- What CrewAI ships — role-based agents, task graphs, delegation, planning, memory.
- What it doesn’t ship — a way for those agents to act as a real account: sign up for a SaaS tool, hold a funded card, or spend within a budget you control, per end-user.
How the pairing works
- CrewAI has first-class MCP support — point an agent’s
mcpsfield at any MCP server and its tools are discovered automatically. - Naive ships a hosted MCP server and mints per-user sessions — short-lived, revocable endpoints whose tool list is the fused native + third-party toolset, already filtered by that user’s Account Kit.
- So the integration is: mint a session for one user → hand its SSE URL + scoped bearer to a CrewAI agent → every tool call runs as that user, gated server-side.
Tested against: Naive API v2 (hosted MCP server over SSE, per-user sessions),
crewai 1.x (crewai.mcp.MCPServerSSE, the agent mcps field), and the mcp Python
package 1.x, on Python 3.10–3.13.Naive’s MCP server uses SSE transport, so this guide uses MCPServerSSE. There is no
There is no Naive Python SDK today — provision the control plane over the REST API, the
dashboard, the CLI, or the Node SDK (@usenaive-sdk/server).
Pin your versions
and adjust the model to a provider you have access to.Prerequisites
- A Naive API key (
nv_sk_...) — get one from the dashboard. - A model provider key for the model that runs the crew (CrewAI reads
OPENAI_API_KEYby default; set whichever provider you use). - Python 3.10–3.13.
Minimal viable integration
The shortest path to a CrewAI crew that can actually transact: define a policy, provision a user (control plane, once), then at runtime mint a per-user MCP session and hand it to the crew.Define the policy, then provision a user
An Account Kit is the spend/capability policy. Here a tenant
user gets a card (capped at $500, approval required), the vault, and an allowlist of apps.
Everything the crew does is bounded by this kit — server-side. These are one-time
control-plane calls:
Mint a per-user MCP session
At runtime, mint a short-lived session scoped to one user. It
returns an SSE URL plus a scoped bearer that lives only in the headers — never in the URL —
and expires (default 15 min, max 24h):
Give the crew the session — and let it transact
Point a CrewAI agent’s The crew discovers GitHub (
mcps field at the session via MCPServerSSE. CrewAI discovers
Naive’s tools automatically and runs the crew’s task loop for you:naive_connections_connect), returns a connect link for Alice to
authorize, and attempts to issue the card (naive_cards_create) — a real card on
Alice’s account, capped by her kit. The whole crew is CrewAI’s; the real-world actions are
Naive’s.The session’s tool list is already filtered by Alice’s kit — the crew never sees a tool the
policy forbids. To narrow further per agent, pass a
tool_filter to MCPServerSSE (e.g.
create_static_tool_filter(allowed_tool_names=[...]) from crewai.mcp.filters).Extension: human-in-the-loop spend
Because the kit setcards.requiresApproval: true, the crew cannot silently spend. When
an agent calls the card-issuing tool, Naive freezes the request and the tool result comes
back as a pending approval (HTTP 202) instead of a live card:
202 response uses action; approval records from the approvals API use
action_type.
The crew relays the pending status instead of claiming success. Your app then resolves it
out of band — and on approval, Naive replays the frozen action server-side:
pending → executed / failed / denied).
Approvals are only enforced for agent (API-key / MCP) calls on real tenant users. A human
acting in your dashboard, and agent calls on the operator’s own default user, bypass the
gate — so end-user crews stay governed while your own automation isn’t slowed down.
What stays enforced
No matter how the crew is wired, the policy is enforced where it matters — on Naive’s servers, not in your prompt or your crew config:- Identity — every action runs as a specific tenant user, fully isolated from your other users.
- Capability bounds — the Account Kit decides which
primitives and which apps the crew can touch (
allowlist/blocklist/ per-tool). - Scoped spend — virtual cards are capped per card and per user; the model can’t raise its own limit.
- Human-in-the-loop — sensitive actions (cards, domains, KYC, formation, connecting an app) freeze as approvals until a human says yes.
- Scoped, expiring access — the crew holds a per-user session bearer, not your API key;
it expires (default 15 min) and you can
DELETE /v1/users/:user_id/sessions/:idto revoke it early.
Next steps
- MCP server — the hosted SSE server and its full tool list
- Sessions — per-user MCP sessions, TTL, and revocation
- Account Kits — author spend/capability policy
- Approvals — the human-in-the-loop lifecycle
- LangGraph · Vercel AI SDK — the same pairing for TypeScript stacks