In addition to API key authentication, the agent supports OAuth 2.0 Authorization Code Grant Flow for integration with Google's Gemini Enterprise platform via Google Cloud Marketplace.
How It Works
When a customer purchases the SaaS Research Agent on Google Cloud Marketplace and adds it to their Gemini Enterprise instance, the following happens automatically:
1. Gemini Enterprise reads the agent card and discovers the DCR (Dynamic Client Registration) extension.
2. Gemini Enterprise calls the DCR endpoint with a Google-signed JWT.
3. The agent validates the JWT and returns OAuth 2.0 client credentials.
4. Gemini Enterprise uses these credentials for the OAuth 2.0 Authorization Code flow.
5. On each agent invocation, Gemini Enterprise passes an access token and a signed software_statement.
Agent Card Security Configuration
The agent card declares both authentication methods (OAuth 2.0 and API key) as alternatives:
{
  "security_schemes": {
    "google_oauth": {
      "type": "oauth2",
      "description": "Google OAuth 2.0 Authorization Code flow for Gemini Enterprise",
      "flows": {
        "authorizationCode": {
          "authorizationUrl": "https://accounts.google.com/o/oauth2/v2/auth",
          "tokenUrl": "https://oauth2.googleapis.com/token",
          "scopes": {
            "profile": "User profile information",
            "email": "User email address"
          }
        }
      }
    },
    "api_key": {
      "type": "apiKey",
      "description": "API key authentication via x-api-key header",
      "name": "x-api-key",
      "in": "header"
    }
  },
  "security": [
    {"google_oauth": ["profile", "email"]},
    {"api_key": []}
  ]
}
The security array uses logical OR: clients can authenticate with either OAuth 2.0 or an API key.
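The OR semantics described above can be enforced server-side as in the following added example, which is not the agent's own code. The function name `satisfied_requirement`, the shape of the `verified` mapping (scheme name to granted scopes, produced by token and key checks done upstream), and the fail-closed handling of an empty requirement object are assumptions.

```python
# Added example: evaluate an agent card's "security" array against credentials
# that were already verified upstream (token signature/expiry, API key lookup).
AGENT_CARD = {
    "security_schemes": {
        "google_oauth": {"type": "oauth2"},   # trimmed to the fields used here
        "api_key": {"type": "apiKey", "name": "x-api-key", "in": "header"},
    },
    "security": [{"google_oauth": ["profile", "email"]}, {"api_key": []}],
}


def satisfied_requirement(card, verified):
    """Return the first requirement object satisfied by `verified`, else None.

    `verified` maps scheme name -> set of granted scopes (empty set for an
    API key). Entries of the array are alternatives (OR); every scheme inside
    one entry must be present with all listed scopes (AND).
    """
    schemes = card.get("security_schemes", {})
    for requirement in card.get("security", []):
        # Fail closed: an empty object would otherwise match every request
        # (assumed hardening choice, not stated on the page).
        if not requirement:
            continue
        ok = True
        for name, scopes in requirement.items():
            if name not in schemes:            # undeclared scheme: never satisfied
                ok = False
            elif name not in verified:         # credential absent or failed checks
                ok = False
            elif not set(scopes) <= set(verified[name]):
                ok = False                     # token lacks a required scope
        if ok:
            return requirement
    return None


# Constructed sample credentials, as an upstream verifier might report them.
OAUTH_FULL = {"google_oauth": {"profile", "email"}}
OAUTH_PARTIAL = {"google_oauth": {"email"}}       # missing "profile"
API_KEY_ONLY = {"api_key": set()}

if __name__ == "__main__":
    for label, creds in [("oauth", OAUTH_FULL), ("partial", OAUTH_PARTIAL),
                         ("key", API_KEY_ONLY), ("none", {})]:
        print(label, "->", satisfied_requirement(AGENT_CARD, creds))
```

A token that carries only some of the listed scopes does not satisfy the OAuth alternative, so such a request is accepted only if it also presents a valid API key.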