ODAI connects to third-party services on behalf of the user through OAuth 2.0. After completing a flow, ODAI stores the resulting tokens securely and uses them automatically when the relevant agent is invoked.
## Supported services

| Service | Capabilities | Protocol |
|---|---|---|
| Google (Gmail, Calendar, Docs, Drive) | Email, events, documents, spreadsheets, presentations | OAuth 2.0 |
| Plaid | Bank account balances and transactions | OAuth 2.0 (via Plaid Link) |
## Google OAuth flow
Connecting a Google account grants ODAI access to Gmail, Google Calendar, Google Docs, Google Drive, Sheets, and Slides.
### Permissions requested

ODAI requests the following Google OAuth scopes:

| Scope | Purpose |
|---|---|
| `userinfo.email` | Identify the Google account |
| `userinfo.profile` | Retrieve the user’s name and profile picture |
| `calendar.events.owned` | Read and write calendar events |
| `gmail.send` | Send emails |
| `gmail.modify` | Read, label, and manage email |
| `documents` | Read and write Google Docs |
| `docs` | Google Docs API access |
| `drive` | Read and manage Google Drive files |
| `spreadsheets.readonly` | Read Google Sheets |
| `presentations.readonly` | Read Google Slides |
### Step 1: Initiate the flow

Send a POST request to `/google_access_request` with your Firebase ID token and the Google account email you want to connect:

```http
POST /google_access_request HTTP/1.1
Authorization: <firebase-id-token>
Content-Type: application/x-www-form-urlencoded

<google-account-email>
```
The server validates your token and prepares an OAuth state parameter tied to your user account.
### Step 2: Redirect to Google

Redirect your user to `GET /auth/google/login` with your Firebase ID token:

```http
GET /auth/google/login?token=<firebase-id-token> HTTP/1.1
```

The server redirects to Google’s OAuth consent page, where the user grants the requested permissions.
### Step 3: Callback and token storage

After the user approves, Google redirects to `/auth/google/callback`. The server:

- Exchanges the authorization code for an access token and refresh token
- Retrieves the Google account’s email, name, and profile picture
- Encrypts the token with the user’s KMS key
- Stores the encrypted token in Firestore
- Marks the user’s account as connected to Google
- Redirects the user to the original `redirect_uri`
You can connect multiple Google accounts. Each account is stored separately and identified by its email address. The first account connected becomes the default.
### Token refresh

Google OAuth tokens are refreshed automatically when they expire. ODAI stores the `refresh_token` alongside the access token, so re-authentication is not required unless the user revokes access through their Google account settings.

### Disconnecting Google

To disconnect a Google account, the integration status is set to `false` in the user’s Firestore document. The stored tokens are cleared as part of this operation.
## Plaid flow
Connecting a bank account through Plaid gives ODAI read access to account balances and transaction history.
### Permissions requested

ODAI requests the following Plaid products:

| Product | Purpose |
|---|---|
| `transactions` | Transaction history |
| `auth` | Account and routing numbers |
### Step 1: Create a Link token

Send a POST request to `/auth/plaid/create_link_token` with your Firebase ID token:

```http
POST /auth/plaid/create_link_token HTTP/1.1
Authorization: <firebase-id-token>
```

The response contains a `link_token` from Plaid:

```json
{
  "link_token": "link-sandbox-...",
  "expiration": "2025-01-01T00:00:00Z",
  "request_id": "..."
}
```
### Step 2: Open Plaid Link

Use the `link_token` to initialize Plaid Link in your frontend. Plaid handles the bank selection and credential entry. On success, Plaid returns a `public_token`.

```javascript
// Hand the public token to the backend (step 3); `firebaseIdToken` is the caller's Firebase ID token.
async function exchangeToken(publicToken) {
  await fetch('/auth/plaid/set_access_token', {
    method: 'POST',
    headers: { Authorization: firebaseIdToken, 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({ public_token: publicToken }),
  });
}

const handler = Plaid.create({
  token: linkToken,                        // link_token from step 1
  onSuccess: (publicToken, metadata) => {
    exchangeToken(publicToken);            // public_token is short-lived; exchange it right away
  },
});
handler.open();
```
### Step 3: Exchange the public token

Send a POST request to `/auth/plaid/set_access_token` with the public token from Plaid Link:

```http
POST /auth/plaid/set_access_token HTTP/1.1
Authorization: <firebase-id-token>
Content-Type: application/x-www-form-urlencoded

public_token=public-sandbox-...
```

The server exchanges the public token for a long-lived access token, retrieves the account details, and stores the encrypted token in Firestore.
### Viewing connected accounts

Retrieve the list of connected bank accounts:

```http
GET /auth/plaid/accounts HTTP/1.1
Authorization: <firebase-id-token>
```

Response:

```json
{
  "accounts": [
    {
      "bank_name": "Chase",
      "mask": [{"name": "Checking", "mask": "1234"}],
      "id": "uuid"
    }
  ]
}
```
### Disconnecting a bank account

Remove a specific bank account by its `id`:

```http
DELETE /auth/plaid/accounts/{account_id} HTTP/1.1
Authorization: <firebase-id-token>
```
If the deleted account is the last connected bank account, the user’s Plaid integration status is set to disconnected.
In development, ODAI connects to Plaid’s Sandbox environment. In production, it connects to Plaid’s Production environment. Use Plaid’s sandbox credentials and test institutions during local development.