Skip to main content
When a tool needs to act on behalf of the signed-in user — reading their calendar, sending email from their account, or accessing a SaaS workspace — declare an oauth config on the tool. IMP handles the authorization-code flow including PKCE, token storage per user, and automatic retry after the user consents. Your execute function receives the access token as inputs.oauth.accessToken.

Prerequisites

What IMP handles for you

When oauth is declared on a tool:
  1. Authorization URL construction — IMP builds the authorization URL from authorizationUrl, clientId, scopes, and extraAuthParams, adding PKCE challenge parameters (code_challenge, code_challenge_method) when pkce: true.
  2. Token exchange — After the user completes the consent screen, the platform’s /oauth/callback route receives the code and exchanges it for an access and refresh token using tokenUrl, clientId, and clientSecret — server-side only.
  3. Token storage — Tokens are stored per (provider, userId) pair. Tools that share a provider key share the same token — one consent screen per provider per user.
  4. Injection — On every authenticated tool call where a valid token exists, IMP injects oauth into inputs before calling execute.
  5. Authorization URL fallback — When no valid token exists for the calling user, IMP short-circuits execute and returns an authorization URL. The agent surfaces this URL to the user (“Click here to connect your calendar”). After the user consents, IMP retries the original tool call with the fresh token.
Your code only needs to declare the OAuth config and use inputs.oauth.accessToken.

What you will build

A calendar events tool that reads upcoming events from a generic OAuth-protected calendar API. The tool uses a standard authorization-code + PKCE flow.
1

Register the OAuth app with your provider

Before writing code, create an OAuth 2.0 application in your calendar provider’s developer console:
  • Redirect URIhttps://your-imp-backend.example.com/oauth/callback
  • Scopes — read-only calendar access (e.g. calendar:read or https://provider.example.com/auth/calendar.readonly)
Note the Client ID and Client Secret. Store them as environment variables:
.env
2

Build the calendar events tool

src/tools/calendar-events.ts
The oauth object injected into inputs has this shape:
3

Understand the authorization URL fallback

When the agent calls calendar_events for a user who has not yet authorized:
  1. IMP checks its token store for a valid (example_calendar, userId) token.
  2. No token found — IMP builds the authorization URL and returns it as the tool result, skipping execute.
  3. The agent surfaces the URL to the user: “To list your calendar events, please authorize access: [link]”.
  4. The user clicks the link, completes the OAuth consent screen at the provider, and is redirected to /oauth/callback on your IMP server.
  5. IMP exchanges the authorization code for tokens and stores them.
  6. On the next tool call (or when the agent retries), IMP finds the token and injects oauth.accessToken into execute.
You do not need to handle this fallback in your code — IMP manages it entirely.
4

Share tokens across tools

Multiple tools that access the same provider (for example, a create_calendar_event tool alongside calendar_events) should share the same provider key so the user only goes through the consent screen once:
Because both tools share provider: "example_calendar", a user who authorized calendarEventsTool already has a token for createCalendarEventTool.
When tools share a provider, they also share the same token. Make sure the combined scopes of all tools using the provider are requested during the initial authorization. If a tool needs an additional scope that was not in the original consent, the user will need to re-authorize.
5

Register on the app

src/exulu.ts
Enable the tools in the agent workbench and set any config params. The OAuth flow is handled transparently — no additional server configuration is needed beyond setting CALENDAR_CLIENT_ID and CALENDAR_CLIENT_SECRET in your environment.

What you built

  • A calendar events tool with ExuluOauthConfig that handles the full authorization-code + PKCE flow.
  • An execute function that uses inputs.oauth.accessToken injected by the framework.
  • A shared provider key so multiple calendar tools reuse the same user token.

Next steps

ExuluTool — configuration

Full ExuluOauthConfig reference — every field and the injected ExuluOauthToolContext type.

Custom tools

Build tools without OAuth using Zod schemas and admin config params.

Tool approvals

How users see and approve tool calls in the chat interface.