- Credentials are short-lived and scoped by capability.
- Issuance requires requester context.
- Sandbox receives scoped header injection, not raw long-lived tokens.
- Auth links are delivered privately to the requesting user.
- Token exchange occurs server-side.
- OAuth completion can resume the original request path.
- Never log raw token values.
- Never place secrets in skill files.
- Credential failures must surface clear operator-visible errors.
- credential_unavailable with OAuth required.
- stale/insufficient provider token access (401/403 post-issuance).
- provider misconfiguration (client ID/secret/redirect URL mismatch).
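
One way to turn the three failure cases above into operator-visible errors without logging raw token values. This is an added example, not code from the project: only `credential_unavailable` appears on the page, and the other error codes, function names, and sample provider strings are assumptions.

```python
import re

# Hypothetical sketch: only "credential_unavailable" comes from the page;
# the other codes, the function names and the sample strings are assumptions.
SECRET_RE = re.compile(r"(?i)\b(bearer\s+|access_token=|client_secret=)([^\s&\"']+)")
MISCONFIG_MARKERS = ("invalid_client", "redirect_uri_mismatch")


def redact(text):
    """Mask token-like values so raw secrets never reach logs or error text."""
    return SECRET_RE.sub(lambda m: m.group(1) + "[REDACTED]", text)


def classify_failure(has_provider_token, http_status=None, provider_error=""):
    """Map a credential failure to an operator-visible record (no raw tokens)."""
    detail = redact(provider_error)
    # Checked first (an ordering assumption): a misconfigured client can also
    # answer 401, and re-running OAuth would not fix it.
    if any(marker in provider_error for marker in MISCONFIG_MARKERS):
        code = "provider_misconfigured"
        message = "Provider rejected the client ID, secret or redirect URL."
    elif not has_provider_token:
        code = "credential_unavailable"
        message = "No usable provider token for this requester; OAuth required."
    elif http_status in (401, 403):
        code = "provider_token_rejected"
        message = ("Provider returned %d after issuance; the token is stale "
                   "or lacks the required access." % http_status)
    else:
        code = "credential_error"
        message = "Unclassified credential failure."
    return {"code": code, "message": message, "detail": detail}


if __name__ == "__main__":
    # Constructed sample inputs, not real provider responses.
    samples = [
        (False, None, ""),
        (True, 403, "insufficient_scope for Authorization: Bearer abc123.def"),
        (True, 401, "invalid_client: client_secret=s3cr3t rejected"),
    ]
    for args in samples:
        print(classify_failure(*args))
```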