google
diff --git a/‎contributing/workflow_samples/auth_config/README.md‎
Lines changed: 114 additions & 0 deletions b/‎contributing/workflow_samples/auth_config/README.md‎
Lines changed: 114 additions & 0 deletions
diff --git a/‎contributing/workflow_samples/auth_config/agent.py‎
Lines changed: 83 additions & 0 deletions b/‎contributing/workflow_samples/auth_config/agent.py‎
Lines changed: 83 additions & 0 deletions
diff --git a/‎src/google/adk/workflow/_function_node.py‎
Lines changed: 35 additions & 0 deletions b/‎src/google/adk/workflow/_function_node.py‎
Lines changed: 35 additions & 0 deletions
diff --git a/‎src/google/adk/workflow/_node.py‎
Lines changed: 11 additions & 0 deletions b/‎src/google/adk/workflow/_node.py‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎src/google/adk/workflow/_workflow.py‎
Lines changed: 4 additions & 3 deletions b/‎src/google/adk/workflow/_workflow.py‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎src/google/adk/workflow/utils/_workflow_graph_utils.py‎
Lines changed: 3 additions & 0 deletions b/‎src/google/adk/workflow/utils/_workflow_graph_utils.py‎
Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,114 @@
+# ADK Workflow Auth Config Sample
+
+## Overview
+
+This sample demonstrates how to use `auth_config` on a `FunctionNode` to require user authentication before the node runs.
+
+When a node has `auth_config`, the workflow automatically:
+1. Pauses the node and emits an `adk_request_credential` FunctionCall event
+2. The invocation ends — the node is marked as waiting
+3. The client sends a new request with the credential as a FunctionResponse
+4. The workflow stores the credential in session state and re-runs the node
+
+The **ADK web UI** (`adk web`) handles step 3 automatically — it recognizes auth
+requests and presents an auth dialog. If you use a custom client, you need to
+handle the `adk_request_credential` FunctionCall and respond with the credential
+yourself.
+
+This sample uses **API key** authentication (the simplest credential type).
+
+## No External Setup Required
+
+This sample uses a mock weather lookup. No external API key or server is needed. When the auth UI prompts for a key, you can enter any value (e.g., `my-test-key-123`).
+
+## Sample Inputs
+
+Send any message (e.g., `go`) to start the workflow.
+
+## Graph
+
+```text
+     [ START ]
+         |
+         v
+  [fetch_weather]  <-- pauses for auth on first run
+         |
+         v
+    [summarize]
+```
+
+## How To
+
+1. Define an `AuthConfig` with the auth scheme and credential type:
+
+   ```python
+   from google.adk.auth.auth_tool import AuthConfig
+   from google.adk.auth.auth_credential import AuthCredential, AuthCredentialTypes
+
+   auth_config = AuthConfig(
+       auth_scheme=APIKey(**{'in': APIKeyIn.header, 'name': 'X-Api-Key'}),
+       raw_auth_credential=AuthCredential(
+           auth_type=AuthCredentialTypes.API_KEY,
+           api_key='placeholder',
+       ),
+       credential_key='weather_api_key',
+   )
+   ```
+
+2. Use the `@node` decorator with `auth_config` and `rerun_on_resume=True`:
+
+   ```python
+   @node(auth_config=auth_config, rerun_on_resume=True)
+   def fetch_weather(ctx: Context):
+       ...
+   ```
+
+3. Inside the function, retrieve the credential from `ctx`:
+
+   ```python
+   def fetch_weather(ctx: Context):
+       cred = ctx.get_auth_response(auth_config)
+       api_key = cred.api_key
+       # Use api_key to call your API...
+   ```
+
+## OAuth2
+
+The same `auth_config` pattern works with OAuth2 and OpenID Connect. The key
+differences:
+
+- **Auth scheme**: Use `OAuth2` (from `fastapi.openapi.models`) instead of
+  `APIKey`. Configure the authorization and token URLs in the OAuth2 flows.
+- **Raw credential**: Set `auth_type=AuthCredentialTypes.OAUTH2` and provide
+  `client_id`, `client_secret`, and `redirect_uri` in the `oauth2` field.
+- **Web UI flow**: The ADK web UI recognizes OAuth2 auth requests and opens
+  an authorization popup automatically. The user authenticates with the
+  provider, and the UI sends the full `AuthConfig` response back. No special
+  handling is needed in the node.
+- **Token exchange**: The framework automatically exchanges the authorization
+  code for an access token via `AuthHandler.exchange_auth_token()`.
+
+```python
+from fastapi.openapi.models import OAuth2, OAuthFlowAuthorizationCode, OAuthFlows
+
+auth_config = AuthConfig(
+    auth_scheme=OAuth2(
+        flows=OAuthFlows(
+            authorizationCode=OAuthFlowAuthorizationCode(
+                authorizationUrl='https://provider.com/authorize',
+                tokenUrl='https://provider.com/token',
+                scopes={'read': 'Read access'},
+            )
+        )
+    ),
+    raw_auth_credential=AuthCredential(
+        auth_type=AuthCredentialTypes.OAUTH2,
+        oauth2=OAuth2Auth(
+            client_id='YOUR_CLIENT_ID',
+            client_secret='YOUR_CLIENT_SECRET',
+            redirect_uri='http://localhost:8000/callback',
+        ),
+    ),
+    credential_key='my_oauth_credential',
+)
+```
@@ -0,0 +1,83 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Auth Config sample: FunctionNode with API key authentication.
+
+Demonstrates how to use `auth_config` on a FunctionNode to pause
+the workflow and request user credentials before running the node.
+
+Flow:
+  1. User sends any message to start the workflow.
+  2. The `fetch_weather` node pauses and requests an API key.
+  3. The user provides the API key through the auth UI.
+  4. The node runs with the credential available in session state.
+  5. The `summarize` node displays the result.
+"""
+
+from fastapi.openapi.models import APIKey
+from fastapi.openapi.models import APIKeyIn
+from google.adk import Event
+from google.adk import Workflow
+from google.adk.agents.context import Context
+from google.adk.auth.auth_credential import AuthCredential
+from google.adk.auth.auth_credential import AuthCredentialTypes
+from google.adk.auth.auth_tool import AuthConfig
+from google.adk.workflow import node
+
+# --- Auth configuration ---
+# Uses API key auth: the simplest credential type.
+# The user will be prompted to provide an API key via the auth UI.
+auth_config = AuthConfig(
+    auth_scheme=APIKey(**{'in': APIKeyIn.header, 'name': 'X-Api-Key'}),
+    raw_auth_credential=AuthCredential(
+        auth_type=AuthCredentialTypes.API_KEY,
+        api_key='placeholder',
+    ),
+    credential_key='weather_api_key',
+)
+
+
+@node(auth_config=auth_config, rerun_on_resume=True)
+def fetch_weather(ctx: Context):
+  """Fetches weather data using the authenticated API key."""
+  # After auth completes, the credential is available via ctx.
+  cred = ctx.get_auth_response(auth_config)
+  api_key = cred.api_key if cred else 'unknown'
+
+  # In a real agent, you would use the api_key to call an external API.
+  # For this sample, we just echo it back (masked).
+  masked = api_key[:4] + '****' if len(api_key) > 4 else '****'
+  return {
+      'city': 'San Francisco',
+      'temperature': '18C',
+      'condition': 'Sunny',
+      'api_key_used': masked,
+  }
+
+
+def summarize(node_input: dict):
+  """Displays the weather result."""
+  yield Event(
+      message=(
+          f"Weather for {node_input['city']}:"
+          f" {node_input['temperature']}, {node_input['condition']}."
+          f" (Authenticated with key: {node_input['api_key_used']})"
+      )
+  )
+
+
+root_agent = Workflow(
+    name='auth_config',
+    edges=[('START', fetch_weather, summarize)],
+)
@@ -29,10 +29,14 @@
 from pydantic import TypeAdapter
 from typing_extensions import override
 
