Skip to main content

Overview

Passthrough authentication is an advanced mode where your AI agent sends credentials with each request instead of Tadata storing them. This gives you full control over credential management but comes with limitations.
Most users don’t need passthrough. The standard authentication model (Tadata stores credentials) is simpler and supports multi-source toolsets.Only use passthrough if you have specific requirements around credential storage or OAuth app ownership.

How Passthrough Works

Standard Authentication (Default)

AI Agent → Tadata (has stored credentials) → Services (Linear, Slack, GitHub)

Passthrough Authentication

AI Agent (has credentials) → Tadata (passes through) → Service (single source only)
In passthrough mode:
  1. AI agent obtains credentials (OAuth token or API key)
  2. AI agent sends credentials with each tool execution request
  3. Tadata passes credentials through to the service without storing
  4. Service validates and responds

Key Limitation

Passthrough toolsets are limited to ONE connector (one API source).You cannot mix multiple sources in a passthrough toolset. For example:
  • ❌ Slack + Linear + GitHub (requires standard auth)
  • ✅ Just Linear (passthrough works)
  • ✅ Just your custom API (passthrough works)
For multi-source workflows, use standard authentication.

OAuth Passthrough

Requirements

To use OAuth passthrough, you must:
  • Control the OAuth resource - Have your own OAuth app registered with the service
  • Handle OAuth flow - Your AI agent must implement the OAuth authorization code flow
  • Manage tokens - Your agent handles token refresh and expiration

When to Use

Use OAuth passthrough if:
  • You’ve already built your own OAuth app and want to use it
  • You need custom OAuth scopes not provided by Tadata’s OAuth apps
  • You want OAuth tokens to never leave your control
  • You’re integrating a single-source toolset only

Setup

1

Register OAuth App

Register your OAuth application with the service (Linear, GitHub, etc.)
  • Set redirect URI to your agent’s callback handler
  • Note client ID and client secret
2

Configure Toolset

In Tadata, create a toolset and enable passthrough mode:
  • Select the connector (e.g., Linear)
  • Choose Passthrough Authentication
  • Select OAuth as passthrough type
  • Provide OAuth configuration (authorization URL, token URL, scopes)
3

Implement OAuth in Agent

Your AI agent must:
  • Redirect users to authorization URL
  • Handle callback with authorization code
  • Exchange code for access + refresh tokens
  • Store tokens securely
  • Send access token with each tool request to Tadata
4

Send Tokens with Requests

When executing tools, include OAuth token in request headers:
Authorization: Bearer <your-access-token>

Token Format

Tadata expects OAuth tokens in the Authorization header: 
POST https://your-toolset.mcp.tadata.com/execute
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Content-Type: application/json

{
  "tool": "create_issue",
  "parameters": { ... }
}

API Key Passthrough

Requirements

No special requirements. The AI agent just needs the API key.

When to Use

Use API key passthrough if:
  • You don’t want Tadata to store API keys
  • You need different API keys per user/agent
  • You want full control over key rotation
  • You’re integrating a single-source toolset only

Setup

1

Get API Key

Retrieve API key from the service or generate one for your custom API
2

Configure Toolset

In Tadata, create a toolset and enable passthrough mode:
  • Select the connector or bring your own API
  • Choose Passthrough Authentication
  • Select API Key as passthrough type
  • Specify header name (e.g., Authorization, X-API-Key)
  • Specify header prefix (e.g., Bearer , Token , or none)
3

Store Key in Agent

Your AI agent stores the API key securely (environment variable, secrets manager, etc.)
4

Send Key with Requests

When executing tools, include API key in request headers as configured

API Key Format

Tadata expects API keys in the configured header. Examples: Bearer Token: 
POST https://your-toolset.mcp.tadata.com/execute
Authorization: Bearer sk_live_abc123xyz789
Content-Type: application/json
Custom Header: 
POST https://your-toolset.mcp.tadata.com/execute
X-API-Key: abc123xyz789
Content-Type: application/json

Security Considerations

In passthrough mode, credentials are sent with every request:
  • All communication is over HTTPS (required)
  • Credentials are not logged by Tadata
  • Credentials are passed directly to the target service
Ensure your AI agent also stores credentials securely.
You are responsible for token refresh.For OAuth passthrough:
  • Monitor access token expiration
  • Implement refresh token flow
  • Handle refresh failures gracefully
Standard authentication handles this automatically.
Each request includes credentials, so rate limiting applies per credential:
  • Multiple agents using the same API key share rate limits
  • Consider using separate API keys per agent if needed
Actions appear under the credential owner:
  • OAuth: Actions appear under the user who authorized
  • API Key: Actions appear under the API key owner/service account
Use service accounts for clearer audit trails.

Comparison: Standard vs. Passthrough

FeatureStandard (Tadata stores)Passthrough
Multi-source toolsets✅ Yes (Slack + Linear + GitHub)❌ No (one connector only)
Setup complexity✅ Simple (click Connect)⚠️ Complex (implement OAuth/manage keys)
Credential storageTadata (encrypted)AI agent (you manage)
Token refresh✅ Automatic❌ Manual (you handle)
OAuth appTadata’s OAuth appsYour OAuth app (required for OAuth)
Per-user credentials✅ Yes (connect per user)✅ Yes (agent manages)
Use caseMost toolsets, multi-source workflowsAdvanced, single-source, full control

Troubleshooting

Symptoms: Tools fail with 401 despite providing credentialsCauses:
  • Credential format incorrect (missing prefix, wrong header)
  • OAuth token expired (you need to refresh)
  • API key invalid or revoked
Solutions:
  • Verify credential format matches configuration
  • Check token expiration and refresh if needed
  • Test credentials directly against service API (curl/Postman)
  • Review Tadata passthrough configuration (header name, prefix)
Symptoms: Error when trying to add multiple connectors to passthrough toolsetCause: Passthrough mode only supports single-source toolsetsSolution: Use standard authentication (Tadata stores credentials) for multi-source toolsets
Symptoms: Access tokens expire and tools failCause: In passthrough mode, you are responsible for token refreshSolution:
  • Implement refresh token flow in your AI agent
  • Monitor token expiration and refresh proactively
  • Or switch to standard authentication for automatic refresh
Question: How do I use different credentials for different users?Answer: In passthrough mode, each agent instance can send different credentials. Your agent should:
  1. Store credentials per user
  2. Include the appropriate user’s credentials with each request
  3. Ensure proper isolation and security
Alternatively, use standard authentication and have each user connect their own account in Tadata.

Next Steps

Authentication Overview

Understand standard authentication (recommended for most users)

Bring Your Own API

Add custom APIs with OpenAPI specs

Test in Playground

Verify passthrough authentication works

View Analytics

Monitor tool usage and errors