AgentVault Server SDK - OAuth2 Agent Example¶
This example demonstrates how to build an A2A agent that requires OAuth2 Client Credentials authentication using the agentvault-server-sdk and FastAPI.
Components¶
.env.example: Example environment variables for setting the mock Client ID and Secret the server will accept.agent-card.json: Describes the agent, specifying theoauth2auth scheme and the/tokenendpoint URL.requirements.txt: Python dependencies (fastapi,uvicorn,agentvault-server-sdk,python-dotenv).src/oauth_agent_example/agent.py: Defines the simpleOAuthProtectedAgentlogic.src/oauth_agent_example/main.py:- Sets up the FastAPI application.
- Includes the SDK's A2A router at
/a2a. - Adds a custom
POST /tokenendpoint to handle the OAuth2 Client Credentials grant flow, validating against environment variables. - Adds a FastAPI dependency (
verify_token) usingHTTPBearerto protect the/a2arouter, ensuring requests have a valid mock Bearer token obtained from/token. - Includes the required SDK exception handlers.
Setup¶
- Navigate: Open your terminal in this directory (
examples/oauth_agent_example). - Install Dependencies: Create and activate a virtual environment, then install the requirements. Note: This installs the SDK and core library from your local source tree.
- Configure Server Credentials:
- Copy
.env.exampleto.env. - Review the
MOCK_CLIENT_IDandMOCK_CLIENT_SECRETin.env. These are the credentials the server will expect the client to provide to the/tokenendpoint. You can change them if desired.
- Copy
Running the Server¶
Start the FastAPI server using Uvicorn. It will load the credentials from the .env file.
--reload: Enables auto-reloading for development.
* --port 8002: Specifies the port (matches agent-card.json).
The server should start, hosting the /a2a endpoint and the /token endpoint.
Configuring Client Credentials¶
Before you can interact with this agent using agentvault_cli, you need to configure the client-side credentials that match the ones the server expects.
- Open a NEW terminal window/tab (keep the server running).
- Activate the AgentVault virtual environment if you haven't already (
source .venv/bin/activateor similar). -
Use
agentvault config set: Use theservice_identifierfromagent-card.json(example-oauth-agent) and the--oauth-configureflag. Enter the same Client ID and Secret that are defined in the server's.envfile when prompted.agentvault config set example-oauth-agent --oauth-configure # --> Enter OAuth Client ID for 'example-oauth-agent': test-client-id-123 # --> Enter OAuth Client Secret for 'example-oauth-agent': ************************ # --> Confirm OAuth Client Secret for 'example-oauth-agent': ************************ # SUCCESS: OAuth credentials for 'example-oauth-agent' stored successfully in keyring.
Testing with AgentVault CLI¶
Now that the server is running and client credentials are configured, you can test the interaction:
Expected Behavior:
- The
agentvaultclient library (used by the CLI) will load the agent card. - It sees the
oauth2scheme and thetokenUrl. - It uses the
KeyManagerto retrieve the Client ID/Secret you configured forexample-oauth-agent. - It makes a
POSTrequest tohttp://localhost:8002/tokenwith the credentials. - The server's
/tokenendpoint validates the credentials against the.envfile and returns a mock access token. - The client library receives the token.
- It makes the
POSTrequest tohttp://localhost:8002/a2afor thetasks/sendmethod, including theAuthorization: Bearer <mock_access_token>header. - The server's
verify_tokendependency validates the token. - The SDK router calls the agent's
handle_task_sendmethod. - The agent starts the task and sends back SSE events confirming authentication worked.
You should see output similar to the Basic Echo example, but the underlying process involves the OAuth token exchange. If authentication fails (e.g., wrong client credentials configured), the run command will report an authentication error.