✨feat: OAuth for Actions (#5693)

* ✨feat: OAuth for Actions * WIP: PoC flow state manager * refactor: Add identifier field to token model from action schema * chore: fix potential file type issues * ci: fix type issue with action metadata auth * fix: ensure FlowManagerOptions has a default ttl value * WIP: OAUTH actions * WIP: first pass OAuth Action * fix: standardize identifier usage in OAuth flow handling * fix: update token retrieval to include userId in query and use correct identifier * refacotr: update token retrieval to use userId for OAuth token query * feat: Tool Call Auth styling * fix: streamline token creation and add type field to token schema * refactor: cleanup OAuth flow by encrypting client credentials and ensuring oauth operations only run under condition * refactor: use encrypted credentials in OAuth callback * fix: update Token collection indexes to use expiresAt TTL index and not createdAt legacy index * refactor: enhance Token index cleanup by improving logging and removing redundant index creation logic * refactor: remove unused OAuth login route and related logic for improved clarity * refactor: replace fetch with axios for OAuth token exchange and improve error handling * refactor: better UX after authentication before oauth tool execution * refactor: implement cleanup handlers for FlowStateManager intervals to enhance resource management * refactor: encrypt OAuth tokens before storing and decrypt upon retrieval for enhanced security * refactor: enhance authentication success page with improved styling and countdown feature * refactor: add response_type parameter to OAuth redirect URI for improved compatibility * chore: update translation.json new localizations * chore: remove unused OGDialog import from OGDialogTemplate component * refactor: Actions Auth using new Dialog styling, use same component with Agents/Assistants * refactor: update removeNullishValues function to support removal of empty strings and adjust transform usage in schemas * chore: bump version of librechat-data-provider to 0.7.6991 * refactor: integrate removeNullishValues function to clean metadata before encryption in agent and assistant routes * refactor: update OAuth input fields to use 'password' type for better security * refactor: update localization placeholders for sign-in message to use double curly braces * refactor: add access_type parameter for offline access in createActionTool function * refactor: implement handleOAuthToken function for token management and encryption * feat: refresh token support * refactor: add default expiration for access token and error handling for missing token * feat: localizations for ActionAuth * refactor: set refresh token expiration to null to not expire if expiry never given * fix: prevent crash fromerror within async handleAbortError in AskController, EditController, and AgentController * feat: Action Callback URL * 🌍 i18n: Update translation.json with latest translations * refactor: handle errors in flow state checking to prevent unhandled promise rejections * fix: improve flow state concurrency to prevent multiple token creation calls * refactor: RequestExecutor to use separate axios instance * refactor: improve concurrency flows by keeping completed state until TTL expiry * refactor: increase TTL for flow state management and adjust monitoring interval * ci: mock axios instance creation in actions spec * feat: add Babel and Jest configuration files; implement FlowStateManager tests with concurrency handling * chore: add disableOAuth prop to ActionsAuth (not implemented for Assistants yet) --------- Co-authored-by: Danny Avila <danny@librechat.ai> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-09-22 06:00:56 +02:00 · 2025-02-10 21:56:08 +01:00 · 2025-02-10 21:56:08 +01:00 · d99a9db3f6
commit d99a9db3f6
parent 71c30a3640
58 changed files with 2146 additions and 1223 deletions
--- a/api/cache/getLogStores.js
+++ b/api/cache/getLogStores.js
@ -37,6 +37,10 @@ const messages = isRedisEnabled
  ? new Keyv({ store: keyvRedis, ttl: Time.ONE_MINUTE })
  : new Keyv({ namespace: CacheKeys.MESSAGES, ttl: Time.ONE_MINUTE });

+const flows = isRedisEnabled
+  ? new Keyv({ store: keyvRedis, ttl: Time.TWO_MINUTES })
+  : new Keyv({ namespace: CacheKeys.FLOWS, ttl: Time.ONE_MINUTE * 3 });
+
 const tokenConfig = isRedisEnabled
  ? new Keyv({ store: keyvRedis, ttl: Time.THIRTY_MINUTES })
  : new Keyv({ namespace: CacheKeys.TOKEN_CONFIG, ttl: Time.THIRTY_MINUTES });
@ -88,6 +92,7 @@ const namespaces = {
  [CacheKeys.MODEL_QUERIES]: modelQueries,
  [CacheKeys.AUDIO_RUNS]: audioRuns,
  [CacheKeys.MESSAGES]: messages,
+  [CacheKeys.FLOWS]: flows,
 };

 /**
--- a/api/cache/keyvRedis.js
+++ b/api/cache/keyvRedis.js
@ -1,6 +1,6 @@
 const KeyvRedis = require('@keyv/redis');
-const { logger } = require('~/config');
 const { isEnabled } = require('~/server/utils');
+const logger = require('~/config/winston');

 const { REDIS_URI, USE_REDIS } = process.env;

--- a/api/config/index.js
+++ b/api/config/index.js
@ -1,9 +1,11 @@
 const { EventSource } = require('eventsource');
+const { Time, CacheKeys } = require('librechat-data-provider');
 const logger = require('./winston');

 global.EventSource = EventSource;

 let mcpManager = null;
+let flowManager = null;

 /**
 * @returns {Promise<MCPManager>}
@ -16,6 +18,21 @@ async function getMCPManager() {
  return mcpManager;
 }

+/**
+ * @param {(key: string) => Keyv} getLogStores
+ * @returns {Promise<FlowStateManager>}
+ */
+async function getFlowStateManager(getLogStores) {
+  if (!flowManager) {
+    const { FlowStateManager } = await import('librechat-mcp');
+    flowManager = new FlowStateManager(getLogStores(CacheKeys.FLOWS), {
+      ttl: Time.ONE_MINUTE * 3,
+      logger,
+    });
+  }
+  return flowManager;
+}
+
 /**
 * Sends message data in Server Sent Events format.
 * @param {ServerResponse} res - The server response.
@ -34,4 +51,5 @@ module.exports = {
  logger,
  sendEvent,
  getMCPManager,
+  getFlowStateManager,
 };
--- a/api/models/Token.js
+++ b/api/models/Token.js
@ -1,5 +1,6 @@
-const tokenSchema = require('./schema/tokenSchema');
 const mongoose = require('mongoose');
+const { encryptV2 } = require('~/server/utils/crypto');
+const tokenSchema = require('./schema/tokenSchema');
 const { logger } = require('~/config');

 /**
@ -7,6 +8,32 @@ const { logger } = require('~/config');
 * @type {mongoose.Model}
 */
 const Token = mongoose.model('Token', tokenSchema);
+/**
+ * Fixes the indexes for the Token collection from legacy TTL indexes to the new expiresAt index.
+ */
+async function fixIndexes() {
+  try {
+    const indexes = await Token.collection.indexes();
+    logger.debug('Existing Token Indexes:', JSON.stringify(indexes, null, 2));
+    const unwantedTTLIndexes = indexes.filter(
+      (index) => index.key.createdAt === 1 && index.expireAfterSeconds !== undefined,
+    );
+    if (unwantedTTLIndexes.length === 0) {
+      logger.debug('No unwanted Token indexes found.');
+      return;
+    }
+    for (const index of unwantedTTLIndexes) {
+      logger.debug(`Dropping unwanted Token index: ${index.name}`);
+      await Token.collection.dropIndex(index.name);
+      logger.debug(`Dropped Token index: ${index.name}`);
+    }
+    logger.debug('Token index cleanup completed successfully.');
+  } catch (error) {
+    logger.error('An error occurred while fixing Token indexes:', error);
+  }
+}
+
+fixIndexes();

 /**
 * Creates a new Token instance.
@ -29,8 +56,7 @@ async function createToken(tokenData) {
      expiresAt,
    };

-    const newToken = new Token(newTokenData);
-    return await newToken.save();
+    return await Token.create(newTokenData);
  } catch (error) {
    logger.debug('An error occurred while creating token:', error);
    throw error;
@ -42,7 +68,8 @@ async function createToken(tokenData) {
 * @param {Object} query - The query to match against.
 * @param {mongoose.Types.ObjectId|String} query.userId - The ID of the user.
 * @param {String} query.token - The token value.
- * @param {String} query.email - The email of the user.
+ * @param {String} [query.email] - The email of the user.
+ * @param {String} [query.identifier] - Unique, alternative identifier for the token.
 * @returns {Promise<Object|null>} The matched Token document, or null if not found.
 * @throws Will throw an error if the find operation fails.
 */
@ -59,6 +86,9 @@ async function findToken(query) {
    if (query.email) {
      conditions.push({ email: query.email });
    }
+    if (query.identifier) {
+      conditions.push({ identifier: query.identifier });
+    }

    const token = await Token.findOne({
      $and: conditions,
@ -76,6 +106,8 @@ async function findToken(query) {
 * @param {Object} query - The query to match against.
 * @param {mongoose.Types.ObjectId|String} query.userId - The ID of the user.
 * @param {String} query.token - The token value.
+ * @param {String} [query.email] - The email of the user.
+ * @param {String} [query.identifier] - Unique, alternative identifier for the token.
 * @param {Object} updateData - The data to update the Token with.
 * @returns {Promise<mongoose.Document|null>} The updated Token document, or null if not found.
 * @throws Will throw an error if the update operation fails.
@ -94,14 +126,20 @@ async function updateToken(query, updateData) {
 * @param {Object} query - The query to match against.
 * @param {mongoose.Types.ObjectId|String} query.userId - The ID of the user.
 * @param {String} query.token - The token value.
- * @param {String} query.email - The email of the user.
+ * @param {String} [query.email] - The email of the user.
+ * @param {String} [query.identifier] - Unique, alternative identifier for the token.
 * @returns {Promise<Object>} The result of the delete operation.
 * @throws Will throw an error if the delete operation fails.
 */
 async function deleteTokens(query) {
  try {
    return await Token.deleteMany({
-      $or: [{ userId: query.userId }, { token: query.token }, { email: query.email }],
+      $or: [
+        { userId: query.userId },
+        { token: query.token },
+        { email: query.email },
+        { identifier: query.identifier },
+      ],
    });
  } catch (error) {
    logger.debug('An error occurred while deleting tokens:', error);
@ -109,9 +147,46 @@ async function deleteTokens(query) {
  }
 }

+/**
+ * Handles the OAuth token by creating or updating the token.
+ * @param {object} fields
+ * @param {string} fields.userId - The user's ID.
+ * @param {string} fields.token - The full token to store.
+ * @param {string} fields.identifier - Unique, alternative identifier for the token.
+ * @param {number} fields.expiresIn - The number of seconds until the token expires.
+ * @param {object} fields.metadata - Additional metadata to store with the token.
+ * @param {string} [fields.type="oauth"] - The type of token. Default is 'oauth'.
+ */
+async function handleOAuthToken({
+  token,
+  userId,
+  identifier,
+  expiresIn,
+  metadata,
+  type = 'oauth',
+}) {
+  const encrypedToken = await encryptV2(token);
+  const tokenData = {
+    type,
+    userId,
+    metadata,
+    identifier,
+    token: encrypedToken,
+    expiresIn: parseInt(expiresIn, 10) || 3600,
+  };
+
+  const existingToken = await findToken({ userId, identifier });
+  if (existingToken) {
+    return await updateToken({ identifier }, tokenData);
+  } else {
+    return await createToken(tokenData);
+  }
+}
+
 module.exports = {
-  createToken,
  findToken,
+  createToken,
  updateToken,
  deleteTokens,
+  handleOAuthToken,
 };
--- a/api/models/schema/tokenSchema.js
+++ b/api/models/schema/tokenSchema.js
@ -10,6 +10,10 @@ const tokenSchema = new Schema({
  email: {
    type: String,
  },
+  type: String,
+  identifier: {
+    type: String,
+  },
  token: {
    type: String,
    required: true,
@ -23,6 +27,10 @@ const tokenSchema = new Schema({
    type: Date,
    required: true,
  },
+  metadata: {
+    type: Map,
+    of: Schema.Types.Mixed,
+  },
 });

 tokenSchema.index({ expiresAt: 1 }, { expireAfterSeconds: 0 });
--- a/api/package.json
+++ b/api/package.json
@ -45,7 +45,7 @@
    "@langchain/google-genai": "^0.1.7",
    "@langchain/google-vertexai": "^0.1.8",
    "@langchain/textsplitters": "^0.1.0",
-    "@librechat/agents": "^2.0.2",
+    "@librechat/agents": "^2.0.3",
    "@waylaidwanderer/fetch-event-source": "^3.0.1",
    "axios": "^1.7.7",
    "bcryptjs": "^2.4.3",
--- a/api/server/controllers/AskController.js
+++ b/api/server/controllers/AskController.js
@ -155,6 +155,8 @@ const AskController = async (req, res, next, initializeClient, addTitle) => {
      sender,
      messageId: responseMessageId,
      parentMessageId: userMessageId ?? parentMessageId,
+    }).catch((err) => {
+      logger.error('[AskController] Error in `handleAbortError`', err);
    });
  }
 };
--- a/api/server/controllers/EditController.js
+++ b/api/server/controllers/EditController.js
@ -140,6 +140,8 @@ const EditController = async (req, res, next, initializeClient) => {
      sender,
      messageId: responseMessageId,
      parentMessageId: userMessageId ?? parentMessageId,
+    }).catch((err) => {
+      logger.error('[EditController] Error in `handleAbortError`', err);
    });
  }
 };
--- a/api/server/controllers/agents/request.js
+++ b/api/server/controllers/agents/request.js
@ -143,6 +143,8 @@ const AgentController = async (req, res, next, initializeClient, addTitle) => {
      sender,
      messageId: responseMessageId,
      parentMessageId: userMessageId ?? parentMessageId,
+    }).catch((err) => {
+      logger.error('[api/server/controllers/agents/request] Error in `handleAbortError`', err);
    });
  }
 };
--- a/api/server/index.js
+++ b/api/server/index.js
@ -84,6 +84,7 @@ const startServer = async () => {
  app.use('/oauth', routes.oauth);
  /* API Endpoints */
  app.use('/api/auth', routes.auth);
+  app.use('/api/actions', routes.actions);
  app.use('/api/keys', routes.keys);
  app.use('/api/user', routes.user);
  app.use('/api/search', routes.search);
--- a/api/server/routes/actions.js
+++ b/api/server/routes/actions.js
@ -0,0 +1,136 @@
+const express = require('express');
+const jwt = require('jsonwebtoken');
+const { getAccessToken } = require('~/server/services/TokenService');
+const { logger, getFlowStateManager } = require('~/config');
+const { getLogStores } = require('~/cache');
+
+const router = express.Router();
+const JWT_SECRET = process.env.JWT_SECRET;
+
+/**
+ * Handles the OAuth callback and exchanges the authorization code for tokens.
+ *
+ * @route GET /actions/:action_id/oauth/callback
+ * @param {string} req.params.action_id - The ID of the action.
+ * @param {string} req.query.code - The authorization code returned by the provider.
+ * @param {string} req.query.state - The state token to verify the authenticity of the request.
+ * @returns {void} Sends a success message after updating the action with OAuth tokens.
+ */
+router.get('/:action_id/oauth/callback', async (req, res) => {
+  const { action_id } = req.params;
+  const { code, state } = req.query;
+
+  const flowManager = await getFlowStateManager(getLogStores);
+  let identifier = action_id;
+  try {
+    let decodedState;
+    try {
+      decodedState = jwt.verify(state, JWT_SECRET);
+    } catch (err) {
+      await flowManager.failFlow(identifier, 'oauth', 'Invalid or expired state parameter');
+      return res.status(400).send('Invalid or expired state parameter');
+    }
+
+    if (decodedState.action_id !== action_id) {
+      await flowManager.failFlow(identifier, 'oauth', 'Mismatched action ID in state parameter');
+      return res.status(400).send('Mismatched action ID in state parameter');
+    }
+
+    if (!decodedState.user) {
+      await flowManager.failFlow(identifier, 'oauth', 'Invalid user ID in state parameter');
+      return res.status(400).send('Invalid user ID in state parameter');
+    }
+    identifier = `${decodedState.user}:${action_id}`;
+    const flowState = await flowManager.getFlowState(identifier, 'oauth');
+    if (!flowState) {
+      throw new Error('OAuth flow not found');
+    }
+
+    const tokenData = await getAccessToken({
+      code,
+      userId: decodedState.user,
+      identifier,
+      client_url: flowState.metadata.client_url,
+      redirect_uri: flowState.metadata.redirect_uri,
+      /** Encrypted values */
+      encrypted_oauth_client_id: flowState.metadata.encrypted_oauth_client_id,
+      encrypted_oauth_client_secret: flowState.metadata.encrypted_oauth_client_secret,
+    });
+    await flowManager.completeFlow(identifier, 'oauth', tokenData);
+    res.send(`
+      <!DOCTYPE html>
+      <html>
+        <head>
+          <title>Authentication Successful</title>
+          <meta name="viewport" content="width=device-width, initial-scale=1.0">
+          <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+          <style>
+            body {
+              font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont;
+              background-color: rgb(249, 250, 251);
+              margin: 0;
+              padding: 2rem;
+              display: flex;
+              justify-content: center;
+              align-items: center;
+              min-height: 100vh;
+            }
+            .card {
+              background-color: white;
+              border-radius: 0.5rem;
+              padding: 2rem;
+              max-width: 28rem;
+              width: 100%;
+              box-shadow: 0 4px 6px -1px rgb(0 0 0 / 0.1), 0 2px 4px -2px rgb(0 0 0 / 0.1);
+              text-align: center;
+            }
+            .heading {
+              color: rgb(17, 24, 39);
+              font-size: 1.875rem;
+              font-weight: 700;
+              margin: 0 0 1rem;
+            }
+            .description {
+              color: rgb(75, 85, 99);
+              font-size: 0.875rem;
+              margin: 0.5rem 0;
+            }
+            .countdown {
+              color: rgb(99, 102, 241);
+              font-weight: 500;
+            }
+          </style>
+        </head>
+        <body>
+          <div class="card">
+            <h1 class="heading">Authentication Successful</h1>
+            <p class="description">
+              Your authentication was successful. This window will close in 
+              <span class="countdown" id="countdown">3</span> seconds.
+            </p>
+          </div>
+          <script>
+            let secondsLeft = 3;
+            const countdownElement = document.getElementById('countdown');
+            
+            const countdown = setInterval(() => {
+              secondsLeft--;
+              countdownElement.textContent = secondsLeft;
+              
+              if (secondsLeft <= 0) {
+                clearInterval(countdown);
+                window.close();
+              }
+            }, 1000);
+          </script>
+        </body>
+      </html>
+    `);
+  } catch (error) {
+    logger.error('Error in OAuth callback:', error);
+    await flowManager.failFlow(identifier, 'oauth', error);
+    res.status(500).send('Authentication failed. Please try again.');
+  }
+});
+
+module.exports = router;
--- a/api/server/routes/agents/actions.js
+++ b/api/server/routes/agents/actions.js
@ -1,6 +1,6 @@
 const express = require('express');
 const { nanoid } = require('nanoid');
-const { actionDelimiter, SystemRoles } = require('librechat-data-provider');
+const { actionDelimiter, SystemRoles, removeNullishValues } = require('librechat-data-provider');
 const { encryptMetadata, domainParser } = require('~/server/services/ActionService');
 const { updateAction, getActions, deleteAction } = require('~/models/Action');
 const { isActionDomainAllowed } = require('~/server/services/domains');
@ -51,7 +51,7 @@ router.post('/:agent_id', async (req, res) => {
      return res.status(400).json({ message: 'No functions provided' });
    }

