk/app_llm_agent.py +26 -0
  7. solace_agent_mesh/agent/adk/artifacts/filesystem_artifact_service.py +165 -1
  8. solace_agent_mesh/agent/adk/artifacts/s3_artifact_service.py +163 -0
  9. solace_agent_mesh/agent/adk/callbacks.py +852 -109
  10. solace_agent_mesh/agent/adk/embed_resolving_mcp_toolset.py +234 -36
  11. solace_agent_mesh/agent/adk/intelligent_mcp_callbacks.py +52 -5
  12. solace_agent_mesh/agent/adk/mcp_content_processor.py +1 -1
  13. solace_agent_mesh/agent/adk/models/lite_llm.py +77 -21
  14. solace_agent_mesh/agent/adk/models/oauth2_token_manager.py +24 -137
  15. solace_agent_mesh/agent/adk/runner.py +85 -20
  16. solace_agent_mesh/agent/adk/schema_migration.py +88 -0
  17. solace_agent_mesh/agent/adk/services.py +94 -18
  18. solace_agent_mesh/agent/adk/setup.py +281 -65
  19. solace_agent_mesh/agent/adk/stream_parser.py +231 -37
  20. solace_agent_mesh/agent/adk/tool_wrapper.py +3 -0
  21. solace_agent_mesh/agent/protocol/event_handlers.py +472 -137
  22. solace_agent_mesh/agent/proxies/a2a/app.py +3 -2
  23. solace_agent_mesh/agent/proxies/a2a/component.py +572 -75
  24. solace_agent_mesh/agent/proxies/a2a/config.py +80 -4
  25. solace_agent_mesh/agent/proxies/base/app.py +3 -2
  26. solace_agent_mesh/agent/proxies/base/component.py +188 -22
  27. solace_agent_mesh/agent/proxies/base/proxy_task_context.py +3 -1
  28. solace_agent_mesh/agent/sac/app.py +91 -3
  29. solace_agent_mesh/agent/sac/component.py +591 -157
  30. solace_agent_mesh/agent/sac/patch_adk.py +8 -16
  31. solace_agent_mesh/agent/sac/task_execution_context.py +146 -4
  32. solace_agent_mesh/agent/tools/__init__.py +3 -0
  33. solace_agent_mesh/agent/tools/audio_tools.py +3 -3
  34. solace_agent_mesh/agent/tools/builtin_artifact_tools.py +710 -171
  35. solace_agent_mesh/agent/tools/deep_research_tools.py +2161 -0
  36. solace_agent_mesh/agent/tools/dynamic_tool.py +2 -0
  37. solace_agent_mesh/agent/tools/peer_agent_tool.py +82 -15
  38. solace_agent_mesh/agent/tools/time_tools.py +126 -0
  39. solace_agent_mesh/agent/tools/tool_config_types.py +57 -2
  40. solace_agent_mesh/agent/tools/web_search_tools.py +279 -0
  41. solace_agent_mesh/agent/tools/web_tools.py +125 -17
  42. solace_agent_mesh/agent/utils/artifact_helpers.py +248 -6
  43. solace_agent_mesh/agent/utils/context_helpers.py +17 -0
  44. solace_agent_mesh/assets/docs/404.html +6 -6
  45. solace_agent_mesh/assets/docs/assets/css/{styles.906a1503.css → styles.8162edfb.css} +1 -1
  46. solace_agent_mesh/assets/docs/assets/js/05749d90.19ac4f35.js +1 -0
  47. solace_agent_mesh/assets/docs/assets/js/15ba94aa.e186750d.js +1 -0
  48. solace_agent_mesh/assets/docs/assets/js/15e40e79.434bb30f.js +1 -0
  49. solace_agent_mesh/assets/docs/assets/js/17896441.e612dfb4.js +1 -0
  50. solace_agent_mesh/assets/docs/assets/js/2279.550aa580.js +2 -0
  51. solace_agent_mesh/assets/docs/assets/js/{17896441.a5e82f9b.js.LICENSE.txt → 2279.550aa580.js.LICENSE.txt} +6 -0
  52. solace_agent_mesh/assets/docs/assets/js/240a0364.83e37aa8.js +1 -0
  53. solace_agent_mesh/assets/docs/assets/js/2987107d.a80604f9.js +1 -0
  54. solace_agent_mesh/assets/docs/assets/js/2e32b5e0.2f0db237.js +1 -0
  55. solace_agent_mesh/assets/docs/assets/js/3a6c6137.7e61915d.js +1 -0
  56. solace_agent_mesh/assets/docs/assets/js/3ac1795d.7f7ab1c1.js +1 -0
  57. solace_agent_mesh/assets/docs/assets/js/3ff0015d.e53c9b78.js +1 -0
  58. solace_agent_mesh/assets/docs/assets/js/41adc471.0e95b87c.js +1 -0
  59. solace_agent_mesh/assets/docs/assets/js/4667dc50.bf2ad456.js +1 -0
  60. solace_agent_mesh/assets/docs/assets/js/49eed117.493d6f99.js +1 -0
  61. solace_agent_mesh/assets/docs/assets/js/{509e993c.4c7a1a6d.js → 509e993c.a1fbf45a.js} +1 -1
  62. solace_agent_mesh/assets/docs/assets/js/547e15cc.8e6da617.js +1 -0
  63. solace_agent_mesh/assets/docs/assets/js/55b7b518.29d6e75d.js +1 -0
  64. solace_agent_mesh/assets/docs/assets/js/5b8d9c11.d4eb37b8.js +1 -0
  65. solace_agent_mesh/assets/docs/assets/js/5c2bd65f.1ee87753.js +1 -0
  66. solace_agent_mesh/assets/docs/assets/js/60702c0e.a8bdd79b.js +1 -0
  67. solace_agent_mesh/assets/docs/assets/js/631738c7.fa471607.js +1 -0
  68. solace_agent_mesh/assets/docs/assets/js/64195356.09dbd087.js +1 -0
  69. solace_agent_mesh/assets/docs/assets/js/66d4869e.30340bd3.js +1 -0
  70. solace_agent_mesh/assets/docs/assets/js/6a520c9d.b6e3f2ce.js +1 -0
  71. solace_agent_mesh/assets/docs/assets/js/6aaedf65.7253541d.js +1 -0
  72. solace_agent_mesh/assets/docs/assets/js/6ad8f0bd.a5b36a60.js +1 -0
  73. solace_agent_mesh/assets/docs/assets/js/6d84eae0.fd23ba4a.js +1 -0
  74. solace_agent_mesh/assets/docs/assets/js/71da7b71.374b9d54.js +1 -0
  75. solace_agent_mesh/assets/docs/assets/js/729898df.7249e9fd.js +1 -0
  76. solace_agent_mesh/assets/docs/assets/js/7e294c01.7c5f6906.js +1 -0
  77. solace_agent_mesh/assets/docs/assets/js/8024126c.e3467286.js +1 -0
  78. solace_agent_mesh/assets/docs/assets/js/81a99df0.7ed65d45.js +1 -0
  79. solace_agent_mesh/assets/docs/assets/js/82fbfb93.161823a5.js +1 -0
  80. solace_agent_mesh/assets/docs/assets/js/8b032486.91a91afc.js +1 -0
  81. solace_agent_mesh/assets/docs/assets/js/924ffdeb.975e428a.js +1 -0
  82. solace_agent_mesh/assets/docs/assets/js/94e8668d.16083b3f.js +1 -0
  83. solace_agent_mesh/assets/docs/assets/js/9bb13469.4523ae20.js +1 -0
  84. solace_agent_mesh/assets/docs/assets/js/a7d42657.a956689d.js +1 -0
  85. solace_agent_mesh/assets/docs/assets/js/a94703ab.3e5fbcb3.js +1 -0
  86. solace_agent_mesh/assets/docs/assets/js/ab9708a8.3e563275.js +1 -0
  87. solace_agent_mesh/assets/docs/assets/js/ad87452a.9d73dad6.js +1 -0
  88. solace_agent_mesh/assets/docs/assets/js/c93cbaa0.0e0d8baf.js +1 -0
  89. solace_agent_mesh/assets/docs/assets/js/cab03b5b.6a073091.js +1 -0
  90. solace_agent_mesh/assets/docs/assets/js/cbe2e9ea.07e170dd.js +1 -0
  91. solace_agent_mesh/assets/docs/assets/js/da0b5bad.b62f7b08.js +1 -0
  92. solace_agent_mesh/assets/docs/assets/js/dd817ffc.c37a755e.js +1 -0
  93. solace_agent_mesh/assets/docs/assets/js/dd81e2b8.b682e9c2.js +1 -0
  94. solace_agent_mesh/assets/docs/assets/js/de915948.44a432bc.js +1 -0
  95. solace_agent_mesh/assets/docs/assets/js/e04b235d.06d23db6.js +1 -0
  96. solace_agent_mesh/assets/docs/assets/js/e1b6eeb4.deb2b62e.js +1 -0
  97. solace_agent_mesh/assets/docs/assets/js/e3d9abda.1476f570.js +1 -0
  98. solace_agent_mesh/assets/docs/assets/js/e6f9706b.acc800d3.js +1 -0
  99. solace_agent_mesh/assets/docs/assets/js/e92d0134.c147a429.js +1 -0
  100. solace_agent_mesh/assets/docs/assets/js/ee0c2fe7.94d0a351.js +1 -0
  101. solace_agent_mesh/assets/docs/assets/js/f284c35a.cc97854c.js +1 -0
  102. solace_agent_mesh/assets/docs/assets/js/ff4d71f2.74710fc1.js +1 -0
  103. solace_agent_mesh/assets/docs/assets/js/main.d634009f.js +2 -0
  104. solace_agent_mesh/assets/docs/assets/js/runtime~main.27bb82a7.js +1 -0
  105. solace_agent_mesh/assets/docs/docs/documentation/components/agents/index.html +68 -68
  106. solace_agent_mesh/assets/docs/docs/documentation/components/builtin-tools/artifact-management/index.html +50 -50
  107. solace_agent_mesh/assets/docs/docs/documentation/components/builtin-tools/audio-tools/index.html +42 -42
  108. solace_agent_mesh/assets/docs/docs/documentation/components/builtin-tools/data-analysis-tools/index.html +55 -55
  109. solace_agent_mesh/assets/docs/docs/documentation/components/builtin-tools/embeds/index.html +82 -68
  110. solace_agent_mesh/assets/docs/docs/documentation/components/builtin-tools/image-tools/index.html +81 -0
  111. solace_agent_mesh/assets/docs/docs/documentation/components/builtin-tools/index.html +67 -50
  112. solace_agent_mesh/assets/docs/docs/documentation/components/builtin-tools/research-tools/index.html +136 -0
  113. solace_agent_mesh/assets/docs/docs/documentation/components/cli/index.html +178 -144
  114. solace_agent_mesh/assets/docs/docs/documentation/components/gateways/index.html +43 -42
  115. solace_agent_mesh/assets/docs/docs/documentation/components/index.html +20 -18
  116. solace_agent_mesh/assets/docs/docs/documentation/components/orchestrator/index.html +23 -23
  117. solace_agent_mesh/assets/docs/docs/documentation/components/platform-service/index.html +33 -0
  118. solace_agent_mesh/assets/docs/docs/documentation/components/plugins/index.html +45 -45
  119. solace_agent_mesh/assets/docs/docs/documentation/components/projects/index.html +182 -0
  120. solace_agent_mesh/assets/docs/docs/documentation/components/prompts/index.html +147 -0
  121. solace_agent_mesh/assets/docs/docs/documentation/components/proxies/index.html +208 -125
  122. solace_agent_mesh/assets/docs/docs/documentation/components/speech/index.html +52 -0
  123. solace_agent_mesh/assets/docs/docs/documentation/deploying/debugging/index.html +28 -49
  124. solace_agent_mesh/assets/docs/docs/documentation/deploying/deployment-options/index.html +29 -30
  125. solace_agent_mesh/assets/docs/docs/documentation/deploying/index.html +14 -14
  126. solace_agent_mesh/assets/docs/docs/documentation/deploying/kubernetes/index.html +47 -0
  127. solace_agent_mesh/assets/docs/docs/documentation/deploying/kubernetes/kubernetes-deployment-guide/index.html +197 -0
  128. solace_agent_mesh/assets/docs/docs/documentation/deploying/logging/index.html +90 -0
  129. solace_agent_mesh/assets/docs/docs/documentation/deploying/observability/index.html +17 -16
  130. solace_agent_mesh/assets/docs/docs/documentation/deploying/proxy_configuration/index.html +49 -0
  131. solace_agent_mesh/assets/docs/docs/documentation/developing/create-agents/index.html +38 -38
  132. solace_agent_mesh/assets/docs/docs/documentation/developing/create-gateways/index.html +162 -171
  133. solace_agent_mesh/assets/docs/docs/documentation/developing/creating-python-tools/index.html +67 -49
  134. solace_agent_mesh/assets/docs/docs/documentation/developing/creating-service-providers/index.html +17 -17
  135. solace_agent_mesh/assets/docs/docs/documentation/developing/evaluations/index.html +51 -51
  136. solace_agent_mesh/assets/docs/docs/documentation/developing/index.html +22 -22
  137. solace_agent_mesh/assets/docs/docs/documentation/developing/structure/index.html +27 -27
  138. solace_agent_mesh/assets/docs/docs/documentation/developing/tutorials/bedrock-agents/index.html +135 -135
  139. solace_agent_mesh/assets/docs/docs/documentation/developing/tutorials/custom-agent/index.html +66 -66
  140. solace_agent_mesh/assets/docs/docs/documentation/developing/tutorials/event-mesh-gateway/index.html +51 -51
  141. solace_agent_mesh/assets/docs/docs/documentation/developing/tutorials/mcp-integration/index.html +50 -38
  142. solace_agent_mesh/assets/docs/docs/documentation/developing/tutorials/mongodb-integration/index.html +86 -86
  143. solace_agent_mesh/assets/docs/docs/documentation/developing/tutorials/rag-integration/index.html +51 -51
  144. solace_agent_mesh/assets/docs/docs/documentation/developing/tutorials/rest-gateway/index.html +24 -24
  145. solace_agent_mesh/assets/docs/docs/documentation/developing/tutorials/slack-integration/index.html +30 -30
  146. solace_agent_mesh/assets/docs/docs/documentation/developing/tutorials/sql-database/index.html +44 -44
  147. solace_agent_mesh/assets/docs/docs/documentation/developing/tutorials/teams-integration/index.html +115 -0
  148. solace_agent_mesh/assets/docs/docs/documentation/enterprise/agent-builder/index.html +86 -0
  149. solace_agent_mesh/assets/docs/docs/documentation/enterprise/connectors/index.html +67 -0
  150. solace_agent_mesh/assets/docs/docs/documentation/enterprise/index.html +23 -19
  151. solace_agent_mesh/assets/docs/docs/documentation/enterprise/installation/index.html +40 -37
  152. solace_agent_mesh/assets/docs/docs/documentation/enterprise/openapi-tools/index.html +324 -0
  153. solace_agent_mesh/assets/docs/docs/documentation/enterprise/rbac-setup-guide/index.html +112 -87
  154. solace_agent_mesh/assets/docs/docs/documentation/enterprise/secure-user-delegated-access/index.html +440 -0
  155. solace_agent_mesh/assets/docs/docs/documentation/enterprise/single-sign-on/index.html +87 -64
  156. solace_agent_mesh/assets/docs/docs/documentation/enterprise/wheel-installation/index.html +62 -0
  157. solace_agent_mesh/assets/docs/docs/documentation/getting-started/architecture/index.html +44 -44
  158. solace_agent_mesh/assets/docs/docs/documentation/getting-started/index.html +39 -37
  159. solace_agent_mesh/assets/docs/docs/documentation/getting-started/introduction/index.html +30 -30
  160. solace_agent_mesh/assets/docs/docs/documentation/getting-started/try-agent-mesh/index.html +18 -18
  161. solace_agent_mesh/assets/docs/docs/documentation/getting-started/vibe_coding/index.html +62 -0
  162. solace_agent_mesh/assets/docs/docs/documentation/installing-and-configuring/artifact-storage/index.html +311 -0
