Scoped permissions

Beta

Agents are in the beta phase of development and may not be available on your enrollment. Functionality may change during active development.

Agents authenticate against the Ontology SDK (OSDK), Ontology MCP (OMCP), and Palantir MCP with scoped permissions out of the box. You do not need to provision a client ID and secret or pass a Foundry token to call tools.

How scoped permissions work

When you create an agent from the agent template, Foundry provisions the credentials the agent needs to call OSDK, OMCP, and Palantir MCP on your behalf. The template resolves connection details at runtime, including the service URL and authorization headers, through helper functions provided by the agent library. Your agent code requests a configured client or MCP connection and uses it directly.

Because credentials are scoped and managed by the platform, the following are not required in agent code:

  • A client ID and secret
  • A Foundry token
  • Manual OAuth client setup

The agent only has access to the resources permitted by its scope. Access is governed by the Ontology binding selected when the agent is published and the application restrictions that apply to the underlying client.

Retrieve an Ontology MCP connection

The agent library (@palantir/agent-templates-bundle) exposes a helper that returns a ready-to-use Ontology MCP connection. The connection includes the resolved URL and authorization headers, so no client ID, secret, or Foundry token is required. For implementation details, see Agent templates.

Retrieve an OSDK client

The agent library also provides a helper to construct an OSDK client bound to your selected Ontology. For implementation details, see Agent templates.

Next steps