User Sources
A User Source is the connection between an Gateway and your OIDC identity provider. When a gateway uses a , Arcade redirects each end user to your identity provider to sign in and then identifies them by an OIDC subject claim on every gateway request.
What is a User Source?
Use a when your end users already have identities in your own identity system, such as Entra ID, Okta, Auth0, Clerk, Stytch, or a similar OIDC provider. A User Source plugs that identity directly into your gateway, so Arcade doesn’t have to know about your end users ahead of time and you don’t have to provision them into Arcade.
A is deliberately separate from any identity provider you use for Arcade admin sign-in. The User Source identifies the Users of your gateways (end users), while the Arcade admin sign-in provider identifies the Arcade that manage your . Keeping the two distinct means you can govern your administrators and your end users with different identity systems and different policies.
User Sources are project-bound. You create one in a project, then attach it to any Gateway in that project. One can back many gateways, so gateways serving different purposes can share the same end-user identity system without duplicating the configuration.
When to use a User Source
Arcade Gateways support three ways to authenticate end :
| Mode | Best for |
|---|---|
| Arcade Auth | Development, testing, and internal use, when every end user is a member of your Arcade project |
| User Source (recommended for production) | Production agents whose end users have identities in your OIDC identity provider |
| Arcade Headers (fallback) | MCP clients that can’t run a browser-based OAuth flow |
See MCP Gateway authentication for the full comparison and for how to pick an authentication mode when creating a gateway.
Register an OAuth client at your identity provider
Before you create a in Arcade, register a confidential OAuth client at your identity provider. The client must use the Authorization Code flow with PKCE.
Configure the redirect URL
Set the redirect URL on the OAuth client to https://cloud.arcade.dev/oauth2/intermediate_callback.
Your identity provider will redirect end back to this URL after they sign in, and Arcade exchanges the resulting code for an ID token.
Copy the client credentials
From your identity provider, copy the issuer URL, client ID, and client secret. You’ll provide them to Arcade in the next section.
Create a User Source
Open the User Sources dashboard
Go to the User Sources dashboard for your and click Create .
Fill in the User Source details
Provide the following:
- Name: A short, human-readable name for this connection. For example,
Corporate Identity. - Description (optional): Free-form notes about the connection. These notes are visible to other members of your Arcade and are never shown to end .
- Issuer URL: The OIDC issuer URL from your identity provider, for example
https://accounts.example.com. Arcade matches this against theissclaim on incoming tokens, so it must exactly match what your identity provider issues. - Client ID: The client ID of the OAuth client you registered with your identity provider.
- Client Secret: The matching client secret. Arcade stores it encrypted and never returns it through the API or dashboard.
- Subject Claim: The JWT claim Arcade uses as the end ’s stable identifier. Defaults to
sub.
Save the User Source
Click Create. The new appears in the list with Active status and is ready to attach to an Gateway.
Use a User Source on an MCP Gateway
You attach a User Source to an Gateway when you create or edit the gateway. One can back multiple gateways in the same , so you can reuse the same end-user identity system across every gateway you build for those users.
See Create via Dashboard for how to pick a User Source when configuring a gateway’s authentication. The Gateways guide covers the gateway’s consent-skip allowlist if you want trusted MCP clients to bypass the Arcade consent screen.
Manage User Sources
Edit a User Source
You can change a ’s name, description, issuer URL, client ID, or subject claim at any time from the User Sources dashboard. Saving the changes affects every gateway that uses this User Source on its next request.
Rotate the client secret
To rotate the client secret:
- Open the in the dashboard.
- Enter the new secret in the Client Secret field.
- Save.
The field is blank in edit mode and only updates when you fill it in, so editing other fields does not affect the stored secret.
Rotate the client secret in your identity provider first, then update it in Arcade. There’s a short window where token exchange fails if Arcade’s stored secret doesn’t match the one your provider expects.
Deactivate a User Source
Set a ’s status to Inactive to take it out of rotation. You can only deactivate a User Source after every Gateway that uses it is itself deactivated or deleted. If an active gateway still references the source, the dashboard blocks deactivation and tells you how many gateways still depend on it.
To deactivate a , deactivate or delete the dependent gateways first, then change the User Source’s status to Inactive.
Delete a User Source
Deleting a is permanent. As with deactivation, you can only delete a User Source when no active gateway references it. The dashboard blocks the action until you deactivate or remove the dependent gateways.
Next steps
- MCP Gateway authentication for a comparison of Arcade Auth, , and Arcade Headers
- Connect to MCP clients to point your client at a gateway that uses a