oauth config on the tool. IMP handles the authorization-code flow including PKCE, token storage per user, and automatic retry after the user consents. Your execute function receives the access token as inputs.oauth.accessToken.
Prerequisites
- Completed Custom tools — you know how to build an
ExuluTool. - Read ExuluTool — configuration — the OAuth section explains
ExuluOauthConfig.
What IMP handles for you
Whenoauth is declared on a tool:
- Authorization URL construction — IMP builds the authorization URL from
authorizationUrl,clientId,scopes, andextraAuthParams, adding PKCE challenge parameters (code_challenge,code_challenge_method) whenpkce: true. - Token exchange — After the user completes the consent screen, the platform’s
/oauth/callbackroute receives the code and exchanges it for an access and refresh token usingtokenUrl,clientId, andclientSecret— server-side only. - Token storage — Tokens are stored per
(provider, userId)pair. Tools that share aproviderkey share the same token — one consent screen per provider per user. - Injection — On every authenticated tool call where a valid token exists, IMP injects
oauthintoinputsbefore callingexecute. - Authorization URL fallback — When no valid token exists for the calling user, IMP short-circuits
executeand returns an authorization URL. The agent surfaces this URL to the user (“Click here to connect your calendar”). After the user consents, IMP retries the original tool call with the fresh token.
inputs.oauth.accessToken.
What you will build
A calendar events tool that reads upcoming events from a generic OAuth-protected calendar API. The tool uses a standard authorization-code + PKCE flow.1
Register the OAuth app with your provider
Before writing code, create an OAuth 2.0 application in your calendar provider’s developer console:
- Redirect URI —
https://your-imp-backend.example.com/oauth/callback - Scopes — read-only calendar access (e.g.
calendar:readorhttps://provider.example.com/auth/calendar.readonly)
.env
2
Build the calendar events tool
src/tools/calendar-events.ts
oauth object injected into inputs has this shape:3
Understand the authorization URL fallback
When the agent calls
calendar_events for a user who has not yet authorized:- IMP checks its token store for a valid
(example_calendar, userId)token. - No token found — IMP builds the authorization URL and returns it as the tool result, skipping
execute. - The agent surfaces the URL to the user: “To list your calendar events, please authorize access: [link]”.
- The user clicks the link, completes the OAuth consent screen at the provider, and is redirected to
/oauth/callbackon your IMP server. - IMP exchanges the authorization code for tokens and stores them.
- On the next tool call (or when the agent retries), IMP finds the token and injects
oauth.accessTokenintoexecute.
4
Share tokens across tools
Multiple tools that access the same provider (for example, a Because both tools share
create_calendar_event tool alongside calendar_events) should share the same provider key so the user only goes through the consent screen once:provider: "example_calendar", a user who authorized calendarEventsTool already has a token for createCalendarEventTool.5
Register on the app
src/exulu.ts
CALENDAR_CLIENT_ID and CALENDAR_CLIENT_SECRET in your environment.What you built
- A calendar events tool with
ExuluOauthConfigthat handles the full authorization-code + PKCE flow. - An
executefunction that usesinputs.oauth.accessTokeninjected by the framework. - A shared
providerkey so multiple calendar tools reuse the same user token.
Next steps
ExuluTool — configuration
Full ExuluOauthConfig reference — every field and the injected ExuluOauthToolContext type.
Custom tools
Build tools without OAuth using Zod schemas and admin config params.
Tool approvals
How users see and approve tool calls in the chat interface.