Server authentication determines how your end users (the people interacting with your AI agents) authenticate with external MCP servers like GitHub, Slack, or Linear. It directly affects how your agents access external data. This is separate from platform authentication, which controls how you and your tools access Caylex itself.

Two levels of server auth

Caylex supports two levels of authentication for each server:
Each end user provides their own credentials for the server. When the agent executes a tool on behalf of a user, the Navigator uses that user’s personal credentials.
How it works:
  • Each user authenticates individually via an Auth Link
  • The Navigator stores each user’s credentials separately
  • Tool calls use the credentials of the specific user identified by x-user-email
Best for:
  • Personal data services (email, calendar, personal notes)
  • Services where each user has their own account (GitHub, Slack)
  • Scenarios requiring per-user data isolation and audit trails
Example: Your agent accesses a user’s Gmail inbox. Each user authenticates with their own Google account, and the agent only sees that user’s emails.
You can mix auth levels within a project. For example, use user-level auth for Gmail (personal emails) and project-level auth for your company CRM (shared data), all in the same project.

Supported auth methods

Caylex supports the following authentication methods for connecting to external MCP servers:
| Method | Description | Credential storage |
|---|---|---|
| OAuth | Standard OAuth 2.0 flow with PKCE support | Tokens managed by identity provider |
| Header | API keys or Bearer tokens sent as HTTP headers | Encrypted in AWS Parameter Store |
| Path | Credentials embedded in the URL path | Encrypted in AWS Parameter Store |
| Query | Credentials passed as URL query parameters | Encrypted in AWS Parameter Store |
| No Auth | No authentication required | N/A |
Caylex never stores raw secrets in its database. OAuth tokens are managed by the identity provider, and all other credentials are stored in AWS Parameter Store. The database only stores references (paths) to the encrypted values.

How auth flows at runtime

When your agent invokes a tool through the Caylex Navigator, the authentication flow happens automatically:
  1. Your agent sends a tool invocation to the Navigator with the x-api-key and x-user-email headers
  2. The Navigator identifies the navigator instance, project, and user
  3. The Navigator retrieves the user’s credentials for the target server
  4. Credentials are injected into the request (as headers, path parameters, query parameters, or OAuth tokens)
  5. The tool is executed on the external server and the result is returned to your agent
Your agent never sees or handles credentials directly.
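
A small model of steps 2 to 4, added here as an illustration and not Caylex's own code: it resolves a per-user credential through a stored reference, fails closed when the user has not authenticated, injects the value by auth method, and redacts it before logging, since path and query credentials become part of the URL. The table contents, the `{credential}` placeholder, the `api_key` parameter name and the `Authorization: Bearer` header are assumptions made for the example.

```python
from urllib.parse import urlsplit, urlunsplit, urlencode, parse_qsl, quote

# Constructed sample data. The lookup table holds only references (paths);
# the values live in a separate store, modelled here as a second dict.
REFERENCES = {  # (project, server, user email) -> (auth method, parameter path)
    ("proj-1", "notes", "alice@example.com"): ("header", "/demo/notes/alice"),
    ("proj-1", "notes", "bob@example.com"): ("query", "/demo/notes/bob"),
    ("proj-1", "files", "bob@example.com"): ("path", "/demo/files/bob"),
}
SECRET_STORE = {"/demo/notes/alice": "alice-token",
                "/demo/notes/bob": "bob-token",
                "/demo/files/bob": "bob-path-key"}

class NotAuthenticated(Exception):
    """The calling user has no stored credential for the target server."""

def build_request(project, server, user_email, url):
    """Return (url, headers, secret) for the outbound call to the server."""
    ref = REFERENCES.get((project, server, user_email))
    if ref is None:
        # Fail closed: never fall back to another user's credential.
        raise NotAuthenticated(f"{user_email} is not authenticated with {server}")
    method, param_path = ref
    secret = SECRET_STORE[param_path]
    parts, headers = urlsplit(url), {}
    if method in ("header", "oauth"):
        headers["Authorization"] = f"Bearer {secret}"  # assumed header format
    elif method == "path":
        # Hypothetical {credential} placeholder marks where the value goes.
        parts = parts._replace(
            path=parts.path.replace("{credential}", quote(secret, safe="")))
    elif method == "query":
        # Hypothetical parameter name "api_key"; quote() keeps encoding
        # consistent with the redaction in log_safe().
        pairs = parse_qsl(parts.query) + [("api_key", secret)]
        parts = parts._replace(query=urlencode(pairs, quote_via=quote))
    else:
        raise ValueError(f"unknown auth method: {method}")
    return urlunsplit(parts), headers, secret

def log_safe(url, headers, secret):
    """Redact the credential from the URL and headers before logging."""
    masked = {k: v.replace(secret, "[REDACTED]") for k, v in headers.items()}
    return url.replace(quote(secret, safe=""), "[REDACTED]"), masked
```
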

Next steps

Auth Links

Create shareable links to authenticate users with your servers.

Managing Users

View user auth status and manage access.