  163. solace_agent_mesh/assets/docs/docs/documentation/installing-and-configuring/configurations/index.html +39 -42
  164. solace_agent_mesh/assets/docs/docs/documentation/installing-and-configuring/index.html +14 -14
  165. solace_agent_mesh/assets/docs/docs/documentation/installing-and-configuring/installation/index.html +27 -25
  166. solace_agent_mesh/assets/docs/docs/documentation/installing-and-configuring/large_language_models/index.html +69 -69
  167. solace_agent_mesh/assets/docs/docs/documentation/installing-and-configuring/run-project/index.html +72 -72
  168. solace_agent_mesh/assets/docs/docs/documentation/installing-and-configuring/session-storage/index.html +251 -0
  169. solace_agent_mesh/assets/docs/docs/documentation/installing-and-configuring/user-feedback/index.html +88 -0
  170. solace_agent_mesh/assets/docs/docs/documentation/migrations/a2a-upgrade/a2a-gateway-upgrade-to-0.3.0/index.html +42 -42
  171. solace_agent_mesh/assets/docs/docs/documentation/migrations/a2a-upgrade/a2a-technical-migration-map/index.html +20 -20
  172. solace_agent_mesh/assets/docs/docs/documentation/migrations/platform-service-split/index.html +85 -0
  173. solace_agent_mesh/assets/docs/lunr-index-1768329217460.json +1 -0
  174. solace_agent_mesh/assets/docs/lunr-index.json +1 -1
  175. solace_agent_mesh/assets/docs/search-doc-1768329217460.json +1 -0
  176. solace_agent_mesh/assets/docs/search-doc.json +1 -1
  177. solace_agent_mesh/assets/docs/sitemap.xml +1 -1
  178. solace_agent_mesh/cli/__init__.py +1 -1
  179. solace_agent_mesh/cli/commands/add_cmd/__init__.py +3 -1
  180. solace_agent_mesh/cli/commands/add_cmd/agent_cmd.py +6 -1
  181. solace_agent_mesh/cli/commands/add_cmd/proxy_cmd.py +100 -0
  182. solace_agent_mesh/cli/commands/docs_cmd.py +4 -1
  183. solace_agent_mesh/cli/commands/eval_cmd.py +1 -1
  184. solace_agent_mesh/cli/commands/init_cmd/__init__.py +15 -0
  185. solace_agent_mesh/cli/commands/init_cmd/directory_step.py +1 -1
  186. solace_agent_mesh/cli/commands/init_cmd/env_step.py +30 -3
  187. solace_agent_mesh/cli/commands/init_cmd/orchestrator_step.py +3 -4
  188. solace_agent_mesh/cli/commands/init_cmd/platform_service_step.py +85 -0
  189. solace_agent_mesh/cli/commands/init_cmd/webui_gateway_step.py +16 -3
  190. solace_agent_mesh/cli/commands/plugin_cmd/add_cmd.py +2 -1
  191. solace_agent_mesh/cli/commands/plugin_cmd/catalog_cmd.py +1 -0
  192. solace_agent_mesh/cli/commands/plugin_cmd/create_cmd.py +3 -3
  193. solace_agent_mesh/cli/commands/run_cmd.py +64 -49
  194. solace_agent_mesh/cli/commands/tools_cmd.py +315 -0
  195. solace_agent_mesh/cli/main.py +15 -0
  196. solace_agent_mesh/client/webui/frontend/static/assets/{authCallback-BTf6dqwp.js → authCallback-KnKMP_vb.js} +1 -1
  197. solace_agent_mesh/client/webui/frontend/static/assets/client-DpBL2stg.js +25 -0
  198. solace_agent_mesh/client/webui/frontend/static/assets/main-Cd498TV2.js +435 -0
  199. solace_agent_mesh/client/webui/frontend/static/assets/main-rSf8Vu29.css +1 -0
  200. solace_agent_mesh/client/webui/frontend/static/assets/vendor-CGk8Suyh.js +565 -0
  201. solace_agent_mesh/client/webui/frontend/static/auth-callback.html +3 -3
  202. solace_agent_mesh/client/webui/frontend/static/index.html +4 -4
  203. solace_agent_mesh/client/webui/frontend/static/mockServiceWorker.js +336 -0
  204. solace_agent_mesh/client/webui/frontend/static/ui-version.json +6 -0
  205. solace_agent_mesh/common/a2a/events.py +2 -1
  206. solace_agent_mesh/common/a2a/protocol.py +5 -0
  207. solace_agent_mesh/common/a2a/types.py +2 -1
  208. solace_agent_mesh/common/a2a_spec/schemas/artifact_creation_progress.json +23 -6
  209. solace_agent_mesh/common/a2a_spec/schemas/feedback_event.json +51 -0
  210. solace_agent_mesh/common/agent_registry.py +38 -11
  211. solace_agent_mesh/common/data_parts.py +144 -4
  212. solace_agent_mesh/common/error_handlers.py +83 -0
  213. solace_agent_mesh/common/exceptions.py +24 -0
  214. solace_agent_mesh/common/oauth/__init__.py +17 -0
  215. solace_agent_mesh/common/oauth/oauth_client.py +408 -0
  216. solace_agent_mesh/common/oauth/utils.py +50 -0
  217. solace_agent_mesh/common/rag_dto.py +156 -0
  218. solace_agent_mesh/common/sac/sam_component_base.py +97 -19
  219. solace_agent_mesh/common/sam_events/event_service.py +2 -2
  220. solace_agent_mesh/common/services/employee_service.py +1 -1
  221. solace_agent_mesh/common/utils/embeds/constants.py +1 -0
  222. solace_agent_mesh/common/utils/embeds/converter.py +1 -8
  223. solace_agent_mesh/common/utils/embeds/modifiers.py +4 -28
  224. solace_agent_mesh/common/utils/embeds/resolver.py +152 -31
  225. solace_agent_mesh/common/utils/embeds/types.py +9 -0
  226. solace_agent_mesh/common/utils/log_formatters.py +20 -0
  227. solace_agent_mesh/common/utils/mime_helpers.py +12 -5
  228. solace_agent_mesh/common/utils/pydantic_utils.py +90 -3
  229. solace_agent_mesh/common/utils/rbac_utils.py +69 -0
  230. solace_agent_mesh/common/utils/templates/__init__.py +8 -0
  231. solace_agent_mesh/common/utils/templates/liquid_renderer.py +210 -0
  232. solace_agent_mesh/common/utils/templates/template_resolver.py +161 -0
  233. solace_agent_mesh/config_portal/backend/common.py +12 -0
  234. solace_agent_mesh/config_portal/frontend/static/client/assets/_index-CljP4_mv.js +103 -0
  235. solace_agent_mesh/config_portal/frontend/static/client/assets/{components-Rk0n-9cK.js → components-CaC6hG8d.js} +22 -22
  236. solace_agent_mesh/config_portal/frontend/static/client/assets/{entry.client-mvZjNKiz.js → entry.client-H_TM0YBt.js} +3 -3
  237. solace_agent_mesh/config_portal/frontend/static/client/assets/{index-DzNKzXrc.js → index-CnFykb2v.js} +16 -16
  238. solace_agent_mesh/config_portal/frontend/static/client/assets/manifest-f8439d40.js +1 -0
  239. solace_agent_mesh/config_portal/frontend/static/client/assets/root-BIMqslJB.css +1 -0
  240. solace_agent_mesh/config_portal/frontend/static/client/assets/root-mJmTIdIk.js +10 -0
  241. solace_agent_mesh/config_portal/frontend/static/client/index.html +3 -3
  242. solace_agent_mesh/core_a2a/service.py +3 -2
  243. solace_agent_mesh/gateway/adapter/__init__.py +1 -0
  244. solace_agent_mesh/gateway/adapter/base.py +170 -0
  245. solace_agent_mesh/gateway/adapter/types.py +230 -0
  246. solace_agent_mesh/gateway/base/app.py +39 -2
  247. solace_agent_mesh/gateway/base/auth_interface.py +103 -0
  248. solace_agent_mesh/gateway/base/component.py +1027 -151
  249. solace_agent_mesh/gateway/generic/__init__.py +1 -0
  250. solace_agent_mesh/gateway/generic/app.py +50 -0
  251. solace_agent_mesh/gateway/generic/component.py +894 -0
  252. solace_agent_mesh/gateway/http_sse/alembic/env.py +0 -7
  253. solace_agent_mesh/gateway/http_sse/alembic/versions/20251023_add_project_users_table.py +72 -0
  254. solace_agent_mesh/gateway/http_sse/alembic/versions/20251023_add_soft_delete_and_search.py +109 -0
  255. solace_agent_mesh/gateway/http_sse/alembic/versions/20251024_add_default_agent_to_projects.py +26 -0
  256. solace_agent_mesh/gateway/http_sse/alembic/versions/20251024_add_projects_table.py +135 -0
  257. solace_agent_mesh/gateway/http_sse/alembic/versions/20251108_create_prompt_tables_with_sharing.py +154 -0
  258. solace_agent_mesh/gateway/http_sse/alembic/versions/20251115_add_parent_task_id.py +32 -0
  259. solace_agent_mesh/gateway/http_sse/alembic/versions/20251126_add_background_task_fields.py +47 -0
  260. solace_agent_mesh/gateway/http_sse/alembic/versions/20251202_add_versioned_fields_to_prompts.py +52 -0
  261. solace_agent_mesh/gateway/http_sse/alembic.ini +0 -36
  262. solace_agent_mesh/gateway/http_sse/app.py +40 -11
  263. solace_agent_mesh/gateway/http_sse/component.py +285 -160
  264. solace_agent_mesh/gateway/http_sse/dependencies.py +149 -114
  265. solace_agent_mesh/gateway/http_sse/main.py +68 -450
  266. solace_agent_mesh/gateway/http_sse/repository/__init__.py +19 -1
  267. solace_agent_mesh/gateway/http_sse/repository/chat_task_repository.py +2 -2
  268. solace_agent_mesh/gateway/http_sse/repository/entities/project.py +81 -0
  269. solace_agent_mesh/gateway/http_sse/repository/entities/project_user.py +47 -0
  270. solace_agent_mesh/gateway/http_sse/repository/entities/session.py +26 -3
  271. solace_agent_mesh/gateway/http_sse/repository/entities/task.py +7 -0
  272. solace_agent_mesh/gateway/http_sse/repository/feedback_repository.py +47 -0
  273. solace_agent_mesh/gateway/http_sse/repository/interfaces.py +114 -6
  274. solace_agent_mesh/gateway/http_sse/repository/models/__init__.py +13 -0
  275. solace_agent_mesh/gateway/http_sse/repository/models/project_model.py +51 -0
  276. solace_agent_mesh/gateway/http_sse/repository/models/project_user_model.py +75 -0
  277. solace_agent_mesh/gateway/http_sse/repository/models/prompt_model.py +159 -0
  278. solace_agent_mesh/gateway/http_sse/repository/models/session_model.py +8 -2
  279. solace_agent_mesh/gateway/http_sse/repository/models/task_model.py +8 -1
  280. solace_agent_mesh/gateway/http_sse/repository/project_repository.py +172 -0
  281. solace_agent_mesh/gateway/http_sse/repository/project_user_repository.py +186 -0
  282. solace_agent_mesh/gateway/http_sse/repository/session_repository.py +177 -11
  283. solace_agent_mesh/gateway/http_sse/repository/task_repository.py +86 -2
  284. solace_agent_mesh/gateway/http_sse/routers/agent_cards.py +38 -7
  285. solace_agent_mesh/gateway/http_sse/routers/artifacts.py +256 -58
  286. solace_agent_mesh/gateway/http_sse/routers/auth.py +168 -134
  287. solace_agent_mesh/gateway/http_sse/routers/config.py +302 -8
  288. solace_agent_mesh/gateway/http_sse/routers/dto/project_dto.py +69 -0
  289. solace_agent_mesh/gateway/http_sse/routers/dto/prompt_dto.py +255 -0
  290. solace_agent_mesh/gateway/http_sse/routers/dto/requests/project_requests.py +48 -0
  291. solace_agent_mesh/gateway/http_sse/routers/dto/requests/session_requests.py +14 -1
  292. solace_agent_mesh/gateway/http_sse/routers/dto/responses/base_responses.py +1 -1
  293. solace_agent_mesh/gateway/http_sse/routers/dto/responses/project_responses.py +31 -0
  294. solace_agent_mesh/gateway/http_sse/routers/dto/responses/session_responses.py +5 -2
  295. solace_agent_mesh/gateway/http_sse/routers/dto/responses/version_responses.py +31 -0
  296. solace_agent_mesh/gateway/http_sse/routers/feedback.py +133 -2
  297. solace_agent_mesh/gateway/http_sse/routers/people.py +2 -2
  298. solace_agent_mesh/gateway/http_sse/routers/projects.py +768 -0
  299. solace_agent_mesh/gateway/http_sse/routers/prompts.py +1416 -0
  300. solace_agent_mesh/gateway/http_sse/routers/sessions.py +167 -7
  301. solace_agent_mesh/gateway/http_sse/routers/speech.py +355 -0
  302. solace_agent_mesh/gateway/http_sse/routers/sse.py +131 -8
  303. solace_agent_mesh/gateway/http_sse/routers/tasks.py +670 -18
  304. solace_agent_mesh/gateway/http_sse/routers/users.py +1 -1
  305. solace_agent_mesh/gateway/http_sse/routers/version.py +343 -0
  306. solace_agent_mesh/gateway/http_sse/routers/visualization.py +92 -9
  307. solace_agent_mesh/gateway/http_sse/services/audio_service.py +1227 -0
  308. solace_agent_mesh/gateway/http_sse/services/background_task_monitor.py +186 -0
  309. solace_agent_mesh/gateway/http_sse/services/data_retention_service.py +1 -1
  310. solace_agent_mesh/gateway/http_sse/services/feedback_service.py +1 -1
  311. solace_agent_mesh/gateway/http_sse/services/project_service.py +930 -0
  312. solace_agent_mesh/gateway/http_sse/services/prompt_builder_assistant.py +303 -0
  313. solace_agent_mesh/gateway/http_sse/services/session_service.py +361 -12
  314. solace_agent_mesh/gateway/http_sse/services/task_logger_service.py +354 -4
  315. solace_agent_mesh/gateway/http_sse/session_manager.py +15 -15
  316. solace_agent_mesh/gateway/http_sse/sse_manager.py +286 -166
  317. solace_agent_mesh/gateway/http_sse/utils/artifact_copy_utils.py +370 -0
  318. solace_agent_mesh/gateway/http_sse/utils/stim_utils.py +41 -1
  319. solace_agent_mesh/services/__init__.py +0 -0
  320. solace_agent_mesh/services/platform/__init__.py +29 -0
  321. solace_agent_mesh/services/platform/alembic/env.py +85 -0
  322. solace_agent_mesh/services/platform/alembic/script.py.mako +28 -0
  323. solace_agent_mesh/services/platform/alembic.ini +109 -0
  324. solace_agent_mesh/services/platform/api/__init__.py +3 -0
  325. solace_agent_mesh/services/platform/api/dependencies.py +154 -0
  326. solace_agent_mesh/services/platform/api/main.py +314 -0
  327. solace_agent_mesh/services/platform/api/middleware.py +51 -0
  328. solace_agent_mesh/services/platform/api/routers/__init__.py +33 -0
  329. solace_agent_mesh/services/platform/api/routers/health_router.py +31 -0
  330. solace_agent_mesh/services/platform/app.py +215 -0
  331. solace_agent_mesh/services/platform/component.py +777 -0
