The cached client-credentials access token (when the agent declares
oauth_client_credentials). These tokens are refreshed via secret
re-exchange, not the MCP SDK's refresh_token grant, so the bearer
path is the correct transport — there is no "refresh on 401" hook
the SDK can use, and the call path pre-refreshes them anyway.
The static auth_token.
Tokens from the authorization-code flow (oauth_tokens without
oauth_client_credentials) are handled separately by the OAuth provider
path in ProtocolClient.callTool and intentionally do NOT surface here.
Get authentication token for an agent.
Returns, in order:
oauth_client_credentials). These tokens are refreshed via secret re-exchange, not the MCP SDK'srefresh_tokengrant, so the bearer path is the correct transport — there is no "refresh on 401" hook the SDK can use, and the call path pre-refreshes them anyway.auth_token.Tokens from the authorization-code flow (
oauth_tokenswithoutoauth_client_credentials) are handled separately by the OAuth provider path inProtocolClient.callTooland intentionally do NOT surface here.