-    let metadata = await encryptMetadata(_metadata);
+    let metadata = await encryptMetadata(removeNullishValues(_metadata, true));
    const isDomainAllowed = await isActionDomainAllowed(metadata.domain);
    if (!isDomainAllowed) {
      return res.status(400).json({ message: 'Domain not allowed' });
@ -117,10 +117,7 @@ router.post('/:agent_id', async (req, res) => {
    }

    /** @type {[Action]} */
-    const updatedAction = await updateAction(
-      { action_id },
-      actionUpdateData,
-    );
+    const updatedAction = await updateAction({ action_id }, actionUpdateData);

    const sensitiveFields = ['api_key', 'oauth_client_id', 'oauth_client_secret'];
    for (let field of sensitiveFields) {
--- a/api/server/routes/assistants/actions.js
+++ b/api/server/routes/assistants/actions.js
@ -1,6 +1,6 @@
 const express = require('express');
 const { nanoid } = require('nanoid');
-const { actionDelimiter, EModelEndpoint } = require('librechat-data-provider');
+const { actionDelimiter, EModelEndpoint, removeNullishValues } = require('librechat-data-provider');
 const { encryptMetadata, domainParser } = require('~/server/services/ActionService');
 const { getOpenAIClient } = require('~/server/controllers/assistants/helpers');
 const { updateAction, getActions, deleteAction } = require('~/models/Action');
@ -29,7 +29,7 @@ router.post('/:assistant_id', async (req, res) => {
      return res.status(400).json({ message: 'No functions provided' });
    }

-    let metadata = await encryptMetadata(_metadata);
+    let metadata = await encryptMetadata(removeNullishValues(_metadata, true));
    const isDomainAllowed = await isActionDomainAllowed(metadata.domain);
    if (!isDomainAllowed) {
      return res.status(400).json({ message: 'Domain not allowed' });
--- a/api/server/routes/index.js
+++ b/api/server/routes/index.js
@ -9,6 +9,7 @@ const prompts = require('./prompts');
 const balance = require('./balance');
 const plugins = require('./plugins');
 const bedrock = require('./bedrock');
+const actions = require('./actions');
 const search = require('./search');
 const models = require('./models');
 const convos = require('./convos');
@ -45,6 +46,7 @@ module.exports = {
  config,
  models,
  plugins,
+  actions,
  presets,
  balance,
  messages,
--- a/api/server/services/ActionService.js
+++ b/api/server/services/ActionService.js
@ -1,20 +1,28 @@
+const jwt = require('jsonwebtoken');
+const { nanoid } = require('nanoid');
+const { tool } = require('@langchain/core/tools');
+const { GraphEvents, sleep } = require('@librechat/agents');
 const {
+  Time,
  CacheKeys,
+  StepTypes,
  Constants,
  AuthTypeEnum,
  actionDelimiter,
  isImageVisionTool,
  actionDomainSeparator,
 } = require('librechat-data-provider');
-const { tool } = require('@langchain/core/tools');
+const { refreshAccessToken } = require('~/server/services/TokenService');
 const { isActionDomainAllowed } = require('~/server/services/domains');
+const { logger, getFlowStateManager, sendEvent } = require('~/config');
 const { encryptV2, decryptV2 } = require('~/server/utils/crypto');
 const { getActions, deleteActions } = require('~/models/Action');
 const { deleteAssistant } = require('~/models/Assistant');
+const { findToken } = require('~/models/Token');
 const { logAxiosError } = require('~/utils');
 const { getLogStores } = require('~/cache');
-const { logger } = require('~/config');

+const JWT_SECRET = process.env.JWT_SECRET;
 const toolNameRegex = /^[a-zA-Z0-9_-]+$/;
 const replaceSeparatorRegex = new RegExp(actionDomainSeparator, 'g');

@ -115,6 +123,8 @@ async function loadActionSets(searchParams) {
 * Creates a general tool for an entire action set.
 *
 * @param {Object} params - The parameters for loading action sets.
+ * @param {ServerRequest} params.req
+ * @param {ServerResponse} params.res
 * @param {Action} params.action - The action set. Necessary for decrypting authentication values.
 * @param {ActionRequest} params.requestBuilder - The ActionRequest builder class to execute the API call.
 * @param {string | undefined} [params.name] - The name of the tool.
@ -122,33 +132,185 @@ async function loadActionSets(searchParams) {
 * @param {import('zod').ZodTypeAny | undefined} [params.zodSchema] - The Zod schema for tool input validation/definition
 * @returns { Promise<typeof tool | { _call: (toolInput: Object | string) => unknown}> } An object with `_call` method to execute the tool input.
 */
-async function createActionTool({ action, requestBuilder, zodSchema, name, description }) {
-  action.metadata = await decryptMetadata(action.metadata);
+async function createActionTool({
+  req,
+  res,
+  action,
+  requestBuilder,
+  zodSchema,
+  name,
+  description,
+}) {
  const isDomainAllowed = await isActionDomainAllowed(action.metadata.domain);
  if (!isDomainAllowed) {
    return null;
  }
-  /** @type {(toolInput: Object | string) => Promise<unknown>} */
-  const _call = async (toolInput) => {
-    try {
-      const executor = requestBuilder.createExecutor();
+  const encrypted = {
+    oauth_client_id: action.metadata.oauth_client_id,
+    oauth_client_secret: action.metadata.oauth_client_secret,
+  };
+  action.metadata = await decryptMetadata(action.metadata);

-      // Chain the operations
+  /** @type {(toolInput: Object | string, config: GraphRunnableConfig) => Promise<unknown>} */
+  const _call = async (toolInput, config) => {
+    try {
+      /** @type {import('librechat-data-provider').ActionMetadataRuntime} */
+      const metadata = action.metadata;
+      const executor = requestBuilder.createExecutor();
      const preparedExecutor = executor.setParams(toolInput);

-      if (action.metadata.auth && action.metadata.auth.type !== AuthTypeEnum.None) {
-        await preparedExecutor.setAuth(action.metadata);
+      if (metadata.auth && metadata.auth.type !== AuthTypeEnum.None) {
+        try {
+          const action_id = action.action_id;
+          const identifier = `${req.user.id}:${action.action_id}`;
+          if (metadata.auth.type === AuthTypeEnum.OAuth && metadata.auth.authorization_url) {
+            const requestLogin = async () => {
+              const { args: _args, stepId, ...toolCall } = config.toolCall ?? {};
+              if (!stepId) {
+                throw new Error('Tool call is missing stepId');
+              }
+              const statePayload = {
+                nonce: nanoid(),
+                user: req.user.id,
+                action_id,
+              };
+
+              const stateToken = jwt.sign(statePayload, JWT_SECRET, { expiresIn: '10m' });
+              try {
+                const redirectUri = `${process.env.DOMAIN_CLIENT}/api/actions/${action_id}/oauth/callback`;
+                const params = new URLSearchParams({
+                  client_id: metadata.oauth_client_id,
+                  scope: metadata.auth.scope,
+                  redirect_uri: redirectUri,
+                  access_type: 'offline',
+                  response_type: 'code',
+                  state: stateToken,
+                });
+
+                const authURL = `${metadata.auth.authorization_url}?${params.toString()}`;
+                /** @type {{ id: string; delta: AgentToolCallDelta }} */
+                const data = {
+                  id: stepId,
+                  delta: {
+                    type: StepTypes.TOOL_CALLS,
+                    tool_calls: [{ ...toolCall, args: '' }],
+                    auth: authURL,
+                    expires_at: Date.now() + Time.TWO_MINUTES,
+                  },
+                };
+                const flowManager = await getFlowStateManager(getLogStores);
+                await flowManager.createFlowWithHandler(
+                  `${identifier}:login`,
+                  'oauth_login',
+                  async () => {
+                    sendEvent(res, { event: GraphEvents.ON_RUN_STEP_DELTA, data });
+                    logger.debug('Sent OAuth login request to client', { action_id, identifier });
+                    return true;
+                  },
+                );
+                logger.debug('Waiting for OAuth Authorization response', { action_id, identifier });
+                const result = await flowManager.createFlow(identifier, 'oauth', {
+                  state: stateToken,
+                  userId: req.user.id,
+                  client_url: metadata.auth.client_url,
+                  redirect_uri: `${process.env.DOMAIN_CLIENT}/api/actions/${action_id}/oauth/callback`,
+                  /** Encrypted values */
+                  encrypted_oauth_client_id: encrypted.oauth_client_id,
+                  encrypted_oauth_client_secret: encrypted.oauth_client_secret,
+                });
+                logger.debug('Received OAuth Authorization response', { action_id, identifier });
+                data.delta.auth = undefined;
+                data.delta.expires_at = undefined;
+                sendEvent(res, { event: GraphEvents.ON_RUN_STEP_DELTA, data });
+                await sleep(3000);
+                metadata.oauth_access_token = result.access_token;
+                metadata.oauth_refresh_token = result.refresh_token;
+                const expiresAt = new Date(Date.now() + result.expires_in * 1000);
+                metadata.oauth_token_expires_at = expiresAt.toISOString();
+              } catch (error) {
+                const errorMessage = 'Failed to authenticate OAuth tool';
+                logger.error(errorMessage, error);
+                throw new Error(errorMessage);
+              }
+            };
+
+            const tokenPromises = [];
+            tokenPromises.push(findToken({ userId: req.user.id, type: 'oauth', identifier }));
+            tokenPromises.push(
+              findToken({
+                userId: req.user.id,
+                type: 'oauth_refresh',
+                identifier: `${identifier}:refresh`,
+              }),
+            );
+            const [tokenData, refreshTokenData] = await Promise.all(tokenPromises);
+
+            if (tokenData) {
+              // Valid token exists, add it to metadata for setAuth
+              metadata.oauth_access_token = await decryptV2(tokenData.token);
+              if (refreshTokenData) {
+                metadata.oauth_refresh_token = await decryptV2(refreshTokenData.token);
+              }
+              metadata.oauth_token_expires_at = tokenData.expiresAt.toISOString();
+            } else if (!refreshTokenData) {
+              // No tokens exist, need to authenticate
+              await requestLogin();
+            } else if (refreshTokenData) {
+              // Refresh token is still valid, use it to get new access token
+              try {
+                const refresh_token = await decryptV2(refreshTokenData.token);
+                const refreshTokens = async () =>
+                  await refreshAccessToken({
+                    identifier,
+                    refresh_token,
+                    userId: req.user.id,
+                    client_url: metadata.auth.client_url,
+                    encrypted_oauth_client_id: encrypted.oauth_client_id,
+                    encrypted_oauth_client_secret: encrypted.oauth_client_secret,
+                  });
+                const flowManager = await getFlowStateManager(getLogStores);
+                const refreshData = await flowManager.createFlowWithHandler(
+                  `${identifier}:refresh`,
+                  'oauth_refresh',
+                  refreshTokens,
+                );
+                metadata.oauth_access_token = refreshData.access_token;
+                if (refreshData.refresh_token) {
+                  metadata.oauth_refresh_token = refreshData.refresh_token;
+                }
+                const expiresAt = new Date(Date.now() + refreshData.expires_in * 1000);
+                metadata.oauth_token_expires_at = expiresAt.toISOString();
+              } catch (error) {
+                logger.error('Failed to refresh token, requesting new login:', error);
+                await requestLogin();
+              }
+            } else {
+              await requestLogin();
+            }
+          }
+
+          await preparedExecutor.setAuth(metadata);
+        } catch (error) {
+          if (
+            error.message.includes('No access token found') ||
+            error.message.includes('Access token is expired')
+          ) {
+            throw error;
+          }
+          throw new Error(`Authentication failed: ${error.message}`);
+        }
      }

-      const res = await preparedExecutor.execute();
+      const response = await preparedExecutor.execute();

-      if (typeof res.data === 'object') {
-        return JSON.stringify(res.data);
+      if (typeof response.data === 'object') {
+        return JSON.stringify(response.data);
      }
-      return res.data;
+      return response.data;
    } catch (error) {
      const logMessage = `API call to ${action.metadata.domain} failed`;
      logAxiosError({ message: logMessage, error });
+      throw error;
    }
  };

