Integrating OAuth into Gram Functions is a simple process.

Accessing the token

const gram = new Gram({
  envSchema: {
    GOOGLE_ACCESS_TOKEN: z.string().describe("Google OAuth2 access token"),
  },
  authInput: {
    oauthVariable: "GOOGLE_ACCESS_TOKEN",
  },
})
  .tool({
    name: "search_files",
    description:
      "Search for PDF files in Google Drive. Takes a search query and returns matching files based on their filename.",
  },
  async execute(ctx, input) {
    const token = ctx.env.GOOGLE_ACCESS_TOKEN;
    return fetch(`https://www.googleapis.com/drive/v3/files`, {
      headers: { Authorization: `Bearer ${token}` },
    });
  },
});

The authInput object is used to specify which environment varibale should be populated with the OAuth token. Gram will then handle the OAuth exchange and automatically supply the token to your function.

Note that this will only work if you follow the steps below to enable OAuth for your MCP server.

Adding OAuth to your MCP server

Configuring OAuth for a toolset containing Gram Functions is the same as configuring OAuth for any other toolset. You can follow the steps in our guide to get started.

Caveats

Only one managed OAuth provider can be attached to an MCP server. However, other security schemes defined in your OpenAPI spec (API keys, bearer tokens, etc.) are still accepted alongside OAuth — users can authenticate with whichever method they prefer. See Multiple security schemes for details.

Toolsets can contain any number of tools that do not require OAuth alongside tools that use a single OAuth provider.