MCP Tools Reference: ces.googleapis.com

string

Required. The resource name of the app to create a toolset in.

string

Optional. The ID to use for the toolset, which will become the final component of the toolset's resource name. If not provided, a unique ID will be automatically assigned for the toolset.

object (Toolset)

Required. The toolset to create.

string

Identifier. The unique identifier of the toolset. Format: projects/{project}/locations/{location}/apps/{app}/toolsets/{toolset}

string

Optional. The display name of the toolset. Must be unique within the same app.

string

Optional. The description of the toolset.

string (Timestamp format)

Output only. Timestamp when the toolset was created.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

string (Timestamp format)

Output only. Timestamp when the toolset was last updated.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

string

ETag used to ensure the object hasn't changed during a read-modify-write operation. If the etag is empty, the update will overwrite any concurrent changes.

enum (ExecutionType)

Optional. The execution type of the tools in the toolset.

object (ToolFakeConfig)

Optional. Configuration for tools behavior in fake mode.

object (McpToolset)

Optional. A toolset that contains a list of tools that are offered by the MCP server.

object (OpenApiToolset)

Optional. A toolset that contains a list of tools that are defined by an OpenAPI schema.

object (ConnectorToolset)

Optional. A toolset that generates tools from an Integration Connectors Connection.

string

Required. The address of the MCP server, for example, "https://example.com/mcp/". If the server is built with the MCP SDK, the url should be suffixed with "/mcp/". Only Streamable HTTP transport based servers are supported. See https://modelcontextprotocol.io/specification/2025-03-26/basic/transports#streamable-http for more details.

object (ApiAuthentication)

Optional. Authentication information required to access tools and execute a tool against the MCP server. For bearer token authentication, the token applies only to tool execution, not to listing tools. This requires that tools can be listed without authentication.

object (ServiceDirectoryConfig)

Optional. Service Directory configuration for VPC-SC, used to resolve service names within a perimeter.

object (TlsConfig)

Optional. The TLS configuration. Includes the custom server certificates that the client should trust.

object (ApiKeyConfig)

Optional. Config for API key auth.

object (OAuthConfig)

Optional. Config for OAuth.

object (ServiceAgentIdTokenAuthConfig)

Optional. Config for ID token auth generated from CES service agent.

object (ServiceAccountAuthConfig)

Optional. Config for service account authentication.

object (BearerTokenConfig)

Optional. Config for bearer token auth.

string

Required. The parameter name or the header name of the API key. E.g., If the API request is "https://example.com/act?X-Api-Key=", "X-Api-Key" would be the parameter name.

string

Required. The name of the SecretManager secret version resource storing the API key. Format: projects/{project}/secrets/{secret}/versions/{version}

Note: You should grant roles/secretmanager.secretAccessor role to the CES service agent service-<PROJECT-NUMBER>@gcp-sa-ces.iam.gserviceaccount.com.

enum (RequestLocation)

Required. Key location in the request.

enum (OauthGrantType)

Required. OAuth grant types.

string

Required. The client ID from the OAuth provider.

string

Required. The name of the SecretManager secret version resource storing the client secret. Format: projects/{project}/secrets/{secret}/versions/{version}

Note: You should grant roles/secretmanager.secretAccessor role to the CES service agent service-<PROJECT-NUMBER>@gcp-sa-ces.iam.gserviceaccount.com.

string

Required. The token endpoint in the OAuth provider to exchange for an access token.

string

Optional. The OAuth scopes to grant.

string

Required. The email address of the service account used for authentication. CES uses this service account to exchange an access token and the access token is then sent in the Authorization header of the request.