--- a/api/server/services/Endpoints/agents/initialize.js
+++ b/api/server/services/Endpoints/agents/initialize.js
@ -82,6 +82,7 @@ const initializeAgentOptions = async ({
 }) => {
  const { tools, toolContextMap } = await loadAgentTools({
    req,
+    res,
    agent,
    tool_resources,
  });
--- a/api/server/services/TokenService.js
+++ b/api/server/services/TokenService.js
@ -0,0 +1,170 @@
+const axios = require('axios');
+const { handleOAuthToken } = require('~/models/Token');
+const { decryptV2 } = require('~/server/utils/crypto');
+const { logAxiosError } = require('~/utils');
+const { logger } = require('~/config');
+
+/**
+ * Processes the access tokens and stores them in the database.
+ * @param {object} tokenData
+ * @param {string} tokenData.access_token
+ * @param {number} tokenData.expires_in
+ * @param {string} [tokenData.refresh_token]
+ * @param {number} [tokenData.refresh_token_expires_in]
+ * @param {object} metadata
+ * @param {string} metadata.userId
+ * @param {string} metadata.identifier
+ * @returns {Promise<void>}
+ */
+async function processAccessTokens(tokenData, { userId, identifier }) {
+  const { access_token, expires_in = 3600, refresh_token, refresh_token_expires_in } = tokenData;
+  if (!access_token) {
+    logger.error('Access token not found: ', tokenData);
+    throw new Error('Access token not found');
+  }
+  await handleOAuthToken({
+    identifier,
+    token: access_token,
+    expiresIn: expires_in,
+    userId,
+  });
+
+  if (refresh_token != null) {
+    logger.debug('Processing refresh token');
+    await handleOAuthToken({
+      token: refresh_token,
+      type: 'oauth_refresh',
+      userId,
+      identifier: `${identifier}:refresh`,
+      expiresIn: refresh_token_expires_in ?? null,
+    });
+  }
+  logger.debug('Access tokens processed');
+}
+
+/**
+ * Refreshes the access token using the refresh token.
+ * @param {object} fields
+ * @param {string} fields.userId - The ID of the user.
+ * @param {string} fields.client_url - The URL of the OAuth provider.
+ * @param {string} fields.identifier - The identifier for the token.
+ * @param {string} fields.refresh_token - The refresh token to use.
+ * @param {string} fields.encrypted_oauth_client_id - The client ID for the OAuth provider.
+ * @param {string} fields.encrypted_oauth_client_secret - The client secret for the OAuth provider.
+ * @returns {Promise<{
+ *  access_token: string,
+ *  expires_in: number,
+ *  refresh_token?: string,
+ *  refresh_token_expires_in?: number,
+ * }>}
+ */
+const refreshAccessToken = async ({
+  userId,
+  client_url,
+  identifier,
+  refresh_token,
+  encrypted_oauth_client_id,
+  encrypted_oauth_client_secret,
+}) => {
+  try {
+    const oauth_client_id = await decryptV2(encrypted_oauth_client_id);
+    const oauth_client_secret = await decryptV2(encrypted_oauth_client_secret);
+    const params = new URLSearchParams({
+      client_id: oauth_client_id,
+      client_secret: oauth_client_secret,
+      grant_type: 'refresh_token',
+      refresh_token,
+    });
+
+    const response = await axios({
+      method: 'POST',
+      url: client_url,
+      headers: {
+        'Content-Type': 'application/x-www-form-urlencoded',
+        Accept: 'application/json',
+      },
+      data: params.toString(),
+    });
+    await processAccessTokens(response.data, {
+      userId,
+      identifier,
+    });
+    logger.debug(`Access token refreshed successfully for ${identifier}`);
+    return response.data;
+  } catch (error) {
+    const message = 'Error refreshing OAuth tokens';
+    logAxiosError({
+      message,
+      error,
+    });
+    throw new Error(message);
+  }
+};
+
+/**
+ * Handles the OAuth callback and exchanges the authorization code for tokens.
+ * @param {object} fields
+ * @param {string} fields.code - The authorization code returned by the provider.
+ * @param {string} fields.userId - The ID of the user.
+ * @param {string} fields.identifier - The identifier for the token.
+ * @param {string} fields.client_url - The URL of the OAuth provider.
+ * @param {string} fields.redirect_uri - The redirect URI for the OAuth provider.
+ * @param {string} fields.encrypted_oauth_client_id - The client ID for the OAuth provider.
+ * @param {string} fields.encrypted_oauth_client_secret - The client secret for the OAuth provider.
+ * @returns {Promise<{
+ *  access_token: string,
+ *  expires_in: number,
+ *  refresh_token?: string,
+ *  refresh_token_expires_in?: number,
+ * }>}
+ */
+const getAccessToken = async ({
+  code,
+  userId,
+  identifier,
+  client_url,
+  redirect_uri,
+  encrypted_oauth_client_id,
+  encrypted_oauth_client_secret,
+}) => {
+  const oauth_client_id = await decryptV2(encrypted_oauth_client_id);
+  const oauth_client_secret = await decryptV2(encrypted_oauth_client_secret);
+  const params = new URLSearchParams({
+    code,
+    client_id: oauth_client_id,
+    client_secret: oauth_client_secret,
+    grant_type: 'authorization_code',
+    redirect_uri,
+  });
+
+  try {
+    const response = await axios({
+      method: 'POST',
+      url: client_url,
+      headers: {
+        'Content-Type': 'application/x-www-form-urlencoded',
+        Accept: 'application/json',
+      },
+      data: params.toString(),
+    });
+
+    await processAccessTokens(response.data, {
+      userId,
+      identifier,
+    });
+    logger.debug(`Access tokens successfully created for ${identifier}`);
+    return response.data;
+  } catch (error) {
+    const message = 'Error exchanging OAuth code';
+    logAxiosError({
+      message,
+      error,
+    });
+    throw new Error(message);
+  }
+};
+
+module.exports = {
+  getAccessToken,
+  refreshAccessToken,
+};
--- a/api/server/services/ToolService.js
+++ b/api/server/services/ToolService.js
@ -409,11 +409,12 @@ async function processRequiredActions(client, requiredActions) {
 * Processes the runtime tool calls and returns the tool classes.
 * @param {Object} params - Run params containing user and request information.
 * @param {ServerRequest} params.req - The request object.
+ * @param {ServerResponse} params.res - The request object.
 * @param {Agent} params.agent - The agent to load tools for.
 * @param {string | undefined} [params.openAIApiKey] - The OpenAI API key.
 * @returns {Promise<{ tools?: StructuredTool[] }>} The agent tools.
 */
-async function loadAgentTools({ req, agent, tool_resources, openAIApiKey }) {
+async function loadAgentTools({ req, res, agent, tool_resources, openAIApiKey }) {
  if (!agent.tools || agent.tools.length === 0) {
    return {};
  }
@ -546,6 +547,8 @@ async function loadAgentTools({ req, agent, tool_resources, openAIApiKey }) {

      if (requestBuilder) {
        const tool = await createActionTool({
+          req,
+          res,
          action: actionSet,
          requestBuilder,
          zodSchema,
--- a/api/typedefs.js
+++ b/api/typedefs.js
@ -98,6 +98,12 @@
 * @memberof typedefs
 */

+/**
+ * @exports LangChainToolCall
+ * @typedef {import('@langchain/core/messages/tool').ToolCall} LangChainToolCall
+ * @memberof typedefs
+ */
+
 /**
 * @exports GraphRunnableConfig
 * @typedef {import('@langchain/core/runnables').RunnableConfig<{
@ -109,7 +115,9 @@
 * agent_index: number;
 * last_agent_index: number;
 * hide_sequential_outputs: boolean;
- * }>} GraphRunnableConfig
+ * }> & {
+ * toolCall?: LangChainToolCall & { stepId?: string };
+ * }} GraphRunnableConfig
 * @memberof typedefs
 */

@ -383,6 +391,12 @@
 * @memberof typedefs
 */

+/**
+ * @exports AgentToolCallDelta
+ * @typedef {import('librechat-data-provider').Agents.ToolCallDelta} AgentToolCallDelta
+ * @memberof typedefs
+ */
+
 /** Prompts */
 /**
 * @exports TPrompt
@ -947,12 +961,24 @@
 * @memberof typedefs
 */

+/**
+ * @exports Keyv
+ * @typedef {import('keyv')} Keyv
+ * @memberof typedefs
+ */
+
 /**
 * @exports MCPManager
 * @typedef {import('librechat-mcp').MCPManager} MCPManager
 * @memberof typedefs
 */

+/**
+ * @exports FlowStateManager
+ * @typedef {import('librechat-mcp').FlowStateManager} FlowStateManager
+ * @memberof typedefs
+ */
+
 /**
 * @exports LCAvailableTools
 * @typedef {import('librechat-mcp').LCAvailableTools} LCAvailableTools
--- a/client/src/components/Chat/Messages/Content/Files.tsx
+++ b/client/src/components/Chat/Messages/Content/Files.tsx
@ -9,14 +9,14 @@ const Files = ({ message }: { message?: TMessage }) => {
  }, [message?.files]);

  const otherFiles = useMemo(() => {
-    return message?.files?.filter((file) => !file.type?.startsWith('image/')) || [];
+    return message?.files?.filter((file) => !(file.type?.startsWith('image/') === true)) || [];
  }, [message?.files]);

  return (
    <>
      {otherFiles.length > 0 &&
        otherFiles.map((file) => <FileContainer key={file.file_id} file={file as TFile} />)}
-      {imageFiles &&
+      {imageFiles.length > 0 &&
        imageFiles.map((file) => (
          <Image
            key={file.file_id}
--- a/client/src/components/Chat/Messages/Content/InProgressCall.tsx
+++ b/client/src/components/Chat/Messages/Content/InProgressCall.tsx
@ -11,7 +11,7 @@ export default function InProgressCall({
  progress: number;
  children: React.ReactNode;
 }) {
-  if ((!isSubmitting && progress < 1) || error) {
+  if ((!isSubmitting && progress < 1) || error === true) {
    return <CancelledIcon />;
  }

--- a/client/src/components/Chat/Messages/Content/Part.tsx
+++ b/client/src/components/Chat/Messages/Content/Part.tsx
@ -81,6 +81,8 @@ const Part = memo(({ part, isSubmitting, attachments, showCursor, isCreatedByUse
          initialProgress={toolCall.progress ?? 0.1}
          isSubmitting={isSubmitting}
          attachments={attachments}
+          auth={toolCall.auth}
+          expires_at={toolCall.expires_at}
        />
      );
    } else if (toolCall.type === ToolCallTypes.CODE_INTERPRETER) {
--- a/client/src/components/Chat/Messages/Content/ProgressText.tsx
+++ b/client/src/components/Chat/Messages/Content/ProgressText.tsx
@ -39,16 +39,19 @@ export default function ProgressText({
  onClick,
  inProgressText,
  finishedText,
+  authText,
  hasInput = true,
  popover = false,
 }: {
  progress: number;
-  onClick: () => void;
+  onClick?: () => void;
  inProgressText: string;
  finishedText: string;
+  authText?: string;
  hasInput?: boolean;
  popover?: boolean;
 }) {
+  const text = progress < 1 ? authText ?? inProgressText : finishedText;
  return (
    <Wrapper popover={popover}>
      <button
@ -57,7 +60,7 @@ export default function ProgressText({
        disabled={!hasInput}
        onClick={onClick}
      >
-        {progress < 1 ? inProgressText : finishedText}
+        {text}
        <svg width="16" height="17" viewBox="0 0 16 17" fill="none">
          <path
            className={hasInput ? '' : 'stroke-transparent'}
--- a/client/src/components/Chat/Messages/Content/ToolCall.tsx
+++ b/client/src/components/Chat/Messages/Content/ToolCall.tsx
@ -1,5 +1,6 @@
 import { useMemo } from 'react';
 import * as Popover from '@radix-ui/react-popover';
+import { ShieldCheck, TriangleAlert } from 'lucide-react';
 import { actionDelimiter, actionDomainSeparator, Constants } from 'librechat-data-provider';
 import type { TAttachment } from 'librechat-data-provider';
 import useLocalize from '~/hooks/useLocalize';
@ -14,6 +15,9 @@ import WrenchIcon from './WrenchIcon';
 import { useProgress } from '~/hooks';
 import { logger } from '~/utils';

+const radius = 56.08695652173913;
+const circumference = 2 * Math.PI * radius;
+
 export default function ToolCall({
  initialProgress = 0.1,
  isSubmitting,
@ -21,6 +25,7 @@ export default function ToolCall({
  args: _args = '',
  output,
  attachments,
+  auth,
 }: {
  initialProgress: number;
  isSubmitting: boolean;
@ -28,13 +33,10 @@ export default function ToolCall({
  args: string | Record<string, unknown>;
  output?: string | null;
  attachments?: TAttachment[];
+  auth?: string;
+  expires_at?: number;
 }) {
  const localize = useLocalize();
-  const progress = useProgress(initialProgress);
-  const radius = 56.08695652173913;
-  const circumference = 2 * Math.PI * radius;
-  const offset = circumference - progress * circumference;
-
  const { function_name, domain, isMCPToolCall } = useMemo(() => {
    if (typeof name !== 'string') {
      return { function_name: '', domain: null, isMCPToolCall: false };
@ -83,8 +85,37 @@ export default function ToolCall({
    [args, output],
  );

+  const authDomain = useMemo(() => {
+    const authURL = auth ?? '';
+    if (!authURL) {
+      return '';
+    }
+    try {
+      const url = new URL(authURL);
+      return url.hostname;
+    } catch (e) {
+      return '';
+    }
+  }, [auth]);
+
+  const progress = useProgress(error === true ? 1 : initialProgress);
+  const cancelled = (!isSubmitting && progress < 1) || error === true;
+  const offset = circumference - progress * circumference;
+
  const renderIcon = () => {
-    if (progress < 1) {
+    if (progress < 1 && authDomain.length > 0) {
+      return (
+        <div
+          className="absolute left-0 top-0 flex h-full w-full items-center justify-center rounded-full bg-transparent text-text-secondary"
+          style={{ opacity: 1, transform: 'none' }}
+          data-projection-id="849"
+        >
+          <div>
+            <ShieldCheck />
+          </div>
+        </div>
+      );
+    } else if (progress < 1) {
      return (
        <InProgressCall progress={progress} isSubmitting={isSubmitting} error={error}>
          <div
@ -101,10 +132,13 @@ export default function ToolCall({
      );
    }

-    return error === true ? <CancelledIcon /> : <FinishedIcon />;
+    return cancelled ? <CancelledIcon /> : <FinishedIcon />;
  };

  const getFinishedText = () => {
+    if (cancelled) {
+      return localize('com_ui_error');
+    }
    if (isMCPToolCall === true) {
      return localize('com_assistants_completed_function', { 0: function_name });
    }
@ -116,28 +150,49 @@ export default function ToolCall({

  return (
    <Popover.Root>
-      <div className="my-2.5 flex items-center gap-2.5">
-        <div className="relative h-5 w-5 shrink-0">{renderIcon()}</div>
-        <ProgressText
-          progress={progress}
-          onClick={() => ({})}
-          inProgressText={localize('com_assistants_running_action')}
-          finishedText={getFinishedText()}
-          hasInput={hasInfo}
-          popover={true}
-        />
-        {hasInfo && (
-          <ToolPopover
-            input={args ?? ''}
-            output={output}
-            domain={domain ?? ''}
-            function_name={function_name}
+      <div className="my-2.5 flex flex-wrap items-center gap-2.5">
+        <div className="flex w-full items-center gap-2.5">
+          <div className="relative h-5 w-5 shrink-0">{renderIcon()}</div>
+          <ProgressText
+            progress={cancelled ? 1 : progress}
+            inProgressText={localize('com_assistants_running_action')}
+            authText={
+              !cancelled && authDomain.length > 0 ? localize('com_ui_requires_auth') : undefined
+            }
+            finishedText={getFinishedText()}
+            hasInput={hasInfo}
+            popover={true}
          />
+          {hasInfo && (
+            <ToolPopover
+              input={args ?? ''}
+              output={output}
+              domain={authDomain || (domain ?? '')}
+              function_name={function_name}
+              pendingAuth={authDomain.length > 0 && !cancelled && progress < 1}
+            />
+          )}
+        </div>
+        {auth != null && auth && progress < 1 && !cancelled && (
+          <div className="flex w-full flex-col gap-2.5">
+            <div className="mb-1 mt-2">
+              <a
+                className="inline-flex items-center justify-center gap-2 rounded-3xl bg-surface-tertiary px-4 py-2 text-sm font-medium hover:bg-surface-hover"
+                href={auth}
+                target="_blank"
+                rel="noopener noreferrer"
+              >
+                {localize('com_ui_sign_in_to_domain', { 0: authDomain })}
+              </a>
+            </div>
+            <p className="flex items-center text-xs text-text-secondary">
+              <TriangleAlert className="mr-1.5 inline-block h-4 w-4" />
+              {localize('com_assistants_allow_sites_you_trust')}
+            </p>
+          </div>
        )}
      </div>
-      {attachments?.map((attachment, index) => (
-        <Attachment attachment={attachment} key={index} />
-      ))}
+      {attachments?.map((attachment, index) => <Attachment attachment={attachment} key={index} />)}
    </Popover.Root>
  );
 }
--- a/client/src/components/Chat/Messages/Content/ToolPopover.tsx
+++ b/client/src/components/Chat/Messages/Content/ToolPopover.tsx
@ -4,13 +4,15 @@ import useLocalize from '~/hooks/useLocalize';
 export default function ToolPopover({
  input,
  output,
-  function_name,
  domain,
+  function_name,
+  pendingAuth,
 }: {
  input: string;
  function_name: string;
  output?: string | null;
  domain?: string;
+  pendingAuth?: boolean;
 }) {
  const localize = useLocalize();
  const formatText = (text: string) => {
@ -21,6 +23,17 @@ export default function ToolPopover({
    }
  };

