This sample demonstrates how to use auth_config on a FunctionNode to require user authentication before the node runs.
When a node has auth_config, the workflow automatically:
- Pauses the node and emits an
adk_request_credentialFunctionCall event - The invocation ends — the node is marked as waiting
- The client sends a new request with the credential as a FunctionResponse
- The workflow stores the credential in session state and re-runs the node
The ADK web UI (adk web) handles step 3 automatically — it recognizes auth
requests and presents an auth dialog. If you use a custom client, you need to
handle the adk_request_credential FunctionCall and respond with the credential
yourself.
This sample uses API key authentication (the simplest credential type).
This sample uses a mock weather lookup. No external API key or server is needed. When the auth UI prompts for a key, you can enter any value (e.g., my-test-key-123).
Send any message (e.g., go) to start the workflow.
graph TD
START --> fetch_weather[fetch_weather <br/>pauses for auth on first run]
fetch_weather --> summarize
-
Define an
AuthConfigwith the auth scheme and credential type:from google.adk.auth.auth_tool import AuthConfig from google.adk.auth.auth_credential import AuthCredential, AuthCredentialTypes auth_config = AuthConfig( auth_scheme=APIKey(**{'in': APIKeyIn.header, 'name': 'X-Api-Key'}), raw_auth_credential=AuthCredential( auth_type=AuthCredentialTypes.API_KEY, api_key='placeholder', ), credential_key='weather_api_key', )
-
Use the
@nodedecorator withauth_configandrerun_on_resume=True:@node(auth_config=auth_config, rerun_on_resume=True) def fetch_weather(ctx: Context): ...
-
Inside the function, retrieve the credential from
ctx:def fetch_weather(ctx: Context): cred = ctx.get_auth_response(auth_config) api_key = cred.api_key # Use api_key to call your API...
The same auth_config pattern works with OAuth2 and OpenID Connect. The key
differences:
- Auth scheme: Use
OAuth2(fromfastapi.openapi.models) instead ofAPIKey. Configure the authorization and token URLs in the OAuth2 flows. - Raw credential: Set
auth_type=AuthCredentialTypes.OAUTH2and provideclient_id,client_secret, andredirect_uriin theoauth2field. - Web UI flow: The ADK web UI recognizes OAuth2 auth requests and opens
an authorization popup automatically. The user authenticates with the
provider, and the UI sends the full
AuthConfigresponse back. No special handling is needed in the node. - Token exchange: The framework automatically exchanges the authorization
code for an access token via
AuthHandler.exchange_auth_token().
from fastapi.openapi.models import OAuth2, OAuthFlowAuthorizationCode, OAuthFlows
auth_config = AuthConfig(
auth_scheme=OAuth2(
flows=OAuthFlows(
authorizationCode=OAuthFlowAuthorizationCode(
authorizationUrl='https://provider.com/authorize',
tokenUrl='https://provider.com/token',
scopes={'read': 'Read access'},
)
)
),
raw_auth_credential=AuthCredential(
auth_type=AuthCredentialTypes.OAUTH2,
oauth2=OAuth2Auth(
client_id='YOUR_CLIENT_ID',
client_secret='YOUR_CLIENT_SECRET',
redirect_uri='http://localhost:8000/callback',
),
),
credential_key='my_oauth_credential',
)