Skip to content

Commit 26a82e0

Browse files
wdawsonclaudegithub-actions[bot]
authored
docs: add Stytch setup guide (#992)
* docs: add Stytch setup guide for User Sources (GRO-97) Fourth per-provider page under /guides/user-sources/, modeled on the Microsoft Entra ID, Okta, and Auth0 pages. Walks an admin through creating a Connected App in Stytch's Dashboard, setting the Arcade redirect URL, and pasting the Client ID / Client Secret into Arcade's User Source form. Stytch-specific decisions: - Custom domain is required. Stytch projects without a custom domain emit an issuer in the form `stytch.com/<project_id>` (no scheme), which Arcade can't byte-for-byte validate against incoming `iss` claims. Verified empirically against a test B2C and B2B project. - One shared page for both B2C and B2B SKUs. Connected Apps behaves identically at the OIDC protocol level (same issuer, scopes, grant types, signing alg, subject types, userinfo); the only difference is which Stytch Dashboard you log into. - No PKCE step. Connected Apps support PKCE on confidential clients automatically, with no per-app toggle. Add `Stytch`, `Connected App`, `Connected Apps` to the Arcade Vale vocabulary and reorganize the file so the project-specific terms sit together above the Tailwind regex section. Screenshots are intentionally omitted from this commit; Wils is capturing them from his test B2C tenant and they'll wire up in a follow-up commit on this branch. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs: rewrite Stytch page from real dashboard captures + new prereqs Major revisions after Wils ran the flow against his test project and shared screenshots: - Drop the "custom domain required" framing. The Stytch-issued Project domain (auto-provisioned as `<name>.customers.stytch.dev` for every project, visible on Project Overview) works as the OIDC issuer without setting up a custom DNS record. Custom domains move to a Note as an optional upgrade. - Move the B2C/B2B applicability statement to the opening paragraph (per Wils) so it's not buried in Before-you-start. - Add two prereqs Wils hit during testing: - Frontend SDK enabled on the project - Authorization URL configured on the Connected App (links to Stytch's existing-auth-system integration guide) - Capture the actual Create dialog flow: pick "First-party application" + "Confidential method" + "Secure Web Application". - Use the real field name "Login Redirect URLs" (plural) instead of the generic "Redirect URLs". - Add a Note explaining the test→production toggle on the Connected App (Enable for production), since the dashboard defaults to test mode. - Wire up four light-mode screenshots: Create dialog, Client ID + Login Redirect URLs panel, client secret one-time dialog, Project Overview with the Project domain. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs: fix link drift and tighten Notes on Stytch page Verified every URL on the page. Findings + fixes: - Two URLs were behind a Stytch login wall (redirected to /docs/login?redirect=...): the SDK getting-started page and the custom-domains guide. Swap them for public-accessible canonical pages. - Five URLs were 308/307 redirects to renamed canonical paths. Update in place so readers don't bounce through a redirect. - Drop the duplicate Consumer/B2B links from the intro; the original redirects pointed to the same page anyway. Keep one Connected Apps link and prose ("applies to both Stytch Consumer and B2B projects"). - Drop the PKCE Note (per Wils — not adding value for this provider since there's no admin-visible PKCE toggle to call out). Verified all remaining links return 200 directly with no redirects. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs: correct Stytch subject-claim Note — no ID token custom claims today The earlier link pointed at Stytch's session-JWT custom-claims feature, which is a different mechanism: those claims are on the session token Stytch's frontend SDK consumes, not on the OIDC ID token issued by Connected Apps to external clients like Arcade. Verified against Stytch's Connected App ID Token Object reference: ID tokens issued via Connected Apps carry only the standard OIDC claims (iss, sub, aud, exp, nbf, iat, plus profile / email / phone claims when those scopes apply). There's no per-app custom-claim template for ID tokens today — only the access token has one. Rewrite the Note to: - Recommend `sub` (Stytch user ID) without offering custom claims as an alternative - Link to the canonical Connected App ID Token Object reference - Be explicit about the limitation so admins don't go hunting for a custom-claim feature that doesn't exist Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * 🤖 Regenerate LLMs.txt * docs: polish Stytch page tone to match Entra/Okta/Auth0 Pass for tone consistency with the other per-provider pages. The previous draft drifted into casual phrasing ("right pick", "isn't suitable", "Stick with", "the only available picks") that didn't match the declarative + explanatory voice used elsewhere in the docs. Specific revisions: - Step 2 (Choose the application type): rewrite the rationale for First-party + Confidential method as informative descriptions of what each choice does, rather than colloquial recommendations. - Step 4 (Save the client secret): replace "keep it somewhere safe" with "store it somewhere secure" and add an explicit consequence for losing the value (rotation required). - Subject Claim Note: open with "Arcade's default Subject Claim, `sub`, is the Stytch user's stable identifier and is the recommended value" instead of "Stick with...". State the constraint factually rather than as a workaround. - Test vs production Note: tightened phrasing, removed redundant "Test-mode apps issue test-mode credentials and require test API keys" detail that didn't add information. - Client secret rotation Note: address the reader directly ("while you swap") rather than passive voice ("while the new one is swapped"), keeping the active-voice posture Vale prefers. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs: drop redundant claim list from Stytch Subject Claim Note The parenthetical enumeration of standard OIDC claims wasn't adding useful information for the reader. The linked reference covers them in full. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
1 parent c180308 commit 26a82e0