+  let title =
+    domain != null && domain
+      ? localize('com_assistants_domain_info', { 0: domain })
+      : localize('com_assistants_function_use', { 0: function_name });
+  if (pendingAuth === true) {
+    title =
+      domain != null && domain
+        ? localize('com_assistants_action_attempt', { 0: domain })
+        : localize('com_assistants_attempt_info');
+  }
+
  return (
    <Popover.Portal>
      <Popover.Content
@ -28,27 +41,23 @@ export default function ToolPopover({
        align="start"
        sideOffset={12}
        alignOffset={-5}
-        className="w-18 min-w-[180px]  max-w-sm rounded-lg bg-white dark:bg-gray-900"
+        className="w-18 min-w-[180px]  max-w-sm rounded-lg bg-surface-primary px-1"
      >
        <div tabIndex={-1}>
          <div className="bg-token-surface-primary max-w-sm rounded-md p-2 shadow-[0_0_24px_0_rgba(0,0,0,0.05),inset_0_0.5px_0_0_rgba(0,0,0,0.05),0_2px_8px_0_rgba(0,0,0,0.05)]">
-            <div className="mb-2 text-sm font-medium dark:text-gray-100">
-              {domain != null && domain
-                ? localize('com_assistants_domain_info', { 0: domain })
-                : localize('com_assistants_function_use', { 0: function_name })}
-            </div>
+            <div className="mb-2 text-sm font-medium text-text-primary">{title}</div>
            <div className="bg-token-surface-secondary text-token-text-primary dark rounded-md text-xs">
-              <div className="max-h-32 overflow-y-auto rounded-md p-2 dark:bg-gray-700">
+              <div className="max-h-32 overflow-y-auto rounded-md bg-surface-tertiary p-2">
                <code className="!whitespace-pre-wrap ">{formatText(input)}</code>
              </div>
            </div>
            {output != null && output && (
              <>
-                <div className="mb-2 mt-2 text-sm font-medium dark:text-gray-100">
+                <div className="mb-2 mt-2 text-sm font-medium text-text-primary">
                  {localize('com_ui_result')}
                </div>
                <div className="bg-token-surface-secondary text-token-text-primary dark rounded-md text-xs">
-                  <div className="max-h-32 overflow-y-auto rounded-md p-2 dark:bg-gray-700">
+                  <div className="max-h-32 overflow-y-auto rounded-md bg-surface-tertiary p-2">
                    <code className="!whitespace-pre-wrap ">{formatText(output)}</code>
                  </div>
                </div>
--- a/client/src/components/Prompts/Groups/GroupSidePanel.tsx
+++ b/client/src/components/Prompts/Groups/GroupSidePanel.tsx
@ -30,17 +30,13 @@ export default function GroupSidePanel({
    <div
      className={cn(
        'mr-2 flex h-auto w-auto min-w-72 flex-col gap-2 lg:w-1/4 xl:w-1/4',
-        isDetailView && isSmallerScreen ? 'hidden' : '',
+        isDetailView === true && isSmallerScreen ? 'hidden' : '',
        className,
      )}
    >
      {children}
      <div className="flex-grow overflow-y-auto">
-        <List
-          groups={promptGroups}
-          isChatRoute={isChatRoute}
-          isLoading={!!groupsQuery.isLoading}
-        />
+        <List groups={promptGroups} isChatRoute={isChatRoute} isLoading={!!groupsQuery.isLoading} />
      </div>
      <PanelNavigation
        nextPage={nextPage}
--- a/client/src/components/SidePanel/Agents/ActionsAuth.tsx
+++ b/client/src/components/SidePanel/Agents/ActionsAuth.tsx
@ -1,296 +0,0 @@
-import { useFormContext } from 'react-hook-form';
-import * as RadioGroup from '@radix-ui/react-radio-group';
-import * as DialogPrimitive from '@radix-ui/react-dialog';
-import {
-  AuthTypeEnum,
-  AuthorizationTypeEnum,
-  TokenExchangeMethodEnum,
-} from 'librechat-data-provider';
-import { DialogContent } from '~/components/ui/';
-
-export default function ActionsAuth({
-  setOpenAuthDialog,
-}: {
-  setOpenAuthDialog: React.Dispatch<React.SetStateAction<boolean>>;
-}) {
-  const { watch, setValue, trigger } = useFormContext();
-  const type = watch('type');
-  return (
-    <DialogContent
-      role="dialog"
-      id="radix-:rf5:"
-      aria-describedby="radix-:rf7:"
-      aria-labelledby="radix-:rf6:"
-      data-state="open"
-      className="left-1/2 col-auto col-start-2 row-auto row-start-2 w-full max-w-md -translate-x-1/2 rounded-xl bg-white pb-0 text-left shadow-xl transition-all dark:bg-gray-700 dark:text-gray-100"
-      tabIndex={-1}
-      style={{ pointerEvents: 'auto' }}
-    >
-      <div className="flex items-center justify-between border-b border-black/10 px-4 pb-4 pt-5 dark:border-white/10 sm:p-6">
-        <div className="flex">
-          <div className="flex items-center">
-            <div className="flex grow flex-col gap-1">
-              <h2
-                id="radix-:rf6:"
-                className="text-token-text-primary text-lg font-medium leading-6"
-              >
-                Authentication
-              </h2>
-            </div>
-          </div>
-        </div>
-      </div>
-      <div className="p-4 sm:p-6 sm:pt-0">
-        <div className="mb-4">
-          <label className="mb-1 block text-sm font-medium">Authentication Type</label>
-          <RadioGroup.Root
-            defaultValue={AuthTypeEnum.None}
-            onValueChange={(value) => setValue('type', value)}
-            value={type}
-            role="radiogroup"
-            aria-required="false"
-            dir="ltr"
-            className="flex gap-4"
-            tabIndex={0}
-            style={{ outline: 'none' }}
-          >
-            <div className="flex items-center gap-2">
-              <label htmlFor=":rf8:" className="flex cursor-pointer items-center gap-1">
-                <RadioGroup.Item
-                  type="button"
-                  role="radio"
-                  value={AuthTypeEnum.None}
-                  id=":rf8:"
-                  className="mr-1 flex h-5 w-5 items-center justify-center rounded-full border border-gray-500 bg-white dark:border-gray-500 dark:bg-gray-500"
-                  tabIndex={-1}
-                >
-                  <RadioGroup.Indicator className="h-2 w-2 rounded-full bg-gray-950 dark:bg-white"></RadioGroup.Indicator>
-                </RadioGroup.Item>
-                None
-              </label>
-            </div>
-            <div className="flex items-center gap-2">
-              <label htmlFor=":rfa:" className="flex cursor-pointer items-center gap-1">
-                <RadioGroup.Item
-                  type="button"
-                  role="radio"
-                  value={AuthTypeEnum.ServiceHttp}
-                  id=":rfa:"
-                  className="mr-1 flex h-5 w-5 items-center justify-center rounded-full border border-gray-500 bg-white dark:border-gray-500 dark:bg-gray-500"
-                  tabIndex={0}
-                >
-                  <RadioGroup.Indicator className="h-2 w-2 rounded-full bg-gray-950 dark:bg-white"></RadioGroup.Indicator>
-                </RadioGroup.Item>
-                API Key
-              </label>
-            </div>
-            <div className="flex items-center gap-2 text-gray-500">
-              <label htmlFor=":rfc:" className="flex cursor-not-allowed items-center gap-1">
-                <RadioGroup.Item
-                  type="button"
-                  role="radio"
-                  disabled={true}
-                  value={AuthTypeEnum.OAuth}
-                  id=":rfc:"
-                  className="mr-1 flex h-5 w-5 cursor-not-allowed items-center justify-center rounded-full border border-gray-500 bg-gray-300 dark:border-gray-600 dark:bg-gray-700"
-                  tabIndex={-1}
-                >
-                  <RadioGroup.Indicator className="h-2 w-2 rounded-full bg-gray-950 dark:bg-white"></RadioGroup.Indicator>
-                </RadioGroup.Item>
-                OAuth
-              </label>
-            </div>
-          </RadioGroup.Root>
-        </div>
-        {type === 'none' ? null : type === 'service_http' ? <ApiKey /> : <OAuth />}
-        {/* Cancel/Save */}
-        <div className="mt-5 flex flex-col gap-3 sm:mt-4 sm:flex-row-reverse">
-          <button
-            className="btn relative bg-green-500 text-white hover:bg-green-600 dark:hover:bg-green-600"
-            onClick={async () => {
-              const result = await trigger(undefined, { shouldFocus: true });
-              setValue('saved_auth_fields', result);
-              setOpenAuthDialog(!result);
-            }}
-          >
-            <div className="flex w-full items-center justify-center gap-2">Save</div>
-          </button>
-          <DialogPrimitive.Close className="btn btn-neutral relative">
-            <div className="flex w-full items-center justify-center gap-2">Cancel</div>
-          </DialogPrimitive.Close>
-        </div>
-      </div>
-    </DialogContent>
-  );
-}
-
-const ApiKey = () => {
-  const { register, watch, setValue } = useFormContext();
-  const authorization_type = watch('authorization_type');
-  const type = watch('type');
-  return (
-    <>
-      <label className="mb-1 block text-sm font-medium">API Key</label>
-      <input
-        placeholder="<HIDDEN>"
-        type="password"
-        autoComplete="new-password"
-        className="border-token-border-medium mb-2 h-9 w-full resize-none overflow-y-auto rounded-lg border px-3 py-2 text-sm outline-none focus:ring-2 focus:ring-blue-400 dark:bg-gray-600"
-        {...register('api_key', { required: type === AuthTypeEnum.ServiceHttp })}
-      />
-      <label className="mb-1 block text-sm font-medium">Auth Type</label>
-      <RadioGroup.Root
-        defaultValue={AuthorizationTypeEnum.Basic}
-        onValueChange={(value) => setValue('authorization_type', value)}
-        value={authorization_type}
-        role="radiogroup"
-        aria-required="true"
-        dir="ltr"
-        className="mb-2 flex gap-6 overflow-hidden rounded-lg"
-        tabIndex={0}
-        style={{ outline: 'none' }}
-      >
-        <div className="flex items-center gap-2">
-          <label htmlFor=":rfu:" className="flex cursor-pointer items-center gap-1">
-            <RadioGroup.Item
-              type="button"
-              role="radio"
-              value={AuthorizationTypeEnum.Basic}
-              id=":rfu:"
-              className="mr-1 flex h-5 w-5 items-center justify-center rounded-full border border-gray-500 bg-white dark:border-gray-500 dark:bg-gray-500"
-              tabIndex={-1}
-            >
-              <RadioGroup.Indicator className="h-2 w-2 rounded-full bg-gray-950 dark:bg-white"></RadioGroup.Indicator>
-            </RadioGroup.Item>
-            Basic
-          </label>
-        </div>
-        <div className="flex items-center gap-2">
-          <label htmlFor=":rg0:" className="flex cursor-pointer items-center gap-1">
-            <RadioGroup.Item
-              type="button"
-              role="radio"
-              value={AuthorizationTypeEnum.Bearer}
-              id=":rg0:"
-              className="mr-1 flex h-5 w-5 items-center justify-center rounded-full border border-gray-500 bg-white dark:border-gray-500 dark:bg-gray-500"
-              tabIndex={-1}
-            >
-              <RadioGroup.Indicator className="h-2 w-2 rounded-full bg-gray-950 dark:bg-white"></RadioGroup.Indicator>
-            </RadioGroup.Item>
-            Bearer
-          </label>
-        </div>
-        <div className="flex items-center gap-2">
-          <label htmlFor=":rg2:" className="flex cursor-pointer items-center gap-1">
-            <RadioGroup.Item
-              type="button"
-              role="radio"
-              value={AuthorizationTypeEnum.Custom}
-              id=":rg2:"
-              className="mr-1 flex h-5 w-5 items-center justify-center rounded-full border border-gray-500 bg-white dark:border-gray-500 dark:bg-gray-500"
-              tabIndex={0}
-            >
-              <RadioGroup.Indicator className="h-2 w-2 rounded-full bg-gray-950 dark:bg-white"></RadioGroup.Indicator>
-            </RadioGroup.Item>
-            Custom
-          </label>
-        </div>
-      </RadioGroup.Root>
-      {authorization_type === AuthorizationTypeEnum.Custom && (
-        <div className="mt-2">
-          <label className="mb-1 block text-sm font-medium">Custom Header Name</label>
-          <input
-            className="border-token-border-medium mb-2 h-9 w-full resize-none overflow-y-auto rounded-lg border px-3 py-2 text-sm outline-none focus:ring-2 focus:ring-blue-400 dark:bg-gray-600"
-            placeholder="X-Api-Key"
-            {...register('custom_auth_header', {
-              required: authorization_type === AuthorizationTypeEnum.Custom,
-            })}
-          />
-        </div>
-      )}
-    </>
-  );
-};
-
-const OAuth = () => {
-  const { register, watch, setValue } = useFormContext();
-  const token_exchange_method = watch('token_exchange_method');
-  const type = watch('type');
-  return (
-    <>
-      <label className="mb-1 block text-sm font-medium">Client ID</label>
-      <input
-        placeholder="<HIDDEN>"
-        type="password"
-        autoComplete="off"
-        className="border-token-border-medium mb-2 h-9 w-full resize-none overflow-y-auto rounded-lg border px-3 py-2 text-sm outline-none focus:ring-2 focus:ring-blue-400 dark:bg-gray-800"
-        {...register('oauth_client_id', { required: type === AuthTypeEnum.OAuth })}
-      />
-      <label className="mb-1 block text-sm font-medium">Client Secret</label>
-      <input
-        placeholder="<HIDDEN>"
-        type="password"
-        autoComplete="off"
-        className="border-token-border-medium mb-2 h-9 w-full resize-none overflow-y-auto rounded-lg border px-3 py-2 text-sm outline-none focus:ring-2 focus:ring-blue-400 dark:bg-gray-800"
-        {...register('oauth_client_secret', { required: type === AuthTypeEnum.OAuth })}
-      />
-      <label className="mb-1 block text-sm font-medium">Authorization URL</label>
-      <input
-        className="border-token-border-medium mb-2 h-9 w-full resize-none overflow-y-auto rounded-lg border px-3 py-2 text-sm outline-none focus:ring-2 focus:ring-blue-400 dark:bg-gray-800"
-        {...register('authorization_url', { required: type === AuthTypeEnum.OAuth })}
-      />
-      <label className="mb-1 block text-sm font-medium">Token URL</label>
-      <input
-        className="border-token-border-medium mb-2 h-9 w-full resize-none overflow-y-auto rounded-lg border px-3 py-2 text-sm outline-none focus:ring-2 focus:ring-blue-400 dark:bg-gray-800"
-        {...register('client_url', { required: type === AuthTypeEnum.OAuth })}
-      />
-      <label className="mb-1 block text-sm font-medium">Scope</label>
-      <input
-        className="border-token-border-medium mb-2 h-9 w-full resize-none overflow-y-auto rounded-lg border px-3 py-2 text-sm outline-none focus:ring-2 focus:ring-blue-400 dark:bg-gray-800"
-        {...register('scope', { required: type === AuthTypeEnum.OAuth })}
-      />
-      <label className="mb-1 block text-sm font-medium">Token Exchange Method</label>
-      <RadioGroup.Root
-        defaultValue={AuthorizationTypeEnum.Basic}
-        onValueChange={(value) => setValue('token_exchange_method', value)}
-        value={token_exchange_method}
-        role="radiogroup"
-        aria-required="true"
-        dir="ltr"
-        tabIndex={0}
-        style={{ outline: 'none' }}
-      >
-        <div className="flex items-center gap-2">
-          <label htmlFor=":rj1:" className="flex cursor-pointer items-center gap-1">
-            <RadioGroup.Item
-              type="button"
-              role="radio"
-              value={TokenExchangeMethodEnum.DefaultPost}
-              id=":rj1:"
-              className="mr-1 flex h-5 w-5 items-center justify-center rounded-full border border-gray-500 bg-white dark:border-gray-700 dark:bg-gray-700"
-              tabIndex={-1}
-            >
-              <RadioGroup.Indicator className="h-2 w-2 rounded-full bg-gray-950 dark:bg-white"></RadioGroup.Indicator>
-            </RadioGroup.Item>
-            Default (POST request)
-          </label>
-        </div>
-        <div className="flex items-center gap-2">
-          <label htmlFor=":rj3:" className="flex cursor-pointer items-center gap-1">
-            <RadioGroup.Item
-              type="button"
-              role="radio"
-              value={TokenExchangeMethodEnum.BasicAuthHeader}
-              id=":rj3:"
-              className="mr-1 flex h-5 w-5 items-center justify-center rounded-full border border-gray-500 bg-white dark:border-gray-700 dark:bg-gray-700"
-              tabIndex={-1}
-            >
-              <RadioGroup.Indicator className="h-2 w-2 rounded-full bg-gray-950 dark:bg-white"></RadioGroup.Indicator>
-            </RadioGroup.Item>
-            Basic authorization header
-          </label>
-        </div>
-      </RadioGroup.Root>
-    </>
-  );
-};
--- a/client/src/components/SidePanel/Agents/ActionsInput.tsx
+++ b/client/src/components/SidePanel/Agents/ActionsInput.tsx
@ -14,6 +14,7 @@ import type {
 } from 'librechat-data-provider';
 import type { ActionAuthForm } from '~/common';
 import type { Spec } from './ActionsTable';
+import ActionCallback from '~/components/SidePanel/Builder/ActionCallback';
 import { ActionsTable, columns } from './ActionsTable';
 import { useUpdateAgentAction } from '~/data-provider';
 import { useToastContext } from '~/Providers';
@ -248,8 +249,8 @@ export default function ActionsInput({
        </div>
      </div>
      {!!data && (
-        <div>
-          <div className="mb-1.5 flex items-center">
+        <div className="my-2">
+          <div className="flex items-center">
            <label className="text-token-text-primary block font-medium">
              {localize('com_assistants_available_actions')}
            </label>
@ -258,6 +259,7 @@ export default function ActionsInput({
        </div>
      )}
      <div className="relative my-1">
+        <ActionCallback action_id={action?.action_id} />
        <div className="mb-1.5 flex items-center">
          <label className="text-token-text-primary block font-medium">
            {localize('com_ui_privacy_policy_url')}
@ -267,7 +269,7 @@ export default function ActionsInput({
          <input
            type="text"
            placeholder="https://api.example-weather-app.com/privacy"
-            className="flex-1 rounded-lg bg-transparent px-3 py-1.5 text-sm outline-none focus:ring-1 focus:ring-border-light"
+            className="flex-1 rounded-lg bg-transparent px-3 py-1.5 text-sm outline-none placeholder:text-text-secondary-alt focus:ring-1 focus:ring-border-light"
          />
        </div>
      </div>
--- a/client/src/components/SidePanel/Agents/ActionsPanel.tsx
+++ b/client/src/components/SidePanel/Agents/ActionsPanel.tsx
@ -1,4 +1,4 @@
-import { useEffect, useState } from 'react';
+import { useEffect } from 'react';
 import { useForm, FormProvider } from 'react-hook-form';
 import {
  AuthTypeEnum,
@ -7,14 +7,14 @@ import {
 } from 'librechat-data-provider';
 import { ChevronLeft } from 'lucide-react';
 import type { AgentPanelProps, ActionAuthForm } from '~/common';
-import { Dialog, DialogTrigger, OGDialog, OGDialogTrigger, Label } from '~/components/ui';
+import ActionsAuth from '~/components/SidePanel/Builder/ActionsAuth';
+import { OGDialog, OGDialogTrigger, Label } from '~/components/ui';
 import OGDialogTemplate from '~/components/ui/OGDialogTemplate';
 import { useDeleteAgentAction } from '~/data-provider';
 import useLocalize from '~/hooks/useLocalize';
 import { useToastContext } from '~/Providers';
 import { TrashIcon } from '~/components/svg';
 import ActionsInput from './ActionsInput';
-import ActionsAuth from './ActionsAuth';
 import { Panel } from '~/common';

