Agent Auth - Quickstart Guide

Get started with Agent Auth in minutes. Learn how to create your first connection, authenticate users, and execute tools.

Agent Auth will help enable your AI Agents to take actions in real world applications on behalf of your users. Scalekit automatically handles authorizing your users to grant access to third party applications like Gmail, Calendar, Slack, Notion etc and using our pre-built connectors, lets your AI Agent execute actions like fetching emails, creating calendar events, updating notion pages, sending alerts via Slack etc.

This quickstart guide will show you how to get started with Agent Auth in just a few minutes. You’ll learn how to set up connections, authenticate users, and fetch tokens for your users

What you’ll build

In this quickstart, you’ll build a simple tool calling program that:

Authenticates a user with GMail to authenticate their Gmail account via OAuth 2.0
Fetches last 5 unread emails from the user’s inbox

Prerequisites

Before you start, make sure you have:

Scalekit API credentials (Client ID and Client Secret)
Development environment (Node.js, Python, or similar)

Step 1: Set up your environment

First, install the Scalekit Python SDK and initialize the client with your API credentials: Get Your credentials from Scalekit dashboard at app.scalekit.com Developers-> Settings -> API Credentials

Python
Node.js

pip install scalekit-sdk-python

npm install @scalekit-sdk/node@2.2.0-beta.1

Python
Node.js

import scalekit.client
import os
from dotenv import load_dotenv
load_dotenv()

scalekit = scalekit.client.ScalekitClient(
    client_id=os.getenv("SCALEKIT_CLIENT_ID"),
    client_secret=os.getenv("SCALEKIT_CLIENT_SECRET"),
    env_url=os.getenv("SCALEKIT_ENV_URL"),
)
actions = scalekit.actions

import { ScalekitClient } from '@scalekit-sdk/node';
import 'dotenv/config';

const scalekitClient = new ScalekitClient(
  process.env.SCALEKIT_ENV_URL,
  process.env.SCALEKIT_CLIENT_ID,
  process.env.SCALEKIT_CLIENT_SECRET
);

const { connectedAccounts, tools } = scalekitClient;

Step 2: Create a connected account

Let’s authorize a user to access their Gmail account by creating a connected account. This represents the user’s connection to their Gmail account:

Python
Node.js

1
# Create a connected account for user if it doesn't exist already
2
response = actions.get_or_create_connected_account(
3
    connection_name="gmail",
4
    identifier="user_123" #unique identifier for your connected account. can be replaced with your system's user ID
5
)
6
connected_account = response.connected_account
7
print(f'Connected account created: {connected_account.id}')

1
// Create a connected account for user if it doesn't exist already
2
const response = await connectedAccounts.getOrCreateConnectedAccount({
3
  connector: 'gmail',
4
  identifier: 'user_123', // unique identifier for your connected account. can be replaced with your system's user ID
5
});
6

7
const connectedAccount = response.connectedAccount;
8
console.log('Connected account created:', connectedAccount?.id);

Step 3: Authenticate the user

Inorder to execute any tools on behalf of the user, the user first needs to grant authorization to access their gmail account. Scalekit automatically handles the entire OAuth workflow with the Gmail provider, gets the access token, refreshes the access token periodically based on the refresh token etc.

If the user’s access token is expired, Scalekit will automatically refresh the access token using the refresh token. At any time, you can check the authorization status of the connected account and determine if the user needs to re-authorize the connection.

Python
Node.js

1
# If the user hasn't yet authorized the gmail connection or if the user's access token is expired, generate a link for them to authorize the connection
2
if(connected_account.status != "ACTIVE"):
3
      print(f"gmail is not connected: {connected_account.status}")
4
      link_response = actions.get_authorization_link(
5
          connection_name="gmail",
6
          identifier="user_123"
7
      )
8
      print(f"🔗click on the link to authorize gmail", link_response.link)
9
      input(f"⎆ Press Enter after authorizing gmail...")
10

11
# In a real app, redirect the user to this URL so that the user can complete the authentication process for their gmail account

1
// If the user hasn't yet authorized the gmail connection or if the user's access token is expired, generate a link for them to authorize the connection
2
if (connectedAccount?.status !== 'ACTIVE') {
3
  console.log('gmail is not connected:', connectedAccount?.status);
4
  const linkResponse = await connectedAccounts.getMagicLinkForConnectedAccount({
5
    connector: 'gmail',
6
    identifier: 'user_123',
7
  });
8
  console.log('🔗 click on the link to authorize gmail', linkResponse.link);
9
  // In a real app, redirect the user to this URL so that the user can complete the authentication process for their gmail account
10
}

Step 4: Fetch oauth tokens for your user

Now that the user has successfully authorized the gmail connection, You can fetch the latest access token and refresh token for the user’s connected account anytime you want. scalekit will keep the token refreshed periodically so that you always have the latest valid access token to make API calls on behalf of the user.