8 files changed

Lines changed: 125 additions & 1 deletion

File tree

app/en/guides/user-sources/_meta.tsx

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,9 @@ export const meta: MetaRecord = {
1313
okta: {
1414
title: "Okta",
1515
},
16+
stytch: {
17+
title: "Stytch",
18+
},
1619
};
1720

1821
export default meta;
Lines changed: 117 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,117 @@
1+
---
2+
title: "Stytch"
3+
description: "Use Stytch as a User Source so people who already sign in through your Stytch tenant can sign in to your MCP Gateways"
4+
---
5+
6+
import Image from "next/image";
7+
import { Callout, Steps } from "nextra/components";
8+
9+
export const IMAGE_SCALE_FACTOR = 1.5;
10+
export const STYTCH_SCREENSHOT_WIDTH = 1312 / IMAGE_SCALE_FACTOR;
11+
export const STYTCH_SCREENSHOT_HEIGHT = 1099 / IMAGE_SCALE_FACTOR;
12+
13+
# Stytch
14+
15+
Use Stytch as a User Source so the people who already sign in through your Stytch project can sign in to your MCP Gateways. Stytch's [Connected Apps](https://stytch.com/docs/connected-apps/build-login-flow/login-flow) feature turns your Stytch project into an OIDC identity provider that Arcade can connect to. This guide applies to both Stytch Consumer and B2B projects, where the Connected Apps feature behaves identically. Once you have the values it tells you to copy, [create the User Source in Arcade](/guides/user-sources#create-a-user-source).
16+
17+
## Before you start
18+
19+
- A Stytch admin role that can manage Connected Apps in your project.
20+
- A Stytch project. You can develop and test in the project's test environment first and switch the Connected App to production mode when you're ready.
21+
- The Stytch Frontend SDK enabled on the project. Connected Apps uses a customer-hosted page to render the authorization UI, and the SDK is what powers that page. Stytch's [build a login flow](https://stytch.com/docs/connected-apps/build-login-flow/login-flow) guide covers the SDK setup.
22+
- An **Authorization URL** configured on the Connected App, pointing to the page on your site that mounts Stytch's `<IdentityProvider />` (Consumer) or `<B2BIdentityProvider />` (B2B) component. Stytch's [integrate Connected Apps with an existing authentication system](https://stytch.com/docs/connected-apps/guides/integrate-with-existing-system) guide walks through the setup.
23+
- An Arcade project where you'll create the User Source.
24+
25+
## Register a Connected App in Stytch
26+
27+
<Steps>
28+
29+
### Open the Stytch Dashboard
30+
31+
Sign in to the [Stytch Dashboard](https://stytch.com/dashboard) for your project.
32+
33+
Go to **Connected Apps** in the left navigation, then click **Add Application**.
34+
35+
### Choose the application type
36+
37+
In the **Select type of Connected App** dialog:
38+
39+
- **Application type**: **First-party application**. First-party apps skip the Stytch consent screen at sign-in, which fits the User Source pattern where Arcade is acting as part of your own identity infrastructure rather than a third-party application requesting access.
40+
- **Authorization Code method**: **Confidential method**, with **Secure Web Application** selected. Arcade authenticates with Stytch using a client secret, which the confidential method supports. The public method is intended for applications that cannot securely store a secret and does not apply here.
41+
42+
Click **Add Application**.
43+
44+
<Image
45+
alt="Select type of Connected App dialog with First-party application and Confidential method selected"
46+
className="max-w-full mt-4"
47+
src="/images/user-sources/stytch/stytch-create-app-light.png"
48+
width={STYTCH_SCREENSHOT_WIDTH}
49+
height={STYTCH_SCREENSHOT_HEIGHT}
50+
/>
51+
52+
### Name the app and add the Arcade redirect URL
53+
54+
On the new app's **Details** page, set **Name** to something your team will recognize, for example `Arcade User Source`.
55+
56+
Scroll to the **Login Redirect URLs** section and add this URL:
57+
58+
`https://cloud.arcade.dev/oauth2/intermediate_callback`
59+
60+
Click **Save** to apply the changes. Stytch reveals the **Client ID** at the top of the details panel.
61+
62+
<Image
63+
alt="Connected App Details panel showing the Client ID at the top and Login Redirect URLs section with the Arcade redirect URL filled in"