 export default function ActionsPanel({
@ -26,8 +26,6 @@ export default function ActionsPanel({
 }: AgentPanelProps) {
  const localize = useLocalize();
  const { showToast } = useToastContext();
-
-  const [openAuthDialog, setOpenAuthDialog] = useState(false);
  const deleteAgentAction = useDeleteAgentAction({
    onSuccess: () => {
      showToast({
@ -65,7 +63,6 @@ export default function ActionsPanel({
  });

  const { reset, watch } = methods;
-  const type = watch('type');

  useEffect(() => {
    if (action?.metadata.auth) {
@ -156,40 +153,7 @@ export default function ActionsPanel({
            <a href="https://help.openai.com/en/articles/8554397-creating-a-gpt" target="_blank" rel="noreferrer" className="font-medium">Learn more.</a>
          </div> */}
          </div>
-          <Dialog open={openAuthDialog} onOpenChange={setOpenAuthDialog}>
-            <DialogTrigger asChild>
-              <div className="relative mb-4">
-                <div className="mb-1.5 flex items-center">
-                  <label className="text-token-text-primary block font-medium">
-                    {localize('com_ui_authentication')}
-                  </label>
-                </div>
-                <div className="border-token-border-medium flex rounded-lg border text-sm hover:cursor-pointer">
-                  <div className="h-9 grow px-3 py-2">{type}</div>
-                  <div className="bg-token-border-medium w-px"></div>
-                  <button type="button" color="neutral" className="flex items-center gap-2 px-3">
-                    <svg
-                      width="24"
-                      height="24"
-                      viewBox="0 0 24 24"
-                      fill="none"
-                      xmlns="http://www.w3.org/2000/svg"
-                      className="icon-sm"
-                    >
-                      <path
-                        d="M11.6439 3C10.9352 3 10.2794 3.37508 9.92002 3.98596L9.49644 4.70605C8.96184 5.61487 7.98938 6.17632 6.93501 6.18489L6.09967 6.19168C5.39096 6.19744 4.73823 6.57783 4.38386 7.19161L4.02776 7.80841C3.67339 8.42219 3.67032 9.17767 4.01969 9.7943L4.43151 10.5212C4.95127 11.4386 4.95127 12.5615 4.43151 13.4788L4.01969 14.2057C3.67032 14.8224 3.67339 15.5778 4.02776 16.1916L4.38386 16.8084C4.73823 17.4222 5.39096 17.8026 6.09966 17.8083L6.93502 17.8151C7.98939 17.8237 8.96185 18.3851 9.49645 19.294L9.92002 20.014C10.2794 20.6249 10.9352 21 11.6439 21H12.3561C13.0648 21 13.7206 20.6249 14.08 20.014L14.5035 19.294C15.0381 18.3851 16.0106 17.8237 17.065 17.8151L17.9004 17.8083C18.6091 17.8026 19.2618 17.4222 19.6162 16.8084L19.9723 16.1916C20.3267 15.5778 20.3298 14.8224 19.9804 14.2057L19.5686 13.4788C19.0488 12.5615 19.0488 11.4386 19.5686 10.5212L19.9804 9.7943C20.3298 9.17767 20.3267 8.42219 19.9723 7.80841L19.6162 7.19161C19.2618 6.57783 18.6091 6.19744 17.9004 6.19168L17.065 6.18489C16.0106 6.17632 15.0382 5.61487 14.5036 4.70605L14.08 3.98596C13.7206 3.37508 13.0648 3 12.3561 3H11.6439Z"
-                        stroke="currentColor"
-                        strokeWidth="2"
-                        strokeLinejoin="round"
-                      />
-                      <circle cx="12" cy="12" r="2.5" stroke="currentColor" strokeWidth="2" />
-                    </svg>
-                  </button>
-                </div>
-              </div>
-            </DialogTrigger>
-            <ActionsAuth setOpenAuthDialog={setOpenAuthDialog} />
-          </Dialog>
+          <ActionsAuth />
          <ActionsInput action={action} agent_id={agent_id} setAction={setAction} />
        </div>
      </form>
--- a/client/src/components/SidePanel/Agents/ActionsTable/Table.tsx
+++ b/client/src/components/SidePanel/Agents/ActionsTable/Table.tsx
@ -22,7 +22,7 @@ export default function DataTable<TData, TValue>({ columns, data }: DataTablePro
            className="border-token-border-light text-token-text-tertiary border-b text-left text-xs"
          >
            {headerGroup.headers.map((header, j) => (
-              <th key={j} className="py-1 font-normal">
+              <th key={j} className="py-1 font-normal text-text-secondary-alt">
                {header.isPlaceholder
                  ? null
                  : flexRender(header.column.columnDef.header, header.getContext())}
--- a/client/src/components/SidePanel/Builder/ActionCallback.tsx
+++ b/client/src/components/SidePanel/Builder/ActionCallback.tsx
@ -0,0 +1,63 @@
+import { useState } from 'react';
+import { Copy, CopyCheck } from 'lucide-react';
+import { useFormContext } from 'react-hook-form';
+import { AuthTypeEnum } from 'librechat-data-provider';
+import { useLocalize, useCopyToClipboard } from '~/hooks';
+import { useToastContext } from '~/Providers';
+import { Button } from '~/components/ui';
+import { cn } from '~/utils';
+
+export default function ActionCallback({ action_id }: { action_id?: string }) {
+  const localize = useLocalize();
+  const { watch } = useFormContext();
+  const { showToast } = useToastContext();
+  const [isCopying, setIsCopying] = useState(false);
+  const callbackURL = `${window.location.protocol}//${window.location.host}/api/actions/${action_id}/oauth/callback`;
+  const copyLink = useCopyToClipboard({ text: callbackURL });
+
+  if (!action_id) {
+    return null;
+  }
+  const type = watch('type');
+  if (type !== AuthTypeEnum.OAuth) {
+    return null;
+  }
+  return (
+    <div className="mb-1.5 flex flex-col space-y-2">
+      <label className="font-semibold">{localize('com_ui_callback_url')}</label>
+      <div className="relative flex items-center">
+        <div className="border-token-border-medium bg-token-surface-primary hover:border-token-border-hover flex h-10 w-full rounded-lg border">
+          <div className="flex-1 overflow-hidden">
+            <div className="relative w-full">
+              <input
+                type="text"
+                readOnly
+                value={callbackURL}
+                className="w-full border-0 bg-transparent px-3 py-2 pr-12 text-sm text-text-secondary-alt focus:outline-none"
+                style={{ direction: 'rtl' }}
+              />
+            </div>
+          </div>
+          <div className="absolute right-0 flex h-full items-center pr-1">
+            <Button
+              size="sm"
+              variant="ghost"
+              type="button"
+              onClick={() => {
+                if (isCopying) {
+                  return;
+                }
+                showToast({ message: localize('com_ui_copied_to_clipboard') });
+                copyLink(setIsCopying);
+              }}
+              className={cn('h-8 rounded-md px-2', isCopying ? 'cursor-default' : '')}
+              aria-label={localize('com_ui_copy_link')}
+            >
+              {isCopying ? <CopyCheck className="size-4" /> : <Copy className="size-4" />}
+            </Button>
+          </div>
+        </div>
+      </div>
+    </div>
+  );
+}
--- a/client/src/components/SidePanel/Builder/ActionsAuth.tsx
+++ b/client/src/components/SidePanel/Builder/ActionsAuth.tsx
@ -1,144 +1,190 @@
+import { useState } from 'react';
 import { useFormContext } from 'react-hook-form';
 import * as RadioGroup from '@radix-ui/react-radio-group';
-import * as DialogPrimitive from '@radix-ui/react-dialog';
 import {
  AuthTypeEnum,
  AuthorizationTypeEnum,
  TokenExchangeMethodEnum,
 } from 'librechat-data-provider';
-import { DialogContent } from '~/components/ui/';
+import {
+  OGDialog,
+  OGDialogClose,
+  OGDialogTitle,
+  OGDialogHeader,
+  OGDialogContent,
+  OGDialogTrigger,
+} from '~/components/ui';
+import { TranslationKeys, useLocalize } from '~/hooks';
+import { cn } from '~/utils';

-export default function ActionsAuth({
-  setOpenAuthDialog,
-}: {
-  setOpenAuthDialog: React.Dispatch<React.SetStateAction<boolean>>;
-}) {
+export default function ActionsAuth({ disableOAuth }: { disableOAuth?: boolean }) {
+  const localize = useLocalize();
+  const [openAuthDialog, setOpenAuthDialog] = useState(false);
  const { watch, setValue, trigger } = useFormContext();
  const type = watch('type');
+
  return (
-    <DialogContent
-      role="dialog"
-      id="radix-:rf5:"
-      aria-describedby="radix-:rf7:"
-      aria-labelledby="radix-:rf6:"
-      data-state="open"
-      className="left-1/2 col-auto col-start-2 row-auto row-start-2 w-full max-w-md -translate-x-1/2 rounded-xl bg-white pb-0 text-left shadow-xl transition-all dark:bg-gray-700 dark:text-gray-100"
-      tabIndex={-1}
-      style={{ pointerEvents: 'auto' }}
-    >
-      <div className="flex items-center justify-between border-b border-black/10 px-4 pb-4 pt-5 dark:border-white/10 sm:p-6">
-        <div className="flex">
-          <div className="flex items-center">
-            <div className="flex grow flex-col gap-1">
-              <h2
-                id="radix-:rf6:"
-                className="text-token-text-primary text-lg font-medium leading-6"
-              >
-                Authentication
-              </h2>
+    <OGDialog open={openAuthDialog} onOpenChange={setOpenAuthDialog}>
+      <OGDialogTrigger asChild>
+        <div className="relative mb-4">
+          <div className="mb-1.5 flex items-center">
+            <label className="text-token-text-primary block font-medium">
+              {localize('com_ui_authentication')}
+            </label>
+          </div>
+          <div className="border-token-border-medium flex rounded-lg border text-sm hover:cursor-pointer">
+            <div className="h-9 grow px-3 py-2">
+              {localize(`com_ui_${type}` as TranslationKeys)}
            </div>
+            <div className="bg-token-border-medium w-px"></div>
+            <button type="button" color="neutral" className="flex items-center gap-2 px-3">
+              <svg
+                width="24"
+                height="24"
+                viewBox="0 0 24 24"
+                fill="none"
+                xmlns="http://www.w3.org/2000/svg"
+                className="icon-sm"
+              >
+                <path
+                  d="M11.6439 3C10.9352 3 10.2794 3.37508 9.92002 3.98596L9.49644 4.70605C8.96184 5.61487 7.98938 6.17632 6.93501 6.18489L6.09967 6.19168C5.39096 6.19744 4.73823 6.57783 4.38386 7.19161L4.02776 7.80841C3.67339 8.42219 3.67032 9.17767 4.01969 9.7943L4.43151 10.5212C4.95127 11.4386 4.95127 12.5615 4.43151 13.4788L4.01969 14.2057C3.67032 14.8224 3.67339 15.5778 4.02776 16.1916L4.38386 16.8084C4.73823 17.4222 5.39096 17.8026 6.09966 17.8083L6.93502 17.8151C7.98939 17.8237 8.96185 18.3851 9.49645 19.294L9.92002 20.014C10.2794 20.6249 10.9352 21 11.6439 21H12.3561C13.0648 21 13.7206 20.6249 14.08 20.014L14.5035 19.294C15.0381 18.3851 16.0106 17.8237 17.065 17.8151L17.9004 17.8083C18.6091 17.8026 19.2618 17.4222 19.6162 16.8084L19.9723 16.1916C20.3267 15.5778 20.3298 14.8224 19.9804 14.2057L19.5686 13.4788C19.0488 12.5615 19.0488 11.4386 19.5686 10.5212L19.9804 9.7943C20.3298 9.17767 20.3267 8.42219 19.9723 7.80841L19.6162 7.19161C19.2618 6.57783 18.6091 6.19744 17.9004 6.19168L17.065 6.18489C16.0106 6.17632 15.0382 5.61487 14.5036 4.70605L14.08 3.98596C13.7206 3.37508 13.0648 3 12.3561 3H11.6439Z"
+                  stroke="currentColor"
+                  strokeWidth="2"
+                  strokeLinejoin="round"
+                />
+                <circle cx="12" cy="12" r="2.5" stroke="currentColor" strokeWidth="2" />
+              </svg>
+            </button>
          </div>
        </div>
-      </div>
-      <div className="p-4 sm:p-6 sm:pt-0">
-        <div className="mb-4">
-          <label className="mb-1 block text-sm font-medium">Authentication Type</label>
-          <RadioGroup.Root
-            defaultValue={AuthTypeEnum.None}
-            onValueChange={(value) => setValue('type', value)}
-            value={type}
-            role="radiogroup"
-            aria-required="false"
-            dir="ltr"
-            className="flex gap-4"
-            tabIndex={0}
-            style={{ outline: 'none' }}
-          >
-            <div className="flex items-center gap-2">
-              <label htmlFor=":rf8:" className="flex cursor-pointer items-center gap-1">
-                <RadioGroup.Item
-                  type="button"
-                  role="radio"
-                  value={AuthTypeEnum.None}
-                  id=":rf8:"
-                  className="mr-1 flex h-5 w-5 items-center justify-center rounded-full border border-gray-500 bg-white dark:border-gray-500 dark:bg-gray-500"
-                  tabIndex={-1}
+      </OGDialogTrigger>
+      <OGDialogContent className="w-full max-w-md border-none bg-surface-primary text-text-primary">
+        <OGDialogHeader className="border-b border-border-light sm:p-3">
+          <OGDialogTitle>{localize('com_ui_authentication')}</OGDialogTitle>
+        </OGDialogHeader>
+        <div className="p-4 sm:p-6 sm:pt-0">
+          <div className="mb-4">
+            <label className="mb-1 block text-sm font-medium">
+              {localize('com_ui_authentication_type')}
+            </label>
+            <RadioGroup.Root
+              defaultValue={AuthTypeEnum.None}
+              onValueChange={(value) => setValue('type', value)}
+              value={type}
+              role="radiogroup"
+              aria-required="false"
+              dir="ltr"
+              className="flex gap-4"
+              style={{ outline: 'none' }}
+            >
+              <div className="flex items-center gap-2">
+                <label htmlFor=":rf8:" className="flex cursor-pointer items-center gap-1">
+                  <RadioGroup.Item
+                    type="button"
+                    role="radio"
+                    value={AuthTypeEnum.None}
+                    id=":rf8:"
+                    className={cn(
+                      'mr-1 flex h-5 w-5 items-center justify-center rounded-full border',
+                      'border-border-heavy bg-surface-primary',
+                    )}
+                  >
+                    <RadioGroup.Indicator className="h-2 w-2 rounded-full bg-text-primary" />
+                  </RadioGroup.Item>
+                  {localize('com_ui_none')}
+                </label>
+              </div>
+              <div className="flex items-center gap-2">
+                <label htmlFor=":rfa:" className="flex cursor-pointer items-center gap-1">
+                  <RadioGroup.Item
+                    type="button"
+                    role="radio"
+                    value={AuthTypeEnum.ServiceHttp}
+                    id=":rfa:"
+                    className={cn(
+                      'mr-1 flex h-5 w-5 items-center justify-center rounded-full border',
+                      'border-border-heavy bg-surface-primary',
+                    )}
+                  >
+                    <RadioGroup.Indicator className="h-2 w-2 rounded-full bg-text-primary" />
+                  </RadioGroup.Item>
+                  {localize('com_ui_api_key')}
+                </label>
+              </div>
+              <div className="flex items-center gap-2">
+                <label
+                  htmlFor=":rfc:"
+                  className={cn(
+                    'flex items-center gap-1',
+                    disableOAuth === true ? 'cursor-not-allowed' : 'cursor-pointer',
+                  )}
                >
-                  <RadioGroup.Indicator className="h-2 w-2 rounded-full bg-gray-950 dark:bg-white"></RadioGroup.Indicator>
-                </RadioGroup.Item>
-                None
-              </label>
-            </div>
-            <div className="flex items-center gap-2">
-              <label htmlFor=":rfa:" className="flex cursor-pointer items-center gap-1">
-                <RadioGroup.Item
-                  type="button"
-                  role="radio"
-                  value={AuthTypeEnum.ServiceHttp}
-                  id=":rfa:"
-                  className="mr-1 flex h-5 w-5 items-center justify-center rounded-full border border-gray-500 bg-white dark:border-gray-500 dark:bg-gray-500"
-                  tabIndex={0}
-                >
-                  <RadioGroup.Indicator className="h-2 w-2 rounded-full bg-gray-950 dark:bg-white"></RadioGroup.Indicator>
-                </RadioGroup.Item>
-                API Key
-              </label>
-            </div>
-            <div className="flex items-center gap-2 text-gray-500">
-              <label htmlFor=":rfc:" className="flex cursor-not-allowed items-center gap-1">
-                <RadioGroup.Item
-                  type="button"
-                  role="radio"
-                  disabled={true}
-                  value={AuthTypeEnum.OAuth}
-                  id=":rfc:"
-                  className="mr-1 flex h-5 w-5 cursor-not-allowed items-center justify-center rounded-full border border-gray-500 bg-gray-300 dark:border-gray-600 dark:bg-gray-700"
-                  tabIndex={-1}
-                >
-                  <RadioGroup.Indicator className="h-2 w-2 rounded-full bg-gray-950 dark:bg-white"></RadioGroup.Indicator>
-                </RadioGroup.Item>
-                OAuth
-              </label>
-            </div>
-          </RadioGroup.Root>
+                  <RadioGroup.Item
+                    type="button"
+                    role="radio"
+                    disabled={disableOAuth}
+                    value={AuthTypeEnum.OAuth}
+                    id=":rfc:"
+                    className={cn(
+                      'mr-1 flex h-5 w-5 items-center justify-center rounded-full border',
+                      'border-border-heavy bg-surface-primary',
+                      disableOAuth === true ? 'cursor-not-allowed' : '',
+                    )}
+                  >
+                    <RadioGroup.Indicator className="h-2 w-2 rounded-full bg-text-primary" />
+                  </RadioGroup.Item>
+                  {localize('com_ui_oauth')}
+                </label>
+              </div>
+            </RadioGroup.Root>
+          </div>
+          {type === 'none' ? null : type === 'service_http' ? <ApiKey /> : <OAuth />}
+          {/* Cancel/Save */}
+          <div className="mt-5 flex flex-col gap-3 sm:mt-4 sm:flex-row-reverse">
+            <button
+              className="btn relative bg-surface-submit text-primary-foreground hover:bg-surface-submit-hover"
+              onClick={async () => {
+                const result = await trigger(undefined, { shouldFocus: true });
+                setValue('saved_auth_fields', result);
+                setOpenAuthDialog(!result);
+              }}
+            >
+              <div className="flex w-full items-center justify-center gap-2 text-white">
+                {localize('com_ui_save')}
+              </div>
+            </button>
+            <OGDialogClose className="btn btn-neutral relative">
+              <div className="flex w-full items-center justify-center gap-2">
+                {localize('com_ui_cancel')}
+              </div>
+            </OGDialogClose>
+          </div>
        </div>
-        {type === 'none' ? null : type === 'service_http' ? <ApiKey /> : <OAuth />}
-        {/* Cancel/Save */}
-        <div className="mt-5 flex flex-col gap-3 sm:mt-4 sm:flex-row-reverse">
-          <button
-            className="btn relative bg-green-500 text-white hover:bg-green-600 dark:hover:bg-green-600"
-            onClick={async () => {
-              const result = await trigger(undefined, { shouldFocus: true });
-              setValue('saved_auth_fields', result);
-              setOpenAuthDialog(!result);
-            }}
-          >
-            <div className="flex w-full items-center justify-center gap-2">Save</div>
-          </button>
-          <DialogPrimitive.Close className="btn btn-neutral relative">
-            <div className="flex w-full items-center justify-center gap-2">Cancel</div>
-          </DialogPrimitive.Close>
-        </div>
-      </div>
-    </DialogContent>
+      </OGDialogContent>
+    </OGDialog>
  );
 }