Python
Node.js

1
# Fetch recent emails
2
response = actions.get_connected_account(
3
        connection_name="gmail",
4
        identifier="user_123"
5
)
6

7
connected_account = response.connected_account
8

9
tokens = connected_account.authorization_details["oauth_token"]
10
access_token = tokens["access_token"]
11
refresh_token = tokens["refresh_token"]
12

13
print("access token:",access_token)
14
print("refresh token:",refresh_token)

1
const accountResponse = await connectedAccounts.getConnectedAccountByIdentifier({
2
  connector: 'gmail',
3
  identifier: 'user@example.com',
4
});
5

6
const authDetails = accountResponse?.connectedAccount?.authorizationDetails;
7
const accessToken = (authDetails && authDetails.details?.case === "oauthToken")
8
  ? authDetails.details.value?.accessToken
9
  : undefined;
10
const refreshToken = (authDetails && authDetails.details?.case === "oauthToken")
11
  ? authDetails.details.value?.refreshToken
12
  : undefined;
13

14
console.log('Connected account:', accountResponse);
15
console.log('accessToken:', accessToken);
16
console.log('refreshToken:', refreshToken);

Step 5: Call the Google Gmail API to fetch last 5 unread emails

Now that the user is authenticated and you have the access token, you can execute the Gmail API to fetch the last 5 unread emails from the user’s inbox. Below example directly calls the Gmail API. but use the gmail SDK or any other HTTP client of your choice to make the API calls.

Python
Node.js

1
# Fetch 5 unread emails using Gmail API
2
headers = {
3
    "Authorization": f"Bearer {access_token}", #use the access token obtained above
4
}
5

6
list_url = "https://gmail.googleapis.com/gmail/v1/users/me/messages"
7
params = {
8
    "q": "is:unread",
9
    "maxResults": 5,
10
}
11

12
list_response = requests.get(list_url, headers=headers, params=params)
13
messages = list_response.json().get("messages", [])
14

15
print(f"\nFound {len(messages)} unread emails:\n")
16

17
#fetch details for each email and print them
18
for msg in messages:
19
    msg_url = f"{list_url}/{msg['id']}"
20
    msg_response = requests.get(msg_url, headers=headers, params={"format": "metadata", "metadataHeaders": ["From", "Subject", "Date"]})
21
    msg_data = msg_response.json()
22

23
    headers_list = msg_data.get("payload", {}).get("headers", [])
24
    subject = next((h["value"] for h in headers_list if h["name"] == "Subject"), "No Subject")
25
    sender = next((h["value"] for h in headers_list if h["name"] == "From"), "Unknown")
26
    date = next((h["value"] for h in headers_list if h["name"] == "Date"), "Unknown")
27

28
    print(f"From: {sender}")
29
    print(f"Subject: {subject}")
30
    print(f"Date: {date}")
31
    print(f"Snippet: {msg_data.get('snippet', '')}")
32
    print("-" * 50)

1
// Fetch 5 unread emails using Gmail API
2
const listUrl = 'https://gmail.googleapis.com/gmail/v1/users/me/messages';
3
const params = new URLSearchParams({ q: 'is:unread', maxResults: '5' });
4

5
const listResponse = await fetch(`${listUrl}?${params}`, {
6
  headers: { Authorization: `Bearer ${accessToken}` }, // use the access token obtained above
7
});
8
const listData = await listResponse.json();
9
const messages = listData.messages ?? [];
10

11
console.log(`\nFound ${messages.length} unread emails:\n`);
12

13
// fetch details for each email and print them
14
for (const msg of messages) {
15
  const msgResponse = await fetch(
16
    `${listUrl}/${msg.id}?format=metadata&metadataHeaders=From&metadataHeaders=Subject&metadataHeaders=Date`,
17
    { headers: { Authorization: `Bearer ${accessToken}` } }
18
  );
19
  const msgData = await msgResponse.json();
20

21
  const headersList = msgData.payload?.headers ?? [];
22
  const subject = headersList.find((h) => h.name === 'Subject')?.value ?? 'No Subject';
23
  const sender = headersList.find((h) => h.name === 'From')?.value ?? 'Unknown';
24
  const date = headersList.find((h) => h.name === 'Date')?.value ?? 'Unknown';
25

26
  console.log(`From: ${sender}`);
27
  console.log(`Subject: ${subject}`);
28
  console.log(`Date: ${date}`);
29
  console.log(`Snippet: ${msgData.snippet ?? ''}`);
30
  console.log('-'.repeat(50));
31
}

Congratulations!

Congratulations! You’ve successfully implemented a program that executes API on behalf of a user using Agent Auth. This can be extended to any number of connections and scalekit will handle the authentication and token management for you.