OAuth Authentication

Agent Explorer supports OAuth 2.0 for communicating with agents that require authentication.

When Authentication is Required

Agents may require authentication when:

  • The AgentCard specifies an authentication object with schemes
  • API calls return 401 Unauthorized
  • The agent requires a user identity token

Supported Flows

  Flow                 Use Case
  authorization_code   Standard web app flow with user consent
  client_credentials   Server-to-server (no user involved)
  implicit             Legacy browser-based flow
  password             Direct username/password grant

Configuration

In the project Settings tab, configure OAuth:

  1. Select the OAuth flow type
  2. Enter Client ID and Client Secret
  3. Enter the Authorization URL and Token URL
  4. Specify required Scopes (space-separated)
  5. Save the configuration

Authorization Code Flow

  1. Agent Explorer redirects to the authorization server
  2. User grants permission
  3. Agent Explorer receives an authorization code via callback
  4. Code is exchanged for access and refresh tokens
  5. Tokens are used automatically for all API calls
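The five steps above, together with the state-parameter CSRF check listed under Security, as an added worked example (not Agent Explorer's own code). The client and the in-memory authorization server are both constructed for this example; the hosts, client id, secret and scopes in CONFIG are placeholders, and `token_endpoint` is a plain callable standing in for the HTTPS POST to the Token URL.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample settings mirroring the Settings tab fields; hosts and secret are placeholders.
CONFIG = {
    "client_id": "explorer-client",
    "client_secret": "placeholder-secret",
    "authorization_url": "https://auth.example.test/authorize",
    "token_url": "https://auth.example.test/token",
    "redirect_uri": "https://explorer.example.test/oauth/callback",
    "scopes": "agent:read agent:invoke",  # space-separated, as entered in Settings
}


class OAuthClient:
    """Client side of the authorization code flow; the state parameter is the CSRF check."""

    def __init__(self, config):
        self.config = config
        self.pending_states = set()  # states we issued and have not yet consumed

    def build_authorization_url(self):
        # Step 1: the redirect to the authorization server carries a fresh, unguessable state.
        state = secrets.token_urlsafe(32)
        self.pending_states.add(state)
        params = {
            "response_type": "code",
            "client_id": self.config["client_id"],
            "redirect_uri": self.config["redirect_uri"],
            "scope": self.config["scopes"],
            "state": state,
        }
        return f"{self.config['authorization_url']}?{urlencode(params)}"

    def handle_callback(self, callback_url, token_endpoint):
        # Step 3: verify the state before the code is used for anything.
        query = parse_qs(urlparse(callback_url).query)
        state = query.get("state", [None])[0]
        code = query.get("code", [None])[0]
        if state is None or state not in self.pending_states:
            raise ValueError("state mismatch: callback rejected")
        self.pending_states.discard(state)  # each state is single-use
        if code is None:
            raise ValueError("callback carried no authorization code")
        # Step 4: exchange the code; token_endpoint stands in for the HTTPS POST to token_url.
        return token_endpoint(
            grant_type="authorization_code",
            code=code,
            redirect_uri=self.config["redirect_uri"],
            client_id=self.config["client_id"],
            client_secret=self.config["client_secret"],
        )


class StubAuthorizationServer:
    """In-memory stand-in for the authorization and token endpoints (constructed for this example)."""

    def __init__(self, config):
        self.config = config
        self.codes = {}  # issued code -> granted scope

    def authorize(self, authorization_url):
        # Step 2: the user grants permission; the server redirects back with a code and the same state.
        query = parse_qs(urlparse(authorization_url).query)
        if query["client_id"][0] != self.config["client_id"]:
            raise ValueError("unknown client")
        code = secrets.token_urlsafe(16)
        self.codes[code] = query["scope"][0]
        return f"{query['redirect_uri'][0]}?{urlencode({'code': code, 'state': query['state'][0]})}"

    def token(self, **form):
        if form.get("grant_type") != "authorization_code":
            raise ValueError("unsupported_grant_type")
        expected = (self.config["client_id"], self.config["client_secret"])
        if (form.get("client_id"), form.get("client_secret")) != expected:
            raise ValueError("invalid_client")
        scope = self.codes.pop(form.get("code"), None)  # a code may be exchanged only once
        if scope is None:
            raise ValueError("invalid_grant")
        return {"access_token": secrets.token_urlsafe(24), "refresh_token": secrets.token_urlsafe(24),
                "token_type": "Bearer", "expires_in": 3600, "scope": scope}


def run_flow(client, server):
    """Steps 1 to 4 end to end; returns the token response the client would store."""
    auth_url = client.build_authorization_url()
    callback_url = server.authorize(auth_url)
    return client.handle_callback(callback_url, server.token)


def forged_callback_is_rejected(client, server):
    """A callback carrying a state this client never issued must not reach the token endpoint."""
    client.build_authorization_url()  # a legitimate flow is in progress
    forged = f"{client.config['redirect_uri']}?code=injected-code&state=not-issued-by-us"
    try:
        client.handle_callback(forged, server.token)
    except ValueError:
        return True
    return False
```

`run_flow(OAuthClient(CONFIG), StubAuthorizationServer(CONFIG))` returns a token response with the granted scope; `forged_callback_is_rejected` shows why the state check sits before the code exchange: a callback whose state was not issued by this client never reaches the token endpoint, and the server-side code store makes each code single-use.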

Token Management

Agent Explorer handles the full token lifecycle:

  • Secure Storage — Tokens encrypted with AES-256-GCM before database storage
  • Automatic Refresh — Expired tokens are refreshed automatically using the refresh token
  • Revocation — Tokens can be revoked from the Settings tab

Authentication Status

The project header displays the current OAuth state:

  • Authenticated — Valid token is present
  • Not Authenticated — No token, or the token has expired and no refresh token is available
  • Auth Required — Agent requires authentication to proceed
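Token Management and Authentication Status above describe one lifecycle: a stored token is refreshed automatically when it expires, can be revoked, and the header state follows from what is stored. The following added example (not Agent Explorer's own code) models that lifecycle with an injectable clock so the expiry can be exercised without waiting. The `TokenManager`, the `StubTokenEndpoint` standing in for the Token URL's refresh grant, and the exact rule mapping token state to the three header labels are assumptions of this example; the at-rest AES-256-GCM encryption is taken to live in the storage layer beneath it and is not shown.

```python
import time
from dataclasses import dataclass
from typing import Optional

AUTHENTICATED = "Authenticated"
NOT_AUTHENTICATED = "Not Authenticated"
AUTH_REQUIRED = "Auth Required"


@dataclass
class StoredToken:
    access_token: str
    refresh_token: Optional[str]
    expires_at: float  # unix time; at-rest encryption is assumed to live in the storage layer below


class TokenManager:
    """One token set, refreshed before use; refresh_endpoint stands in for the POST to the Token URL."""

    def __init__(self, refresh_endpoint, clock=time.time, skew=30):
        self.refresh_endpoint = refresh_endpoint
        self.clock = clock  # injectable so the example can move time without sleeping
        self.skew = skew  # count a token as expired this many seconds early so it never dies mid-request
        self.token = None

    def store(self, token_response):
        previous_refresh = self.token.refresh_token if self.token else None
        self.token = StoredToken(
            access_token=token_response["access_token"],
            # a refresh response need not rotate the refresh token; keep the old one if none is sent
            refresh_token=token_response.get("refresh_token", previous_refresh),
            expires_at=self.clock() + token_response["expires_in"],
        )

    def is_expired(self):
        return self.token is None or self.clock() >= self.token.expires_at - self.skew

    def status(self, agent_requires_auth):
        # Assumed mapping: valid or refreshable -> Authenticated; else Auth Required if the agent demands it
        if self.token is not None and (not self.is_expired() or self.token.refresh_token):
            return AUTHENTICATED
        return AUTH_REQUIRED if agent_requires_auth else NOT_AUTHENTICATED

    def access_token(self):
        """Return a bearer token for an API call, refreshing automatically when it has expired."""
        if self.token is None:
            raise PermissionError(AUTH_REQUIRED)
        if self.is_expired():
            if not self.token.refresh_token:
                raise PermissionError(NOT_AUTHENTICATED)
            self.store(self.refresh_endpoint(grant_type="refresh_token", refresh_token=self.token.refresh_token))
        return self.token.access_token

    def revoke(self):
        self.token = None  # Settings-tab revocation: the next call must re-authenticate


class StubTokenEndpoint:
    """Constructed stand-in for the refresh_token grant; rotates the refresh token on every use."""

    def __init__(self, initial_refresh_token):
        self.valid_refresh_tokens = {initial_refresh_token}
        self.issued = 1

    def __call__(self, grant_type, refresh_token):
        if grant_type != "refresh_token" or refresh_token not in self.valid_refresh_tokens:
            raise PermissionError("invalid_grant")
        self.valid_refresh_tokens.discard(refresh_token)  # the old refresh token is now worthless
        self.issued += 1
        new_refresh = f"rt-{self.issued}"
        self.valid_refresh_tokens.add(new_refresh)
        return {"access_token": f"at-{self.issued}", "refresh_token": new_refresh, "expires_in": 3600}


def simulate_lifecycle():
    """Walk through the header states and the automatic refresh with a movable clock."""
    now = [1_000_000.0]
    manager = TokenManager(StubTokenEndpoint("rt-1"), clock=lambda: now[0])
    events = [manager.status(agent_requires_auth=True)]            # no token yet
    manager.store({"access_token": "at-1", "refresh_token": "rt-1", "expires_in": 3600})
    events.append((manager.status(True), manager.access_token()))  # fresh token used as-is
    now[0] += 3600                                                 # past expiry
    events.append((manager.status(True), manager.access_token()))  # refreshed transparently
    manager.revoke()
    events.append(manager.status(agent_requires_auth=False))       # revoked; agent does not demand auth
    return events


def expired_without_refresh_is_rejected():
    now = [1_000_000.0]
    manager = TokenManager(StubTokenEndpoint("unused"), clock=lambda: now[0])
    manager.store({"access_token": "at-1", "expires_in": 60})
    now[0] += 60
    try:
        manager.access_token()
    except PermissionError as exc:
        return str(exc) == NOT_AUTHENTICATED
    return False
```

`simulate_lifecycle()` returns the header label seen at each stage and the access token actually sent, showing that the refresh happens inside `access_token()` rather than in the caller; the small expiry skew is the detail worth copying, since a token that is valid when checked but expired when the request lands produces exactly the 401 that triggers the Auth Required state.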

Security

  • OAuth client secrets are encrypted with AES-256-GCM before storage
  • CSRF protection via state parameter on authorization code flows
  • Use HTTPS in production
  • Request minimal scopes necessary for your use case