  332. solace_agent_mesh/shared/__init__.py +14 -0
  333. solace_agent_mesh/shared/api/__init__.py +42 -0
  334. solace_agent_mesh/shared/auth/__init__.py +26 -0
  335. solace_agent_mesh/shared/auth/dependencies.py +204 -0
  336. solace_agent_mesh/shared/auth/middleware.py +347 -0
  337. solace_agent_mesh/shared/database/__init__.py +20 -0
  338. solace_agent_mesh/{gateway/http_sse/shared → shared/database}/base_repository.py +1 -1
  339. solace_agent_mesh/{gateway/http_sse/shared → shared/database}/database_exceptions.py +1 -1
  340. solace_agent_mesh/{gateway/http_sse/shared → shared/database}/database_helpers.py +1 -1
  341. solace_agent_mesh/shared/exceptions/__init__.py +36 -0
  342. solace_agent_mesh/{gateway/http_sse/shared → shared/exceptions}/exception_handlers.py +19 -5
  343. solace_agent_mesh/shared/utils/__init__.py +21 -0
  344. solace_agent_mesh/templates/logging_config_template.yaml +48 -0
  345. solace_agent_mesh/templates/main_orchestrator.yaml +12 -1
  346. solace_agent_mesh/templates/platform.yaml +49 -0
  347. solace_agent_mesh/templates/plugin_readme_template.md +3 -25
  348. solace_agent_mesh/templates/plugin_tool_config_template.yaml +109 -0
  349. solace_agent_mesh/templates/proxy_template.yaml +62 -0
  350. solace_agent_mesh/templates/webui.yaml +148 -6
  351. solace_agent_mesh/tools/web_search/__init__.py +18 -0
  352. solace_agent_mesh/tools/web_search/base.py +84 -0
  353. solace_agent_mesh/tools/web_search/google_search.py +247 -0
  354. solace_agent_mesh/tools/web_search/models.py +99 -0
  355. {solace_agent_mesh-1.6.1.dist-info → solace_agent_mesh-1.13.2.dist-info}/METADATA +31 -12
  356. solace_agent_mesh-1.13.2.dist-info/RECORD +591 -0
  357. {solace_agent_mesh-1.6.1.dist-info → solace_agent_mesh-1.13.2.dist-info}/WHEEL +1 -1
  358. solace_agent_mesh/agent/adk/adk_llm.txt +0 -232
  359. solace_agent_mesh/agent/adk/adk_llm_detail.txt +0 -566
  360. solace_agent_mesh/agent/adk/artifacts/artifacts_llm.txt +0 -171
  361. solace_agent_mesh/agent/adk/models/models_llm.txt +0 -142
  362. solace_agent_mesh/agent/agent_llm.txt +0 -378
  363. solace_agent_mesh/agent/agent_llm_detail.txt +0 -1702
  364. solace_agent_mesh/agent/protocol/protocol_llm.txt +0 -81
  365. solace_agent_mesh/agent/protocol/protocol_llm_detail.txt +0 -92
  366. solace_agent_mesh/agent/sac/sac_llm.txt +0 -189
  367. solace_agent_mesh/agent/sac/sac_llm_detail.txt +0 -200
  368. solace_agent_mesh/agent/testing/testing_llm.txt +0 -57
  369. solace_agent_mesh/agent/testing/testing_llm_detail.txt +0 -68
  370. solace_agent_mesh/agent/tools/tools_llm.txt +0 -263
  371. solace_agent_mesh/agent/tools/tools_llm_detail.txt +0 -274
  372. solace_agent_mesh/agent/utils/utils_llm.txt +0 -138
  373. solace_agent_mesh/agent/utils/utils_llm_detail.txt +0 -149
  374. solace_agent_mesh/assets/docs/assets/js/15ba94aa.932dd2db.js +0 -1
  375. solace_agent_mesh/assets/docs/assets/js/17896441.a5e82f9b.js +0 -2
  376. solace_agent_mesh/assets/docs/assets/js/240a0364.7eac6021.js +0 -1
  377. solace_agent_mesh/assets/docs/assets/js/2e32b5e0.33f5d75b.js +0 -1
  378. solace_agent_mesh/assets/docs/assets/js/3a6c6137.f5940cfa.js +0 -1
  379. solace_agent_mesh/assets/docs/assets/js/3ac1795d.76654dd9.js +0 -1
  380. solace_agent_mesh/assets/docs/assets/js/3ff0015d.2be20244.js +0 -1
  381. solace_agent_mesh/assets/docs/assets/js/547e15cc.2cbb060a.js +0 -1
  382. solace_agent_mesh/assets/docs/assets/js/55b7b518.f2b1d1ba.js +0 -1
  383. solace_agent_mesh/assets/docs/assets/js/5c2bd65f.eda4bcb2.js +0 -1
  384. solace_agent_mesh/assets/docs/assets/js/631738c7.a8b1ef8b.js +0 -1
  385. solace_agent_mesh/assets/docs/assets/js/6a520c9d.ba015d81.js +0 -1
  386. solace_agent_mesh/assets/docs/assets/js/6ad8f0bd.f4b15f3b.js +0 -1
  387. solace_agent_mesh/assets/docs/assets/js/6d84eae0.4a5fbf39.js +0 -1
  388. solace_agent_mesh/assets/docs/assets/js/71da7b71.38583438.js +0 -1
  389. solace_agent_mesh/assets/docs/assets/js/8024126c.56e59919.js +0 -1
  390. solace_agent_mesh/assets/docs/assets/js/81a99df0.07034dd9.js +0 -1
  391. solace_agent_mesh/assets/docs/assets/js/82fbfb93.139a1a1f.js +0 -1
  392. solace_agent_mesh/assets/docs/assets/js/924ffdeb.8095e148.js +0 -1
  393. solace_agent_mesh/assets/docs/assets/js/94e8668d.b5ddb7a1.js +0 -1
  394. solace_agent_mesh/assets/docs/assets/js/9bb13469.dd1c9b54.js +0 -1
  395. solace_agent_mesh/assets/docs/assets/js/a94703ab.0438dbc2.js +0 -1
  396. solace_agent_mesh/assets/docs/assets/js/ab9708a8.3e6dd091.js +0 -1
  397. solace_agent_mesh/assets/docs/assets/js/c93cbaa0.eaff365e.js +0 -1
  398. solace_agent_mesh/assets/docs/assets/js/da0b5bad.d08a9466.js +0 -1
  399. solace_agent_mesh/assets/docs/assets/js/dd817ffc.0aa9630a.js +0 -1
  400. solace_agent_mesh/assets/docs/assets/js/dd81e2b8.d590bc9e.js +0 -1
  401. solace_agent_mesh/assets/docs/assets/js/de915948.27d6b065.js +0 -1
  402. solace_agent_mesh/assets/docs/assets/js/e3d9abda.6b9493d0.js +0 -1
  403. solace_agent_mesh/assets/docs/assets/js/e6f9706b.e74a984d.js +0 -1
  404. solace_agent_mesh/assets/docs/assets/js/e92d0134.cf6d6522.js +0 -1
  405. solace_agent_mesh/assets/docs/assets/js/f284c35a.42f59cdd.js +0 -1
  406. solace_agent_mesh/assets/docs/assets/js/ff4d71f2.15b02f97.js +0 -1
  407. solace_agent_mesh/assets/docs/assets/js/main.b12eac43.js +0 -2
  408. solace_agent_mesh/assets/docs/assets/js/runtime~main.e268214e.js +0 -1
  409. solace_agent_mesh/assets/docs/lunr-index-1761248203150.json +0 -1
  410. solace_agent_mesh/assets/docs/search-doc-1761248203150.json +0 -1
  411. solace_agent_mesh/cli/commands/add_cmd/add_cmd_llm.txt +0 -250
  412. solace_agent_mesh/cli/commands/init_cmd/init_cmd_llm.txt +0 -365
  413. solace_agent_mesh/cli/commands/plugin_cmd/plugin_cmd_llm.txt +0 -305
  414. solace_agent_mesh/client/webui/frontend/static/assets/client-CaY59VuC.js +0 -25
  415. solace_agent_mesh/client/webui/frontend/static/assets/main-B32noGmR.js +0 -342
  416. solace_agent_mesh/client/webui/frontend/static/assets/main-DHJKSW1S.css +0 -1
  417. solace_agent_mesh/client/webui/frontend/static/assets/vendor-BEmvJSYz.js +0 -405
  418. solace_agent_mesh/common/a2a/a2a_llm.txt +0 -182
  419. solace_agent_mesh/common/a2a/a2a_llm_detail.txt +0 -193
  420. solace_agent_mesh/common/a2a_spec/a2a_spec_llm.txt +0 -407
  421. solace_agent_mesh/common/a2a_spec/a2a_spec_llm_detail.txt +0 -736
  422. solace_agent_mesh/common/a2a_spec/schemas/schemas_llm.txt +0 -313
  423. solace_agent_mesh/common/common_llm.txt +0 -251
  424. solace_agent_mesh/common/common_llm_detail.txt +0 -2562
  425. solace_agent_mesh/common/middleware/middleware_llm.txt +0 -174
  426. solace_agent_mesh/common/middleware/middleware_llm_detail.txt +0 -185
  427. solace_agent_mesh/common/sac/sac_llm.txt +0 -71
  428. solace_agent_mesh/common/sac/sac_llm_detail.txt +0 -82
  429. solace_agent_mesh/common/sam_events/sam_events_llm.txt +0 -104
  430. solace_agent_mesh/common/sam_events/sam_events_llm_detail.txt +0 -115
  431. solace_agent_mesh/common/services/providers/providers_llm.txt +0 -80
  432. solace_agent_mesh/common/services/services_llm.txt +0 -363
  433. solace_agent_mesh/common/services/services_llm_detail.txt +0 -459
  434. solace_agent_mesh/common/utils/embeds/embeds_llm.txt +0 -220
  435. solace_agent_mesh/common/utils/utils_llm.txt +0 -336
  436. solace_agent_mesh/common/utils/utils_llm_detail.txt +0 -572
  437. solace_agent_mesh/config_portal/frontend/static/client/assets/_index-ByU1X1HD.js +0 -98
  438. solace_agent_mesh/config_portal/frontend/static/client/assets/manifest-61038fc6.js +0 -1
  439. solace_agent_mesh/config_portal/frontend/static/client/assets/root-BWvk5-gF.js +0 -10
  440. solace_agent_mesh/config_portal/frontend/static/client/assets/root-DxRwaWiE.css +0 -1
  441. solace_agent_mesh/core_a2a/core_a2a_llm.txt +0 -90
  442. solace_agent_mesh/core_a2a/core_a2a_llm_detail.txt +0 -101
  443. solace_agent_mesh/gateway/base/base_llm.txt +0 -224
  444. solace_agent_mesh/gateway/base/base_llm_detail.txt +0 -235
  445. solace_agent_mesh/gateway/gateway_llm.txt +0 -373
  446. solace_agent_mesh/gateway/gateway_llm_detail.txt +0 -3885
  447. solace_agent_mesh/gateway/http_sse/alembic/alembic_llm.txt +0 -295
  448. solace_agent_mesh/gateway/http_sse/alembic/versions/versions_llm.txt +0 -155
  449. solace_agent_mesh/gateway/http_sse/components/components_llm.txt +0 -105
  450. solace_agent_mesh/gateway/http_sse/http_sse_llm.txt +0 -299
  451. solace_agent_mesh/gateway/http_sse/http_sse_llm_detail.txt +0 -3278
  452. solace_agent_mesh/gateway/http_sse/repository/entities/entities_llm.txt +0 -263
  453. solace_agent_mesh/gateway/http_sse/repository/models/models_llm.txt +0 -266
  454. solace_agent_mesh/gateway/http_sse/repository/repository_llm.txt +0 -340
  455. solace_agent_mesh/gateway/http_sse/routers/dto/dto_llm.txt +0 -346
  456. solace_agent_mesh/gateway/http_sse/routers/dto/requests/requests_llm.txt +0 -83
  457. solace_agent_mesh/gateway/http_sse/routers/dto/responses/responses_llm.txt +0 -107
  458. solace_agent_mesh/gateway/http_sse/routers/routers_llm.txt +0 -314
  459. solace_agent_mesh/gateway/http_sse/services/services_llm.txt +0 -297
  460. solace_agent_mesh/gateway/http_sse/shared/__init__.py +0 -146
  461. solace_agent_mesh/gateway/http_sse/shared/shared_llm.txt +0 -285
  462. solace_agent_mesh/gateway/http_sse/utils/utils_llm.txt +0 -47
  463. solace_agent_mesh/llm.txt +0 -228
  464. solace_agent_mesh/llm_detail.txt +0 -2835
  465. solace_agent_mesh/solace_agent_mesh_llm.txt +0 -362
  466. solace_agent_mesh/solace_agent_mesh_llm_detail.txt +0 -8599
  467. solace_agent_mesh/templates/logging_config_template.ini +0 -45
  468. solace_agent_mesh/templates/templates_llm.txt +0 -147
  469. solace_agent_mesh-1.6.1.dist-info/RECORD +0 -525
  470. /solace_agent_mesh/assets/docs/assets/js/{main.b12eac43.js.LICENSE.txt → main.d634009f.js.LICENSE.txt} +0 -0
  471. /solace_agent_mesh/{gateway/http_sse/shared → shared/api}/auth_utils.py +0 -0
  472. /solace_agent_mesh/{gateway/http_sse/shared → shared/api}/pagination.py +0 -0
  473. /solace_agent_mesh/{gateway/http_sse/shared → shared/api}/response_utils.py +0 -0
  474. /solace_agent_mesh/{gateway/http_sse/shared → shared/exceptions}/error_dto.py +0 -0
  475. /solace_agent_mesh/{gateway/http_sse/shared → shared/exceptions}/exceptions.py +0 -0
  476. /solace_agent_mesh/{gateway/http_sse/shared → shared/utils}/enums.py +0 -0
  477. /solace_agent_mesh/{gateway/http_sse/shared → shared/utils}/timestamp_utils.py +0 -0
  478. /solace_agent_mesh/{gateway/http_sse/shared → shared/utils}/types.py +0 -0
  479. /solace_agent_mesh/{gateway/http_sse/shared → shared/utils}/utils.py +0 -0
  480. {solace_agent_mesh-1.6.1.dist-info → solace_agent_mesh-1.13.2.dist-info}/entry_points.txt +0 -0
  481. {solace_agent_mesh-1.6.1.dist-info → solace_agent_mesh-1.13.2.dist-info}/licenses/LICENSE +0 -0
@@ -0,0 +1,440 @@
1
+ <!doctype html>
2
+ <html lang="en" dir="ltr" class="docs-wrapper plugin-docs plugin-id-default docs-version-current docs-doc-page docs-doc-id-documentation/enterprise/secure-user-delegated-access" data-has-hydrated="false">
3
+ <head>
4
+ <meta charset="UTF-8">
5
+ <meta name="generator" content="Docusaurus v3.9.2">
6
+ <title data-rh="true">Secure User Delegated Access | Solace Agent Mesh</title><meta data-rh="true" name="viewport" content="width=device-width,initial-scale=1"><meta data-rh="true" name="twitter:card" content="summary_large_image"><meta data-rh="true" property="og:image" content="https://solacelabs.github.io/solace-agent-mesh/img/logo.png"><meta data-rh="true" name="twitter:image" content="https://solacelabs.github.io/solace-agent-mesh/img/logo.png"><meta data-rh="true" property="og:url" content="https://solacelabs.github.io/solace-agent-mesh/docs/documentation/enterprise/secure-user-delegated-access"><meta data-rh="true" property="og:locale" content="en"><meta data-rh="true" name="docusaurus_locale" content="en"><meta data-rh="true" name="docsearch:language" content="en"><meta data-rh="true" name="docusaurus_version" content="current"><meta data-rh="true" name="docusaurus_tag" content="docs-default-current"><meta data-rh="true" name="docsearch:version" content="current"><meta data-rh="true" name="docsearch:docusaurus_tag" content="docs-default-current"><meta data-rh="true" property="og:title" content="Secure User Delegated Access | Solace Agent Mesh"><meta data-rh="true" name="description" content="This guide walks you through configuring Secure User Delegated Access for Agent Mesh Enterprise. You will learn how to enable users to authenticate with remote MCP tools using their own credentials through OAuth2, providing enhanced security and user-specific access control."><meta data-rh="true" property="og:description" content="This guide walks you through configuring Secure User Delegated Access for Agent Mesh Enterprise. 
