User Sources
A User Source connects an Gateway to your OIDC identity provider. When a gateway uses a User Source, your end users sign in with their own at your identity provider. They don’t need Arcade accounts.
Outcomes
Configure a User Source in your project and attach it to an Gateway so your end sign in with your identity provider.
You will Learn
- What a Source is and when to use one
- How to create a Source in the Arcade dashboard
- How to attach a User Source to an Gateway
- How to edit, rotate, deactivate, and delete a Source
Prerequisites
- An Arcade with access to a
- An OIDC identity provider, such as Auth0, Okta, Entra ID, Stytch, or Clerk
- An OAuth client registered with that identity provider, including its issuer URL, client ID, and client secret
What is a User Source?
Arcade distinguishes between two kinds of :
- Arcade are the people who build and manage your project in the Arcade dashboard. They sign in with Arcade .
- End are the people who call your agent or application, which in turn calls your Gateway.
A Source tells Arcade where your end users come from. When a gateway uses a User Source, Arcade redirects end users to your identity provider to sign in, then uses the resulting OIDC token to identify them on every gateway request.
User Sources are project-bound: you create one in a project, then attach it to any Gateway in that . One Source can back many gateways.
When to use a User Source
Arcade Gateways support three ways to authenticate end :
| Mode | Best for |
|---|---|
| Arcade Auth | Development, testing, and internal use, when every end user has an Arcade account |
| User Source (recommended for production) | Production agents whose end users have their own accounts in your OIDC identity provider |
| Arcade Headers (fallback) | MCP clients that can’t run a browser-based OAuth flow |
See MCP Gateway authentication for the full comparison. The rest of this guide walks through configuring a Source and attaching it to a gateway.
Create a User Source
Open the User Sources dashboard
Go to the User Sources dashboard for your and click Create Source.
Fill in the User Source details
Provide the following:
- Name: A short, human-readable name for this connection. For example,
Okta production. - Description (optional): Free-form notes about the connection.
- Issuer URL: The OIDC issuer URL, for example
https://accounts.example.com. Arcade matches this against theissclaim on incoming tokens, so it must exactly match what your identity provider issues. - Client ID: The client ID of the OAuth client you registered with your identity provider.
- Client Secret: The matching client secret. Arcade stores it encrypted and never returns it through the API or dashboard.
- Subject Claim: The JWT claim Arcade uses as the end ’s stable identifier. Defaults to
sub. Common alternatives areoid(Entra ID) andemail.
The issuer URL, client ID, client secret, and subject claim depend on your identity provider. Each provider has its own dashboard for registering OAuth clients and exposing OIDC discovery metadata.
Save the User Source
Click Create. The new Source appears in the list with Active status and is ready to attach to a gateway.
Attach a User Source to an MCP Gateway
You select a User Source when you create or edit an Gateway, not as a separate step.
Open the gateway
Go to the MCP Gateways dashboard and either create a new gateway or open an existing one.
Choose who the gateway’s users are
Under Who are the of this Gateway?, you’ll see two top-level options:
- Members of this : uses Arcade Auth. Pick this only when every end user has an Arcade in this project.
- Non-Arcade : uses either a User Source or Arcade Headers.
Select Non-Arcade , then choose User Source (recommended).
Select the User Source
In the dropdown that appears, pick the User Source you created. Only active User Sources in the current appear in the dropdown.
Save the gateway
Save the gateway. End will now reach your identity provider’s sign-in screen when they connect, and Arcade will use the configured subject claim as their stable identifier on every request.
One User Source can back multiple gateways in the same . You don’t need a separate Source per gateway.
Manage User Sources
Edit a User Source
You can change a Source’s name, description, issuer URL, client ID, or subject claim at any time from the User Sources dashboard. Saving the changes affects every gateway that uses this User Source on its next request.
Rotate the client secret
To rotate the client secret:
- Open the Source in the dashboard.
- Enter the new secret in the Client Secret field.
- Save.
The field is blank in edit mode and only updates when you fill it in, so editing other fields does not affect the stored secret.
Rotate the client secret in your identity provider first, then update it in Arcade. There’s a short window where token exchange fails if Arcade’s stored secret doesn’t match the one your provider expects.
Deactivate a User Source
Set a Source’s status to Inactive to take it out of rotation without deleting it. Inactive User Sources don’t appear when creating or editing a gateway, but gateways already attached to the source keep working.
You can only deactivate a Source when no active gateway references it. If an active gateway uses the source, the dashboard shows a message reporting how many active gateways still reference the source and asking you to disable or remove those gateways first. Do that, then deactivate the User Source.
Delete a User Source
Deleting a Source is permanent. As with deactivation, you can only delete a User Source when no active gateway references it. The dashboard blocks the action with the same message until you disable or remove the referencing gateways.
Next steps
- MCP Gateway authentication for a comparison of Arcade Auth, Sources, and Arcade Headers
- Connect to MCP clients to point your client at a gateway that uses a Source