The service account must have the roles/iam.serviceAccountTokenCreator role granted to the CES service agent service-<PROJECT-NUMBER>@gcp-sa-ces.iam.gserviceaccount.com.

string

Optional. The OAuth scopes to grant. If not specified, the default scope https://www.googleapis.com/auth/cloud-platform is used.

string

Required. The bearer token. Must be in the format $context.variables.<name_of_variable>.

string

Required. The name of Service Directory service. Format: projects/{project}/locations/{location}/namespaces/{namespace}/services/{service}. Location of the service directory must be the same as the location of the app.

object (CaCert)

Required. Specifies a list of allowed custom CA certificates for HTTPS verification.

string

Required. The name of the allowed custom CA certificates. This can be used to disambiguate the custom CA certificates.

string (bytes format)

Required. The allowed custom CA certificates (in DER format) for HTTPS verification. This overrides the default SSL trust store. If this is empty or unspecified, CES will use Google's default trust store to verify certificates. N.B. Make sure the HTTPS server certificates are signed with "subject alt name". For instance a certificate can be self-signed using the following command, openssl x509 -req -days 200 -in example.com.csr \ -signkey example.com.key \ -out example.com.crt \ -extfile <(printf "\nsubjectAltName='DNS:www.example.com'")

A base64-encoded string.

string

Required. The OpenAPI schema of the toolset.

object (ApiAuthentication)

Optional. Authentication information required by the API.

object (TlsConfig)

Optional. The TLS configuration. Includes the custom server certificates

object (ServiceDirectoryConfig)

Optional. Service Directory configuration.

boolean

Optional. If true, the agent will ignore unknown fields in the API response for all operations defined in the OpenAPI schema.

string

Optional. The server URL of the Open API schema. This field is only set in toolsets in the environment dependencies during the export process if the schema contains a server url. During the import process, if this url is present in the environment dependencies and the schema has the $env_var placeholder, it will replace the placeholder in the schema.

string

Required. The full resource name of the referenced Integration Connectors Connection. Format: projects/{project}/locations/{location}/connections/{connection}

object (EndUserAuthConfig)

Optional. Configures how authentication is handled in Integration Connectors. By default, an admin authentication is passed in the Integration Connectors API requests. You can override it with a different end-user authentication config. Note: The Connection must have authentication override enabled in order to specify an EUC configuration here - otherwise, the Toolset creation will fail. See: https://cloud.google.com/application-integration/docs/configure-connectors-task#configure-authentication-override

object (Action)

Required. The list of connector actions/entity operations to generate tools for.

object (Oauth2AuthCodeConfig)

Oauth 2.0 Authorization Code authentication.

object (Oauth2JwtBearerConfig)

JWT Profile Oauth 2.0 Authorization Grant authentication.

string

Required. Oauth token parameter name to pass through. Must be in the format $context.variables.<name_of_variable>.

string

Required. Issuer parameter name to pass through. Must be in the format $context.variables.<name_of_variable>.

string

Required. Subject parameter name to pass through. Must be in the format $context.variables.<name_of_variable>.

string

Required. Client parameter name to pass through. Must be in the format $context.variables.<name_of_variable>.

string

Optional. Entity fields to use as inputs for the operation. If no fields are specified, all fields of the Entity will be used.

string

Optional. Entity fields to return from the operation. If no fields are specified, all fields of the Entity will be returned.

string

ID of a Connection action for the tool to use.

object (EntityOperation)

Entity operation configuration for the tool to use.

string

Required. ID of the entity.

enum (OperationType)

Required. Operation to perform on the entity.

string (int64 format)

Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be between -62135596800 and 253402300799 inclusive (which corresponds to 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z).

integer

Non-negative fractions of a second at nanosecond resolution. This field is the nanosecond portion of the duration, not an alternative to seconds. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be between 0 and 999,999,999 inclusive.

boolean

Optional. Whether the tool is using fake mode.

object (CodeBlock)

Optional. Code block which will be executed instead of a real tool call.

string

Required. Python code which will be invoked in tool fake mode. Expected Python function signature - To catch all tool calls: def fake_tool_call(tool: Tool, input: dict[str, Any], callback_context: CallbackContext) -> Optional[dict[str, Any]]: To catch a specific tool call: def fake_{tool_id}(tool: Tool, input: dict[str, Any], callback_context: CallbackContext) -> Optional[dict[str, Any]]: If the function returns None, the real tool will be invoked instead.

