Set up OAuth for a sandboxed MCP connector (Google / Microsoft 365)

Field-by-field OAuth setup for sandboxed (uvx / npx) MCP connectors that sign each user in—covers the OAuth client settings, per-user token delivery, standard Google and Microsoft 365 recipes, and using $SECRET_KEY so secrets stay write-only.

Some Sandboxed (uvx / npx) MCP servers act as the signed-in user (for example Google Sheets, Google Docs, Slack, Microsoft 365). Each employee connects their own account, and Harriet runs the server's tools with that person's token. This article shows exactly which fields to fill in and where.

There are two halves to the setup, and they do different jobs:

OAuth client settings — how Harriet signs users in and stores their tokens.
Per-user OAuth delivery — how Harriet passes each stored token into the MCP process when tools run.

Fill in both. Configure everything in Company settings → Integrations; never ask employees to paste secrets.

1. OAuth client settings (how Harriet signs users in)

Create an OAuth app with your provider (Google Cloud console, or Microsoft Entra ID / Azure) and add Harriet's callback as an authorized redirect URI. Then set, on the connector:

Field	What to enter
Require per-user OAuth	On. Each user connects their own account.
OAuth client ID	The client ID from your provider's OAuth app.
OAuth client secret	The client secret. See Keeping secrets write-only below.
OAuth scope	Space-separated scopes the server needs (include a refresh/offline scope—see recipes).
OAuth authorize URL (override)	Your provider's authorize endpoint (see recipes).
OAuth token URL (override)	Your provider's token endpoint (see recipes).

When a user later opens Profile → Integrations and connects, Harriet runs this flow and stores their tokens on their behalf.

2. Per-user OAuth delivery (how the token reaches the server)

This is set in the Sandbox section, separately from the OAuth client settings:

Per-user OAuth env var name — the environment variable the MCP package reads its credential from. Check the package README for the exact name.
Per-user OAuth delivery — choose how the token is supplied:
- Token file — Harriet writes a Google authorized_user JSON (with the refresh token and client details) to a file and sets the env var to that file path. Use for servers that load a token file and refresh themselves (most Google Python servers). You do not need to add the client ID/secret separately—they travel inside the token file.
- Access token value — Harriet sets the env var to the bearer token string directly (no file). Use for servers that take a token as an env var value (Slack, Microsoft 365). Harriet refreshes the token on its side and injects a fresh one.

Standard Google recipe (Sheets, Docs, Drive)

OAuth client settings:

Require per-user OAuth: on
OAuth client ID / secret: from your Google OAuth client
OAuth scope: the Google API scopes you need (e.g. https://www.googleapis.com/auth/drive), and keep Google's default offline behavior so a refresh token is issued
OAuth authorize URL: https://accounts.google.com/o/oauth2/auth
OAuth token URL: https://oauth2.googleapis.com/token

Per-user delivery:

Per-user OAuth delivery: Token file
Per-user OAuth env var name: the package's token variable, for example TOKEN_PATH (Sheets) or GOOGLE_DOCS_MCP_TOKEN (Docs)

You do not need a separate credentials file or client ID/secret environment variable—the token file Harriet writes already contains them.

Standard Microsoft 365 recipe

OAuth client settings:

Require per-user OAuth: on
OAuth client ID / secret: from your Microsoft Entra (Azure) app registration (a confidential client with a secret)
OAuth scope: the Microsoft Graph scopes you need plus offline_access so a refresh token is issued
OAuth authorize URL: https://login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize
OAuth token URL: https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token

Per-user delivery:

Per-user OAuth delivery: Access token value
Per-user OAuth env var name: MS365_MCP_OAUTH_TOKEN

Slack-style servers follow the same pattern as Microsoft 365: Access token value with the package's token variable (e.g. SLACK_MCP_XOXP_TOKEN).

Keeping secrets write-only ($SECRET_KEY)

Harriet stores secrets encrypted and never displays them back—the OAuth client secret box is write-only, so once saved it cannot be read out of the UI by anyone (including admins). To rotate, type a new value and save.

You can also reference the secret without typing it into a field, using the $SECRET_KEY placeholder:

On OAuth client secret, tick Use integration secret key. Harriet stores $SECRET_KEY and substitutes the integration's main secret key at sign-in time—so the literal secret never appears in the connector config.
Inside any environment variable or credential file value, the text $SECRET_KEY is replaced with the integration's secret key when the server runs. This lets you keep a secret out of the visible config even when a package wants it embedded in a JSON file or env var (for example a value like {"client_secret": "$SECRET_KEY"}).

$SECRET_KEY only resolves inside the OAuth client secret field, environment variables, and credential files. It is not substituted in other fields such as OAuth client ID, OAuth scope, the URL overrides, or the command/arguments. If a value still shows the literal $SECRET_KEY after the server runs, the integration's secret key has not been set.

Finish and verify

Save the connector.
Connect your own account under Profile → Integrations to provide a test token.
Use Sync tools to confirm Harriet can reach the server and discover its tools. For per-user OAuth servers you must be connected first—otherwise sync reports that you need to connect your account.
Set Tool permissions (including confirmation gates for risky actions) and attach the connector to the right skills and groups.

See also How to create an MCP connector (Company settings), How does MCP authorization work and what credentials are stored?, and MCP from GitHub and registries—sandboxed connectors vs skill packages.