What it does
When enabled, the Navigator exposes aget_authentication_link MCP tool to your agent. This tool returns:
- The authentication status of the current user — whether they need to authenticate, are fully authenticated, or no authentication is required
- An authentication link the user can click to authenticate with any servers they haven’t connected to yet
- A list of unauthenticated servers so the agent knows which services are not yet available
How to enable
Ensure user-level auth servers exist
In-Chat Authentication requires at least one server instance in the project that uses user-level authentication (not project-level). This is because the authentication link is for individual users to provide their own credentials.
The In-Chat Authentication toggle is only available when the project has at least one user-level auth server connected. If all user-level servers are removed from a project, In-Chat Authentication is automatically disabled.
How it works
- Default auth link — when In-Chat Authentication is enabled, Caylex creates a default authentication link for the project. This link includes all user-level server instances in the project and does not expire. It automatically stays in sync as servers are added or removed.
-
Agent calls
get_authentication_link— during a conversation, the agent can call this tool to check if the current user needs to authenticate. The tool looks up the user’s authentication status for each user-level server in the project. -
Response to the agent — the tool returns one of three statuses:
authentication_needed— the user has not authenticated with one or more servers. The response includes the auth link and the list of unauthenticated server names.fully_authenticated— the user has authenticated with all available user-level servers.no_auth_required— the project has no user-level auth servers (all servers use project-level auth or no auth).
- User authenticates — the agent shares the link with the user. The user clicks it, signs in, and authenticates with the listed servers through the guided flow.
-
Verification — the agent can call
get_authentication_linkagain to confirm the user has completed authentication. The unauthenticated servers list will reflect the latest state.
Example conversation flow
Important notes
- Available MCP Servers list — the list of servers shown in the agent’s tool descriptions only includes servers the user has already authenticated into. After authenticating via the link, new servers become immediately available for tool execution within the current conversation, but they will not appear in the tool description list until a new session is started.
- Automatic sync — the default auth link automatically updates when user-level servers are added to or removed from the project. You do not need to manually manage it.
- Auto-disable — if all user-level auth servers are removed from a project, In-Chat Authentication is automatically disabled on all navigator instances in that project.
Preview the auth link
When In-Chat Authentication is enabled, you can preview the authentication link directly from the Navigator Instance settings page. Click the link icon next to the toggle to open the authentication page and see exactly what your users will see.When to enable In-Chat Authentication
| Scenario | Recommendation |
|---|---|
| Users interact with the agent before authenticating with all servers | Enable — lets the agent guide users through auth on the spot |
| All servers use project-level auth (shared credentials) | Not applicable — no user-level auth needed |
| Users always authenticate before their first conversation | Optional — the agent can still use it as a fallback for expired credentials |
| Agent is deployed in a controlled environment where auth is pre-configured | Disable — unnecessary overhead |