string

Identifier. The unique identifier of the toolset. Format: projects/{project}/locations/{location}/apps/{app}/toolsets/{toolset}

string

Optional. The display name of the toolset. Must be unique within the same app.

string

Optional. The description of the toolset.

string (Timestamp format)

Output only. Timestamp when the toolset was created.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

string (Timestamp format)

Output only. Timestamp when the toolset was last updated.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

string

ETag used to ensure the object hasn't changed during a read-modify-write operation. If the etag is empty, the update will overwrite any concurrent changes.

enum (ExecutionType)

Optional. The execution type of the tools in the toolset.

object (ToolFakeConfig)

Optional. Configuration for tools behavior in fake mode.

object (McpToolset)

Optional. A toolset that contains a list of tools that are offered by the MCP server.

object (OpenApiToolset)

Optional. A toolset that contains a list of tools that are defined by an OpenAPI schema.

object (ConnectorToolset)

Optional. A toolset that generates tools from an Integration Connectors Connection.

string

Required. The address of the MCP server, for example, "https://example.com/mcp/". If the server is built with the MCP SDK, the url should be suffixed with "/mcp/". Only Streamable HTTP transport based servers are supported. See https://modelcontextprotocol.io/specification/2025-03-26/basic/transports#streamable-http for more details.

object (ApiAuthentication)

Optional. Authentication information required to access tools and execute a tool against the MCP server. For bearer token authentication, the token applies only to tool execution, not to listing tools. This requires that tools can be listed without authentication.

object (ServiceDirectoryConfig)

Optional. Service Directory configuration for VPC-SC, used to resolve service names within a perimeter.

object (TlsConfig)

Optional. The TLS configuration. Includes the custom server certificates that the client should trust.

object (ApiKeyConfig)

Optional. Config for API key auth.

object (OAuthConfig)

Optional. Config for OAuth.

object (ServiceAgentIdTokenAuthConfig)

Optional. Config for ID token auth generated from CES service agent.

object (ServiceAccountAuthConfig)

Optional. Config for service account authentication.

object (BearerTokenConfig)

Optional. Config for bearer token auth.

string

Required. The parameter name or the header name of the API key. E.g., If the API request is "https://example.com/act?X-Api-Key=", "X-Api-Key" would be the parameter name.

string

Required. The name of the SecretManager secret version resource storing the API key. Format: projects/{project}/secrets/{secret}/versions/{version}

Note: You should grant roles/secretmanager.secretAccessor role to the CES service agent service-<PROJECT-NUMBER>@gcp-sa-ces.iam.gserviceaccount.com.

enum (RequestLocation)

Required. Key location in the request.

enum (OauthGrantType)

Required. OAuth grant types.

string

Required. The client ID from the OAuth provider.

string

Required. The name of the SecretManager secret version resource storing the client secret. Format: projects/{project}/secrets/{secret}/versions/{version}

Note: You should grant roles/secretmanager.secretAccessor role to the CES service agent service-<PROJECT-NUMBER>@gcp-sa-ces.iam.gserviceaccount.com.

string

Required. The token endpoint in the OAuth provider to exchange for an access token.

string

Optional. The OAuth scopes to grant.

string

Required. The email address of the service account used for authentication. CES uses this service account to exchange an access token and the access token is then sent in the Authorization header of the request.

