OAuth Handled Automatically

Every team building AI agents hits the same wall: OAuth. You need to handle authorization codes, exchange them for tokens, store them securely, refresh them before they expire, and rotate credentials when things go wrong.

With Hexel Tool Gateway, your agent code never touches any of this. Here's how it works:

Hierarchical Auth Configs

Auth configurations cascade from platform defaults down to workspace-level overrides. A customer can bring their own OAuth app credentials at the org level — no infrastructure changes needed.

Encrypted Credential Storage

All tokens are encrypted at rest using AES-256. Only the Auth service holds the ENCRYPTION_MASTER_KEY. The Execution service receives decrypted credentials just-in-time for each call.

Per-Agent Credential Pinning

Using agent_tool_bindings, you can scope which credentials each agent uses. Agent A calls Salesforce with one set of credentials, Agent B uses different ones — all through the same gateway endpoint.

Auto-Refresh

When a token approaches expiry, the gateway automatically refreshes it using the stored refresh_token. Your agent never sees a 401. If refresh fails, the gateway surfaces a clear "credentials expired" status in the execution response — no silent failures.

What this means for your codebase:

Before: 80-120 lines of OAuth plumbing per integration (token storage, refresh logic, error handling, retry on 401).

After: Zero lines. You call `client.execute("TOOL_SLUG", input={...})` and credentials are resolved, decrypted, and injected automatically.