Gemini-CLI and OAuth

How to connect to Looker from Gemini-CLI with end-user credentials

Overview

Gemini-CLI can be configured to get an OAuth token from Looker, then send this token to MCP Toolbox as part of the request. MCP Toolbox can then use this token to authentincate with Looker. This means that there is no need to get a Looker Client ID and Client Secret. This also means that MCP Toolbox can be set up as a shared resource.

This configuration requires Toolbox v0.14.0 or later.

Step 1: Register the OAuth App in Looker

You first need to register the OAuth application. Refer to the documentation here. You may need to ask an administrator to do this for you.

Go to the API Explorer application, locate “Register OAuth App”, and press the “Run It” button.
Set the client_guid to “gemini-cli”.
Set the redirect_uri to “http://localhost:7777/oauth/callback”.
The display_name and description can be “Gemini-CLI” or anything meaningful.
Set enabled to “true”.
Check the box confirming that you understand this API will change data.
Click the “Run” button.

Step 2: Install and configure Toolbox

In this section, we will download Toolbox and run the Toolbox server.

Download the latest version of Toolbox as a binary:
Tip
Select the correct binary corresponding to your OS and CPU architecture.
```
export OS="linux/amd64" # one of linux/amd64, darwin/arm64, darwin/amd64, or windows/amd64
curl -O https://storage.googleapis.com/genai-toolbox/v0.14.0/$OS/toolbox
```
Make the binary executable:
```
chmod +x toolbox
```
Create a file looker_env with the settings for your Looker instance.
```
 export LOOKER_BASE_URL=https://looker.example.com
 export LOOKER_VERIFY_SSL=true
```
In some instances you may need to append :19999 to the LOOKER_BASE_URL.
Load the looker_env file into your environment.
```
source looker_env
```
Run the Toolbox server using the prebuilt Looker tools.
```
./toolbox --prebuilt looker
```
The toolbox server will begin listening on localhost port 5000. Leave it running and continue in another terminal.
Later, when it is time to shut everything down, you can quit the toolbox server with Ctrl-C in this terminal window.

Step 3: Configure Gemini-CLI

Edit the file ~/.gemini/settings.json. Add the following, substituting your Looker server host name for looker.example.com.

"mcpServers": {
    "looker": {
        "httpUrl": "http://localhost:5000/mcp",
        "oauth": {
            "enabled": true,
            "clientId": "gemini-cli",
            "authorizationUrl": "https://looker.example.com/auth",
            "tokenUrl": "https://looker.example.com/api/token",
            "scopes": ["cors_api"]
        }
    }
}

The authorizationUrl should point to the URL you use to access Looker via the web UI. The tokenUrl should point to the URL you use to access Looker via the API. In some cases you will need to use the port number :19999 after the host name but before the /api/token part.

Start Gemini-CLI.
Authenticate with the command /mcp auth looker. Gemini-CLI will open up a browser where you will confirm that you want to access Looker with your account.
Use Gemini-CLI with your tools.

Using Toolbox as a Shared Service

Toolbox can be run on another server as a shared service accessed by multiple users. We strongly recommend running toolbox behind a web proxy such as nginx which will provide SSL encryption. Google Cloud Run is another good way to run toolbox. You will connect to a service like https://toolbox.example.com/mcp. The proxy server will handle the SSL encryption and certificates. Then it will foward the requests to http://localhost:5000/mcp running in that environment. The details of the config are beyond the scope of this document, but will be familiar to your system administrators.

To use the shared service, just change the localhost:5000 in the httpUrl in ~/.gemini/settings.json to the host name and possibly the port of the shared service.

Last modified September 3, 2025: feat(tools/looker): Authenticate via end user credentials (#1257) (8755e3db3)