 const ApiKey = () => {
+  const localize = useLocalize();
  const { register, watch, setValue } = useFormContext();
  const authorization_type = watch('authorization_type');
  const type = watch('type');
  return (
    <>
-      <label className="mb-1 block text-sm font-medium">API Key</label>
+      <label className="mb-1 block text-sm font-medium">{localize('com_ui_api_key')}</label>
      <input
        placeholder="<HIDDEN>"
-        type="password"
+        type="new-password"
        autoComplete="new-password"
-        className="border-token-border-medium mb-2 h-9 w-full resize-none overflow-y-auto rounded-lg border px-3 py-2 text-sm outline-none focus:ring-2 focus:ring-blue-400 dark:bg-gray-600"
+        className={cn(
+          'mb-2 h-9 w-full resize-none overflow-y-auto rounded-lg border px-3 py-2 text-sm',
+          'border-border-medium bg-surface-primary outline-none',
+          'focus:ring-2 focus:ring-ring',
+        )}
        {...register('api_key', { required: type === AuthTypeEnum.ServiceHttp })}
      />
-      <label className="mb-1 block text-sm font-medium">Auth Type</label>
+      <label className="mb-1 block text-sm font-medium">{localize('com_ui_auth_type')}</label>
      <RadioGroup.Root
        defaultValue={AuthorizationTypeEnum.Basic}
        onValueChange={(value) => setValue('authorization_type', value)}
@ -147,7 +193,6 @@ const ApiKey = () => {
        aria-required="true"
        dir="ltr"
        className="mb-2 flex gap-6 overflow-hidden rounded-lg"
-        tabIndex={0}
        style={{ outline: 'none' }}
      >
        <div className="flex items-center gap-2">
@ -157,12 +202,14 @@ const ApiKey = () => {
              role="radio"
              value={AuthorizationTypeEnum.Basic}
              id=":rfu:"
-              className="mr-1 flex h-5 w-5 items-center justify-center rounded-full border border-gray-500 bg-white dark:border-gray-500 dark:bg-gray-500"
-              tabIndex={-1}
+              className={cn(
+                'mr-1 flex h-5 w-5 items-center justify-center rounded-full border',
+                'border-border-heavy bg-surface-primary',
+              )}
            >
-              <RadioGroup.Indicator className="h-2 w-2 rounded-full bg-gray-950 dark:bg-white"></RadioGroup.Indicator>
+              <RadioGroup.Indicator className="h-2 w-2 rounded-full bg-text-primary" />
            </RadioGroup.Item>
-            Basic
+            {localize('com_ui_basic')}
          </label>
        </div>
        <div className="flex items-center gap-2">
@ -172,12 +219,14 @@ const ApiKey = () => {
              role="radio"
              value={AuthorizationTypeEnum.Bearer}
              id=":rg0:"
-              className="mr-1 flex h-5 w-5 items-center justify-center rounded-full border border-gray-500 bg-white dark:border-gray-500 dark:bg-gray-500"
-              tabIndex={-1}
+              className={cn(
+                'mr-1 flex h-5 w-5 items-center justify-center rounded-full border',
+                'border-border-heavy bg-surface-primary',
+              )}
            >
-              <RadioGroup.Indicator className="h-2 w-2 rounded-full bg-gray-950 dark:bg-white"></RadioGroup.Indicator>
+              <RadioGroup.Indicator className="h-2 w-2 rounded-full bg-text-primary" />
            </RadioGroup.Item>
-            Bearer
+            {localize('com_ui_bearer')}
          </label>
        </div>
        <div className="flex items-center gap-2">
@ -187,20 +236,28 @@ const ApiKey = () => {
              role="radio"
              value={AuthorizationTypeEnum.Custom}
              id=":rg2:"
-              className="mr-1 flex h-5 w-5 items-center justify-center rounded-full border border-gray-500 bg-white dark:border-gray-500 dark:bg-gray-500"
-              tabIndex={0}
+              className={cn(
+                'mr-1 flex h-5 w-5 items-center justify-center rounded-full border',
+                'border-border-heavy bg-surface-primary',
+              )}
            >
-              <RadioGroup.Indicator className="h-2 w-2 rounded-full bg-gray-950 dark:bg-white"></RadioGroup.Indicator>
+              <RadioGroup.Indicator className="h-2 w-2 rounded-full bg-text-primary" />
            </RadioGroup.Item>
-            Custom
+            {localize('com_ui_custom')}
          </label>
        </div>
      </RadioGroup.Root>
      {authorization_type === AuthorizationTypeEnum.Custom && (
        <div className="mt-2">
-          <label className="mb-1 block text-sm font-medium">Custom Header Name</label>
+          <label className="mb-1 block text-sm font-medium">
+            {localize('com_ui_custom_header_name')}
+          </label>
          <input
-            className="border-token-border-medium mb-2 h-9 w-full resize-none overflow-y-auto rounded-lg border px-3 py-2 text-sm outline-none focus:ring-2 focus:ring-blue-400 dark:bg-gray-600"
+            className={cn(
+              'mb-2 h-9 w-full resize-none overflow-y-auto rounded-lg border px-3 py-2 text-sm',
+              'border-border-medium bg-surface-primary outline-none',
+              'focus:ring-2 focus:ring-ring',
+            )}
            placeholder="X-Api-Key"
            {...register('custom_auth_header', {
              required: authorization_type === AuthorizationTypeEnum.Custom,
@ -213,43 +270,53 @@ const ApiKey = () => {
 };

 const OAuth = () => {
+  const localize = useLocalize();
  const { register, watch, setValue } = useFormContext();
  const token_exchange_method = watch('token_exchange_method');
  const type = watch('type');
+
+  const inputClasses = cn(
+    'mb-2 h-9 w-full resize-none overflow-y-auto rounded-lg border px-3 py-2 text-sm',
+    'border-border-medium bg-surface-primary outline-none',
+    'focus:ring-2 focus:ring-ring',
+  );
+
  return (
    <>
-      <label className="mb-1 block text-sm font-medium">Client ID</label>
+      <label className="mb-1 block text-sm font-medium">{localize('com_ui_client_id')}</label>
      <input
        placeholder="<HIDDEN>"
        type="password"
-        autoComplete="off"
-        className="border-token-border-medium mb-2 h-9 w-full resize-none overflow-y-auto rounded-lg border px-3 py-2 text-sm outline-none focus:ring-2 focus:ring-blue-400 dark:bg-gray-800"
-        {...register('oauth_client_id', { required: type === AuthTypeEnum.OAuth })}
+        autoComplete="new-password"
+        className={inputClasses}
+        {...register('oauth_client_id', { required: false })}
      />
-      <label className="mb-1 block text-sm font-medium">Client Secret</label>
+      <label className="mb-1 block text-sm font-medium">{localize('com_ui_client_secret')}</label>
      <input
        placeholder="<HIDDEN>"
        type="password"
-        autoComplete="off"
-        className="border-token-border-medium mb-2 h-9 w-full resize-none overflow-y-auto rounded-lg border px-3 py-2 text-sm outline-none focus:ring-2 focus:ring-blue-400 dark:bg-gray-800"
-        {...register('oauth_client_secret', { required: type === AuthTypeEnum.OAuth })}
+        autoComplete="new-password"
+        className={inputClasses}
+        {...register('oauth_client_secret', { required: false })}
      />
-      <label className="mb-1 block text-sm font-medium">Authorization URL</label>
+      <label className="mb-1 block text-sm font-medium">{localize('com_ui_auth_url')}</label>
      <input
-        className="border-token-border-medium mb-2 h-9 w-full resize-none overflow-y-auto rounded-lg border px-3 py-2 text-sm outline-none focus:ring-2 focus:ring-blue-400 dark:bg-gray-800"
+        className={inputClasses}
        {...register('authorization_url', { required: type === AuthTypeEnum.OAuth })}
      />
-      <label className="mb-1 block text-sm font-medium">Token URL</label>
+      <label className="mb-1 block text-sm font-medium">{localize('com_ui_token_url')}</label>
      <input
-        className="border-token-border-medium mb-2 h-9 w-full resize-none overflow-y-auto rounded-lg border px-3 py-2 text-sm outline-none focus:ring-2 focus:ring-blue-400 dark:bg-gray-800"
+        className={inputClasses}
        {...register('client_url', { required: type === AuthTypeEnum.OAuth })}
      />
-      <label className="mb-1 block text-sm font-medium">Scope</label>
+      <label className="mb-1 block text-sm font-medium">{localize('com_ui_scope')}</label>
      <input
-        className="border-token-border-medium mb-2 h-9 w-full resize-none overflow-y-auto rounded-lg border px-3 py-2 text-sm outline-none focus:ring-2 focus:ring-blue-400 dark:bg-gray-800"
+        className={inputClasses}
        {...register('scope', { required: type === AuthTypeEnum.OAuth })}
      />
-      <label className="mb-1 block text-sm font-medium">Token Exchange Method</label>
+      <label className="mb-1 block text-sm font-medium">
+        {localize('com_ui_token_exchange_method')}
+      </label>
      <RadioGroup.Root
        defaultValue={AuthorizationTypeEnum.Basic}
        onValueChange={(value) => setValue('token_exchange_method', value)}
@ -257,7 +324,6 @@ const OAuth = () => {
        role="radiogroup"
        aria-required="true"
        dir="ltr"
-        tabIndex={0}
        style={{ outline: 'none' }}
      >
        <div className="flex items-center gap-2">
@ -267,12 +333,14 @@ const OAuth = () => {
              role="radio"
              value={TokenExchangeMethodEnum.DefaultPost}
              id=":rj1:"
-              className="mr-1 flex h-5 w-5 items-center justify-center rounded-full border border-gray-500 bg-white dark:border-gray-700 dark:bg-gray-700"
-              tabIndex={-1}
+              className={cn(
+                'mr-1 flex h-5 w-5 items-center justify-center rounded-full border',
+                'border-border-heavy bg-surface-primary',
+              )}
            >
-              <RadioGroup.Indicator className="h-2 w-2 rounded-full bg-gray-950 dark:bg-white"></RadioGroup.Indicator>
+              <RadioGroup.Indicator className="h-2 w-2 rounded-full bg-text-primary" />
            </RadioGroup.Item>
-            Default (POST request)
+            {localize('com_ui_default_post_request')}
          </label>
        </div>
        <div className="flex items-center gap-2">
@ -282,12 +350,14 @@ const OAuth = () => {
              role="radio"
              value={TokenExchangeMethodEnum.BasicAuthHeader}
              id=":rj3:"
-              className="mr-1 flex h-5 w-5 items-center justify-center rounded-full border border-gray-500 bg-white dark:border-gray-700 dark:bg-gray-700"
-              tabIndex={-1}
+              className={cn(
+                'mr-1 flex h-5 w-5 items-center justify-center rounded-full border',
+                'border-border-heavy bg-surface-primary',
+              )}
            >
-              <RadioGroup.Indicator className="h-2 w-2 rounded-full bg-gray-950 dark:bg-white"></RadioGroup.Indicator>
+              <RadioGroup.Indicator className="h-2 w-2 rounded-full bg-text-primary" />
            </RadioGroup.Item>
-            Basic authorization header
+            {localize('com_ui_basic_auth_header')}
          </label>
        </div>
      </RadioGroup.Root>
--- a/client/src/components/SidePanel/Builder/ActionsInput.tsx
+++ b/client/src/components/SidePanel/Builder/ActionsInput.tsx
@ -15,6 +15,7 @@ import type {
 } from 'librechat-data-provider';
 import type { ActionAuthForm, ActionWithNullableMetadata } from '~/common';
 import type { Spec } from './ActionsTable';
+import ActionCallback from '~/components/SidePanel/Builder/ActionCallback';
 import { useAssistantsMapContext, useToastContext } from '~/Providers';
 import { ActionsTable, columns } from './ActionsTable';
 import { useUpdateAction } from '~/data-provider';
@ -259,8 +260,8 @@ export default function ActionsInput({
        </div>
      </div>
      {!!data && (
-        <div>
-          <div className="mb-1.5 flex items-center">
+        <div className="my-2">
+          <div className="flex items-center">
            <label className="text-token-text-primary block font-medium">
              {localize('com_assistants_available_actions')}
            </label>
@ -269,6 +270,7 @@ export default function ActionsInput({
        </div>
      )}
      <div className="relative my-1">
+        <ActionCallback action_id={action?.action_id} />
        <div className="mb-1.5 flex items-center">
          <label className="text-token-text-primary block font-medium">
            {localize('com_ui_privacy_policy_url')}
@ -278,7 +280,7 @@ export default function ActionsInput({
          <input
            type="text"
            placeholder="https://api.example-weather-app.com/privacy"
-            className="flex-1 rounded-lg bg-transparent px-3 py-1.5 text-sm outline-none focus:ring-1 focus:ring-border-light"
+            className="flex-1 rounded-lg bg-transparent px-3 py-1.5 text-sm outline-none placeholder:text-text-secondary-alt focus:ring-1 focus:ring-border-light"
          />
        </div>
      </div>
--- a/client/src/components/SidePanel/Builder/ActionsPanel.tsx
+++ b/client/src/components/SidePanel/Builder/ActionsPanel.tsx
@ -1,4 +1,4 @@
-import { useEffect, useState } from 'react';
+import { useEffect } from 'react';
 import { useForm, FormProvider } from 'react-hook-form';
 import {
  AuthTypeEnum,
@ -8,7 +8,7 @@ import {
 import { ChevronLeft } from 'lucide-react';
 import type { AssistantPanelProps, ActionAuthForm } from '~/common';
 import { useAssistantsMapContext, useToastContext } from '~/Providers';
-import { Dialog, DialogTrigger, OGDialog, OGDialogTrigger, Label } from '~/components/ui';
+import { OGDialog, OGDialogTrigger, Label } from '~/components/ui';
 import OGDialogTemplate from '~/components/ui/OGDialogTemplate';
 import { useDeleteAction } from '~/data-provider';
 import { TrashIcon } from '~/components/svg';
@ -29,7 +29,6 @@ export default function ActionsPanel({
  const localize = useLocalize();
  const { showToast } = useToastContext();
  const assistantMap = useAssistantsMapContext();
-  const [openAuthDialog, setOpenAuthDialog] = useState(false);
  const deleteAction = useDeleteAction({
    onSuccess: () => {
      showToast({
@ -68,7 +67,6 @@ export default function ActionsPanel({
  });