You will learn how to enable users to authenticate with remote MCP tools using their own credentials through OAuth2, providing enhanced security and user-specific access control."><link data-rh="true" rel="icon" href="/solace-agent-mesh/img/logo.png"><link data-rh="true" rel="canonical" href="https://solacelabs.github.io/solace-agent-mesh/docs/documentation/enterprise/secure-user-delegated-access"><link data-rh="true" rel="alternate" href="https://solacelabs.github.io/solace-agent-mesh/docs/documentation/enterprise/secure-user-delegated-access" hreflang="en"><link data-rh="true" rel="alternate" href="https://solacelabs.github.io/solace-agent-mesh/docs/documentation/enterprise/secure-user-delegated-access" hreflang="x-default"><script data-rh="true" type="application/ld+json">{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Agent Mesh Enterprise","item":"https://solacelabs.github.io/solace-agent-mesh/docs/documentation/enterprise/"},{"@type":"ListItem","position":2,"name":"Secure User Delegated Access","item":"https://solacelabs.github.io/solace-agent-mesh/docs/documentation/enterprise/secure-user-delegated-access"}]}</script><link rel="stylesheet" href="/solace-agent-mesh/assets/css/styles.8162edfb.css">
7
+ <script src="/solace-agent-mesh/assets/js/runtime~main.27bb82a7.js" defer="defer"></script>
8
+ <script src="/solace-agent-mesh/assets/js/main.d634009f.js" defer="defer"></script>
9
+ </head>
10
+ <body class="navigation-with-keyboard">
11
+ <svg style="display: none;"><defs>
12
+ <symbol id="theme-svg-external-link" viewBox="0 0 24 24"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"/></symbol>
13
+ </defs></svg>
14
+ <script>!function(){var t=function(){try{return new URLSearchParams(window.location.search).get("docusaurus-theme")}catch(t){}}()||function(){try{return window.localStorage.getItem("theme")}catch(t){}}();document.documentElement.setAttribute("data-theme",t||(window.matchMedia("(prefers-color-scheme: dark)").matches?"dark":"light")),document.documentElement.setAttribute("data-theme-choice",t||"system")}(),function(){try{const c=new URLSearchParams(window.location.search).entries();for(var[t,e]of c)if(t.startsWith("docusaurus-data-")){var a=t.replace("docusaurus-data-","data-");document.documentElement.setAttribute(a,e)}}catch(t){}}()</script><div id="__docusaurus"><link rel="preload" as="image" href="/solace-agent-mesh/img/logo.png"><link rel="preload" as="image" href="/solace-agent-mesh/img/solace-logo.png"><div role="region" aria-label="Skip to main content"><a class="skipToContent_fXgn" href="#__docusaurus_skipToContent_fallback">Skip to main content</a></div><nav aria-label="Main" class="theme-layout-navbar navbar navbar--fixed-top"><div class="navbar__inner"><div class="theme-layout-navbar-left navbar__items"><button aria-label="Toggle navigation bar" aria-expanded="false" class="navbar__toggle clean-btn" type="button"><svg width="30" height="30" viewBox="0 0 30 30" aria-hidden="true"><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><a class="navbar__brand" href="/solace-agent-mesh/docs/documentation/getting-started"><div class="navbar__logo"><img src="/solace-agent-mesh/img/logo.png" alt="Solace Agent Mesh Logo" class="themedComponent_mlkZ themedComponent--light_NVdE"><img src="/solace-agent-mesh/img/logo.png" alt="Solace Agent Mesh Logo" class="themedComponent_mlkZ themedComponent--dark_xIcU"></div><b class="navbar__title text--truncate">Solace Agent Mesh</b></a><a aria-current="page" class="navbar__item navbar__link navbar__link--active" 
href="/solace-agent-mesh/docs/documentation/getting-started/">Documentation</a></div><div class="theme-layout-navbar-right navbar__items navbar__items--right"><a href="https://github.com/SolaceLabs/solace-agent-mesh/" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link">GitHub<svg width="13.5" height="13.5" aria-label="(opens in new tab)" class="iconExternalLink_nPIU"><use href="#theme-svg-external-link"></use></svg></a><div class="toggle_vylO colorModeToggle_DEke"><button class="clean-btn toggleButton_gllP toggleButtonDisabled_aARS" type="button" disabled="" title="system mode" aria-label="Switch between dark and light mode (currently system mode)"><svg viewBox="0 0 24 24" width="24" height="24" aria-hidden="true" class="toggleIcon_g3eP lightToggleIcon_pyhR"><path fill="currentColor" d="M12,9c1.65,0,3,1.35,3,3s-1.35,3-3,3s-3-1.35-3-3S10.35,9,12,9 M12,7c-2.76,0-5,2.24-5,5s2.24,5,5,5s5-2.24,5-5 S14.76,7,12,7L12,7z M2,13l2,0c0.55,0,1-0.45,1-1s-0.45-1-1-1l-2,0c-0.55,0-1,0.45-1,1S1.45,13,2,13z M20,13l2,0c0.55,0,1-0.45,1-1 s-0.45-1-1-1l-2,0c-0.55,0-1,0.45-1,1S19.45,13,20,13z M11,2v2c0,0.55,0.45,1,1,1s1-0.45,1-1V2c0-0.55-0.45-1-1-1S11,1.45,11,2z M11,20v2c0,0.55,0.45,1,1,1s1-0.45,1-1v-2c0-0.55-0.45-1-1-1C11.45,19,11,19.45,11,20z M5.99,4.58c-0.39-0.39-1.03-0.39-1.41,0 c-0.39,0.39-0.39,1.03,0,1.41l1.06,1.06c0.39,0.39,1.03,0.39,1.41,0s0.39-1.03,0-1.41L5.99,4.58z M18.36,16.95 c-0.39-0.39-1.03-0.39-1.41,0c-0.39,0.39-0.39,1.03,0,1.41l1.06,1.06c0.39,0.39,1.03,0.39,1.41,0c0.39-0.39,0.39-1.03,0-1.41 L18.36,16.95z M19.42,5.99c0.39-0.39,0.39-1.03,0-1.41c-0.39-0.39-1.03-0.39-1.41,0l-1.06,1.06c-0.39,0.39-0.39,1.03,0,1.41 s1.03,0.39,1.41,0L19.42,5.99z M7.05,18.36c0.39-0.39,0.39-1.03,0-1.41c-0.39-0.39-1.03-0.39-1.41,0l-1.06,1.06 c-0.39,0.39-0.39,1.03,0,1.41s1.03,0.39,1.41,0L7.05,18.36z"></path></svg><svg viewBox="0 0 24 24" width="24" height="24" aria-hidden="true" class="toggleIcon_g3eP darkToggleIcon_wfgR"><path fill="currentColor" 
d="M9.37,5.51C9.19,6.15,9.1,6.82,9.1,7.5c0,4.08,3.32,7.4,7.4,7.4c0.68,0,1.35-0.09,1.99-0.27C17.45,17.19,14.93,19,12,19 c-3.86,0-7-3.14-7-7C5,9.07,6.81,6.55,9.37,5.51z M12,3c-4.97,0-9,4.03-9,9s4.03,9,9,9s9-4.03,9-9c0-0.46-0.04-0.92-0.1-1.36 c-0.98,1.37-2.58,2.26-4.4,2.26c-2.98,0-5.4-2.42-5.4-5.4c0-1.81,0.89-3.42,2.26-4.4C12.92,3.04,12.46,3,12,3L12,3z"></path></svg><svg viewBox="0 0 24 24" width="24" height="24" aria-hidden="true" class="toggleIcon_g3eP systemToggleIcon_QzmC"><path fill="currentColor" d="m12 21c4.971 0 9-4.029 9-9s-4.029-9-9-9-9 4.029-9 9 4.029 9 9 9zm4.95-13.95c1.313 1.313 2.05 3.093 2.05 4.95s-0.738 3.637-2.05 4.95c-1.313 1.313-3.093 2.05-4.95 2.05v-14c1.857 0 3.637 0.737 4.95 2.05z"></path></svg></button></div><div class="navbarSearchContainer_Bca1"><div class="navbar__search"><span aria-label="expand searchbar" role="button" class="search-icon" tabindex="0"></span><input id="search_input_react" type="search" placeholder="Loading..." aria-label="Search" class="navbar__search-input search-bar" disabled=""></div></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div></nav><div id="__docusaurus_skipToContent_fallback" class="theme-layout-main main-wrapper mainWrapper_z2l0"><div class="docsWrapper_hBAB"><button aria-label="Scroll back to top" class="clean-btn theme-back-to-top-button backToTopButton_sjWU" type="button"></button><div class="docRoot_UBD9"><aside class="theme-doc-sidebar-container docSidebarContainer_YfHR"><div class="sidebarViewport_aRkj"><div class="sidebar_njMd"><nav aria-label="Docs sidebar" class="menu thin-scrollbar menu_SIkG"><ul class="theme-doc-sidebar-menu menu__list"><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item"><div class="menu__list-item-collapsible"><a class="categoryLink_byQd menu__link menu__link--sublist" href="/solace-agent-mesh/docs/documentation/getting-started/"><span title="Getting Started" class="categoryLinkLabel_W154">Getting 
Started</span></a><button aria-label="Collapse sidebar category &#x27;Getting Started&#x27;" aria-expanded="true" type="button" class="clean-btn menu__caret"></button></div><ul class="menu__list"><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/solace-agent-mesh/docs/documentation/getting-started/introduction"><span title="What is Agent Mesh?" class="linkLabel_WmDU">What is Agent Mesh?</span></a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/solace-agent-mesh/docs/documentation/getting-started/try-agent-mesh"><span title="Try Agent Mesh" class="linkLabel_WmDU">Try Agent Mesh</span></a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/solace-agent-mesh/docs/documentation/getting-started/architecture"><span title="Architecture Overview" class="linkLabel_WmDU">Architecture Overview</span></a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/solace-agent-mesh/docs/documentation/getting-started/vibe_coding"><span title="Vibe Coding" class="linkLabel_WmDU">Vibe Coding</span></a></li></ul></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="categoryLink_byQd menu__link menu__link--sublist" href="/solace-agent-mesh/docs/documentation/components/"><span title="Components" class="categoryLinkLabel_W154">Components</span></a><button aria-label="Expand sidebar category &#x27;Components&#x27;" aria-expanded="false" type="button" class="clean-btn menu__caret"></button></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item 
menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="categoryLink_byQd menu__link menu__link--sublist" href="/solace-agent-mesh/docs/documentation/installing-and-configuring/"><span title="Installing and Configuring Agent Mesh" class="categoryLinkLabel_W154">Installing and Configuring Agent Mesh</span></a><button aria-label="Expand sidebar category &#x27;Installing and Configuring Agent Mesh&#x27;" aria-expanded="false" type="button" class="clean-btn menu__caret"></button></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="categoryLink_byQd menu__link menu__link--sublist" href="/solace-agent-mesh/docs/documentation/developing/"><span title="Developing with Agent Mesh" class="categoryLinkLabel_W154">Developing with Agent Mesh</span></a><button aria-label="Expand sidebar category &#x27;Developing with Agent Mesh&#x27;" aria-expanded="false" type="button" class="clean-btn menu__caret"></button></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="categoryLink_byQd menu__link menu__link--sublist" href="/solace-agent-mesh/docs/documentation/deploying/"><span title="Deploying Agent Mesh" class="categoryLinkLabel_W154">Deploying Agent Mesh</span></a><button aria-label="Expand sidebar category &#x27;Deploying Agent Mesh&#x27;" aria-expanded="false" type="button" class="clean-btn menu__caret"></button></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="categoryLink_byQd menu__link menu__link--sublist menu__link--sublist-caret" role="button" aria-expanded="false" href="/solace-agent-mesh/docs/documentation/migrations/platform-service-split"><span 
title="Migrations" class="categoryLinkLabel_W154">Migrations</span></a></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item"><div class="menu__list-item-collapsible"><a class="categoryLink_byQd menu__link menu__link--sublist menu__link--active" href="/solace-agent-mesh/docs/documentation/enterprise/"><span title="Agent Mesh Enterprise" class="categoryLinkLabel_W154">Agent Mesh Enterprise</span></a><button aria-label="Collapse sidebar category &#x27;Agent Mesh Enterprise&#x27;" aria-expanded="true" type="button" class="clean-btn menu__caret"></button></div><ul class="menu__list"><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/solace-agent-mesh/docs/documentation/enterprise/installation"><span title="Installing Agent Mesh Enterprise" class="linkLabel_WmDU">Installing Agent Mesh Enterprise</span></a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/solace-agent-mesh/docs/documentation/enterprise/wheel-installation"><span title="Running from Wheel File" class="linkLabel_WmDU">Running from Wheel File</span></a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/solace-agent-mesh/docs/documentation/enterprise/agent-builder"><span title="Agent Builder" class="linkLabel_WmDU">Agent Builder</span></a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/solace-agent-mesh/docs/documentation/enterprise/connectors/"><span title="Connectors" class="linkLabel_WmDU">Connectors</span></a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" 
href="/solace-agent-mesh/docs/documentation/enterprise/rbac-setup-guide"><span title="Setting Up RBAC" class="linkLabel_WmDU">Setting Up RBAC</span></a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/solace-agent-mesh/docs/documentation/enterprise/single-sign-on"><span title="Enabling SSO" class="linkLabel_WmDU">Enabling SSO</span></a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link menu__link--active" aria-current="page" tabindex="0" href="/solace-agent-mesh/docs/documentation/enterprise/secure-user-delegated-access"><span title="Secure User Delegated Access" class="linkLabel_WmDU">Secure User Delegated Access</span></a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/solace-agent-mesh/docs/documentation/enterprise/openapi-tools"><span title="OpenAPI Tools" class="linkLabel_WmDU">OpenAPI Tools</span></a></li></ul></li></ul></nav></div></div></aside><main class="docMainContainer_TBSr"><div class="container padding-top--md padding-bottom--lg"><div class="row"><div class="col docItemCol_VOVn"><div class="docItemContainer_Djhp"><article><nav class="theme-doc-breadcrumbs breadcrumbsContainer_Z_bl" aria-label="Breadcrumbs"><ul class="breadcrumbs"><li class="breadcrumbs__item"><a class="breadcrumbs__link" href="/solace-agent-mesh/docs/documentation/enterprise/"><span>Agent Mesh Enterprise</span></a></li><li class="breadcrumbs__item breadcrumbs__item--active"><span class="breadcrumbs__link">Secure User Delegated Access</span></li></ul></nav><div class="tocCollapsible_ETCw theme-doc-toc-mobile tocMobile_ITEo"><button type="button" class="clean-btn tocCollapsibleButton_TO0P">On this page</button></div><div class="theme-doc-markdown markdown"><header><h1>Secure User Delegated Access</h1></header><p>This guide walks you through 
configuring Secure User Delegated Access for Agent Mesh Enterprise. You will learn how to enable users to authenticate with remote MCP tools using their own credentials through OAuth2, providing enhanced security and user-specific access control.</p>
15
+ <h2 class="anchor anchorTargetStickyNavbar_Vzrq" id="table-of-contents">Table of Contents<a href="#table-of-contents" class="hash-link" aria-label="Direct link to Table of Contents" title="Direct link to Table of Contents" translate="no">​</a></h2>
16
+ <ul>
17
+ <li class=""><a href="#overview" class="">Overview</a></li>
18
+ <li class=""><a href="#understanding-secure-user-delegated-access" class="">Understanding Secure User Delegated Access</a></li>
19
+ <li class=""><a href="#prerequisites" class="">Prerequisites</a></li>
20
+ <li class=""><a href="#configuration-steps" class="">Configuration Steps</a></li>
21
+ <li class=""><a href="#security-considerations" class="">Security Considerations</a></li>
22
+ <li class=""><a href="#best-practices" class="">Best Practices</a></li>
23
+ <li class=""><a href="#troubleshooting" class="">Troubleshooting</a></li>
24
+ </ul>
25
+ <h2 class="anchor anchorTargetStickyNavbar_Vzrq" id="overview">Overview<a href="#overview" class="hash-link" aria-label="Direct link to Overview" title="Direct link to Overview" translate="no">​</a></h2>
26
+ <p>Secure User Delegated Access allows users to interact with remote MCP (Model Context Protocol) tools using their own credentials rather than shared service credentials. When a user needs to access a remote MCP tool configured in an agent, they complete an OAuth2 authentication flow with the MCP provider&#x27;s authorization server. This provides user-specific credentials that are securely stored and managed by Agent Mesh Enterprise.</p>
27
+ <h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="why-use-secure-user-delegated-access">Why Use Secure User Delegated Access<a href="#why-use-secure-user-delegated-access" class="hash-link" aria-label="Direct link to Why Use Secure User Delegated Access" title="Direct link to Why Use Secure User Delegated Access" translate="no">​</a></h3>
28
+ <p>This feature provides several important benefits for enterprise deployments:</p>
29
+ <p><strong>Enhanced Security</strong>: Each user authenticates with their own credentials, eliminating shared service accounts and reducing the blast radius of compromised credentials. All API calls to remote services are made in the context of the authenticated user.</p>
30
+ <p><strong>Audit and Compliance</strong>: User-specific credentials create clear audit trails showing exactly which user performed which actions. This is essential for compliance requirements and security investigations.</p>
31
+ <p><strong>Fine-Grained Access Control</strong>: MCP providers can enforce their own access policies based on the authenticated user&#x27;s permissions. Users only access resources they are authorized to use within the remote service.</p>
32
+ <p><strong>Credential Lifecycle Management</strong>: User credentials can be individually revoked at the MCP provider level without affecting other users. This simplifies offboarding and incident response.</p>
33
+ <h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="supported-mcp-providers">Supported MCP Providers<a href="#supported-mcp-providers" class="hash-link" aria-label="Direct link to Supported MCP Providers" title="Direct link to Supported MCP Providers" translate="no">​</a></h3>
34
+ <p>Agent Mesh Enterprise supports remote MCP servers that implement the OAuth2.1 authentication flow. The following providers have been tested and validated:</p>
35
+ <ul>
36
+ <li class=""><strong>Atlassian MCP Server</strong>: Access Jira, Confluence, and other Atlassian services</li>
37
+ <li class=""><strong>Stripe MCP Server</strong>: Interact with Stripe payment and billing APIs</li>
38
+ <li class=""><strong>Cloudflare MCP Server</strong>: Manage Cloudflare resources and configurations</li>
39
+ <li class=""><strong>Canva MCP Server</strong>: Access Canva design and content APIs</li>
40
+ </ul>
41
+ <p>The feature works with both SSE (Server-Sent Events) and HTTP streaming remote MCP server types.</p>
42
+ <h2 class="anchor anchorTargetStickyNavbar_Vzrq" id="understanding-secure-user-delegated-access">Understanding Secure User Delegated Access<a href="#understanding-secure-user-delegated-access" class="hash-link" aria-label="Direct link to Understanding Secure User Delegated Access" title="Direct link to Understanding Secure User Delegated Access" translate="no">​</a></h2>
43
+ <p>Before you configure this feature, you need to understand how it works and how credentials flow through the system.</p>
44
+ <h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="how-the-oauth2-flow-works">How the OAuth2 Flow Works<a href="#how-the-oauth2-flow-works" class="hash-link" aria-label="Direct link to How the OAuth2 Flow Works" title="Direct link to How the OAuth2 Flow Works" translate="no">​</a></h3>
45
+ <p>When a user attempts to use an MCP tool that requires OAuth2 authentication, Agent Mesh Enterprise initiates the following flow:</p>
46
+ <ol>
47
+ <li class="">
48
+ <p><strong>Authentication Challenge</strong>: The user&#x27;s request triggers an authentication check. If no valid credentials exist for this user and MCP tool combination, the system prompts the user to authenticate.</p>
49
+ </li>
