User Sources
A User Source connects an Gateway to your OIDC identity provider. When a gateway uses a User Source, your end users sign in with their own at your identity provider. They don’t need Arcade accounts.
What is a User Source?
Arcade distinguishes between two kinds of :
- Arcade are the people who build and manage your project in the Arcade dashboard. They sign in with Arcade .
- End are the people who call your agent or application, which in turn calls your Gateway.
A Source tells Arcade where your end users come from. When a gateway uses a User Source, Arcade redirects end users to your identity provider to sign in, then uses the resulting OIDC token to identify them on every gateway request.
User Sources are project-bound. You create one in a project, then attach it to any Gateway in that . One Source can back many gateways.
When to use a User Source
Arcade Gateways support three ways to authenticate end :
| Mode | Best for |
|---|---|
| Arcade Auth | Development, testing, and internal use, when every end user has an Arcade account |
| User Source (recommended for production) | Production agents whose end users have their own accounts in your OIDC identity provider |
| Arcade Headers (fallback) | MCP clients that can’t run a browser-based OAuth flow |
See MCP Gateway authentication for the full comparison and for how to pick an authentication mode when creating a gateway.
Register an OAuth client at your identity provider
Before you create a Source in Arcade, register a confidential OAuth client at your identity provider (Auth0, Okta, Entra ID, Stytch, Clerk, and so on). The client must use the Authorization Code flow with PKCE.
Register the following redirect URL on that client:
https://cloud.arcade.dev/oauth2/intermediate_callbackThis URL is the same for every User Source, every , and every Arcade customer. Your identity provider will redirect end back to this URL after they sign in, and Arcade exchanges the resulting code for an ID token.
Once you finish registering the client, copy the issuer URL, client ID, and client secret. You’ll provide them to Arcade in the next step.
Create a User Source
Open the User Sources dashboard
Go to the User Sources dashboard for your and click Create Source.
Fill in the User Source details
Provide the following:
- Name: A short, human-readable name for this connection. For example,
Okta production. - Description (optional): Free-form notes about the connection.
- Issuer URL: The OIDC issuer URL from your identity provider, for example
https://accounts.example.com. Arcade matches this against theissclaim on incoming tokens, so it must exactly match what your identity provider issues. - Client ID: The client ID of the OAuth client you registered with your identity provider.
- Client Secret: The matching client secret. Arcade stores it encrypted and never returns it through the API or dashboard.
- Subject Claim: The JWT claim Arcade uses as the end ’s stable identifier. Defaults to
sub.
Save the User Source
Click Create. The new Source appears in the list with Active status and is ready to attach to an Gateway.
Use a User Source on an MCP Gateway
You attach a User Source to an Gateway when you create or edit the gateway, not as a separate step on the User Source itself. One User Source can back multiple gateways in the same .
See Create via Dashboard for how to pick a Source when configuring a gateway’s authentication.
Manage User Sources
Edit a User Source
You can change a Source’s name, description, issuer URL, client ID, or subject claim at any time from the User Sources dashboard. Saving the changes affects every gateway that uses this User Source on its next request.
Rotate the client secret
To rotate the client secret:
- Open the Source in the dashboard.
- Enter the new secret in the Client Secret field.
- Save.
The field is blank in edit mode and only updates when you fill it in, so editing other fields does not affect the stored secret.
Rotate the client secret in your identity provider first, then update it in Arcade. There’s a short window where token exchange fails if Arcade’s stored secret doesn’t match the one your provider expects.
Deactivate a User Source
Set a Source’s status to Inactive to take it out of rotation. You can only deactivate a User Source after every Gateway that uses it is itself deactivated or deleted. If an active gateway still references the source, the dashboard blocks deactivation and tells you how many gateways still depend on it.
To deactivate a Source, deactivate or delete the dependent gateways first, then change the User Source’s status to Inactive.
Delete a User Source
Deleting a Source is permanent. As with deactivation, you can only delete a User Source when no active gateway references it. The dashboard blocks the action until you deactivate or remove the dependent gateways.
Next steps
- MCP Gateway authentication for a comparison of Arcade Auth, Sources, and Arcade Headers
- Connect to MCP clients to point your client at a gateway that uses a Source