64+
className="max-w-full mt-4"
65+
src="/images/user-sources/stytch/stytch-client-id-redirect-uri-light.png"
66+
width={STYTCH_SCREENSHOT_WIDTH}
67+
height={STYTCH_SCREENSHOT_HEIGHT}
68+
/>
69+
70+
### Save the client secret
71+
72+
Stytch shows the **Client Secret** in a one-time dialog after the app is created. Copy the value and store it somewhere secure. The full secret is not retrievable from the Dashboard afterward, so a lost value requires rotating to a new one.
73+
74+
Check the **I have saved my client secret in a secure place** box and confirm.
75+
76+
<Image
77+
alt="Did you save your client secret? dialog with the secret visible and the confirmation checkbox"
78+
className="max-w-full mt-4"
79+
src="/images/user-sources/stytch/stytch-client-secret-light.png"
80+
width={STYTCH_SCREENSHOT_WIDTH}
81+
height={STYTCH_SCREENSHOT_HEIGHT}
82+
/>
83+
84+
</Steps>
85+
86+
## Copy these values to Arcade
87+
88+
Open your project's **Project Overview** page in the Stytch Dashboard. The **Project ID & API keys** section lists your **Project domain**, which is the OIDC issuer Arcade uses.
89+
90+
<Image
91+
alt="Stytch Project Overview page with the Project domain field highlighted"
92+
className="max-w-full mt-4"
93+
src="/images/user-sources/stytch/stytch-domain-light.png"
94+
width={STYTCH_SCREENSHOT_WIDTH}
95+
height={STYTCH_SCREENSHOT_HEIGHT}
96+
/>
97+
98+
Copy these values into Arcade's User Source form:
99+
100+
| Arcade field | Where to find it in Stytch |
101+
|---|---|
102+
| **Issuer URL** | The full URL form of your **Project domain** from the **Project Overview** page, for example `https://<your-project-domain>.customers.stytch.dev`. Stytch publishes the OIDC discovery document at `<project-domain>/.well-known/openid-configuration`. |
103+
| **Client ID** | The ID shown at the top of the Connected App's **Details** page. |
104+
| **Client Secret** | The Client Secret you saved when you created the app. |
105+
106+
## Create the User Source in Arcade
107+
108+
Open the Arcade Dashboard, select your project, navigate to **User Sources**, and click **Create User Source**. Paste the values from the table above. For a walkthrough of the form, see [Create a User Source](/guides/user-sources#create-a-user-source) in the User Sources overview.
109+
110+
Once the User Source is active, attach it to an MCP Gateway by following [Create via Dashboard](/guides/mcp-gateways/create-via-dashboard) and picking **User Source** under "Non-Arcade Users" in the gateway form.
111+
112+
## Notes
113+
114+
- **Test vs production**: New Connected Apps default to test mode and issue test-environment credentials. Enable the **Enable for production** toggle on the app's **Details** page when you're ready to issue live tokens, then update the User Source in Arcade with the production Client ID and Client Secret.
115+
- **Custom Stytch domains**: If you've configured a [custom domain](https://stytch.com/docs/connected-apps/resources/custom-domains) on the Stytch project, use that hostname as the **Issuer URL** instead of the `<project-domain>.customers.stytch.dev` value. End users see the custom domain on the authorization page.
116+
- **Client secret rotation**: Stytch supports [rotating the client secret](https://stytch.com/docs/api-reference/consumer/api/connected-apps/rotate-secret/start-secret-rotation) for a Connected App from the Dashboard or via the API. The rotation flow keeps the previous secret active while you swap the new one into Arcade. See [Rotate the client secret](/guides/user-sources#rotate-the-client-secret) in the User Sources guide for the Arcade-side procedure.
117+
- **Subject Claim**: Arcade's default Subject Claim, `sub`, is the Stytch user's stable identifier and is the recommended value. Stytch's Connected Apps issues a [fixed set of standard OIDC claims](https://stytch.com/docs/api-reference/consumer/api/connected-apps/tokens/connected-app-id-token-object) on the ID token. Stytch does not currently support a custom-claim template for the ID token, so the standard claim set is what Arcade has available. See [Advanced: scopes and subject claim](/guides/user-sources#advanced-scopes-and-subject-claim) in the overview for what makes a good claim.
305 KB
Loading
281 KB
Loading
272 KB
Loading
276 KB
Loading

