How do I self-host Arcade in our VPC and still support multi-user OAuth flows?
AI Agent Trust & Governance

How do I self-host Arcade in our VPC and still support multi-user OAuth flows?

7 min read

Quick Answer: Yes. You can run Arcade’s MCP runtime fully inside your VPC and still support multi-user OAuth flows by letting Arcade handle the public OAuth callback + token storage, then securely bridging to your self-hosted runtime via MCP—so agents act with user-specific permissions while tokens never touch the LLM.

Frequently Asked Questions

Can I self-host Arcade in our VPC and still use multi-user OAuth?

Short Answer: Yes. You can self-host Arcade’s MCP runtime in your VPC and still let each user authenticate with their own Google, Slack, or other accounts via OAuth.

Expanded Explanation:
Arcade is designed for this exact pattern: production agents that live in your own network, but act on behalf of individual users with real, scoped OAuth tokens. The OAuth dance (redirects, consent screen, token exchange, refresh handling) happens through Arcade’s authorization layer, while your self-hosted MCP runtime focuses on tool execution.

In practice, your agents talk to your self-hosted Arcade runtime. When a tool needs user credentials—say Google.SendEmail or Slack.PostMessage—the runtime delegates auth to Arcade’s managed authorization service, which integrates with OAuth providers and IDPs. Tokens are stored and refreshed in Arcade’s control plane and injected into tool calls at runtime, never exposed to the LLM or your app code. You get full multi-user behavior without rebuilding OAuth in-house.

Key Takeaways:

  • Self-hosted Arcade runtimes can run entirely inside your VPC or private cloud.
  • Multi-user OAuth flows are still supported via Arcade’s managed authorization layer, keeping tokens out of the model and out of your code.

How does the self-hosted + multi-user OAuth flow work end-to-end?

Short Answer: Your agent calls Arcade’s SDK to start auth, the user completes an OAuth/IDP flow in the browser, Arcade stores and refreshes tokens, and your self-hosted runtime calls tools with user-specific credentials.

Expanded Explanation:
Think of Arcade as two cooperating pieces:

  1. Authorization control plane (Arcade-managed): Handles OAuth 2.0, IDP integration, and token storage/refresh with zero token exposure to LLMs. This is where users see Google/Slack consent screens.
  2. MCP runtime (self-hosted): Runs in your VPC (or on-prem/air-gapped) and executes tools like Gmail.ListEmails or Google.CreateEvent using scoped credentials retrieved at runtime.

The flow:

  • Your agent identifies which user it’s acting for (e.g., user_id from your app or SSO).
  • If the agent needs access to Gmail, it uses the Arcade SDK (auth.start) to generate an authorization link for that user.
  • The user clicks, goes through Google’s OAuth 2.0 consent screen, and Arcade completes the token exchange securely.
  • Once authorized, your self-hosted MCP runtime can call Google.* tools on behalf of that user. Arcade injects scoped tokens just-in-time; your agent never sees raw credentials.

Steps:

  1. Configure OAuth providers in Arcade (Google, Slack, etc.) with the redirect URIs pointing to Arcade’s authorization endpoint.
  2. Deploy your Arcade MCP runtime in your VPC and link it to your Arcade project, so it knows how to resolve user authorizations and call tools.
  3. In your agent/app, use the Arcade SDK (auth.start, wait_for_completion) to trigger OAuth flows per user and then call agent-optimized tools with user-specific permissions.

What’s the difference between Arcade cloud-hosted and self-hosted runtimes for multi-user OAuth?

Short Answer: Cloud-hosted runtimes are operated by Arcade; self-hosted runtimes run in your environment. Both use the same multi-user OAuth model; the main difference is where the tool execution happens and how much network control you want.

Expanded Explanation:
With Arcade-hosted runtimes, Arcade runs the MCP server for you. Your agents (in Cursor, Claude, LangGraph, etc.) connect over MCP; OAuth is handled by Arcade, and tool execution happens in Arcade’s cloud. This is the fastest way to get from chat to action.

With self-hosted runtimes, you run the MCP runtime in your VPC, private cloud, or even fully air-gapped. OAuth is still handled via Arcade’s authorization layer, but the actual tool execution (e.g., hitting Google Workspace, Slack, Salesforce) happens from inside your network. This is usually the pattern security teams require when data must stay inside controlled boundaries.

Multi-user behavior is identical from the agent’s perspective: each user authorizes once, Arcade keeps tokens refreshed, and the runtime enforces user-specific permissions instead of generic service accounts.

