Configuring OAuth settings
You can use OAuth 2.0/2.1 Authorization Code flow to enable delegated authentication for API or MCP tools. This lets agents act on behalf of users by prompting them to sign in and granting access to user-specific data. Refer to Identifying and adding capabilities to agents for more information.
When you interact with the agent, it will prompt you to sign in before it begins responding to your request. If there are multiple systems the agent needs access to, the agent will ask you to sign in to each system. You can click cancel and retry authorization. The authorization timeout is set to 10 minutes.
Important considerations
- PKCE (Proof Key for Code Exchange) is supported for enhanced security.
- Delegated authentication is only available in conversational agents. Agent step and agents using Structured mode are not supported since the flow requires a multi-turn conversation to authenticate.
Required setup
- Register your app with your identity provider (Salesforce, Google, Okta, AWS, etc.).
- Add the following callback/redirect URI in your provider's OAuth settings.
https://ai-agent-garden.datalake-prod.boomi.com/api/v1/oauth/callback
Configuring fields
| Setting | Description | Required? |
|---|---|---|
| Grant Type | Agentstudio only supports the Authorization Code grant type. | Required |
| Client ID | Enter the Client ID generated when you registered your app with your identity provider. For example, OAuth settings in Salesforce, Okta, or Google. | Required |
| Client Secret | Enter the Client Secret generated when you registered your app with your identity provider. For example, OAuth settings in Salesforce, Okta, or Google Console. | Required |
| Authorization Server URL | Enter the OAuth authorization URL given by your application, such as https://mcp.notion.com/authorize. | Required |
| Scopes | If you added scopes in your application's OAuth settings (which may be required by the application), you can further restrict those scopes here so that the agent only accesses some resources enabled by your OAuth credentials. This is useful when you are using the same OAuth settings for multiple agents and applications and you want to further restrict an agent to specific actions. To list the scopes, enter the scope from your OAuth settings followed by a space such as, api web. | Optional |
| Authorization Server request parameters | Enter any required or optional authorization request parameters for your application's authorization server. For example, an authorization server may offer request parameters, such as prompt with the option to use consent as the value to specify how the authorization server prompts the user for re-authentication and re-approval. Refer to your application's documentation for details. | Optional |
| Access token URL | Enter the OAuth token URL give by your application such as, https://mcp.notion.com/token. | Required |
| Access Token request parameters | Enter any token request parameters to specify information that is passed when an access token is requested by the system. For example, Salesforce allows a format parameter and xml value to specify that return format should be in XML. | Optional |
