Skip to content

feat: oauth tokens stored in aws secrets / parameters or mongodb #10168

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat: oauth tokens stored in aws secrets / parameters or mongodb #10168

wants to merge 1 commit into from
+3,150 −62

Conversation

@owengo
Copy link
Contributor

@owengo owengo commented Oct 17, 2025

Pull Request Template

⚠️ Before Submitting a PR, Please Review:

  • Please ensure that you have thoroughly read and understood the Contributing Docs before submitting your Pull Request.

⚠️ Documentation Updates Notice:

  • Kindly note that documentation updates are managed in this repository: librechat.ai

Summary

The change implements an interface to store oauth tokens / refresh_tokens in aws secrets or aws parameters ( free! ) instead of the mongodb database.

It's a proposal for:
#9864

Imagine you have a mcp server like "google_workspace_mcp" on your instance, the refresh_tokens ( ie: permanent, never expiring passwords-like ) for all the critical google workspace feature for all of your user will be stored in the database. If, for some reason you're not at ease with that this PR allows to store in aws secret or aws parameters instead, where you can manage access / audit etc.

Change Type

Please delete any irrelevant options.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update
  • Translation update

Testing

The librechat backend must have access to the storage ( aws secrets or aws parameters ) you choose, there are various ways for this.

Then, when you use an MCP server with oauth, verify the tokens are stocked on the cloud storage instead of the database.

Test Configuration:

Checklist

Please delete any irrelevant options.

At this time this PR is a draft but it's fully functional

  • My code adheres to this project's style guidelines
  • I have performed a self-review of my own code
  • I have commented in any complex areas of my code
  • I have made pertinent documentation changes
  • My changes do not introduce new warnings
  • I have written tests demonstrating that my changes are effective or that my feature works
  • Local unit tests pass with my changes
  • Any changes dependent on mine have been merged and published in downstream modules.
  • A pull request for updating the documentation has been submitted.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@owengo @olivierhub