  const { reset, watch } = methods;
-  const type = watch('type');

  useEffect(() => {
    if (action?.metadata?.auth) {
@ -162,40 +160,7 @@ export default function ActionsPanel({
            <a href="https://help.openai.com/en/articles/8554397-creating-a-gpt" target="_blank" rel="noreferrer" className="font-medium">Learn more.</a>
          </div> */}
          </div>
-          <Dialog open={openAuthDialog} onOpenChange={setOpenAuthDialog}>
-            <DialogTrigger asChild>
-              <div className="relative mb-4">
-                <div className="mb-1.5 flex items-center">
-                  <label className="text-token-text-primary block font-medium">
-                    {localize('com_ui_authentication')}
-                  </label>
-                </div>
-                <div className="border-token-border-medium flex rounded-lg border text-sm hover:cursor-pointer">
-                  <div className="h-9 grow px-3 py-2">{type}</div>
-                  <div className="bg-token-border-medium w-px"></div>
-                  <button type="button" color="neutral" className="flex items-center gap-2 px-3">
-                    <svg
-                      width="24"
-                      height="24"
-                      viewBox="0 0 24 24"
-                      fill="none"
-                      xmlns="http://www.w3.org/2000/svg"
-                      className="icon-sm"
-                    >
-                      <path
-                        d="M11.6439 3C10.9352 3 10.2794 3.37508 9.92002 3.98596L9.49644 4.70605C8.96184 5.61487 7.98938 6.17632 6.93501 6.18489L6.09967 6.19168C5.39096 6.19744 4.73823 6.57783 4.38386 7.19161L4.02776 7.80841C3.67339 8.42219 3.67032 9.17767 4.01969 9.7943L4.43151 10.5212C4.95127 11.4386 4.95127 12.5615 4.43151 13.4788L4.01969 14.2057C3.67032 14.8224 3.67339 15.5778 4.02776 16.1916L4.38386 16.8084C4.73823 17.4222 5.39096 17.8026 6.09966 17.8083L6.93502 17.8151C7.98939 17.8237 8.96185 18.3851 9.49645 19.294L9.92002 20.014C10.2794 20.6249 10.9352 21 11.6439 21H12.3561C13.0648 21 13.7206 20.6249 14.08 20.014L14.5035 19.294C15.0381 18.3851 16.0106 17.8237 17.065 17.8151L17.9004 17.8083C18.6091 17.8026 19.2618 17.4222 19.6162 16.8084L19.9723 16.1916C20.3267 15.5778 20.3298 14.8224 19.9804 14.2057L19.5686 13.4788C19.0488 12.5615 19.0488 11.4386 19.5686 10.5212L19.9804 9.7943C20.3298 9.17767 20.3267 8.42219 19.9723 7.80841L19.6162 7.19161C19.2618 6.57783 18.6091 6.19744 17.9004 6.19168L17.065 6.18489C16.0106 6.17632 15.0382 5.61487 14.5036 4.70605L14.08 3.98596C13.7206 3.37508 13.0648 3 12.3561 3H11.6439Z"
-                        stroke="currentColor"
-                        strokeWidth="2"
-                        strokeLinejoin="round"
-                      />
-                      <circle cx="12" cy="12" r="2.5" stroke="currentColor" strokeWidth="2" />
-                    </svg>
-                  </button>
-                </div>
-              </div>
-            </DialogTrigger>
-            <ActionsAuth setOpenAuthDialog={setOpenAuthDialog} />
-          </Dialog>
+          <ActionsAuth disableOAuth={true} />
          <ActionsInput
            action={action}
            assistant_id={assistant_id}
--- a/client/src/components/SidePanel/Files/PanelFileCell.tsx
+++ b/client/src/components/SidePanel/Files/PanelFileCell.tsx
@ -4,12 +4,12 @@ import ImagePreview from '~/components/Chat/Input/Files/ImagePreview';
 import FilePreview from '~/components/Chat/Input/Files/FilePreview';
 import { getFileType } from '~/utils';

-export default function PanelFileCell({ row }: { row: Row<TFile> }) {
+export default function PanelFileCell({ row }: { row: Row<TFile | undefined> }) {
  const file = row.original;

  return (
    <div className="flex w-full items-center gap-2">
-      {file.type.startsWith('image') ? (
+      {file?.type.startsWith('image') === true ? (
        <ImagePreview
          url={file.filepath}
          className="h-10 w-10 flex-shrink-0"
@ -17,11 +17,11 @@ export default function PanelFileCell({ row }: { row: Row<TFile> }) {
          alt={file.filename}
        />
      ) : (
-        <FilePreview fileType={getFileType(file.type)} file={file} />
+        <FilePreview fileType={getFileType(file?.type)} file={file} />
      )}
      <div className="min-w-0 flex-1 overflow-hidden">
        <span className="block w-full overflow-hidden truncate text-ellipsis whitespace-nowrap text-xs">
-          {file.filename}
+          {file?.filename}
        </span>
      </div>
    </div>
--- a/client/src/components/ui/OGDialogTemplate.tsx
+++ b/client/src/components/ui/OGDialogTemplate.tsx
@ -6,7 +6,6 @@ import {
  OGDialogHeader,
  OGDialogContent,
  OGDialogDescription,
-  OGDialog,
 } from './OriginalDialog';
 import { useLocalize } from '~/hooks';
 import { Spinner } from '../svg';
--- a/client/src/hooks/SSE/useStepHandler.ts
+++ b/client/src/hooks/SSE/useStepHandler.ts
@ -125,6 +125,8 @@ export default function useStepHandler({
        name,
        args,
        type: ToolCallTypes.TOOL_CALL,
+        auth: contentPart.tool_call.auth,
+        expires_at: contentPart.tool_call.expires_at,
      };

      if (finalUpdate) {
@ -286,6 +288,11 @@ export default function useStepHandler({
              },
            };

+            if (runStepDelta.delta.auth != null) {
+              contentPart.tool_call.auth = runStepDelta.delta.auth;
+              contentPart.tool_call.expires_at = runStepDelta.delta.expires_at;
+            }
+
            updatedResponse = updateContent(updatedResponse, runStep.index, contentPart);
          });

--- a/client/src/locales/en/translation.json
+++ b/client/src/locales/en/translation.json
@ -518,6 +518,8 @@
  "com_ui_attach_warn_endpoint": "Non-Assistant files may be ignored without a compatible tool",
  "com_ui_attachment": "Attachment",
  "com_ui_authentication": "Authentication",
+  "com_ui_auth_type": "Auth Type",
+  "com_ui_authentication_type": "Authentication Type",
  "com_ui_avatar": "Avatar",
  "com_ui_back_to_chat": "Back to Chat",
  "com_ui_back_to_prompts": "Back to Prompts",
@ -622,6 +624,22 @@
  "com_ui_endpoint_menu": "LLM Endpoint Menu",
  "com_ui_endpoints_available": "Available Endpoints",
  "com_ui_enter": "Enter",
+  "com_ui_api_key": "API Key",
+  "com_ui_oauth": "OAuth",
+  "com_ui_basic": "Basic",
+  "com_ui_bearer": "Bearer",
+  "com_ui_custom": "Custom",
+  "com_ui_custom_header_name": "Custom Header Name",
+  "com_ui_client_id": "Client ID",
+  "com_ui_client_secret": "Client Secret",
+  "com_ui_auth_url": "Authorization URL",
+  "com_ui_token_url": "Token URL",
+  "com_ui_scope": "Scope",
+  "com_ui_service_http": "API Key",
+  "com_ui_default_post_request": "Default (POST request)",
+  "com_ui_token_exchange_method": "Token Exchange Method",
+  "com_ui_basic_auth_header": "Basic authorization header",
+  "com_ui_callback_url": "Callback URL",
  "com_ui_enter_api_key": "Enter API Key",
  "com_ui_enter_openapi_schema": "Enter your OpenAPI schema here",
  "com_ui_enter_var": "Enter {{0}}",
@ -706,6 +724,7 @@
  "com_ui_no_conversation_id": "No conversation ID found",
  "com_ui_no_prompt_description": "No description found.",
  "com_ui_no_terms_content": "No terms and conditions content to display",
+  "com_ui_none": "None",
  "com_ui_none_selected": "None selected",
  "com_ui_nothing_found": "Nothing found",
  "com_ui_of": "of",
@ -832,5 +851,10 @@
  "com_ui_yes": "Yes",
  "com_ui_zoom": "Zoom",
  "com_user_message": "You",
-  "com_warning_resubmit_unsupported": "Resubmitting the AI message is not supported for this endpoint."
+  "com_warning_resubmit_unsupported": "Resubmitting the AI message is not supported for this endpoint.",
+  "com_assistants_action_attempt": "Assistant wants to talk to {{0}}",
+  "com_assistants_attempt_info": "Assistant wants to send the following:",
+  "com_assistants_allow_sites_you_trust": "Only allow sites you trust.",
+  "com_ui_sign_in_to_domain": "Sign-in to {{0}}",
+  "com_ui_requires_auth": "Requires Authentication"
 }
--- a/client/src/locales/nl/translation.json
+++ b/client/src/locales/nl/translation.json
@ -7,6 +7,7 @@
  "com_agents_code_interpreter": "Indien ingeschakeld, kan je agent de LibreChat Code Interpreter API gebruiken om gegenereerde code, inclusief bestandsverwerking, veilig uit te voeren. Vereist een geldige API-sleutel.",
  "com_agents_code_interpreter_title": "Code-interpreter API",
  "com_agents_create_error": "Er is een fout opgetreden bij het aanmaken van uw agent.",
+  "com_agents_instructions_placeholder": "De systeeminstructies die de agent gebruikt",
  "com_auth_already_have_account": "Heb je al een account?",
  "com_auth_click": "Klik",
  "com_auth_click_here": "Klik hier",
--- a/eslint.config.mjs
+++ b/eslint.config.mjs
@ -270,6 +270,7 @@ export default [
    })),
  {
    files: ['**/*.ts', '**/*.tsx'],
+    ignores: ['packages/**/*'],
    plugins: {
      '@typescript-eslint': typescriptEslintEslintPlugin,
      jest: fixupPluginRules(jest),
@ -283,7 +284,6 @@ export default [
      },
    },
    rules: {
-      // TODO: maybe later to error.
      '@typescript-eslint/no-unused-expressions': 'off',
      '@typescript-eslint/no-unused-vars': 'off',
      '@typescript-eslint/no-explicit-any': 'off',
--- a/package-lock.json
+++ b/package-lock.json
--- a/packages/data-provider/package.json
+++ b/packages/data-provider/package.json
@ -1,6 +1,6 @@
 {
  "name": "librechat-data-provider",
-  "version": "0.7.699",
+  "version": "0.7.6991",
  "description": "data services for librechat apps",
  "main": "dist/index.js",
  "module": "dist/index.es.js",
--- a/packages/data-provider/specs/actions.spec.ts
+++ b/packages/data-provider/specs/actions.spec.ts
@ -21,6 +21,7 @@ import type { ParametersSchema } from '../src/actions';

 jest.mock('axios');
 const mockedAxios = axios as jest.Mocked<typeof axios>;
+mockedAxios.create.mockReturnValue(mockedAxios);

 describe('FunctionSignature', () => {
  it('creates a function signature and converts to JSON tool', () => {
--- a/packages/data-provider/src/actions.ts
+++ b/packages/data-provider/src/actions.ts
@ -1,9 +1,15 @@
 import { z } from 'zod';
-import axios from 'axios';
+import _axios from 'axios';
 import { URL } from 'url';
 import crypto from 'crypto';
 import { load } from 'js-yaml';
-import type { FunctionTool, Schema, Reference, ActionMetadata } from './types/assistants';
+import type {
+  FunctionTool,
+  Schema,
+  Reference,
+  ActionMetadata,
+  ActionMetadataRuntime,
+} from './types/assistants';
 import type { OpenAPIV3 } from 'openapi-types';
 import { Tools, AuthTypeEnum, AuthorizationTypeEnum } from './types/assistants';

@ -176,7 +182,7 @@ class RequestExecutor {
    return this;
  }

-  async setAuth(metadata: ActionMetadata) {
+  async setAuth(metadata: ActionMetadataRuntime) {
    if (!metadata.auth) {
      return this;
    }
@ -199,6 +205,8 @@ class RequestExecutor {
      /* OAuth */
      oauth_client_id,
      oauth_client_secret,
+      oauth_token_expires_at,
+      oauth_access_token = '',
    } = metadata;

    const isApiKey = api_key != null && api_key.length > 0 && type === AuthTypeEnum.ServiceHttp;
@ -230,22 +238,23 @@ class RequestExecutor {
    ) {
      this.authHeaders[custom_auth_header] = api_key;
    } else if (isOAuth) {
-      const authToken = this.authToken ?? '';
-      if (!authToken) {
-        const tokenResponse = await axios.post(
-          client_url,
-          {
-            client_id: oauth_client_id,
-            client_secret: oauth_client_secret,
-            scope: scope,
-            grant_type: 'client_credentials',
-          },
-          {
-            headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-          },
-        );
-        this.authToken = tokenResponse.data.access_token;
+      // TODO: maybe doing it in a different way later on. but we want that the user needs to folllow the oauth flow.
+      // If we do not have a valid token, bail or ask user to sign in
+      const now = new Date();
+
+      // 1. Check if token is set
+      if (!oauth_access_token) {
+        throw new Error('No access token found. Please log in first.');
      }
+
+      // 2. Check if token is expired
+      if (oauth_token_expires_at && now >= new Date(oauth_token_expires_at)) {
+        // Optionally check refresh_token logic, or just prompt user to re-login
+        throw new Error('Access token is expired. Please re-login.');
+      }
+
+      // If valid, use it
+      this.authToken = oauth_access_token;
      this.authHeaders['Authorization'] = `Bearer ${this.authToken}`;
    }
    return this;
@ -259,7 +268,7 @@ class RequestExecutor {
    };

    const method = this.config.method.toLowerCase();
-
+    const axios = _axios.create();
    if (method === 'get') {
      return axios.get(url, { headers, params: this.params });
    } else if (method === 'post') {
@ -511,6 +520,7 @@ export function validateAndParseOpenAPISpec(specString: string): ValidationResul
      spec: parsedSpec,
    };
  } catch (error) {
+    console.error(error);
    return { status: false, message: 'Error parsing OpenAPI spec.' };
  }
 }
--- a/packages/data-provider/src/bedrock.ts
+++ b/packages/data-provider/src/bedrock.ts
@ -25,7 +25,7 @@ export const bedrockInputSchema = s.tConversationSchema
    topK: true,
    additionalModelRequestFields: true,
  })
-  .transform(s.removeNullishValues)
+  .transform((obj) => s.removeNullishValues(obj))
  .catch(() => ({}));

 export type BedrockConverseInput = z.infer<typeof bedrockInputSchema>;
--- a/packages/data-provider/src/config.ts
+++ b/packages/data-provider/src/config.ts
@ -932,6 +932,10 @@ export enum CacheKeys {
   * Key for in-progress messages.
   */
  MESSAGES = 'messages',
+  /**
+   * Key for in-progress flow states.
+   */
+  FLOWS = 'flows',
 }

 /**
--- a/packages/data-provider/src/schemas.ts
+++ b/packages/data-provider/src/schemas.ts
@ -877,7 +877,10 @@ export const gptPluginsSchema = tConversationSchema
    maxContextTokens: undefined,
  }));

-export function removeNullishValues<T extends Record<string, unknown>>(obj: T): Partial<T> {
+export function removeNullishValues<T extends Record<string, unknown>>(
+  obj: T,
+  removeEmptyStrings?: boolean,
+): Partial<T> {
  const newObj: Partial<T> = { ...obj };

  (Object.keys(newObj) as Array<keyof T>).forEach((key) => {
@ -885,6 +888,9 @@ export function removeNullishValues<T extends Record<string, unknown>>(obj: T):
    if (value === undefined || value === null) {
      delete newObj[key];
    }
+    if (removeEmptyStrings && typeof value === 'string' && value === '') {
+      delete newObj[key];
+    }
  });

  return newObj;
@ -935,8 +941,7 @@ export const compactAssistantSchema = tConversationSchema
    greeting: true,
    spec: true,
  })
-  // will change after adding temperature
-  .transform(removeNullishValues)
+  .transform((obj) => removeNullishValues(obj))
  .catch(() => ({}));

 export const agentsSchema = tConversationSchema
@ -1138,7 +1143,7 @@ export const compactPluginsSchema = tConversationSchema
  })
  .catch(() => ({}));

