Arcade
Type: full-code · Vendor: Arcade AI, Inc. · Language: Python · License: proprietary · Status: active · Status in practice: emerging · First released: 2024-01-01
Arcade is an MCP runtime that sits between agents and external systems, handling user authentication, tool execution, and per-action scoping so agents act on behalf of an authenticated user with the right permissions.
Description. Arcade is an MCP runtime that handles user authentication, authorization, policy enforcement, and tool execution between agents and the systems they reach. It offers a registry of thousands of prebuilt MCP tools that agents browse and pick from. Agents act on behalf of real users with real permissions rather than shared tokens or hardcoded credentials, integrating with an existing identity provider so credentials never leave the runtime. Every action runs at the intersection of what the user can do and what the agent is scoped to do, and is logged.
Agent loop shape. An agent connects to the Arcade runtime, which sits between it and every system it needs to reach. The agent browses the registry of prebuilt MCP tools and picks the ones it needs. When it invokes a tool, Arcade authenticates the user through the existing identity provider and runs the action at the intersection of what the user can do and what the agent is scoped to do; if either line is crossed the action stops, and every action is logged.
Primary use cases
- authenticated tool access for agents on behalf of users
- browsing and selecting prebuilt MCP tools
- scoped, governed tool execution across SaaS systems
- enterprise authorization and audit for agent actions
Key concepts
- Arcade Engine → delegated-agent-authorization (docs) — The runtime component that fulfils authorized tool-calling flows for end users: it evaluates which scopes a tool requires, runs the OAuth flow against the configured identity provider, and injects the resulting token into tool execution.
- Tool Catalog → tool-agent-registry (docs) — Arcade's registry of 7,000-plus prebuilt MCP tools across dozens of MCP servers that agents browse and select from for the apps an organisation already runs.
- Authorized tool calling → agent-credential-vault (docs) — A tool declares the auth provider and scopes it needs; at call time Arcade checks whether the user has authorized those scopes, runs the OAuth flow if not, and only then executes the tool with the injected token.
- Workers (docs) — The processes that host and run Arcade tools, deployable on the user's own infrastructure including private cloud, on-premises, or fully air-gapped environments so credentials and execution stay inside the user's perimeter.
Patterns this full-code implements —
- ★Delegated Agent Authorization
Agents act on behalf of the authenticated user with that user's real permissions rather than shared tokens or hardcoded credentials; the existing identity provider plugs in and credentials never leav…
- ★★Model Context Protocol
Arcade is itself an MCP runtime: it manages authentication, tool registration, and execution and serves prebuilt tools as MCP servers that any conformant MCP client can call.
- ★Agent Credential Vault
Arcade brokers OAuth tokens at tool-call time, injecting the securely-stored credential into the tool's execution context so the agent never holds a raw user token; the runtime declares required scop…
- ★Secrets Handling
The OAuth token is securely injected into the tool call at runtime and never returned to the model or the MCP client, so the secret stays out of the prompt and context window.
- ★Tool/Agent Registry
Arcade exposes a registry/catalog of thousands of prebuilt MCP tools that agents browse and pick from, plus a registry to share and discover tools.
Neighbourhood
Click any neighbour to follow the lineage. Scroll to zoom, drag to pan.
Alternatives & relatives
- full-code · framework
Composio
Both broker authenticated third-party tool access for agents through a large prebuilt toolkit catalog with managed OAuth, so the agent never handles raw end-user credentials.
- full-code · framework
Cerbos
Arcade authenticates the user and scopes the action; Cerbos can sit alongside as the external policy decision point deciding whether a given user-and-context combination is allowed to invoke a tool.
Listed as alternative by (3)
References
Provenance
- Last analyzed:
- Last updated:
- Verification status: partial