50
+ <li class="">
51
+ <p><strong>OAuth2 Authorization</strong>: The user is redirected to the MCP provider&#x27;s authorization server (for example, Atlassian or Stripe). The user logs in using their credentials for that service and grants permission for Agent Mesh Enterprise to access their resources.</p>
52
+ </li>
53
+ <li class="">
54
+ <p><strong>Authorization Code Exchange</strong>: After successful authentication, the provider redirects back to Agent Mesh Enterprise with an authorization code. The system exchanges this code for access tokens at the provider&#x27;s token endpoint.</p>
55
+ </li>
56
+ <li class="">
57
+ <p><strong>Credential Storage</strong>: Agent Mesh Enterprise stores the access token (and refresh token if provided) in the credential service. Credentials are encrypted at rest (when using a database) and isolated per agent, user, and MCP tool.</p>
58
+ </li>
59
+ <li class="">
60
+ <p><strong>Authenticated Requests</strong>: Subsequent requests to the MCP tool use the stored credentials automatically. The user does not need to re-authenticate unless credentials expire or are revoked.</p>
61
+ </li>
62
+ <li class="">
63
+ <p><strong>Token Refresh</strong>: If the MCP provider supports refresh tokens and an access token expires, Agent Mesh Enterprise automatically obtains a new access token without requiring user interaction.</p>
64
+ </li>
65
+ </ol>
66
+ <p>From an administrator&#x27;s perspective, this flow is transparent once configured. Users experience a one-time authentication prompt per MCP tool, after which their access works seamlessly.</p>
67
+ <h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="credential-storage">Credential Storage<a href="#credential-storage" class="hash-link" aria-label="Direct link to Credential Storage" title="Direct link to Credential Storage" translate="no">​</a></h3>
68
+ <p>Agent Mesh Enterprise manages user credentials through a dedicated credential service with several important characteristics:</p>
69
+ <p><strong>Encryption at Rest</strong>: When using database persistence, all stored credentials are automatically encrypted using the agent&#x27;s unique identifier as the encryption key. This ensures that credentials cannot be used if extracted from database storage. Memory-based storage does not persist credentials to disk.</p>
70
+ <p><strong>Multi-Tenant Isolation</strong>: Credentials are scoped to the combination of agent ID, user identity, and MCP tool. Credentials for one agent cannot be accessed by another agent, even for the same user and tool. This provides strong isolation in multi-tenant deployments.</p>
71
+ <p><strong>Configurable Expiration</strong>: You can configure a time-to-live (TTL) for stored credentials. After the TTL expires, Agent Mesh Enterprise removes credentials from storage, requiring users to re-authenticate. This reduces the risk of long-lived credential compromise.</p>
72
+ <p><strong>Persistence Options</strong>: Credentials can be stored in memory (for development or ephemeral deployments) or in a database (for production deployments where credentials should survive agent restarts).</p>
73
+ <h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="credential-lifecycle">Credential Lifecycle<a href="#credential-lifecycle" class="hash-link" aria-label="Direct link to Credential Lifecycle" title="Direct link to Credential Lifecycle" translate="no">​</a></h3>
74
+ <p>Understanding the credential lifecycle helps you plan operational procedures:</p>
75
+ <ol>
76
+ <li class="">
77
+ <p><strong>Acquisition</strong>: Credentials are acquired when a user first authenticates with an MCP provider through the OAuth2 flow.</p>
78
+ </li>
79
+ <li class="">
80
+ <p><strong>Active Use</strong>: Stored credentials are used automatically for all subsequent requests to that MCP tool by that user.</p>
81
+ </li>
82
+ <li class="">
83
+ <p><strong>Expiration</strong>: Credentials expire either through TTL timeout (configured by you) or token expiration (set by the MCP provider). Agent Mesh Enterprise attempts to refresh expired tokens if refresh tokens are available.</p>
84
+ </li>
85
+ <li class="">
86
+ <p><strong>Revocation</strong>: Users or administrators can revoke credentials at the MCP provider level. When Agent Mesh Enterprise attempts to use revoked credentials, the request fails and the user must re-authenticate.</p>
87
+ </li>
88
+ <li class="">
89
+ <p><strong>Deletion</strong>: Credentials are marked as deleted when they expire (TTL timeout), but are retained in the persistence layer for audit purposes. With memory storage, credentials are removed from storage when the agent is restarted.</p>
90
+ </li>
91
+ </ol>
92
+ <h2 class="anchor anchorTargetStickyNavbar_Vzrq" id="prerequisites">Prerequisites<a href="#prerequisites" class="hash-link" aria-label="Direct link to Prerequisites" title="Direct link to Prerequisites" translate="no">​</a></h2>
93
+ <p>Before you configure Secure User Delegated Access, ensure you have the following in place:</p>
94
+ <h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="mcp-provider-access">MCP Provider Access<a href="#mcp-provider-access" class="hash-link" aria-label="Direct link to MCP Provider Access" title="Direct link to MCP Provider Access" translate="no">​</a></h3>
95
+ <p>Some MCP providers require administrative access to authorize Agent Mesh Enterprise before users can authenticate. The requirements vary by provider:</p>
96
+ <p><strong>Example providers requiring domain authorization</strong> (Atlassian, Stripe, Canva):</p>
97
+ <ul>
98
+ <li class="">Administrative access to the MCP provider&#x27;s admin console</li>
99
+ <li class="">Ability to add your Agent Mesh Enterprise domain to the provider&#x27;s authorized domains list</li>
100
+ </ul>
101
+ <p><strong>Example providers without administrative requirements</strong> (Cloudflare):</p>
102
+ <ul>
103
+ <li class="">No administrative setup required</li>
104
+ <li class="">Users can authenticate directly through the OAuth2 flow</li>
105
+ </ul>
106
+ <p>Check the specific requirements for your chosen MCP provider.</p>
107
+ <h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="callback-uri-configuration">Callback URI Configuration<a href="#callback-uri-configuration" class="hash-link" aria-label="Direct link to Callback URI Configuration" title="Direct link to Callback URI Configuration" translate="no">​</a></h3>
108
+ <p>Your Agent Mesh Enterprise deployment must be accessible via a stable URL for OAuth2 callbacks. During the OAuth2 flow, users are redirected to the MCP provider for authentication, then redirected back to this callback URI.</p>
109
+ <p>You will configure this callback URI as an environment variable (see <a href="#configure-oauth2-callback-uri" class="">Configure OAuth2 Callback URI</a>). For providers requiring domain authorization (for example: Atlassian, Stripe, Canva), you will also register this domain in the provider&#x27;s admin console.</p>
110
+ <h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="database-setup-for-production">Database Setup (For Production)<a href="#database-setup-for-production" class="hash-link" aria-label="Direct link to Database Setup (For Production)" title="Direct link to Database Setup (For Production)" translate="no">​</a></h3>
111
+ <p>For production deployments, you should use SQL persistence to ensure credentials survive agent restarts. You need:</p>
112
+ <ul>
113
+ <li class="">A supported SQL database (SQLite, PostgreSQL, MySQL, or other SQL database supported by SQLAlchemy)</li>
114
+ <li class="">Appropriate database credentials and connection information</li>
115
+ <li class="">Sufficient storage for credential data</li>
116
+ </ul>
117
+ <p>See <a href="#configure-session-service-type" class="">Configure Session Service Type</a> for details on setting up persistence. For development or testing, you can use memory storage, but credentials will be lost when the agent restarts.</p>
118
+ <h2 class="anchor anchorTargetStickyNavbar_Vzrq" id="configuration-steps">Configuration Steps<a href="#configuration-steps" class="hash-link" aria-label="Direct link to Configuration Steps" title="Direct link to Configuration Steps" translate="no">​</a></h2>
119
+ <p>Configuring Secure User Delegated Access involves several steps: configuring credential storage and lifecycle, optionally configuring the trust manager for enhanced security, and configuring your MCP tools with OAuth2 authentication.</p>
120
+ <h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="step-1-configure-credential-storage-and-lifecycle">Step 1: Configure Credential Storage and Lifecycle<a href="#step-1-configure-credential-storage-and-lifecycle" class="hash-link" aria-label="Direct link to Step 1: Configure Credential Storage and Lifecycle" title="Direct link to Step 1: Configure Credential Storage and Lifecycle" translate="no">​</a></h3>
121
+ <p>The credential service is automatically created and manages storage, retrieval, and lifecycle of user credentials. You configure it through environment variables and your session service configuration.</p>
122
+ <h4 class="anchor anchorTargetStickyNavbar_Vzrq" id="configure-credential-time-to-live">Configure Credential Time-to-Live<a href="#configure-credential-time-to-live" class="hash-link" aria-label="Direct link to Configure Credential Time-to-Live" title="Direct link to Configure Credential Time-to-Live" translate="no">​</a></h4>
123
+ <p>Set the credential TTL to control how long credentials remain valid in storage:</p>
124
+ <div class="language-bash codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#F8F8F2;--prism-background-color:#282A36"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-bash codeBlock_bY9V thin-scrollbar" style="color:#F8F8F2;background-color:#282A36"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#F8F8F2"><span class="token plain">export SECRETS_TTL_SECONDS=86400 # 24 hours</span><br></span></code></pre></div></div>
125
+ <p>The TTL value is specified in seconds. Common values include:</p>
126
+ <ul>
127
+ <li class=""><code>3600</code> - 1 hour (high security, frequent re-authentication)</li>
128
+ <li class=""><code>86400</code> - 24 hours (balance of security and convenience)</li>
129
+ <li class=""><code>604800</code> - 7 days (low security, infrequent re-authentication)</li>
130
+ <li class=""><code>2592000</code> - 30 days (default if not specified)</li>
131
+ </ul>
132
+ <p>Choose a TTL based on your security requirements and user experience considerations. Shorter TTLs require users to re-authenticate more frequently but reduce the window of exposure for compromised credentials.</p>
133
+ <h4 class="anchor anchorTargetStickyNavbar_Vzrq" id="configure-oauth2-callback-uri">Configure OAuth2 Callback URI<a href="#configure-oauth2-callback-uri" class="hash-link" aria-label="Direct link to Configure OAuth2 Callback URI" title="Direct link to Configure OAuth2 Callback URI" translate="no">​</a></h4>
134
+ <p>Set the callback URI where MCP providers will redirect users after authentication:</p>
135
+ <div class="language-bash codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#F8F8F2;--prism-background-color:#282A36"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-bash codeBlock_bY9V thin-scrollbar" style="color:#F8F8F2;background-color:#282A36"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#F8F8F2"><span class="token plain">export OAUTH_TOOL_REDIRECT_URI=https://my.domain.com/api/v1/auth/tool/callback</span><br></span></code></pre></div></div>
136
+ <p>Replace <code>https://my.domain.com</code> with your actual Agent Mesh Enterprise domain.</p>
137
+ <p><strong>Important</strong>: The path <code>/api/v1/auth/tool/callback</code> must not be changed. This is the required callback endpoint path.</p>
138
+ <p>This URL must:</p>
139
+ <ul>
140
+ <li class="">Match exactly what you register with your MCP provider (for providers requiring domain authorization)</li>
141
+ <li class="">Use HTTPS in production (HTTP is only acceptable for local development)</li>
142
+ <li class="">Be accessible from users&#x27; browsers</li>
143
+ </ul>
144
+ <h4 class="anchor anchorTargetStickyNavbar_Vzrq" id="configure-session-service-type">Configure Session Service Type<a href="#configure-session-service-type" class="hash-link" aria-label="Direct link to Configure Session Service Type" title="Direct link to Configure Session Service Type" translate="no">​</a></h4>
145
+ <p>User credentials are stored in the same database configured for session storage. For details on configuring session storage, see the <a class="" href="/solace-agent-mesh/docs/documentation/installing-and-configuring/session-storage">Session Storage documentation</a>.</p>
146
+ <p>Memory storage does not persist credentials across agent restarts. Use this only for development and testing.</p>
147
+ <p><strong>Important</strong>: Ensure each agent has its own database to maintain proper credential isolation between agents.</p>
148
+ <h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="step-2-configure-trust-manager-recommended">Step 2: Configure Trust Manager (Recommended)<a href="#step-2-configure-trust-manager-recommended" class="hash-link" aria-label="Direct link to Step 2: Configure Trust Manager (Recommended)" title="Direct link to Step 2: Configure Trust Manager (Recommended)" translate="no">​</a></h3>
149
+ <p>The trust manager provides critical security for Secure User Delegated Access by cryptographically verifying user identities throughout the system. It ensures that credentials can only be accessed by the user who created them, preventing unauthorized access even if agent communication is compromised.</p>
150
+ <p><strong>Enabling the trust manager is strongly recommended for production deployments.</strong></p>
151
+ <h4 class="anchor anchorTargetStickyNavbar_Vzrq" id="understanding-trust-manager">Understanding Trust Manager<a href="#understanding-trust-manager" class="hash-link" aria-label="Direct link to Understanding Trust Manager" title="Direct link to Understanding Trust Manager" translate="no">​</a></h4>
152
+ <p>The trust manager uses public/private key cryptography to verify user identity:</p>
153
+ <ol>
154
+ <li class=""><strong>Gateway Authentication</strong>: The WebUI Gateway verifies the user&#x27;s identity during login (via SSO or other authentication)</li>
155
+ <li class=""><strong>Cryptographic Signing</strong>: The gateway cryptographically signs each user&#x27;s identity using its private key</li>
156
+ <li class=""><strong>Agent Verification</strong>: When an agent receives a request, it uses the gateway&#x27;s public key to verify the signed identity</li>
157
+ <li class=""><strong>Credential Access Control</strong>: The agent only grants access to credentials if the verified identity matches the credential owner</li>
158
+ </ol>
159
+ <p>This cryptographic verification ensures that:</p>
160
+ <ul>
161
+ <li class="">User identities cannot be forged or tampered with in transit</li>
162
+ <li class="">Each user can only access their own credentials</li>
163
+ <li class="">Compromised agents cannot access other users&#x27; credentials</li>
164
+ <li class="">All credential operations have verifiable audit trails</li>
165
+ </ul>
166
+ <p><strong>The trust manager must be enabled on both the WebUI Gateway and all agents</strong> to function correctly.</p>
167
+ <h4 class="anchor anchorTargetStickyNavbar_Vzrq" id="enable-trust-manager-on-sse-gateway">Enable Trust Manager on SSE Gateway<a href="#enable-trust-manager-on-sse-gateway" class="hash-link" aria-label="Direct link to Enable Trust Manager on SSE Gateway" title="Direct link to Enable Trust Manager on SSE Gateway" translate="no">​</a></h4>
168
+ <p>Add the trust manager configuration to your SSE Gateway configuration:</p>
169
+ <div class="language-yaml codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#F8F8F2;--prism-background-color:#282A36"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-yaml codeBlock_bY9V thin-scrollbar" style="color:#F8F8F2;background-color:#282A36"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#F8F8F2"><span class="token comment" style="color:rgb(98, 114, 164)"># In your gateway configuration</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"></span><span class="token key atrule">trust_manager</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token key atrule">enabled</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"> </span><span class="token boolean important">true</span><br></span></code></pre></div></div>
170
+ <h4 class="anchor anchorTargetStickyNavbar_Vzrq" id="enable-trust-manager-on-agents">Enable Trust Manager on Agents<a href="#enable-trust-manager-on-agents" class="hash-link" aria-label="Direct link to Enable Trust Manager on Agents" title="Direct link to Enable Trust Manager on Agents" translate="no">​</a></h4>
171
+ <p>Add the same trust manager configuration to each agent&#x27;s configuration:</p>
172
+ <div class="language-yaml codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#F8F8F2;--prism-background-color:#282A36"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-yaml codeBlock_bY9V thin-scrollbar" style="color:#F8F8F2;background-color:#282A36"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#F8F8F2"><span class="token comment" style="color:rgb(98, 114, 164)"># In each agent&#x27;s configuration YAML</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"></span><span class="token key atrule">trust_manager</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token key atrule">enabled</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"> </span><span class="token boolean important">true</span><br></span></code></pre></div></div>
173
+ <h4 class="anchor anchorTargetStickyNavbar_Vzrq" id="example-configuration">Example Configuration<a href="#example-configuration" class="hash-link" aria-label="Direct link to Example Configuration" title="Direct link to Example Configuration" translate="no">​</a></h4>
174
+ <p>Here is an example showing the trust manager full configuration (default values) on the gateway:</p>
175
+ <div class="language-yaml codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#F8F8F2;--prism-background-color:#282A36"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-yaml codeBlock_bY9V thin-scrollbar" style="color:#F8F8F2;background-color:#282A36"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#F8F8F2"><span class="token comment" style="color:rgb(98, 114, 164)"># webui_gateway.yaml</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"></span><span class="token key atrule">apps</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(248, 248, 242)">-</span><span class="token plain"> </span><span class="token key atrule">name</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"> a2a_webui_app</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token key atrule">app_config</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token comment" style="color:rgb(98, 114, 164)"># ... 