The service account must have the roles/iam.serviceAccountTokenCreator role granted to the CES service agent service-<PROJECT-NUMBER>@gcp-sa-ces.iam.gserviceaccount.com.

string

Optional. The OAuth scopes to grant. If not specified, the default scope https://www.googleapis.com/auth/cloud-platform is used.

string

Required. The bearer token. Must be in the format $context.variables.<name_of_variable>.

string

Required. The name of Service Directory service. Format: projects/{project}/locations/{location}/namespaces/{namespace}/services/{service}. Location of the service directory must be the same as the location of the app.

object (CaCert)

Required. Specifies a list of allowed custom CA certificates for HTTPS verification.

string

Required. The name of the allowed custom CA certificates. This can be used to disambiguate the custom CA certificates.

string (bytes format)

Required. The allowed custom CA certificates (in DER format) for HTTPS verification. This overrides the default SSL trust store. If this is empty or unspecified, CES will use Google's default trust store to verify certificates. N.B. Make sure the HTTPS server certificates are signed with "subject alt name". For instance a certificate can be self-signed using the following command, openssl x509 -req -days 200 -in example.com.csr \ -signkey example.com.key \ -out example.com.crt \ -extfile <(printf "\nsubjectAltName='DNS:www.example.com'")

A base64-encoded string.

string

Required. The OpenAPI schema of the toolset.

object (ApiAuthentication)

Optional. Authentication information required by the API.

object (TlsConfig)

Optional. The TLS configuration. Includes the custom server certificates

object (ServiceDirectoryConfig)

Optional. Service Directory configuration.

boolean

Optional. If true, the agent will ignore unknown fields in the API response for all operations defined in the OpenAPI schema.

string

Optional. The server URL of the Open API schema. This field is only set in toolsets in the environment dependencies during the export process if the schema contains a server url. During the import process, if this url is present in the environment dependencies and the schema has the $env_var placeholder, it will replace the placeholder in the schema.

string

Required. The full resource name of the referenced Integration Connectors Connection. Format: projects/{project}/locations/{location}/connections/{connection}

object (EndUserAuthConfig)

Optional. Configures how authentication is handled in Integration Connectors. By default, an admin authentication is passed in the Integration Connectors API requests. You can override it with a different end-user authentication config. Note: The Connection must have authentication override enabled in order to specify an EUC configuration here - otherwise, the Toolset creation will fail. See: https://cloud.google.com/application-integration/docs/configure-connectors-task#configure-authentication-override

object (Action)

Required. The list of connector actions/entity operations to generate tools for.

object (Oauth2AuthCodeConfig)

Oauth 2.0 Authorization Code authentication.

object (Oauth2JwtBearerConfig)

JWT Profile Oauth 2.0 Authorization Grant authentication.

string

Required. Oauth token parameter name to pass through. Must be in the format $context.variables.<name_of_variable>.

string

Required. Issuer parameter name to pass through. Must be in the format $context.variables.<name_of_variable>.

string

Required. Subject parameter name to pass through. Must be in the format $context.variables.<name_of_variable>.

string

Required. Client parameter name to pass through. Must be in the format $context.variables.<name_of_variable>.

string

Optional. Entity fields to use as inputs for the operation. If no fields are specified, all fields of the Entity will be used.

string

Optional. Entity fields to return from the operation. If no fields are specified, all fields of the Entity will be returned.

string

ID of a Connection action for the tool to use.

object (EntityOperation)

Entity operation configuration for the tool to use.

string

Required. ID of the entity.

enum (OperationType)

Required. Operation to perform on the entity.

string (int64 format)

Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be between -62135596800 and 253402300799 inclusive (which corresponds to 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z).

integer

Non-negative fractions of a second at nanosecond resolution. This field is the nanosecond portion of the duration, not an alternative to seconds. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be between 0 and 999,999,999 inclusive.

boolean

Optional. Whether the tool is using fake mode.

object (CodeBlock)

Optional. Code block which will be executed instead of a real tool call.

string

Required. Python code which will be invoked in tool fake mode. Expected Python function signature - To catch all tool calls: def fake_tool_call(tool: Tool, input: dict[str, Any], callback_context: CallbackContext) -> Optional[dict[str, Any]]: To catch a specific tool call: def fake_{tool_id}(tool: Tool, input: dict[str, Any], callback_context: CallbackContext) -> Optional[dict[str, Any]]: If the function returns None, the real tool will be invoked instead.