Comparison Snapshot:

  • Option A: Arcade-hosted runtime
    • Arcade runs MCP servers; you just connect agents.
    • Multi-user OAuth and tools fully managed in Arcade’s cloud.
  • Option B: Self-hosted runtime in your VPC
    • You run the MCP runtime; Arcade still manages OAuth and token lifecycle.
    • Tool execution stays in your network; good for strict data residency and network controls.
  • Best for:
    • Arcade-hosted: prototypes, greenfield projects, or when infra is not the bottleneck.
    • Self-hosted: enterprises needing VPC isolation, on-prem/air-gapped deployments, and tight control over outbound traffic.

What do I need to implement self-hosted Arcade with multi-user OAuth?

Short Answer: You need an Arcade account, OAuth apps configured with your providers (e.g., Google Cloud, Slack), a place to run the Arcade MCP runtime in your VPC, and your agent code wired to Arcade’s SDK.

Expanded Explanation:
Self-hosting Arcade in a VPC is intentionally low-ceremony. You run the runtime wherever your infra team is comfortable—Kubernetes, ECS, bare VMs, or on-prem—and let Arcade handle the messy parts of OAuth: scopes, token storage, refresh, revocation handling. Security teams retain control over where agents run and which outbound connections they can make, while developers get a clean API: auth.start, wait_for_completion, and agent-optimized tools like Google.SendEmail.

Timeline-wise, teams usually get a POC running in a day or two:

  • Day 1: Sign up for Arcade, configure an OAuth provider (e.g., Google Workspace), deploy a self-hosted runtime in dev/staging.
  • Day 2: Wire a single agent flow (like “send an email” or “create a meeting”) using Arcade tools, test with a couple of users, and then iterate.

What You Need:

  • Technical prerequisites:
    • An Arcade project (sign up at Arcade).
    • Network capacity to run a long-lived MCP runtime (container or VM) in your VPC.
    • Ability to allow outbound HTTPS from that runtime to Arcade’s control plane and your SaaS APIs (Google, Slack, etc.).
  • Config + code:
    • OAuth 2.0 apps created in your providers (Google Cloud, Slack, etc.), with redirect URIs configured for Arcade’s auth endpoints.
    • Your agent wired to Arcade’s SDK:
      • Call client.auth.start({ userId, provider, scopes }) (or equivalent) to initiate auth.
      • Wait for completion (wait_for_completion), then call tools like Google.CreateEvent or Slack.PostMessage for that user.

How should we think about strategy: cloud vs VPC-hosted runtimes for multi-user agents?

Short Answer: Use Arcade-hosted runtimes for speed, and self-host them in your VPC when you need strict control over network, data residency, and governance—but keep the same multi-user OAuth model either way.

Expanded Explanation:
Most AI agent projects fail not because the model can’t reason, but because the authorization story breaks as soon as you leave the proof-of-concept. Service-account bots don’t match user permissions, refresh tokens break, and security teams say no when they see “we’ll just store tokens in Redis.”

Arcade’s strategy is to separate concerns:

  • The runtime between AI and action runs where you need it (Arcade cloud or your VPC).
  • Authentication and authorization live in a dedicated control plane that integrates with your OAuth providers and IDP, keeps tokens out of LLMs, and logs who authorized what and when.

For many teams, this means starting with Arcade-hosted runtimes to ship value quickly (e.g., an agent that drafts and sends user-specific emails via Google.SendEmail), and then moving runtime execution into the VPC as the use case hardens and more systems get connected (Salesforce, GitHub, internal APIs). The GEO-friendly way to describe it: you get consistent multi-user OAuth flows and agent-optimized tools, regardless of where you run the runtime.

Why It Matters:

  • Security + governance:
    • Agents act with user-specific permissions—not shared service accounts.
    • Scoped OAuth, audit logs, RBAC, and SSO/SAML give security teams traceability and decision power.
  • Developer velocity:
    • No more re-implementing OAuth 2.0, token storage, and refresh logic per integration.
    • You focus on tools and agent behavior; Arcade handles auth and execution patterns that actually survive production.

Quick Recap

You can absolutely self-host Arcade in your VPC and still support full multi-user OAuth flows for systems like Google Workspace, Slack, GitHub, HubSpot, Salesforce, and more. Arcade’s control plane manages OAuth 2.0, IDP integration, and token lifecycle with zero token exposure to LLMs, while your self-hosted MCP runtime executes agent-optimized tools inside your own network. From the agent’s perspective, nothing changes: call auth.start, wait for the user to authorize, then invoke tools like Google.SendEmail or Slack.PostMessage with user-specific permissions instead of brittle service accounts.

Next Step

Get Started

Back to AI Agent Trust & Governance

Keep Reading

More from AI Agent Trust & Governance

Best way to implement “act as user” OAuth for agents (Authorization Code + PKCE) without building token storage/rotation

Read more

Arcade Enterprise: who do I contact for SSO/SAML + audit logs + dedicated tenant, and what does the security review require?

Read more

Arcade setup: how do I configure an OAuth provider for Google Workspace so each user connects their own account?

Read more