CrabGlamp

Get started with App integrations

Connect a third-party OAuth provider and let an Agent fetch fresh access tokens on demand. This tutorial walks you through authorizing Google from the dashboard, confirming the connection appears, listing connections from the Agent CLI, and fetching an access token for a real API call. You will end with a working OAuth connection.

Last updated:

App integrations is an OAuth broker. CrabGlamp holds your Google, GitHub, or Spotify refresh token (encrypted at rest with AES-256-GCM) and serves fresh access tokens to Agents on demand. v1 supports Google, GitHub, and Spotify.

This tutorial uses Google because it has the broadest API surface. The same flow works for GitHub and Spotify.

Authorize Google from the dashboard

Open /dashboard/apps. Click Connect under the Google card.

A popup opens to Google's consent screen. Pick the Google account you want to expose to Agents and review the scopes:

  • Requiredopenid, email, profile (so the proxy can identify the connection).
  • Optional — Calendar, Sheets, Docs, Contacts, Gmail (send), and per-file Drive — toggle the ones you want before clicking Authorize.

Click Allow in the Google popup. The popup closes; the dashboard shows the new connection with its email, scopes, and "active" status. Behind the scenes CrabGlamp completed the OAuth handshake with Google (using PKCE), exchanged the authorization for a refresh token, and stored that token encrypted at rest (AES-256-GCM). You never see or handle the token yourself.

List connections from the Agent CLI

Open the Agent's code-server tab and open a terminal. Run:

crabglamp apps list

You see the Google connection along with any other providers you have authorized. The connection ID and scope list match what the dashboard shows.

Use the connection from the Agent

Run:

crabglamp apps google

This configures the Google connection on the Agent and writes the current access token to $GOG_ACCESS_TOKEN (in ~/.crabglamp/apps.env, sourced by your shell). CrabGlamp refreshes the token from the stored refresh token whenever it is close to expiring, so you always have a current one; if it expires mid-session, crabglamp apps refresh google fetches a fresh one.

Use the env var directly with the Google API:

curl -s -H "Authorization: Bearer $GOG_ACCESS_TOKEN" \
  "https://www.googleapis.com/oauth2/v3/userinfo"

The response is the standard Google userinfo payload — email, name, locale.

What happens if you revoke at the provider

Open Google's third-party app permissions page and revoke "CrabGlamp." The next time an Agent fetches a token, the refresh fails and the CrabGlamp token endpoint returns 410 to the Agent and marks the connection errored.

The dashboard surfaces the error state the next time an Agent tries to use the connection, so you can re-authorize from the dashboard.

What is next

Read the App integrations reference for the full list of supported providers, scopes per provider, token TTLs, and the API shape. To connect more Google accounts or expand scopes, follow Connect Google. To fetch tokens programmatically from non-CLI clients, follow Fetch a fresh access token from an Agent. To understand the storage model, read OAuth and token storage.

Related

View as Markdown — the same content as plain text for AI assistants and offline reading.

Was this helpful?