AgentConfig - auth passthrough between agents.

[johnkrzywanek]

Hi, hope that it's the right place to ask questions about this, but it's not clear from the Agent Config docs.

My goal is to have a root_agent and a few sub_agents, where those sub_agents will be connected to MCP servers ( ideally via ADK's included MCPToolkit).

An external client will send a prompt to the root_agent along with the Authorization: Bearer token in a header. I'd like for this auth token to be passed to sub_agents and then also passed through to the MCP server, which will use it to authorize to an upstream API.

Is something like this possible with the current Agent Config implementation? If so, how exactly should I configure this?

[adk-bot]

Response from ADK Answering Agent (experimental, answer may be inaccurate)

TLDR: Yes, it is possible to pass authentication tokens from a root_agent to sub_agents and then to an MCP server. You can achieve this by configuring the auth_scheme and auth_credential properties on your MCPToolset.

---

Hi @johnkrzywanek,

Thanks for your question. What you're describing is a common and supported pattern in ADK. Here’s a more detailed explanation of how you can achieve this:

Authentication in ADK

The ADK framework has a robust system for handling authentication. The two key components you'll be working with are AuthScheme and AuthCredential. You can configure these on your tools to handle various authentication methods, including OAuth 2.0, which seems relevant to your use case. You can find more details in the ADK Authentication Documentation.

Passing Authentication to MCP Tools

The MCPToolset is designed to work with the ADK's authentication framework. When you initialize an MCPToolset, you can pass auth_scheme and auth_credential objects to it. These are then passed down to the individual MCPTool instances.

Here is a conceptual example:

from google.adk.tools.auth_schemes import Oauth2
from google.adk.tools.credentials import UserCredential
from google.adk.tools.mcp_tool import MCPToolset

# Define the OAuth 2.0 scheme for your MCP server
# The authorization_url and token_url would be for your upstream API
oauth_scheme = Oauth2(
    authorization_url="https://your-auth-server.com/auth",
    token_url="https://your-auth-server.com/token",
    scopes=["your:scope"],
)

# Use UserCredential to indicate that the tool should use the user's identity
# The ADK will handle the flow of obtaining the token from the user
user_credential = UserCredential()

# Initialize your MCPToolset with the auth configuration
mcp_toolset = MCPToolset(
    # ... other parameters
    auth_scheme=oauth_scheme,
    auth_credential=user_credential,
)

# Your sub-agent would then use this toolset

Agent-to-Agent (A2A) Authentication

For a concrete example of how to handle authentication between agents, I highly recommend you look at the A2A OAuth Authentication Sample Agent. You can find it here: A2A Auth Sample README.

This sample demonstrates how a remote agent can surface an OAuth authentication request to a local agent, which then handles the user-interactive login flow. This is very similar to your scenario where the root_agent needs to provide the authentication for the sub_agent.

Putting It All Together

In your setup:

1. The root_agent would receive the initial request with the Authorization: Bearer <token> header.
2. You will need to have a mechanism to make this token available to the sub_agent's context. The A2A sample gives you a good pattern to follow.
3. The sub_agent's MCPToolset should be configured with the appropriate auth_scheme and auth_credential (as shown in the code snippet above).
4. When a tool in the MCPToolset is called, the ADK's authentication framework will be invoked. If you've correctly passed the token, it should be used to make the authenticated call to the MCP server.

For more details on MCP tools, you can refer to the MCP Tools Documentation.

I hope this helps you get started! Let us know if you have any more questions.

---

References:
[1] ADK Tools Authentication
[2] A2A OAuth Authentication Sample
[3] MCP Tools

[johnkrzywanek]

Sorry, it seems you did not get my question right, I'm asking about if it's possible in the codeless, YAML Agent Config part of the SDK, not the Python code.