other configuration ...</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token key atrule">trust_manager</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token key atrule">enabled</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"> </span><span class="token boolean important">true</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token key atrule">card_publish_interval_seconds</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"> </span><span class="token number">10</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token key atrule">card_expiration_days</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"> </span><span class="token number">7</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token key atrule">verification_mode</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(255, 121, 198)">&quot;permissive&quot;</span><span class="token plain"> </span><span class="token comment" style="color:rgb(98, 114, 164)"># or &quot;strict&quot; for production</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span 
class="token plain"> </span><span class="token key atrule">clock_skew_tolerance_seconds</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"> </span><span class="token number">300</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token key atrule">enable_time_validation</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"> </span><span class="token boolean important">true</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token key atrule">jwt_default_ttl_seconds</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"> </span><span class="token number">3600</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token key atrule">jwt_max_ttl_seconds</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"> </span><span class="token number">86400</span><br></span></code></pre></div></div>
176
+ <h4 class="anchor anchorTargetStickyNavbar_Vzrq" id="secure-solace-broker-provisioning-for-trust-manager">Secure Solace Broker Provisioning for Trust Manager<a href="#secure-solace-broker-provisioning-for-trust-manager" class="hash-link" aria-label="Direct link to Secure Solace Broker Provisioning for Trust Manager" title="Direct link to Secure Solace Broker Provisioning for Trust Manager" translate="no">​</a></h4>
177
+ <p>When using the trust manager, you should configure the Solace broker with proper credentials and ACLs to ensure secure trust card publishing. This prevents components from impersonating each other.</p>
178
+ <p><strong>Distinct Credentials Per Component</strong></p>
179
+ <p>Each gateway and agent instance should have its own unique broker credentials:</p>
180
+ <ul>
181
+ <li class="">Each gateway instance requires unique <code>client_username</code> and <code>client_password</code></li>
182
+ <li class="">Each agent instance requires unique <code>client_username</code> and <code>client_password</code></li>
183
+ <li class="">Never share credentials between different component instances</li>
184
+ </ul>
185
+ <p><strong>ACL Configuration for Trust Card Publishing</strong></p>
186
+ <p>Configure Access Control Lists (ACLs) on your Solace broker to restrict which topics each component can publish to:</p>
187
+ <p><strong>For Gateway instances:</strong></p>
188
+ <p>Only the specific gateway instance is allowed to publish on its trust card topic:</p>
189
+ <div class="language-text codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#F8F8F2;--prism-background-color:#282A36"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-text codeBlock_bY9V thin-scrollbar" style="color:#F8F8F2;background-color:#282A36"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#F8F8F2"><span class="token plain">Topic: {namespace}/a2a/v1/trust/gateway/{gateway_broker_client_username}</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">Permission: Publish (allow only for this gateway&#x27;s client username)</span><br></span></code></pre></div></div>
190
+ <p><strong>For Agent instances:</strong></p>
191
+ <p>Only the specific agent instance is allowed to publish on its trust card topic:</p>
192
+ <div class="language-text codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#F8F8F2;--prism-background-color:#282A36"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-text codeBlock_bY9V thin-scrollbar" style="color:#F8F8F2;background-color:#282A36"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#F8F8F2"><span class="token plain">Topic: {namespace}/a2a/v1/trust/agent/{agent_broker_client_username}</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">Permission: Publish (allow only for this agent&#x27;s client username)</span><br></span></code></pre></div></div>
193
+ <p>Where:</p>
194
+ <ul>
195
+ <li class=""><code>{namespace}</code> is your configured namespace (e.g., <code>a2a/dev</code> or <code>a2a/prod</code>)</li>
196
+ <li class=""><code>{gateway_broker_client_username}</code> is the unique broker username for the gateway</li>
197
+ <li class=""><code>{agent_broker_client_username}</code> is the unique broker username for each agent</li>
198
+ </ul>
199
+ <p><strong>Example ACL Configuration:</strong></p>
200
+ <p>If your namespace is <code>a2a/prod</code>, gateway username is <code>webui-gateway-01</code>, and agent username is <code>employee-agent-01</code>:</p>
201
+ <div class="language-text codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#F8F8F2;--prism-background-color:#282A36"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-text codeBlock_bY9V thin-scrollbar" style="color:#F8F8F2;background-color:#282A36"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#F8F8F2"><span class="token plain"># Gateway ACL</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">Topic: a2a/prod/a2a/v1/trust/gateway/webui-gateway-01</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">Client Username: webui-gateway-01</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">Permission: Publish</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"># Agent ACL</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">Topic: a2a/prod/a2a/v1/trust/agent/employee-agent-01</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">Client Username: employee-agent-01</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">Permission: Publish</span><br></span></code></pre></div></div>
202
+ <p>These ACLs ensure that:</p>
203
+ <ul>
204
+ <li class="">Components cannot publish trust cards pretending to be other components</li>
205
+ <li class="">Trust card verification remains cryptographically secure</li>
206
+ <li class="">Compromised credentials for one component cannot affect other components</li>
207
+ </ul>
208
+ <h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="step-3-configure-mcp-tools-with-oauth2-authentication">Step 3: Configure MCP Tools with OAuth2 Authentication<a href="#step-3-configure-mcp-tools-with-oauth2-authentication" class="hash-link" aria-label="Direct link to Step 3: Configure MCP Tools with OAuth2 Authentication" title="Direct link to Step 3: Configure MCP Tools with OAuth2 Authentication" translate="no">​</a></h3>
209
+ <p>To use Secure User Delegated Access, you must configure your MCP tools to use OAuth2 authentication and provide a manifest of available tools.</p>
210
+ <h4 class="anchor anchorTargetStickyNavbar_Vzrq" id="basic-mcp-tool-structure">Basic MCP Tool Structure<a href="#basic-mcp-tool-structure" class="hash-link" aria-label="Direct link to Basic MCP Tool Structure" title="Direct link to Basic MCP Tool Structure" translate="no">​</a></h4>
211
+ <p>An MCP tool configuration with OAuth2 authentication follows this structure:</p>
212
+ <div class="language-yaml codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#F8F8F2;--prism-background-color:#282A36"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-yaml codeBlock_bY9V thin-scrollbar" style="color:#F8F8F2;background-color:#282A36"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#F8F8F2"><span class="token key atrule">tools</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(248, 248, 242)">-</span><span class="token plain"> </span><span class="token key atrule">tool_type</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"> mcp</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token key atrule">connection_params</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token key atrule">type</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"> sse </span><span class="token comment" style="color:rgb(98, 114, 164)"># or streamable-http</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token key atrule">url</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(255, 121, 198)">&quot;https://mcp.example.com/v1/sse&quot;</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token key 
atrule">auth</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token key atrule">type</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"> oauth2</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token key atrule">manifest</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(248, 248, 242)">-</span><span class="token plain"> </span><span class="token key atrule">name</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"> exampleTool</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token key atrule">description</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"> Example tool description</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token key atrule">inputSchema</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token key atrule">type</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"> object</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token key atrule">properties</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"> </span><span 
class="token punctuation" style="color:rgb(248, 248, 242)">{</span><span class="token punctuation" style="color:rgb(248, 248, 242)">}</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token key atrule">additionalProperties</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"> </span><span class="token boolean important">false</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token key atrule">$schema</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"> http</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain">//json</span><span class="token punctuation" style="color:rgb(248, 248, 242)">-</span><span class="token plain">schema.org/draft</span><span class="token punctuation" style="color:rgb(248, 248, 242)">-</span><span class="token plain">07/schema</span><span class="token comment" style="color:rgb(98, 114, 164)">#</span><br></span></code></pre></div></div>
213
+ <p>The key components are:</p>
214
+ <p><strong><code>tool_type: mcp</code></strong>: Identifies this as an MCP tool configuration.</p>
215
+ <p><strong><code>connection_params</code></strong>: Specifies how to connect to the remote MCP server:</p>
216
+ <ul>
217
+ <li class=""><code>type</code>: Either <code>sse</code> (Server-Sent Events) or <code>streamable-http</code></li>
218
+ <li class=""><code>url</code>: The endpoint URL for the MCP server</li>
219
+ </ul>
220
+ <p><strong><code>auth</code></strong>: Specifies the authentication type:</p>
221
+ <ul>
222
+ <li class=""><code>type: oauth2</code>: Enables OAuth2 user delegated access for this tool</li>
223
+ </ul>
224
+ <p><strong><code>manifest</code></strong>: Defines the tools available from this MCP server (explained below).</p>
225
+ <h4 class="anchor anchorTargetStickyNavbar_Vzrq" id="understanding-the-manifest-requirement">Understanding the Manifest Requirement<a href="#understanding-the-manifest-requirement" class="hash-link" aria-label="Direct link to Understanding the Manifest Requirement" title="Direct link to Understanding the Manifest Requirement" translate="no">​</a></h4>
226
+ <p>Due to limitations in the MCP protocol, Agent Mesh Enterprise cannot automatically discover available tools from OAuth2-protected MCP servers. The OAuth2 flow requires user interaction, which prevents the automatic tool discovery process from working.</p>
227
+ <p>To work around this limitation, you must provide a manifest that lists the tools available from the MCP server. This manifest is identical to what the MCP server would return from its tools list command.</p>
228
+ <h4 class="anchor anchorTargetStickyNavbar_Vzrq" id="obtaining-the-manifest">Obtaining the Manifest<a href="#obtaining-the-manifest" class="hash-link" aria-label="Direct link to Obtaining the Manifest" title="Direct link to Obtaining the Manifest" translate="no">​</a></h4>
229
+ <p>You can obtain the manifest in several ways:</p>
230
+ <p><strong>Method 1: Use MCP Provider Documentation</strong></p>
231
+ <p>Many MCP providers document their available tools. Check the provider&#x27;s documentation for a list of tools and their schemas.</p>
232
+ <p><strong>Method 2: Use MCP Inspector</strong></p>
233
+ <p>Use a tool like <a href="https://github.com/modelcontextprotocol/inspector" target="_blank" rel="noopener noreferrer" class="">MCP Inspector</a> to connect to the MCP server and retrieve the output of the tools list command. You can then use this output directly as your manifest configuration.</p>
234
+ <h4 class="anchor anchorTargetStickyNavbar_Vzrq" id="manifest-format">Manifest Format<a href="#manifest-format" class="hash-link" aria-label="Direct link to Manifest Format" title="Direct link to Manifest Format" translate="no">​</a></h4>
235
+ <p>Each tool in the manifest follows this format:</p>
236
+ <div class="language-yaml codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#F8F8F2;--prism-background-color:#282A36"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-yaml codeBlock_bY9V thin-scrollbar" style="color:#F8F8F2;background-color:#282A36"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#F8F8F2"><span class="token punctuation" style="color:rgb(248, 248, 242)">-</span><span class="token plain"> </span><span class="token key atrule">name</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"> toolName</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token key atrule">description</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"> Tool description explaining what it does</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token key atrule">inputSchema</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token key atrule">type</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"> object</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token key atrule">properties</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token key atrule">parameterName</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token 
plain"> </span><span class="token key atrule">type</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"> string</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token key atrule">description</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"> Parameter description</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token key atrule">required</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(248, 248, 242)">-</span><span class="token plain"> parameterName</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token key atrule">additionalProperties</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"> </span><span class="token boolean important">false</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token key atrule">$schema</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"> http</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain">//json</span><span class="token punctuation" style="color:rgb(248, 248, 242)">-</span><span class="token plain">schema.org/draft</span><span class="token punctuation" style="color:rgb(248, 248, 242)">-</span><span class="token plain">07/schema</span><span class="token comment" style="color:rgb(98, 114, 164)">#</span><br></span></code></pre></div></div>
237
+ <p>The <code>inputSchema</code> is a standard JSON Schema (draft-07) that defines what parameters the tool accepts. This schema is used for validation and to help the AI model understand how to call the tool.</p>
238
+ <p><strong>Note</strong>: Complete sample MCP configurations are available in the <a href="https://github.com/SolaceLabs/solace-agent-mesh/tree/main/examples/agents/remote-mcp" target="_blank" rel="noopener noreferrer" class="">examples/agents/remote-mcp directory</a> for each of the tested remote MCP providers (Atlassian, Stripe, Cloudflare, Canva) to simplify setup.</p>
239
+ <h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="step-4-deploy-configuration">Step 4: Deploy Configuration<a href="#step-4-deploy-configuration" class="hash-link" aria-label="Direct link to Step 4: Deploy Configuration" title="Direct link to Step 4: Deploy Configuration" translate="no">​</a></h3>
