Skip to main content
OAuth is an advanced room-secret workflow. Use it when a room service or participant needs MeshAgent to:
  • request a user OAuth token
  • store the resulting credential as a room secret
  • refresh that credential when possible
  • retrieve the latest valid token for offline use
If you just need to put an API key or token into a room service, start with Room Secrets instead.

Core OAuth methods

  • request_oauth_token: Request a token, or reuse/refresh one if a valid credential already exists
  • provide_oauth_authorization: Complete or reject the pending authorization request
  • get_offline_oauth_token: Retrieve the latest valid stored token for background use

How the OAuth flow works

  1. Your agent or service calls request_oauth_token.
  2. MeshAgent checks whether a valid credential already exists for that room and identity.
  3. If a credential is missing or expired, MeshAgent asks the target participant to authorize access.
  4. The client app completes the provider sign-in flow and calls provide_oauth_authorization.
  5. MeshAgent stores the resulting credential as a room secret and can later refresh or reuse it.

Permissions

OAuth uses the room-secrets system, but it has one extra permission layer. When a service or participant joins a room, it does so with a participant token that declares which APIs it may call. For OAuth, request_oauth_token and get_offline_oauth_token check the caller’s SecretsGrant, which acts as an allow-list of OAuth endpoints and client IDs.
  • If the runtime has not narrowed the grant, the default service path uses an empty SecretsGrant.
  • If you want to restrict which providers a service can use, add explicit OAuthEndpoint entries.
Provider and endpoint details change over time, so the examples here use placeholder domains rather than provider-specific URLs. 
from meshagent.api.participant_token import ApiScope, OAuthEndpoint, SecretsGrant

token.add_api_grant(
    ApiScope(
        secrets=SecretsGrant(
            request_oauth_token=[
                OAuthEndpoint(
                    endpoint="https://provider.example.com/oauth/*",
                    client_id="YOUR_CLIENT_ID",
                )
            ]
        )
    )
)
You can express the same restriction in a service manifest:
yaml
ports:
  - num: *
    type: meshagent.callable
    endpoints:
      - path: /my-agent
        identity: my-agent
        api:
          secrets:
            request_oauth_token:
              - endpoint: https://provider.example.com/oauth/*
                client_id: YOUR_CLIENT_ID
If a SecretsGrant exists but no entry matches the requested provider, MeshAgent rejects the OAuth request with a permission error. Other room-secret operations such as set_secret, get_secret, list_secrets, delete_secret, request_secret, and provide_secret are scoped by the caller identity and delegation fields rather than by OAuth endpoint allow-lists.