-const tBannerSchema = z.object({
+export const tBannerSchema = z.object({
  bannerId: z.string(),
  message: z.string(),
  displayFrom: z.string(),
@ -1160,5 +1165,5 @@ export const compactAgentsSchema = tConversationSchema
    instructions: true,
    additional_instructions: true,
  })
-  .transform(removeNullishValues)
+  .transform((obj) => removeNullishValues(obj))
  .catch(() => ({}));
--- a/packages/data-provider/src/types/agents.ts
+++ b/packages/data-provider/src/types/agents.ts
@ -52,6 +52,10 @@ export namespace Agents {
    id?: string;
    /** If provided, the output of the tool call */
    output?: string;
+    /** Auth URL */
+    auth?: string;
+    /** Expiration time */
+    expires_at?: number;
  };

  export type ToolEndEvent = {
@ -190,6 +194,8 @@ export namespace Agents {
  export type ToolCallDelta = {
    type: StepTypes.TOOL_CALLS | string;
    tool_calls?: ToolCallChunk[];
+    auth?: string;
+    expires_at?: number;
  };
  export type AgentToolCall = FunctionToolCall | ToolCall;
  export interface ExtendedMessageContent {
--- a/packages/data-provider/src/types/assistants.ts
+++ b/packages/data-provider/src/types/assistants.ts
@ -417,6 +417,8 @@ export type PartMetadata = {
  asset_pointer?: string;
  status?: string;
  action?: boolean;
+  auth?: string;
+  expires_at?: number;
 };

 export type ContentPart = (
@ -506,6 +508,12 @@ export type ActionMetadata = {
  oauth_client_secret?: string;
 };

+export type ActionMetadataRuntime = ActionMetadata & {
+  oauth_access_token?: string;
+  oauth_refresh_token?: string;
+  oauth_token_expires_at?: Date;
+};
+
 /* Assistant types */

 export type Action = {
--- a/packages/data-provider/tsconfig.json
+++ b/packages/data-provider/tsconfig.json
@ -18,9 +18,8 @@
    "isolatedModules": true,
    "noEmit": true,
    "sourceMap": true,
-    "baseUrl": ".", // This should be the root of your package
+    "baseUrl": ".",
    "paths": {
-      // Add path mappings
      "librechat-data-provider/react-query": ["./src/react-query/index.ts"]
    }
  },
--- a/packages/mcp/babel.config.cjs
+++ b/packages/mcp/babel.config.cjs
--- a/packages/mcp/jest.config.mjs
+++ b/packages/mcp/jest.config.mjs
@ -1,4 +1,4 @@
-module.exports = {
+export default {
  collectCoverageFrom: ['src/**/*.{js,jsx,ts,tsx}', '!<rootDir>/node_modules/'],
  coveragePathIgnorePatterns: ['/node_modules/', '/dist/'],
  coverageReporters: ['text', 'cobertura'],
@ -15,4 +15,5 @@ module.exports = {
  //   },
  // },
  restoreMocks: true,
-};
+  testTimeout: 15000,
+};
--- a/packages/mcp/package.json
+++ b/packages/mcp/package.json
@ -73,5 +73,8 @@
    "diff": "^7.0.0",
    "eventsource": "^3.0.1",
    "express": "^4.21.2"
+  },
+  "peerDependencies": {
+    "keyv": "^4.5.4"
  }
 }
--- a/packages/mcp/src/flow/manager.spec.ts
+++ b/packages/mcp/src/flow/manager.spec.ts
@ -0,0 +1,152 @@
+import { FlowStateManager } from './manager';
+import Keyv from 'keyv';
+import type { FlowState } from './types';
+
+// Create a mock class without extending Keyv
+class MockKeyv {
+  private store: Map<string, FlowState<string>>;
+
+  constructor() {
+    this.store = new Map();
+  }
+
+  async get(key: string): Promise<FlowState<string> | undefined> {
+    return this.store.get(key);
+  }
+
+  // eslint-disable-next-line @typescript-eslint/no-unused-vars
+  async set(key: string, value: FlowState<string>, _ttl?: number): Promise<true> {
+    this.store.set(key, value);
+    return true;
+  }
+
+  async delete(key: string): Promise<boolean> {
+    return this.store.delete(key);
+  }
+}
+
+describe('FlowStateManager', () => {
+  let flowManager: FlowStateManager<string>;
+  let store: MockKeyv;
+
+  beforeEach(() => {
+    store = new MockKeyv();
+    // Type assertion here since we know our mock implements the necessary methods
+    flowManager = new FlowStateManager(store as unknown as Keyv, { ttl: 30000, ci: true });
+  });
+
+  afterEach(() => {
+    jest.clearAllMocks();
+  });
+
+  describe('Concurrency Tests', () => {
+    it('should handle concurrent flow creation and return same result', async () => {
+      const flowId = 'test-flow';
+      const type = 'test-type';
+
+      // Start two concurrent flow creations
+      const flow1Promise = flowManager.createFlowWithHandler(flowId, type, async () => {
+        await new Promise((resolve) => setTimeout(resolve, 100));
+        return 'result';
+      });
+
+      const flow2Promise = flowManager.createFlowWithHandler(flowId, type, async () => {
+        await new Promise((resolve) => setTimeout(resolve, 50));
+        return 'different-result';
+      });
+
+      // Both should resolve to the same result from the first handler
+      const [result1, result2] = await Promise.all([flow1Promise, flow2Promise]);
+
+      expect(result1).toBe('result');
+      expect(result2).toBe('result');
+    });
+
+    it('should handle flow timeout correctly', async () => {
+      const flowId = 'timeout-flow';
+      const type = 'test-type';
+
+      // Create flow with very short TTL
+      const shortTtlManager = new FlowStateManager(store as unknown as Keyv, {
+        ttl: 100,
+        ci: true,
+      });
+
+      const flowPromise = shortTtlManager.createFlow(flowId, type);
+
+      await expect(flowPromise).rejects.toThrow('test-type flow timed out');
+    });
+
+    it('should maintain flow state consistency under high concurrency', async () => {
+      const flowId = 'concurrent-flow';
+      const type = 'test-type';
+
+      // Create multiple concurrent operations
+      const operations = [];
+      for (let i = 0; i < 10; i++) {
+        operations.push(
+          flowManager.createFlowWithHandler(flowId, type, async () => {
+            await new Promise((resolve) => setTimeout(resolve, Math.random() * 50));
+            return `result-${i}`;
+          }),
+        );
+      }
+
+      // All operations should resolve to the same result
+      const results = await Promise.all(operations);
+      const firstResult = results[0];
+      results.forEach((result: string) => {
+        expect(result).toBe(firstResult);
+      });
+    });
+
+    it('should handle race conditions in flow completion', async () => {
+      const flowId = 'test-flow';
+      const type = 'test-type';
+
+      // Create initial flow
+      const flowPromise = flowManager.createFlow(flowId, type);
+
+      // Increase delay to ensure flow is properly created
+      await new Promise((resolve) => setTimeout(resolve, 500));
+
+      // Complete the flow
+      await flowManager.completeFlow(flowId, type, 'result1');
+
+      const result = await flowPromise;
+      expect(result).toBe('result1');
+    }, 15000);
+
+    it('should handle concurrent flow monitoring', async () => {
+      const flowId = 'test-flow';
+      const type = 'test-type';
+
+      // Create initial flow
+      const flowPromise = flowManager.createFlow(flowId, type);
+
+      // Increase delay
+      await new Promise((resolve) => setTimeout(resolve, 500));
+
+      // Complete the flow
+      await flowManager.completeFlow(flowId, type, 'success');
+
+      const result = await flowPromise;
+      expect(result).toBe('success');
+    }, 15000);
+
+    it('should handle concurrent success and failure attempts', async () => {
+      const flowId = 'race-flow';
+      const type = 'test-type';
+
+      const flowPromise = flowManager.createFlow(flowId, type);
+
+      // Increase delay
+      await new Promise((resolve) => setTimeout(resolve, 500));
+
+      // Fail the flow
+      await flowManager.failFlow(flowId, type, new Error('failure'));
+
+      await expect(flowPromise).rejects.toThrow('failure');
+    }, 15000);
+  });
+});
--- a/packages/mcp/src/flow/manager.ts
+++ b/packages/mcp/src/flow/manager.ts
@ -0,0 +1,241 @@
+import Keyv from 'keyv';
+import type { Logger } from 'winston';
+import type { FlowState, FlowMetadata, FlowManagerOptions } from './types';
+
+export class FlowStateManager<T = unknown> {
+  private keyv: Keyv;
+  private ttl: number;
+  private logger: Logger;
+  private intervals: Set<NodeJS.Timeout>;
+
+  private static getDefaultLogger(): Logger {
+    return {
+      error: console.error,
+      warn: console.warn,
+      info: console.info,
+      debug: console.debug,
+    } as Logger;
+  }
+
+  constructor(store: Keyv, options?: FlowManagerOptions) {
+    if (!options) {
+      options = { ttl: 60000 * 3 };
+    }
+    const { ci = false, ttl, logger } = options;
+
+    if (!ci && !(store instanceof Keyv)) {
+      throw new Error('Invalid store provided to FlowStateManager');
+    }
+
+    this.ttl = ttl;
+    this.keyv = store;
+    this.logger = logger || FlowStateManager.getDefaultLogger();
+    this.intervals = new Set();
+    this.setupCleanupHandlers();
+  }
+
+  private setupCleanupHandlers() {
+    const cleanup = () => {
+      this.logger.info('Cleaning up FlowStateManager intervals...');
+      this.intervals.forEach((interval) => clearInterval(interval));
+      this.intervals.clear();
+      process.exit(0);
+    };
+
+    process.on('SIGTERM', cleanup);
+    process.on('SIGINT', cleanup);
+    process.on('SIGQUIT', cleanup);
+    process.on('SIGHUP', cleanup);
+  }
+
+  private getFlowKey(flowId: string, type: string): string {
+    return `${type}:${flowId}`;
+  }
+
+  /**
+   * Creates a new flow and waits for its completion
+   */
+  async createFlow(flowId: string, type: string, metadata: FlowMetadata = {}): Promise<T> {
+    const flowKey = this.getFlowKey(flowId, type);
+
+    let existingState = (await this.keyv.get(flowKey)) as FlowState<T> | undefined;
+    if (existingState) {
+      this.logger.debug(`[${flowKey}] Flow already exists`);
+      return this.monitorFlow(flowKey, type);
+    }
+
+    await new Promise((resolve) => setTimeout(resolve, 250));
+
+    existingState = (await this.keyv.get(flowKey)) as FlowState<T> | undefined;
+    if (existingState) {
+      this.logger.debug(`[${flowKey}] Flow exists on 2nd check`);
+      return this.monitorFlow(flowKey, type);
+    }
+
+    const initialState: FlowState = {
+      type,
+      status: 'PENDING',
+      metadata,
+      createdAt: Date.now(),
+    };
+
+    this.logger.debug('Creating initial flow state:', flowKey);
+    await this.keyv.set(flowKey, initialState, this.ttl);
+    return this.monitorFlow(flowKey, type);
+  }
+
+  private monitorFlow(flowKey: string, type: string): Promise<T> {
+    return new Promise<T>((resolve, reject) => {
+      const checkInterval = 2000;
+      let elapsedTime = 0;
+
+      const intervalId = setInterval(async () => {
+        try {
+          const flowState = (await this.keyv.get(flowKey)) as FlowState<T> | undefined;
+
+          if (!flowState) {
+            clearInterval(intervalId);
+            this.intervals.delete(intervalId);
+            this.logger.error(`[${flowKey}] Flow state not found`);
+            reject(new Error(`${type} Flow state not found`));
+            return;
+          }
+
+          if (flowState.status !== 'PENDING') {
+            clearInterval(intervalId);
+            this.intervals.delete(intervalId);
+            this.logger.debug(`[${flowKey}] Flow completed`);
+
+            if (flowState.status === 'COMPLETED' && flowState.result !== undefined) {
+              resolve(flowState.result);
+            } else if (flowState.status === 'FAILED') {
+              await this.keyv.delete(flowKey);
+              reject(new Error(flowState.error ?? `${type} flow failed`));
+            }
+            return;
+          }
+
+          elapsedTime += checkInterval;
+          if (elapsedTime >= this.ttl) {
+            clearInterval(intervalId);
+            this.intervals.delete(intervalId);
+            this.logger.error(
+              `[${flowKey}] Flow timed out | Elapsed time: ${elapsedTime} | TTL: ${this.ttl}`,
+            );
+            await this.keyv.delete(flowKey);
+            reject(new Error(`${type} flow timed out`));
+          }
+          this.logger.debug(
+            `[${flowKey}] Flow state elapsed time: ${elapsedTime}, checking again...`,
+          );
+        } catch (error) {
+          this.logger.error(`[${flowKey}] Error checking flow state:`, error);
+          clearInterval(intervalId);
+          this.intervals.delete(intervalId);
+          reject(error);
+        }
+      }, checkInterval);
+
+      this.intervals.add(intervalId);
+    });
+  }
+
+  /**
+   * Completes a flow successfully
+   */
+  async completeFlow(flowId: string, type: string, result: T): Promise<boolean> {
+    const flowKey = this.getFlowKey(flowId, type);
+    const flowState = (await this.keyv.get(flowKey)) as FlowState<T> | undefined;
+
+    if (!flowState) {
+      return false;
+    }
+
+    const updatedState: FlowState<T> = {
+      ...flowState,
+      status: 'COMPLETED',
+      result,
+      completedAt: Date.now(),
+    };
+
+    await this.keyv.set(flowKey, updatedState, this.ttl);
+    return true;
+  }
+
+  /**
+   * Marks a flow as failed
+   */
+  async failFlow(flowId: string, type: string, error: Error | string): Promise<boolean> {
+    const flowKey = this.getFlowKey(flowId, type);
+    const flowState = (await this.keyv.get(flowKey)) as FlowState | undefined;
+
+    if (!flowState) {
+      return false;
+    }
+
+    const updatedState: FlowState = {
+      ...flowState,
+      status: 'FAILED',
+      error: error instanceof Error ? error.message : error,
+      failedAt: Date.now(),
+    };
+
+    await this.keyv.set(flowKey, updatedState, this.ttl);
+    return true;
+  }
+
+  /**
+   * Gets current flow state
+   */
+  async getFlowState(flowId: string, type: string): Promise<FlowState<T> | null> {
+    const flowKey = this.getFlowKey(flowId, type);
+    return this.keyv.get(flowKey);
+  }
+
+  /**
+   * Creates a new flow and waits for its completion, only executing the handler if no existing flow is found
+   * @param flowId - The ID of the flow
+   * @param type - The type of flow
+   * @param handler - Async function to execute if no existing flow is found
+   * @param metadata - Optional metadata for the flow
+   */
+  async createFlowWithHandler(
+    flowId: string,
+    type: string,
+    handler: () => Promise<T>,
+    metadata: FlowMetadata = {},
+  ): Promise<T> {
+    const flowKey = this.getFlowKey(flowId, type);
+    let existingState = (await this.keyv.get(flowKey)) as FlowState<T> | undefined;
+    if (existingState) {
+      this.logger.debug(`[${flowKey}] Flow already exists`);
+      return this.monitorFlow(flowKey, type);
+    }
+
+    await new Promise((resolve) => setTimeout(resolve, 250));
+
+    existingState = (await this.keyv.get(flowKey)) as FlowState<T> | undefined;
+    if (existingState) {
+      this.logger.debug(`[${flowKey}] Flow exists on 2nd check`);
+      return this.monitorFlow(flowKey, type);
+    }
+
+    const initialState: FlowState = {
+      type,
+      status: 'PENDING',
+      metadata,
+      createdAt: Date.now(),
+    };
+    this.logger.debug(`[${flowKey}] Creating initial flow state`);
+    await this.keyv.set(flowKey, initialState, this.ttl);
+
+    try {
+      const result = await handler();
+      await this.completeFlow(flowId, type, result);
+      return result;
+    } catch (error) {
+      await this.failFlow(flowId, type, error instanceof Error ? error : new Error(String(error)));
+      throw error;
+    }
+  }
+}
--- a/packages/mcp/src/flow/types.ts
+++ b/packages/mcp/src/flow/types.ts
@ -0,0 +1,23 @@
+import type { Logger } from 'winston';
+export type FlowStatus = 'PENDING' | 'COMPLETED' | 'FAILED';
+
+export interface FlowMetadata {
+  [key: string]: unknown;
+}
+
+export interface FlowState<T = unknown> {
+  type: string;
+  status: FlowStatus;
+  metadata: FlowMetadata;
+  createdAt: number;
+  result?: T;
+  error?: string;
+  completedAt?: number;
+  failedAt?: number;
+}
+
+export interface FlowManagerOptions {
+  ttl: number;
+  ci?: boolean;
+  logger?: Logger;
+}
--- a/packages/mcp/src/index.ts
+++ b/packages/mcp/src/index.ts
@ -1,4 +1,7 @@
 /* MCP */
 export * from './manager';
+/* Flow */
+export * from './flow/manager';
 /* types */
 export type * from './types/mcp';
+export type * from './flow/types';
--- a/packages/mcp/tsconfig.json
+++ b/packages/mcp/tsconfig.json
@ -18,7 +18,7 @@
    "isolatedModules": true,
    "noEmit": true,
    "sourceMap": true,
-    "baseUrl": "." // This should be the root of your package
+    "baseUrl": "."
  },
  "ts-node": {
    "experimentalSpecifierResolution": "node",