+from ..auth.auth_tool import AuthConfig
 from ..events.event import Event
 from ..events.request_input import RequestInput
 from ._base_node import BaseNode
 from ._retry_config import RetryConfig
+from .utils._workflow_hitl_utils import create_auth_request_event
+from .utils._workflow_hitl_utils import has_auth_credential
+from .utils._workflow_hitl_utils import process_auth_resume
 
 logger = logging.getLogger('google_adk.' + __name__)
 
@@ -96,6 +100,16 @@ class FunctionNode(BaseNode):
     - All other values are validated/coerced by Pydantic's ``TypeAdapter``.
   """
 
+  auth_config: AuthConfig | None = None
+  """If set, the framework requests user authentication before running.
+
+  When the node runs for the first time and no credential is found in
+  session state, it yields an ``adk_request_credential`` event and
+  interrupts.  On resume, the credential is stored and the node
+  re-runs with the credential available via
+  ``AuthHandler(auth_config).get_auth_response(ctx.state)``.
+  """
+
   # Private attributes (won't be serialized)
   _func: Callable[..., Any] = PrivateAttr()
   _sig: inspect.Signature = PrivateAttr()
@@ -109,6 +123,7 @@ def __init__(
       rerun_on_resume: bool = False,
       retry_config: RetryConfig | None = None,
       timeout: float | None = None,
+      auth_config: AuthConfig | None = None,
   ):
     """Initializes FunctionNode.
 
@@ -125,11 +140,20 @@ def __init__(
       retry_config: If provided, the node will be retried on failure based on
         this configuration.
       timeout: Maximum time in seconds for this node to complete.
+      auth_config: If provided, the framework requests user authentication
+        before running the node. Requires rerun_on_resume=True (the node
+        must rerun after credentials are provided).
     """
 
     if not callable(func):
       raise TypeError('Function must be callable.')
 