public/llms.txt

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
<!-- git-sha: e7668fa68b8dbebdfdac68f07e0e8d92836100e2 generation-date: 2026-06-02T22:07:48.236Z -->
1+
<!-- git-sha: 2e2be3803117defc992bf4c2e5744a162c4ae6ff generation-date: 2026-06-02T23:31:22.193Z -->
22

33
# Arcade
44

@@ -145,6 +145,7 @@ Arcade delivers three core capabilities: Deploy agents even your security team w
145145
- [Setup Arcade with LangChain](https://docs.arcade.dev/en/get-started/agent-frameworks/langchain/use-arcade-with-langchain-ts): This documentation page provides a comprehensive guide on integrating Arcade tools within LangChain agents, enabling users to build and manage AI agents effectively. It covers essential concepts, prerequisites, and step-by-step instructions for transforming Arcade tools into LangChain-compatible tools, configuring agents
146146
- [Setup Arcade with OpenAI Agents (TypeScript)](https://docs.arcade.dev/en/get-started/agent-frameworks/openai-agents/setup-typescript): This documentation page provides a comprehensive guide for setting up and building AI agents using the OpenAI Agents SDK with Arcade tools in TypeScript. It covers the integration process, including converting Arcade tools to the required format, handling authorization, and executing agent functions.
147147
- [Setup Arcade with OpenAI Agents SDK](https://docs.arcade.dev/en/get-started/agent-frameworks/openai-agents/setup-python): This documentation page guides users on how to set up and integrate Arcade tools within OpenAI Agents applications using the OpenAI Agents SDK. It covers the necessary prerequisites, provides step-by-step instructions for creating a CLI agent, and explains how to implement tool authorization
148+
- [Stytch](https://docs.arcade.dev/en/guides/user-sources/stytch): Documentation page
148149
- [Tavily](https://docs.arcade.dev/en/resources/integrations/search/tavily): Documentation page
149150
- [The Arcade Registry](https://docs.arcade.dev/en/resources/registry-early-access): The Arcade Registry documentation provides an overview of a platform where developers can share and monetize their tools for agentic applications, similar to HuggingFace or Pypi. It explains how the registry integrates runtime metrics and user feedback to enhance tool development and usage
150151
- [Tool error handling](https://docs.arcade.dev/en/guides/tool-calling/error-handling): This documentation page provides guidance on effectively handling errors when using tools with Arcade's Tool Development Kit (TDK). It explains the error handling philosophy, outlines best practices, and offers code examples for managing output errors in various programming languages. Users will learn how

styles/config/vocabularies/Arcade/accept.txt

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,9 @@ User Source
55
User Sources
66
Entra
77
Entra ID
8+
Stytch
9+
Connected App
10+
Connected Apps
811
LLM
912
SDK
1013
API

0 commit comments

Comments
 (0)