240
+ <p>After configuring credential storage, trust manager, and MCP tools, deploy these configurations to your Agent Mesh Enterprise installation. Ensure that:</p>
241
+ <ul>
242
+ <li class="">Configuration files with MCP tool definitions are accessible to the agents</li>
243
+ <li class="">Environment variables (<code>SECRETS_TTL_SECONDS</code>, <code>OAUTH_TOOL_REDIRECT_URI</code>) are set</li>
244
+ <li class="">Database URLs are configured if using SQL persistence</li>
245
+ <li class="">The installation is restarted to load the new configuration</li>
246
+ </ul>
247
+ <p>After deployment, test the OAuth2 flow by attempting to use an OAuth2-enabled MCP tool. Users should be prompted to authenticate with the MCP provider.</p>
248
+ <h2 class="anchor anchorTargetStickyNavbar_Vzrq" id="security-considerations">Security Considerations<a href="#security-considerations" class="hash-link" aria-label="Direct link to Security Considerations" title="Direct link to Security Considerations" translate="no">​</a></h2>
249
+ <p>Secure User Delegated Access involves storing and managing user credentials, which requires careful attention to security. This section outlines the security features built into the system and additional measures you should implement.</p>
250
+ <h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="encryption-at-rest">Encryption at Rest<a href="#encryption-at-rest" class="hash-link" aria-label="Direct link to Encryption at Rest" title="Direct link to Encryption at Rest" translate="no">​</a></h3>
251
+ <p>When using SQL persistence, all stored credentials are automatically encrypted before being written to the database. Agent Mesh Enterprise uses the agent&#x27;s unique identifier as the encryption key, ensuring that credentials cannot be used if extracted from storage.</p>
252
+ <p>This encryption is automatic and requires no configuration. However, it means that:</p>
253
+ <ul>
254
+ <li class="">Credentials encrypted by one agent cannot be decrypted by another agent</li>
255
+ <li class="">If an agent&#x27;s unique identifier changes, existing credentials become inaccessible</li>
256
+ <li class="">Database backups contain encrypted credentials that are useless without the agent</li>
257
+ </ul>
258
+ <p>For additional security, ensure your database is stored on encrypted storage volumes provided by your infrastructure (for example, encrypted EBS volumes in AWS, encrypted persistent disks in GCP).</p>
259
+ <p><strong>Note</strong>: Memory-based storage does not persist credentials to disk, so encryption at rest does not apply. Memory storage should only be used for development and testing.</p>
260
+ <h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="trust-manager-for-identity-verification">Trust Manager for Identity Verification<a href="#trust-manager-for-identity-verification" class="hash-link" aria-label="Direct link to Trust Manager for Identity Verification" title="Direct link to Trust Manager for Identity Verification" translate="no">​</a></h3>
261
+ <p>The trust manager provides defense-in-depth by verifying user identity on every credential operation. This prevents several attack scenarios:</p>
262
+ <p><strong>Credential Theft via Agent Compromise</strong>: If an attacker compromises an agent and attempts to retrieve another user&#x27;s credentials, the trust manager validates the user&#x27;s identity token and denies access.</p>
263
+ <p><strong>Man-in-the-Middle Attacks</strong>: The trust manager validates that identity tokens are signed by a trusted issuer, preventing token forgery.</p>
264
+ <p><strong>Replay Attacks</strong>: Identity tokens include expiration times, limiting the window for replay attacks.</p>
265
+ <p>To maximize trust manager security:</p>
266
+ <ul>
267
+ <li class="">Always enable trust manager (<code>enabled: true</code>) in production</li>
268
+ <li class="">Monitor trust manager logs for denied access attempts</li>
269
+ </ul>
270
+ <h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="credential-aging-and-expiration">Credential Aging and Expiration<a href="#credential-aging-and-expiration" class="hash-link" aria-label="Direct link to Credential Aging and Expiration" title="Direct link to Credential Aging and Expiration" translate="no">​</a></h3>
271
+ <p>The <code>SECRETS_TTL_SECONDS</code> configuration provides defense against long-lived credential compromise. By setting an appropriate TTL, you ensure that:</p>
272
+ <ul>
273
+ <li class="">Stolen credentials have a limited lifetime</li>
274
+ <li class="">Terminated users&#x27; credentials expire automatically</li>
275
+ <li class="">Users periodically re-authenticate, allowing detection of account compromise</li>
276
+ </ul>
277
+ <p>The default TTL is 30 days (2592000 seconds) if not specified.</p>
278
+ <h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="provider-side-revocation">Provider-Side Revocation<a href="#provider-side-revocation" class="hash-link" aria-label="Direct link to Provider-Side Revocation" title="Direct link to Provider-Side Revocation" translate="no">​</a></h3>
279
+ <p>MCP providers can revoke user credentials at any time through their own admin consoles. This provides an additional security control:</p>
280
+ <p><strong>User Offboarding</strong>: When a user leaves the organization, revoke their access at the MCP provider level (Atlassian, Stripe, etc.) in addition to removing their access to Agent Mesh Enterprise.</p>
281
+ <p><strong>Incident Response</strong>: If you suspect credential compromise, immediately revoke access at the MCP provider level. This blocks credential use even before they expire in Agent Mesh Enterprise.</p>
282
+ <p><strong>Audit Compliance</strong>: Provider-side revocation creates audit logs in the provider&#x27;s system, which may be required for compliance purposes.</p>
283
+ <p>Document your incident response procedures to include MCP provider credential revocation as a standard step.</p>
284
+ <h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="network-security">Network Security<a href="#network-security" class="hash-link" aria-label="Direct link to Network Security" title="Direct link to Network Security" translate="no">​</a></h3>
285
+ <p>Secure User Delegated Access involves network communication between users, Agent Mesh Enterprise, and MCP providers. Implement these network security measures:</p>
286
+ <p><strong>Use HTTPS Everywhere</strong>: All communication must use HTTPS in production:</p>
287
+ <ul>
288
+ <li class="">User to Agent Mesh Enterprise: HTTPS</li>
289
+ <li class="">Agent Mesh Enterprise to MCP providers: HTTPS</li>
290
+ <li class="">MCP provider redirects back to Agent Mesh Enterprise: HTTPS</li>
291
+ </ul>
292
+ <p><strong>Internal Communication Security</strong>: If using the trust manager, ensure communication between agents and the SSE gateway is encrypted and authenticated.</p>
293
+ <h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="logging-and-monitoring">Logging and Monitoring<a href="#logging-and-monitoring" class="hash-link" aria-label="Direct link to Logging and Monitoring" title="Direct link to Logging and Monitoring" translate="no">​</a></h3>
294
+ <p>Enable comprehensive logging to detect and respond to security issues.</p>
295
+ <p><strong>Anomalous Patterns</strong>: Monitor for unusual patterns such as:</p>
296
+ <ul>
297
+ <li class="">Multiple failed authentication attempts from a single user</li>
298
+ <li class="">Credential access from unusual IP addresses or locations</li>
299
+ <li class="">Rapid credential creation/deletion cycles</li>
300
+ </ul>
301
+ <p>Integrate these logs with your SIEM (Security Information and Event Management) system for centralized monitoring and alerting.</p>
302
+ <h2 class="anchor anchorTargetStickyNavbar_Vzrq" id="best-practices">Best Practices<a href="#best-practices" class="hash-link" aria-label="Direct link to Best Practices" title="Direct link to Best Practices" translate="no">​</a></h2>
303
+ <p>Following these best practices helps you deploy Secure User Delegated Access securely and reliably.</p>
304
+ <h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="always-enable-trust-manager-in-production">Always Enable Trust Manager in Production<a href="#always-enable-trust-manager-in-production" class="hash-link" aria-label="Direct link to Always Enable Trust Manager in Production" title="Direct link to Always Enable Trust Manager in Production" translate="no">​</a></h3>
305
+ <p>The trust manager provides critical defense-in-depth security. Always enable it in production deployments:</p>
306
+ <div class="language-yaml codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#F8F8F2;--prism-background-color:#282A36"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-yaml codeBlock_bY9V thin-scrollbar" style="color:#F8F8F2;background-color:#282A36"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#F8F8F2"><span class="token key atrule">trust_manager</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token key atrule">enabled</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"> </span><span class="token boolean important">true</span><br></span></code></pre></div></div>
307
+ <p>Only disable the trust manager in development or testing environments where security is not a concern.</p>
308
+ <h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="use-sql-persistence-in-production">Use SQL Persistence in Production<a href="#use-sql-persistence-in-production" class="hash-link" aria-label="Direct link to Use SQL Persistence in Production" title="Direct link to Use SQL Persistence in Production" translate="no">​</a></h3>
309
+ <p>Memory persistence is only suitable for development and testing. Production deployments must use SQL persistence:</p>
310
+ <div class="language-yaml codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#F8F8F2;--prism-background-color:#282A36"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-yaml codeBlock_bY9V thin-scrollbar" style="color:#F8F8F2;background-color:#282A36"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#F8F8F2"><span class="token key atrule">session_service</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token key atrule">type</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(255, 121, 198)">&quot;sql&quot;</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token key atrule">database_url</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"> $</span><span class="token punctuation" style="color:rgb(248, 248, 242)">{</span><span class="token plain">AGENT_DATABASE_URL</span><span class="token punctuation" style="color:rgb(248, 248, 242)">}</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token key atrule">default_behavior</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(255, 121, 198)">&quot;PERSISTENT&quot;</span><br></span></code></pre></div></div>
311
+ <h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="set-appropriate-ttl-values">Set Appropriate TTL Values<a href="#set-appropriate-ttl-values" class="hash-link" aria-label="Direct link to Set Appropriate TTL Values" title="Direct link to Set Appropriate TTL Values" translate="no">​</a></h3>
312
+ <p>Choose TTL values based on your security requirements and user experience considerations.</p>
313
+ <p>Never exceed 30 days (2592000 seconds). Document your TTL policy and rationale in your security documentation.</p>
314
+ <h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="configure-separate-session-storage-per-agent">Configure Separate Session Storage Per Agent<a href="#configure-separate-session-storage-per-agent" class="hash-link" aria-label="Direct link to Configure Separate Session Storage Per Agent" title="Direct link to Configure Separate Session Storage Per Agent" translate="no">​</a></h3>
315
+ <p>Each agent should have its own session storage database, which will automatically be used for credential storage as well.</p>
316
+ <p>This isolation provides defense-in-depth and simplifies multi-tenant deployments. See the <a class="" href="/solace-agent-mesh/docs/documentation/installing-and-configuring/session-storage">Session Storage documentation</a> for more details on configuring session storage.</p>
317
+ <h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="use-https-in-production">Use HTTPS in Production<a href="#use-https-in-production" class="hash-link" aria-label="Direct link to Use HTTPS in Production" title="Direct link to Use HTTPS in Production" translate="no">​</a></h3>
318
+ <p>Configure HTTPS for all endpoints in production:</p>
319
+ <ul>
320
+ <li class="">Set <code>OAUTH_TOOL_REDIRECT_URI</code> to an HTTPS URL</li>
321
+ <li class="">Configure SSL certificates for Agent Mesh Enterprise</li>
322
+ <li class="">Verify that MCP providers use HTTPS endpoints</li>
323
+ <li class="">Never use HTTP in production (only acceptable for local development)</li>
324
+ </ul>
325
+ <h2 class="anchor anchorTargetStickyNavbar_Vzrq" id="troubleshooting">Troubleshooting<a href="#troubleshooting" class="hash-link" aria-label="Direct link to Troubleshooting" title="Direct link to Troubleshooting" translate="no">​</a></h2>
326
+ <p>This section addresses common issues you may encounter when configuring or operating Secure User Delegated Access.</p>
327
+ <h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="oauth2-authentication-flow-fails">OAuth2 Authentication Flow Fails<a href="#oauth2-authentication-flow-fails" class="hash-link" aria-label="Direct link to OAuth2 Authentication Flow Fails" title="Direct link to OAuth2 Authentication Flow Fails" translate="no">​</a></h3>
328
+ <p><strong>Symptoms</strong>: Users report that they are redirected to the MCP provider but never redirected back to Agent Mesh Enterprise, or they see an error after attempting to authenticate.</p>
329
+ <p><strong>Possible Causes and Solutions</strong>:</p>
330
+ <ol>
331
+ <li class="">
332
+ <p><strong>Incorrect Callback URI</strong>:</p>
333
+ <ul>
334
+ <li class=""><strong>Verify</strong>: Check that <code>OAUTH_TOOL_REDIRECT_URI</code> exactly matches the redirect URI registered with the MCP provider.</li>
335
+ <li class=""><strong>Common mistake</strong>: Mismatched protocols (HTTP vs HTTPS), missing ports, trailing slashes.</li>
336
+ <li class=""><strong>Solution</strong>: Update either the environment variable or the MCP provider configuration to match exactly.</li>
337
+ </ul>
338
+ </li>
339
+ <li class="">
340
+ <p><strong>Domain Not Authorized</strong> (For providers requiring domain authorization):</p>
341
+ <ul>
342
+ <li class=""><strong>Verify</strong>: Check that your domain is listed in the MCP provider&#x27;s authorized domains for MCP access.</li>
343
+ <li class=""><strong>Solution</strong>: Add your domain to the provider&#x27;s authorized domain list following their documentation.</li>
344
+ </ul>
345
+ </li>
346
+ </ol>
347
+ <h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="credentials-not-persisting-across-restarts">Credentials Not Persisting Across Restarts<a href="#credentials-not-persisting-across-restarts" class="hash-link" aria-label="Direct link to Credentials Not Persisting Across Restarts" title="Direct link to Credentials Not Persisting Across Restarts" translate="no">​</a></h3>
348
+ <p><strong>Symptoms</strong>: Users must re-authenticate every time the agent restarts, even though SQL persistence is configured.</p>
349
+ <p><strong>Possible Causes and Solutions</strong>:</p>
350
+ <ol>
351
+ <li class=""><strong>Memory Storage Configured Instead of SQL</strong>:<!-- -->
352
+ <ul>
353
+ <li class=""><strong>Verify</strong>: Check the agent configuration to ensure <code>session_service.type</code> is set to <code>&quot;sql&quot;</code>, not <code>&quot;memory&quot;</code>.</li>
354
+ <li class=""><strong>Solution</strong>: Update the configuration and restart the agent.</li>
355
+ </ul>
356
+ </li>
357
+ </ol>
358
+ <h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="trust-manager-denying-access">Trust Manager Denying Access<a href="#trust-manager-denying-access" class="hash-link" aria-label="Direct link to Trust Manager Denying Access" title="Direct link to Trust Manager Denying Access" translate="no">​</a></h3>
359
+ <p><strong>Symptoms</strong>: Users receive &quot;Access Denied&quot; errors when attempting to use MCP tools, or logs show trust manager access denials.</p>
360
+ <p><strong>Possible Causes and Solutions</strong>:</p>
361
+ <ol>
362
+ <li class=""><strong>Trust Manager Not Configured on All Components</strong>:<!-- -->
363
+ <ul>
364
+ <li class=""><strong>Verify</strong>: Ensure trust manager is enabled on both the SSE Gateway and all agents.</li>
365
