Streaming Agent: Deployment

[enxilium]

What's the best way to deploy the streaming live agent onto the web? Should the agent run locally on the user's machine, with the API key being injected via some sort of secure backend call, or should the agent be moved to a remote websocket server that can handle incoming/outgoing requests and sessions simultaneously?

Key concerns:

1. If a remotely deployed agent tries to connect to an MCP that requires authorization, does the OAuth flow launch on the user (client side) or the agent side?
2. If the agent runs locally on the user's machine (e.g. as a subproecss in an Electron app), what's the best way to safely inject the API Key into the process so the agent actually runs?

[adk-bot]

Response from ADK Answering Agent (experimental, answer may be inaccurate)

TLDR: For web deployment, it's recommended to run the agent on a remote server. The OAuth flow is handled on the client-side, and API keys should be managed using environment variables for security.

---

Hello! Here is some information regarding your questions on deploying a streaming agent.

Remote Agent Authentication (OAuth)

For your first concern, if a remotely deployed agent needs to connect to a service requiring authorization, the OAuth flow is handled on the user's (client) side. The ADK framework is designed to pause the agent's execution and signal your client application to initiate the interactive authentication process. Once the user completes the OAuth flow, the credentials are then passed to the remote agent.

This is demonstrated in the "A2A OAuth Authentication Sample Agent" which shows a remote agent surfacing authentication requests to a root agent on the client side [1]. The documentation on "Authenticating with Tools" further explains that for flows requiring user interaction, a specific process is triggered in the Agent Client application [2].

Local Agent API Key Injection

For your second question, if you are running the agent locally, the recommended and most secure way to handle API keys is by using environment variables. Hardcoding keys directly in the code is discouraged. You can load the API key from a .env file during development and use your operating system's environment variables or a secret management service in production.

Several quickstart guides and sample code snippets demonstrate this practice, showing how to set the GOOGLE_API_KEY as an environment variable before running the agent [3][4][5]. The after_agent_callback.py snippet also illustrates setting the API key using os.environ in Python [6].

General Deployment Recommendations

While running the agent locally is possible, for a production web application, the recommended approach is to deploy the agent to a remote server. This architecture is more scalable and secure. You can run multiple instances of your agent behind a load balancer to handle many users simultaneously.

The documentation provides guidance on several deployment options, including:

• Google Cloud Run [7]
• Google Kubernetes Engine (GKE)
• Any other container-friendly infrastructure [8]

The "Custom Streaming with WebSockets" documentation also advises deploying multiple instances and using a load balancer for production applications [9]. For a sample implementation using .env files and python-dotenv, you can refer to the "integration_connector_euc_agent" example [10].

We hope this information helps you in deploying your streaming agent!

---

[1] https://github.com/google/adk-python/blob/main/contributing/samples/a2a_auth/README.md
[2] https://google.github.io/adk-docs/tools/authentication/
[3] https://google.github.io/adk-docs/get-started/streaming/quickstart-streaming-java/
[4] https://github.com/google/adk-docs/blob/main/examples/python/snippets/tools/auth/tools_and_agent.py
[5] https://google.github.io/adk-docs/deploy/
[6] https://github.com/google/adk-docs/blob/main/examples/python/snippets/callbacks/after_agent_callback.py
[7] https://google.github.io/adk-docs/deploy/cloud-run/
[8] https://google.github.io/adk-docs/deploy/
[9] https://google.github.io/adk-docs/streaming/custom-streaming-ws/
[10] https://github.com/google/adk-python/blob/main/contributing/samples/integration_connector_euc_agent/README.md

[hangfei]

There are live/bidi specific deployments concerns, like websockets, connection etc. You can use the approaches mentioned above. Agent Engine will soon support live/bidi agents deployment.

There are other things(like MCP, auth) that works the same for bidi or non-bidi cases. You can check general resources on how to enable them.