> Allowing an execution environment to also access MCPs, tools, and user data requires careful design to where API keys are stored, and how tools are exposed.
If your tools are calling APIs on-behalf of users, it's better to use OAuth flows to enable users of the app to give explicit consent to the APIs/scopes they want the tools to access. That way, tools use scoped tokens to make calls instead of hard to manage, maintain API keys (or even client credentials).
If the apps the AI assistant is trying to connect to support OAuth 2.0, it's easy to setup a social connection (or a custom social connection) with Auth0 (Auth for GenAI). It allows you to connect to hundreds of API services, and configure the granularity of scopes you want to set at a per connection level.
Checkout the step-by-step quickstart [1] if you want to go through calling the Google Calendar API from an AI agent (Vercel AI SDK based in this case). There are also how-tos for other frameworks like LangGraph, GenKit, LlamaIndex, etc. Async authorization is also supported via CIBA (Client-Initiated Backchannel Authentication).
You can also secure remote MCP servers [1] with Auth0.