+    if auth_config and not rerun_on_resume:
+      raise ValueError(
+          'FunctionNode with auth_config requires rerun_on_resume=True.'
+          ' The node must rerun after credentials are provided.'
+      )
+
     inferred_name = name or getattr(func, '__name__', None)
     if not inferred_name:
       raise ValueError(
@@ -143,6 +167,7 @@ def __init__(
         rerun_on_resume=rerun_on_resume,
         retry_config=retry_config,
         timeout=timeout,
+        auth_config=auth_config,
     )
 
     sig = inspect.signature(func)
@@ -298,6 +323,16 @@ async def _run_impl(
       ctx: Context,
       node_input: Any,
   ) -> AsyncGenerator[Any, None]:
+    # --- Auth gate ---
+    if self.auth_config:
+      interrupt_id = f'wf_auth:{ctx.node_path}'
+      auth_response = ctx.resume_inputs.get(interrupt_id)
+      if auth_response is not None:
+        await process_auth_resume(auth_response, self.auth_config, ctx.state)
+      elif not has_auth_credential(self.auth_config, ctx.state):
+        yield create_auth_request_event(self.auth_config, interrupt_id)
+        return
+
     kwargs: dict[str, Any] = {}
     for param_name, param in self._sig.parameters.items():
       if param_name == 'ctx':
 
@@ -19,6 +19,7 @@
 from typing import Any
 from typing import Callable
 from typing import overload
+from typing import TYPE_CHECKING
 from typing import TypeVar
 
 from pydantic import Field
@@ -32,6 +33,9 @@
 from ._retry_config import RetryConfig
 from .utils import _workflow_graph_utils as workflow_graph_utils
 
+if TYPE_CHECKING:
+  from ..auth.auth_tool import AuthConfig
+
 T = TypeVar("T", bound=Callable[..., Any])
 
 
@@ -43,6 +47,7 @@ def node(
     retry_config: RetryConfig | None = None,
     timeout: float | None = None,
     parallel_worker: bool = False,
+    auth_config: AuthConfig | None = None,
 ) -> Callable[
     [T], function_node.FunctionNode | parallel_worker_lib._ParallelWorker
 ]:
@@ -58,6 +63,7 @@ def node(
     retry_config: RetryConfig | None = None,
     timeout: float | None = None,
     parallel_worker: bool = False,
+    auth_config: AuthConfig | None = None,
 ) -> base_node.BaseNode:
   ...
 
@@ -70,6 +76,7 @@ def node(
     retry_config: RetryConfig | None = None,
     timeout: float | None = None,
     parallel_worker: bool = False,
+    auth_config: AuthConfig | None = None,
 ) -> Any:
   """Decorator or function to wrap a NodeLike in a node or override its properties.
 
@@ -96,6 +103,8 @@ async def my_func3(): ...
       wrapped node.
     timeout: If provided, overrides the timeout property of the wrapped node.
     parallel_worker: If True, wraps the node in a _ParallelWorker.
+    auth_config: If provided, the framework requests user authentication
+      before running the node. Requires rerun_on_resume=True.
 
   Returns:
     If used as a decorator factory (@node() or @node(...)), returns a decorator.
@@ -114,6 +123,7 @@ def wrapper(
         else False,
         retry_config=retry_config,
         timeout=timeout,
+        auth_config=auth_config,
     )
     if parallel_worker:
       return parallel_worker_lib._ParallelWorker(built_node)
@@ -129,6 +139,7 @@ def wrapper(
         rerun_on_resume=rerun_on_resume,
         retry_config=retry_config,
         timeout=timeout,
+        auth_config=auth_config,
     )
     if parallel_worker:
       return parallel_worker_lib._ParallelWorker(built_node)
 
@@ -61,6 +61,7 @@
 from .utils._node_path_utils import join_paths
 from .utils._retry_utils import _get_retry_delay
 from .utils._retry_utils import _should_retry_node
+from .utils._workflow_hitl_utils import REQUEST_CREDENTIAL_FUNCTION_CALL_NAME
 from .utils._workflow_hitl_utils import REQUEST_INPUT_FUNCTION_CALL_NAME
 from .utils._workflow_hitl_utils import unwrap_response
 
@@ -417,9 +418,9 @@ def _process_resumptions(
       ]
 
       response_data = response_part.function_response.response
-      if (
-          response_part.function_response.name
-          == REQUEST_INPUT_FUNCTION_CALL_NAME
+      if response_part.function_response.name in (
+          REQUEST_INPUT_FUNCTION_CALL_NAME,
+          REQUEST_CREDENTIAL_FUNCTION_CALL_NAME,
       ):
         response_data = unwrap_response(response_data)
 
 
@@ -45,6 +45,7 @@ def build_node(
     rerun_on_resume: bool | None = None,
     retry_config: RetryConfig | None = None,
     timeout: float | None = None,
+    auth_config: Any = None,
 ) -> BaseNode:
   """Converts a NodeLike to a BaseNode, wrapping async funcs in FunctionNode.
 
@@ -56,6 +57,7 @@ def build_node(
     retry_config: If provided, overrides the retry_config property of the
       wrapped node.
     timeout: If provided, overrides the timeout property of the wrapped node.
+    auth_config: If provided, passed to FunctionNode for authentication.
 
   Returns:
     A BaseNode instance.
@@ -132,6 +134,7 @@ def build_node(
         rerun_on_resume=rerun_on_resume or False,
         retry_config=retry_config,
         timeout=timeout,
+        auth_config=auth_config,
     )
   else:
     raise ValueError(