
Giving Agents Real-World Access: The Integration Marketplace

How we built a secure integration layer that lets AI agents access Instagram, Google Workspace, and GitHub — with per-agent OAuth isolation and encrypted token storage.

Gal Hindi

April 7, 2026 · 4 min read

Updated May 15, 2026

The moment you give an AI agent access to a real API, everything changes. It's no longer a chatbot that generates text — it's an actor that can send emails, publish content, create calendar events, and modify files. That power is the whole point of agents, but it comes with a question most frameworks ignore: how do you manage credentials safely when dozens of agents across an organization each need different levels of access to different services?

We built the Integration Marketplace to answer that question. It's a secure OAuth layer that gives each agent scoped, encrypted access to third-party services — without sharing tokens, without storing plaintext secrets, and without requiring users to trust a single agent with everything.

Per-Agent Token Isolation

Most platforms store OAuth tokens per user or per organization. We store them per agent. Every token in the system is scoped to a composite key: org_id + user_id + provider + agent_id. A Marketing Agent that posts to Instagram cannot read your Google Drive. A PR Review Agent with GitHub access cannot send emails through Gmail. Each agent gets exactly the permissions it needs and nothing more.

Our integration-service handles the full OAuth lifecycle through six RPC methods:

- GetOAuthUrl generates authorization URLs with HMAC-signed state parameters.
- HandleOAuthCallback exchanges auth codes for tokens and stores them encrypted.
- GetAccessToken transparently refreshes expired tokens before returning them.
- ListIntegrations and GetIntegration expose metadata without ever surfacing raw tokens.
- DisconnectIntegration revokes and deletes everything cleanly.
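To make the HMAC-signed state parameter concrete, here is an added example (not the integration-service's own code) that binds the state to the composite key from the previous section, so a callback cannot be replayed against a different agent. The payload layout, the 10-minute lifetime and the function names are assumptions for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

STATE_KEY = secrets.token_bytes(32)  # assumption: server-side signing key, never sent to clients
STATE_TTL = 600                      # assumption: 10 minutes to complete the consent screen

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_state(org_id, user_id, provider, agent_id, now=None, key=STATE_KEY):
    """Build the OAuth `state`: claims bound to the composite key, plus an HMAC tag."""
    issued = int(time.time() if now is None else now)
    payload = json.dumps({
        "org_id": org_id, "user_id": user_id, "provider": provider,
        "agent_id": agent_id, "nonce": secrets.token_hex(16), "exp": issued + STATE_TTL,
    }, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{b64e(payload)}.{b64e(tag)}"

def verify_state(state, now=None, key=STATE_KEY):
    """Return the signed claims, or raise ValueError if malformed, forged or expired."""
    try:
        payload_b64, tag_b64 = state.split(".")
        payload, tag = b64d(payload_b64), b64d(tag_b64)
    except ValueError:
        raise ValueError("malformed state") from None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(payload)  # parsed only after the tag has been checked
    if (time.time() if now is None else now) > claims["exp"]:
        raise ValueError("state expired")
    return claims
```

The callback handler would store tokens under the claims returned by `verify_state`, never under identifiers taken from query parameters; making the nonce single-use needs server-side tracking, which this sketch leaves out.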

Tokens at rest are encrypted with AES-256-GCM. The service supports automatic refresh — when an agent requests a token that's about to expire, the refresh happens transparently. It also handles incremental authorization: if an agent needs additional Google scopes beyond what was originally granted, the service detects the gap and returns a new authorization URL instead of failing silently.
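The lookup, refresh and incremental-authorization behaviour described above can be sketched as follows. This is an added example, not the integration-service's code: the class names, the 5-minute refresh margin, the short scope labels and the `auth.example` URL are assumptions, and encryption at rest is omitted to keep the focus on the decision logic.

```python
import time
from dataclasses import dataclass

REFRESH_SKEW = 300  # assumption: refresh when less than 5 minutes of lifetime remain

@dataclass
class StoredToken:
    access_token: str
    refresh_token: str
    expires_at: float
    scopes: frozenset

class ReauthRequired(Exception):
    """Carries the authorization URL the user must visit."""
    def __init__(self, url):
        super().__init__(url)
        self.url = url

class TokenStore:
    """In-memory stand-in for the token table (hypothetical; no encryption here)."""
    def __init__(self, refresh_fn, auth_url_fn):
        self._rows = {}  # (org_id, user_id, provider, agent_id) -> StoredToken
        self._refresh, self._auth_url = refresh_fn, auth_url_fn

    def put(self, key, token):
        self._rows[key] = token

    def get_access_token(self, key, needed_scopes, now=None):
        now = time.time() if now is None else now
        row = self._rows.get(key)  # exact composite-key match, no per-user fallback
        granted = row.scopes if row else frozenset()
        if row is None or set(needed_scopes) - granted:
            # Not connected for this agent, or a scope gap: return a consent URL
            raise ReauthRequired(self._auth_url(key, sorted(granted | set(needed_scopes))))
        if row.expires_at - now <= REFRESH_SKEW:
            # About to expire: refresh before handing the token out
            row.access_token, row.expires_at = self._refresh(row.refresh_token)
        return row.access_token

def demo():
    """Constructed scenario: one connected agent and stubbed provider calls."""
    store = TokenStore(
        refresh_fn=lambda refresh_token: ("new-access", 10_000.0),
        auth_url_fn=lambda key, scopes: "https://auth.example/consent?scope=" + "+".join(scopes),
    )
    mkt = ("org1", "u1", "google", "marketing-agent")
    store.put(mkt, StoredToken("old-access", "rt", 1_200.0, frozenset({"gmail.send"})))
    return store, mkt
```

Because the lookup never falls back to a user-level or org-level row, a second agent belonging to the same user gets a consent URL rather than the first agent's token.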

Instagram Marketing Agent

The first agent we built on top of this infrastructure is the Marketing Agent — a fully autonomous content pipeline for Instagram. It runs a seven-stage workflow:

1. Research trends and product context via web search and knowledge retrieval.
2. Plan the content concept, visual direction, and target audience.
3. Generate images through our ai-gateway-service.
4. Compose captions with hashtags within Instagram's 2,200-character limit.
5. Review against brand guidelines.
6. Publish via the instagram-mcp server.
7. Analyze engagement metrics 24 hours later.

The instagram-mcp server exposes ten tools: instagram_publish_photo, instagram_publish_carousel, instagram_publish_reel, instagram_publish_story for publishing, instagram_get_account_insights and instagram_get_media_insights for analytics, instagram_list_media for content management, instagram_reply_comment for engagement, and instagram_get_profile and instagram_validate_token for account management. The agent chains these tools through the AOS task graph — each stage is a node in a directed acyclic graph with typed artifacts flowing between them.

Google Workspace: 17 Tools Across Three Services

The google-workspace-mcp server gives agents deep access to Gmail, Google Drive, and Google Calendar — 17 tools in total. On the Gmail side: list messages with filters, read full message content, send HTML emails, reply in-thread with proper headers, manage labels, and toggle read status. On Drive: list files by folder, search by name and MIME type, read Google Docs and Sheets as text, create new files, and inspect permissions. On Calendar: list events with time range filters, create events with attendees, update and delete events, and check free/busy availability across multiple people.

Authentication flows through the integration-service. When an agent needs to access Google APIs, it calls GetAccessToken with its agent ID. The service returns a valid token — refreshing it first if needed — which gets injected as the x-google-access-token header on the MCP connection. The agent never sees or handles raw OAuth tokens. It just calls tools.

Durable Execution Makes It Work

None of this would be practical without our Agent Operating System's durable execution layer. A Marketing Agent run that researches, generates images, composes captions, and publishes might take several minutes. If the image generation step fails or the OAuth token needs re-authorization, the run doesn't crash — it moves to a WAITING state, emits an oauth_required event with the re-auth URL, and resumes when the user re-authorizes.

Runs stream structured events in real time: node_status_changed, node_tool_call, artifact_produced, evaluation_completed. Our Agent Runs UI renders these as a live view — you can watch the Marketing Agent research trends, see the generated image appear as an artifact, read the composed caption, and track the Instagram publish call in real time.

What's Next

We currently support Google, GitHub, and Instagram/Meta as integration providers. Slack, Linear, Jira, Notion, and Figma are next. Each new provider follows the same pattern: build an MCP server that exposes typed tools, register the OAuth flow in the integration-service, and agents can use it immediately. The per-agent isolation, encrypted storage, and automatic refresh come for free.

The Integration Marketplace turns agents from isolated text generators into connected actors that can operate across your real tools. And the per-agent token model ensures that scaling from one agent to a hundred doesn't mean scaling your attack surface along with it.