Gemini-CLI and OAuth
Overview
Gemini-CLI can be configured to get an OAuth token from Looker, then send this token to MCP Toolbox as part of the request. MCP Toolbox can then use this token to authentincate with Looker. This means that there is no need to get a Looker Client ID and Client Secret. This also means that MCP Toolbox can be set up as a shared resource.
This configuration requires Toolbox v0.14.0 or later.
Step 1: Register the OAuth App in Looker
You first need to register the OAuth application. Refer to the documentation here. You may need to ask an administrator to do this for you.
Go to the API Explorer application, locate “Register OAuth App”, and press the “Run It” button.
Set the
client_guid
to “gemini-cli”.Set the
redirect_uri
to “http://localhost:7777/oauth/callback”.The
display_name
anddescription
can be “Gemini-CLI” or anything meaningful.Set
enabled
to “true”.Check the box confirming that you understand this API will change data.
Click the “Run” button.
Step 2: Install and configure Toolbox
In this section, we will download Toolbox and run the Toolbox server.
Download the latest version of Toolbox as a binary:
Tip
Select the correct binary corresponding to your OS and CPU architecture.
export OS="linux/amd64" # one of linux/amd64, darwin/arm64, darwin/amd64, or windows/amd64 curl -O https://storage.googleapis.com/genai-toolbox/v0.14.0/$OS/toolbox
Make the binary executable:
chmod +x toolbox
Create a file
looker_env
with the settings for your Looker instance.export LOOKER_BASE_URL=https://looker.example.com export LOOKER_VERIFY_SSL=true
In some instances you may need to append
:19999
to the LOOKER_BASE_URL.Load the looker_env file into your environment.
source looker_env
Run the Toolbox server using the prebuilt Looker tools.
./toolbox --prebuilt looker
The toolbox server will begin listening on localhost port 5000. Leave it running and continue in another terminal.
Later, when it is time to shut everything down, you can quit the toolbox server with Ctrl-C in this terminal window.
Step 3: Configure Gemini-CLI
Edit the file
~/.gemini/settings.json
. Add the following, substituting your Looker server host name forlooker.example.com
."mcpServers": { "looker": { "httpUrl": "http://localhost:5000/mcp", "oauth": { "enabled": true, "clientId": "gemini-cli", "authorizationUrl": "https://looker.example.com/auth", "tokenUrl": "https://looker.example.com/api/token", "scopes": ["cors_api"] } } }
The
authorizationUrl
should point to the URL you use to access Looker via the web UI. ThetokenUrl
should point to the URL you use to access Looker via the API. In some cases you will need to use the port number:19999
after the host name but before the/api/token
part.Start Gemini-CLI.
Authenticate with the command
/mcp auth looker
. Gemini-CLI will open up a browser where you will confirm that you want to access Looker with your account.Use Gemini-CLI with your tools.
Using Toolbox as a Shared Service
Toolbox can be run on another server as a shared service accessed by multiple
users. We strongly recommend running toolbox behind a web proxy such as nginx
which will provide SSL encryption. Google Cloud Run is another good way to run
toolbox. You will connect to a service like https://toolbox.example.com/mcp
.
The proxy server will handle the SSL encryption and certificates. Then it will
foward the requests to http://localhost:5000/mcp
running in that environment.
The details of the config are beyond the scope of this document, but will be
familiar to your system administrators.
To use the shared service, just change the localhost:5000
in the httpUrl
in
~/.gemini/settings.json
to the host name and possibly the port of the shared
service.