+ <li class=""><strong>Solution</strong>: Add trust manager configuration to all component configurations and restart.</li>
366
+ </ul>
367
+ </li>
368
+ </ol>
369
+ <h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="credentials-expire-too-quickly-or-too-slowly">Credentials Expire Too Quickly or Too Slowly<a href="#credentials-expire-too-quickly-or-too-slowly" class="hash-link" aria-label="Direct link to Credentials Expire Too Quickly or Too Slowly" title="Direct link to Credentials Expire Too Quickly or Too Slowly" translate="no">​</a></h3>
370
+ <p><strong>Symptoms</strong>: Users report that they need to re-authenticate too frequently, or credentials remain valid longer than expected.</p>
371
+ <p><strong>Possible Causes and Solutions</strong>:</p>
372
+ <ol>
373
+ <li class="">
374
+ <p><strong>TTL Not Set Correctly</strong>:</p>
375
+ <ul>
376
+ <li class=""><strong>Verify</strong>: Check the <code>SECRETS_TTL_SECONDS</code> environment variable value.</li>
377
+ <li class=""><strong>Solution</strong>: Update the environment variable to the desired TTL and restart the agent.</li>
378
+ </ul>
379
+ </li>
380
+ <li class="">
381
+ <p><strong>MCP Provider Token Expiration</strong>:</p>
382
+ <ul>
383
+ <li class=""><strong>Note</strong>: Even if your TTL is long, MCP providers may issue short-lived tokens.</li>
384
+ <li class=""><strong>Verify</strong>: Check the MCP provider&#x27;s token expiration policy.</li>
385
+ <li class=""><strong>Solution</strong>: This is controlled by the MCP provider and cannot be changed. Ensure refresh tokens are working correctly to automatically renew expired tokens.</li>
386
+ </ul>
387
+ </li>
388
+ <li class="">
389
+ <p><strong>Refresh Tokens Not Working</strong>:</p>
390
+ <ul>
391
+ <li class=""><strong>Verify</strong>: Check that the MCP provider issues refresh tokens and that Agent Mesh Enterprise is configured to use them.</li>
392
+ <li class=""><strong>Diagnostic</strong>: Look for token refresh attempts in the logs.</li>
393
+ <li class=""><strong>Solution</strong>: Ensure the OAuth2 scope includes <code>offline_access</code> or equivalent for the provider.</li>
394
+ </ul>
395
+ </li>
396
+ </ol>
397
+ <h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="manifest-configuration-errors">Manifest Configuration Errors<a href="#manifest-configuration-errors" class="hash-link" aria-label="Direct link to Manifest Configuration Errors" title="Direct link to Manifest Configuration Errors" translate="no">​</a></h3>
398
+ <p><strong>Symptoms</strong>: MCP tools are not available, or the AI model reports that tools are missing or incorrectly defined.</p>
399
+ <p><strong>Possible Causes and Solutions</strong>:</p>
400
+ <ol>
401
+ <li class="">
402
+ <p><strong>Manifest Missing or Empty</strong>:</p>
403
+ <ul>
404
+ <li class=""><strong>Verify</strong>: Check that the <code>manifest</code> section in your MCP tool configuration is populated.</li>
405
+ <li class=""><strong>Solution</strong>: Add the manifest with tool definitions as described in the Configuration Steps section.</li>
406
+ </ul>
407
+ </li>
408
+ <li class="">
409
+ <p><strong>Manifest Format Errors</strong>:</p>
410
+ <ul>
411
+ <li class=""><strong>Verify</strong>: Ensure the manifest follows the correct YAML structure and JSON Schema format.</li>
412
+ <li class=""><strong>Common mistakes</strong>: Missing required fields (<code>name</code>, <code>description</code>, <code>inputSchema</code>), invalid JSON Schema.</li>
413
+ <li class=""><strong>Solution</strong>: Validate your manifest structure against the examples in this document.</li>
414
+ </ul>
415
+ </li>
416
+ <li class="">
417
+ <p><strong>JSON Schema Version Issues</strong>:</p>
418
+ <ul>
419
+ <li class=""><strong>Note</strong>: Manifests typically use the <code>http://json-schema.org/draft-07/schema#</code> standard. However, some LLM providers may require the newer <code>https://json-schema.org/specification-links#2020-12</code> specification, which can lead to errors at inference time.</li>
420
+ <li class=""><strong>Solution</strong>: Check your LLM provider&#x27;s requirements and adjust the <code>$schema</code> field in your manifest accordingly.</li>
421
+ </ul>
422
+ </li>
423
+ </ol>
424
+ <p>If you encounter issues, check the latest Agent Mesh Enterprise documentation or enable debug logging to review detailed error information:</p>
425
+ <div class="language-yaml codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#F8F8F2;--prism-background-color:#282A36"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-yaml codeBlock_bY9V thin-scrollbar" style="color:#F8F8F2;background-color:#282A36"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#F8F8F2"><span class="token key atrule">log</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token key atrule">stdout_log_level</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"> DEBUG</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token key atrule">log_file_level</span><span class="token punctuation" style="color:rgb(248, 248, 242)">:</span><span class="token plain"> DEBUG</span><br></span></code></pre></div></div>
426
+ <h2 class="anchor anchorTargetStickyNavbar_Vzrq" id="conclusion">Conclusion<a href="#conclusion" class="hash-link" aria-label="Direct link to Conclusion" title="Direct link to Conclusion" translate="no">​</a></h2>
427
+ <p>Secure User Delegated Access provides enhanced security and user-specific access control for Agent Mesh Enterprise deployments using remote MCP tools. By following the configuration steps, security considerations, and best practices in this guide, you can deploy this feature securely and reliably.</p>
428
+ <p>Key takeaways:</p>
429
+ <ul>
430
+ <li class="">Always enable the trust manager in production for defense-in-depth security</li>
431
+ <li class="">Use SQL persistence to ensure credentials survive agent restarts</li>
432
+ <li class="">Set appropriate TTL values balancing security and user experience</li>
433
+ <li class="">Configure database-per-agent isolation for multi-tenant security</li>
434
+ <li class="">Follow provider-specific setup instructions carefully</li>
435
+ <li class="">Implement comprehensive monitoring and logging</li>
436
+ <li class="">Maintain regular security reviews of your configuration</li>
437
+ </ul>
438
+ <p>Remember to keep your configuration updated as MCP providers evolve their APIs and authentication requirements, and regularly review your security posture to ensure continued protection of user credentials.</p></div><footer class="theme-doc-footer docusaurus-mt-lg"><div class="row margin-top--sm theme-doc-footer-edit-meta-row"><div class="col noPrint_WFHX"><a href="https://github.com/SolaceLabs/solace-agent-mesh/edit/main/docs/docs/documentation/enterprise/secure-user-delegated-access.md" target="_blank" rel="noopener noreferrer" class="theme-edit-this-page"><svg fill="currentColor" height="20" width="20" viewBox="0 0 40 40" class="iconEdit_Z9Sw" aria-hidden="true"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div><div class="col lastUpdated_JAkA"></div></div></footer></article><nav class="docusaurus-mt-lg pagination-nav" aria-label="Docs pages"><a class="pagination-nav__link pagination-nav__link--prev" href="/solace-agent-mesh/docs/documentation/enterprise/single-sign-on"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">Enabling SSO</div></a><a class="pagination-nav__link pagination-nav__link--next" href="/solace-agent-mesh/docs/documentation/enterprise/openapi-tools"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">OpenAPI Tools</div></a></nav></div></div><div class="col col--3"><div class="tableOfContents_bqdL thin-scrollbar theme-doc-toc-desktop"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#table-of-contents" class="table-of-contents__link toc-highlight">Table of Contents</a></li><li><a href="#overview" class="table-of-contents__link toc-highlight">Overview</a><ul><li><a href="#why-use-secure-user-delegated-access" class="table-of-contents__link toc-highlight">Why Use Secure User Delegated Access</a></li><li><a 
href="#supported-mcp-providers" class="table-of-contents__link toc-highlight">Supported MCP Providers</a></li></ul></li><li><a href="#understanding-secure-user-delegated-access" class="table-of-contents__link toc-highlight">Understanding Secure User Delegated Access</a><ul><li><a href="#how-the-oauth2-flow-works" class="table-of-contents__link toc-highlight">How the OAuth2 Flow Works</a></li><li><a href="#credential-storage" class="table-of-contents__link toc-highlight">Credential Storage</a></li><li><a href="#credential-lifecycle" class="table-of-contents__link toc-highlight">Credential Lifecycle</a></li></ul></li><li><a href="#prerequisites" class="table-of-contents__link toc-highlight">Prerequisites</a><ul><li><a href="#mcp-provider-access" class="table-of-contents__link toc-highlight">MCP Provider Access</a></li><li><a href="#callback-uri-configuration" class="table-of-contents__link toc-highlight">Callback URI Configuration</a></li><li><a href="#database-setup-for-production" class="table-of-contents__link toc-highlight">Database Setup (For Production)</a></li></ul></li><li><a href="#configuration-steps" class="table-of-contents__link toc-highlight">Configuration Steps</a><ul><li><a href="#step-1-configure-credential-storage-and-lifecycle" class="table-of-contents__link toc-highlight">Step 1: Configure Credential Storage and Lifecycle</a></li><li><a href="#step-2-configure-trust-manager-recommended" class="table-of-contents__link toc-highlight">Step 2: Configure Trust Manager (Recommended)</a></li><li><a href="#step-3-configure-mcp-tools-with-oauth2-authentication" class="table-of-contents__link toc-highlight">Step 3: Configure MCP Tools with OAuth2 Authentication</a></li><li><a href="#step-4-deploy-configuration" class="table-of-contents__link toc-highlight">Step 4: Deploy Configuration</a></li></ul></li><li><a href="#security-considerations" class="table-of-contents__link toc-highlight">Security Considerations</a><ul><li><a href="#encryption-at-rest" 
class="table-of-contents__link toc-highlight">Encryption at Rest</a></li><li><a href="#trust-manager-for-identity-verification" class="table-of-contents__link toc-highlight">Trust Manager for Identity Verification</a></li><li><a href="#credential-aging-and-expiration" class="table-of-contents__link toc-highlight">Credential Aging and Expiration</a></li><li><a href="#provider-side-revocation" class="table-of-contents__link toc-highlight">Provider-Side Revocation</a></li><li><a href="#network-security" class="table-of-contents__link toc-highlight">Network Security</a></li><li><a href="#logging-and-monitoring" class="table-of-contents__link toc-highlight">Logging and Monitoring</a></li></ul></li><li><a href="#best-practices" class="table-of-contents__link toc-highlight">Best Practices</a><ul><li><a href="#always-enable-trust-manager-in-production" class="table-of-contents__link toc-highlight">Always Enable Trust Manager in Production</a></li><li><a href="#use-sql-persistence-in-production" class="table-of-contents__link toc-highlight">Use SQL Persistence in Production</a></li><li><a href="#set-appropriate-ttl-values" class="table-of-contents__link toc-highlight">Set Appropriate TTL Values</a></li><li><a href="#configure-separate-session-storage-per-agent" class="table-of-contents__link toc-highlight">Configure Separate Session Storage Per Agent</a></li><li><a href="#use-https-in-production" class="table-of-contents__link toc-highlight">Use HTTPS in Production</a></li></ul></li><li><a href="#troubleshooting" class="table-of-contents__link toc-highlight">Troubleshooting</a><ul><li><a href="#oauth2-authentication-flow-fails" class="table-of-contents__link toc-highlight">OAuth2 Authentication Flow Fails</a></li><li><a href="#credentials-not-persisting-across-restarts" class="table-of-contents__link toc-highlight">Credentials Not Persisting Across Restarts</a></li><li><a href="#trust-manager-denying-access" class="table-of-contents__link toc-highlight">Trust Manager 
Denying Access</a></li><li><a href="#credentials-expire-too-quickly-or-too-slowly" class="table-of-contents__link toc-highlight">Credentials Expire Too Quickly or Too Slowly</a></li><li><a href="#manifest-configuration-errors" class="table-of-contents__link toc-highlight">Manifest Configuration Errors</a></li></ul></li><li><a href="#conclusion" class="table-of-contents__link toc-highlight">Conclusion</a></li></ul></div></div></div></div></main></div></div></div><footer class="theme-layout-footer footer footer--dark"><div class="container container-fluid"><div class="row footer__links"><div class="theme-layout-footer-column col footer__col"><div class="footer__title">Solace Agent Mesh</div><ul class="footer__items clean-list"><li class="footer__item"><a class="footer__link-item" href="/solace-agent-mesh/docs/documentation/getting-started">Documentation</a></li><li class="footer__item"><a href="https://github.com/SolaceLabs/solace-agent-mesh/" target="_blank" rel="noopener noreferrer" class="footer__link-item">GitHub<svg width="13.5" height="13.5" aria-label="(opens in new tab)" class="iconExternalLink_nPIU"><use href="#theme-svg-external-link"></use></svg></a></li><li class="footer__item"><a href="https://github.com/SolaceLabs/solace-agent-mesh-core-plugins/" target="_blank" rel="noopener noreferrer" class="footer__link-item">Official Plugins<svg width="13.5" height="13.5" aria-label="(opens in new tab)" class="iconExternalLink_nPIU"><use href="#theme-svg-external-link"></use></svg></a></li></ul></div><div class="theme-layout-footer-column col footer__col"><div class="footer__title">Company</div><ul class="footer__items clean-list"><li class="footer__item"><a href="https://solace.com/products/" target="_blank" rel="noopener noreferrer" class="footer__link-item">Products<svg width="13.5" height="13.5" aria-label="(opens in new tab)" class="iconExternalLink_nPIU"><use href="#theme-svg-external-link"></use></svg></a></li><li class="footer__item"><a 
href="https://solace.com/contact/" target="_blank" rel="noopener noreferrer" class="footer__link-item">Contact<svg width="13.5" height="13.5" aria-label="(opens in new tab)" class="iconExternalLink_nPIU"><use href="#theme-svg-external-link"></use></svg></a></li><li class="footer__item"><a href="https://solace.com/support/" target="_blank" rel="noopener noreferrer" class="footer__link-item">Support<svg width="13.5" height="13.5" aria-label="(opens in new tab)" class="iconExternalLink_nPIU"><use href="#theme-svg-external-link"></use></svg></a></li><li class="footer__item"><a href="https://solace.com/legal/" target="_blank" rel="noopener noreferrer" class="footer__link-item">Privacy and Legal<svg width="13.5" height="13.5" aria-label="(opens in new tab)" class="iconExternalLink_nPIU"><use href="#theme-svg-external-link"></use></svg></a></li></ul></div><div class="theme-layout-footer-column col footer__col"><div class="footer__title">Community</div><ul class="footer__items clean-list"><li class="footer__item"><a href="https://www.linkedin.com/company/solacedotcom/" target="_blank" rel="noopener noreferrer" class="footer__link-item">LinkedIn<svg width="13.5" height="13.5" aria-label="(opens in new tab)" class="iconExternalLink_nPIU"><use href="#theme-svg-external-link"></use></svg></a></li><li class="footer__item"><a href="https://github.com/SolaceLabs" target="_blank" rel="noopener noreferrer" class="footer__link-item">GitHub<svg width="13.5" height="13.5" aria-label="(opens in new tab)" class="iconExternalLink_nPIU"><use href="#theme-svg-external-link"></use></svg></a></li><li class="footer__item"><a href="https://www.youtube.com/SolaceSystems" target="_blank" rel="noopener noreferrer" class="footer__link-item">YouTube<svg width="13.5" height="13.5" aria-label="(opens in new tab)" class="iconExternalLink_nPIU"><use href="#theme-svg-external-link"></use></svg></a></li><li class="footer__item"><a href="https://twitter.com/solacedotcom" target="_blank" rel="noopener 
noreferrer" class="footer__link-item">X<svg width="13.5" height="13.5" aria-label="(opens in new tab)" class="iconExternalLink_nPIU"><use href="#theme-svg-external-link"></use></svg></a></li></ul></div></div><div class="footer__bottom text--center"><div class="margin-bottom--sm"><img src="/solace-agent-mesh/img/solace-logo.png" alt="Solace Logo" class="footer__logo themedComponent_mlkZ themedComponent--light_NVdE" width="10%" height="10%"><img src="/solace-agent-mesh/img/solace-logo.png" alt="Solace Logo" class="footer__logo themedComponent_mlkZ themedComponent--dark_xIcU" width="10%" height="10%"></div><div class="footer__copyright">Solace Agent Mesh. Copyright © 2026 Solace. Version: 1.13.2</div></div></div></footer></div>
439
+ </body>
440
+ </html>