OAuth per tool
Gmail tool: read scope. Calendar tool: write scope. Not user's master account credential.
Consent screen
User approves each tool's scope. Recurring prompt for sensitive scopes. Similar to mobile app permissions.
Token vault
Short-lived tokens fetched at tool call time. Vault stores refresh tokens. Rotation automatic.
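
The three cards above as one in-memory sketch: per-tool scoped grants, a recurring consent check for sensitive scopes, and a vault that rotates the refresh token each time it mints a short-lived access token. This is an added example, not code from the original page; the class and method names, scope labels, TTL and re-consent interval are assumptions, and the provider's token endpoint is simulated locally.

```python
import secrets
import time
from dataclasses import dataclass

ACCESS_TTL = 300          # assumed access-token lifetime, seconds
RECONSENT_AFTER = 86400   # assumed re-prompt interval for sensitive scopes


class ConsentRequired(Exception):
    """Raised when the user must (re)approve a tool's scope."""


@dataclass
class Grant:
    scope: str            # the single scope this tool was approved for
    refresh_token: str    # stored only in the vault, never handed to a tool
    sensitive: bool
    consent_at: float


class TokenVault:
    def __init__(self, clock=time.time):
        self._grants = {}  # (user, tool) -> Grant
        self._clock = clock

    def record_consent(self, user, tool, scope, sensitive=False):
        # Called after the consent screen; one grant per (user, tool).
        self._grants[(user, tool)] = Grant(
            scope, secrets.token_urlsafe(32), sensitive, self._clock())

    def access_token(self, user, tool, scope):
        # Called at tool-call time; the tool gets a short-lived token only.
        grant = self._grants.get((user, tool))
        if grant is None or grant.scope != scope:
            raise ConsentRequired(f"{tool} is not approved for {scope}")
        age = self._clock() - grant.consent_at
        if grant.sensitive and age > RECONSENT_AFTER:
            raise ConsentRequired(f"{tool} needs fresh approval for {scope}")
        # Simulated refresh exchange: a real vault would send the stored
        # refresh token to the provider and keep the new one it returns.
        grant.refresh_token = secrets.token_urlsafe(32)  # rotation
        return {
            "access_token": secrets.token_urlsafe(32),
            "scope": grant.scope,
            "expires_at": self._clock() + ACCESS_TTL,
        }
```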