LlmAgent
a Gemini model, instructions, and tools; ADK runs the model-calling loop — plus multi-agent
handoff, sessions, and a Runner — until the job is done.
- What ADK ships — agents, the model loop, multi-agent orchestration, sessions,
callbacks, evals, deployment, and first-class MCP support via
McpToolset. - What it doesn’t ship — a way for those agents to act as a real account: sign up for a SaaS tool, hold a funded card, or spend within a budget you control, per end-user.
How the pairing works
- ADK has first-class MCP support via
McpToolset— point it at any MCP server and its tools are discovered and converted into ADK tools automatically (no manual schema wiring). - Naive ships a hosted MCP server and mints per-user sessions — short-lived, revocable endpoints whose tool list is the fused native + third-party toolset, already filtered by that user’s Account Kit.
- Each session is one URL + one bearer scoped to one user. Build an
McpToolsetfrom it, hand it to the agent for one run, and every tool call runs as that user — gated server-side.
Tested against:
google-adk 2.3.x (LlmAgent, Runner, InMemorySessionService,
and McpToolset / SseConnectionParams / require_confirmation from
google.adk.tools.mcp_tool), the mcp Python package 1.28.x (SSE transport), and
Naive API v2 (hosted MCP server over SSE + per-user sessions), on Python ≥ 3.10.Naive’s MCP server uses SSE transport — pair it with ADK’s SseConnectionParams
(not StreamableHTTPConnectionParams). MCP support isn’t in ADK’s base install: add the
mcp package. On older ADK (pre-1.x), import McpToolset from
google.adk.tools.mcp_tool.mcp_toolset and SseConnectionParams from
google.adk.tools.mcp_tool.mcp_session_manager. There is no Python Naive SDK yet — provision
the control plane over the REST API, the dashboard, the
CLI, or the Node SDK (@usenaive-sdk/server). Pin your versions
and set model to a Gemini model you have access to.Prerequisites
- A Naive API key (
nv_sk_...) — get one from the dashboard. - A
GOOGLE_API_KEYfor the Gemini model that runs the agent (from Google AI Studio). - Python ≥ 3.10.
Minimal viable integration
The shortest path to an ADK agent that can actually transact: define a policy and provision a user (control plane, once), then at runtime mint a per-user MCP session and hand it to the agent.Define the policy, then provision a user
An Account Kit is the spend/capability policy. Here a tenant
user gets a card (capped at $500, approval required), the vault, and an allowlist of apps.
Everything the agent does is bounded by this kit — server-side. These are one-time
control-plane calls:
Mint a per-user MCP session
At runtime, mint a short-lived session for the user. It returns the scoped
SSE endpoint and a bearer that lives in the headers — never in the URL — and expires (default
15 min, max 24h):
Build the agent — and let it transact
Point ADK’s The model discovers GitHub, returns a connect link for Alice to authorize, and attempts to
issue the card — a real card on Alice’s account, capped by her kit. The whole agent loop
is ADK’s; the real-world actions are Naive’s.
McpToolset at the session’s scoped SSE endpoint, attach it to an LlmAgent,
and run it with a Runner. ADK discovers Naive’s tools and runs the multi-step loop for you
(call tool → feed result back → continue):Extension: human-in-the-loop spend (two gates)
Because the kit setcards.requiresApproval: true, the agent cannot silently spend.
You get two complementary layers — pair them for defense in depth:
- In the agent — ADK’s
require_confirmationon theMcpToolsetpauses before a tool runs, so the run surfaces the call for human review. - On the server — even if a call gets through, Naive freezes it and returns a pending
approval (HTTP
202) instead of a live card. This holds no matter what runtime calls it.
require_confirmation also accepts a callable for per-tool control, and ADK’s
before_tool_callback on the LlmAgent can inspect or short-circuit a call before it runs.
Treat both as a UX / early-interrupt convenience — the real enforcement is Naive’s
server-side approval gate below, which applies regardless of prompt or agent configuration.202 response uses action; approval records from the approvals API use
action_type.
Your app then resolves it out of band — and on approval, Naive replays the frozen action
server-side:
pending → executed / failed / denied) and the deny endpoint.
Approvals are only enforced for agent (API-key / MCP) calls on real tenant users. A human
acting in your dashboard, and agent calls on the operator’s own default user, bypass the
gate — so end-user agents stay governed while your own automation isn’t slowed down.
Alternative: one agent, many tenants
Each Naive session is scoped to one user, so to serve every tenant from the same agent definition, mint a fresh session per request and build theMcpToolset from it. The agent’s
model and instructions stay identical — only which user’s session backs the tools changes,
and every call is Account-Kit-gated server-side:
Runner, then await toolset.close(). Same Account
Kit, same approval gates — just scoped to whichever user’s session you minted. Revoke a
session early with DELETE /v1/users/{user_id}/sessions/{id}.
What stays enforced
No matter which path you choose, the policy is enforced where it matters — on Naive’s servers, not in your prompt or your agent:- Identity — every action runs as a specific tenant user, fully isolated from your other users.
- Capability bounds — the Account Kit decides which
primitives and which apps the agent can touch (
allowlist/blocklist/ per-tool). - Scoped spend — virtual cards are capped per card and per user; the model can’t raise its own limit.
- Human-in-the-loop — sensitive actions (cards, domains, KYC, formation, connecting an app) freeze as approvals until a human says yes.
Next steps
- SDK overview — the full Naive client surface
- Sessions — per-user MCP sessions for any MCP-aware runtime
- Account Kits — author spend/capability policy
- Approvals — the human-in-the-loop lifecycle
- MCP server — how Naive’s hosted MCP server works