Security
Third-party SaaS OAuth for agents
The difficult part of connecting agents to third-party SaaS is not drawing an OAuth button. It is preserving user identity across consent, scopes, refresh rotation, revocation, permissions, and audit logs. Astrail keeps that lifecycle at the hosted MCP boundary so provider tokens never enter prompts or pass through from the caller.
Implementation
Path to ship.
Guide
Internal OBO and third-party SaaS are different problems
Inside one Microsoft Entra tenant, an MCP resource server can validate a user token minted for its own audience and exchange it on-behalf-of for a downstream internal API. Keep that audience validation and OBO exchange in the identity layer that owns those app registrations.
Slack, Google, GitHub, Stripe, HubSpot, and other third-party systems do not accept your internal OBO chain. They require separate provider consent and per-user grants. That cross-provider lifecycle is the problem Astrail is designed to operate.
Guide
No token passthrough
The agent authenticates to Astrail with an Astrail API key scoped to an end user and actor role. Astrail rejects mismatched identity headers, requires that user's matching provider grant, and injects that decrypted token for the mapped upstream request. End-user OAuth calls never fall back to a workspace-wide provider identity.
A client-provided bearer token is never forwarded to a provider. This prevents one caller token from silently becoming every downstream identity and keeps provider credentials out of model context, browser storage, and logs.
Guide
Provider boundaries are explicit
Astrail derives OAuth authorization and token endpoints from the imported API contract and binds every grant to a fingerprint of that scheme, those endpoints, and the upstream API origin. Changing the provider or API origin requires a new connection instead of silently reusing an old token.
Known SaaS providers enforce approved OAuth hosts. For custom providers, the dashboard shows the exact authorization, token, and API origins and requires an explicit trust confirmation before Astrail accepts a client secret or starts consent.
Guide
Scopes fail closed
Generated tools preserve operation-level OAuth scope requirements from the API contract. Before execution, Astrail compares those requirements with the scopes recorded on the selected end-user grant.
If no allowed OAuth alternative is satisfied, the provider token is withheld and the tool returns oauth_insufficient_scope with required_scopes and missing_scopes. The user can reconnect with the smallest additional consent needed instead of granting broad access by default.
FAQ
Common questions.
Should the agent hold the provider token?
No. The agent should authenticate to the MCP boundary. Astrail keeps the provider token encrypted server-side and injects it only for the selected upstream request.
Does Astrail replace Entra on-behalf-of exchange?
No. OBO is a strong fit for same-tenant internal APIs. Astrail focuses on third-party SaaS where each provider requires its own consent, token lifecycle, scopes, and revocation behavior.
What happens when the user did not grant a required scope?
Astrail withholds the token and returns oauth_insufficient_scope with the missing scope names before any provider request executes.