Merge remote-tracking branch 'upstream/release/1.3' into optimizer-doc-fix

# Conflicts:
#	docs/source/reference/cli.md

Author: dnandakumar-nv

README.md

@@ -81,13 +81,13 @@ pip install nvidia-nat
 NeMo Agent Toolkit has many optional dependencies which can be installed with the core package. Optional dependencies are grouped by framework and can be installed with the core package. For example, to install the LangChain/LangGraph plugin, run the following:
 
 ```bash
-pip install nvidia-nat[langchain]
+pip install "nvidia-nat[langchain]"
 ```
 
 Or for all optional dependencies:
 
 ```bash
-pip install nvidia-nat[all]
+pip install "nvidia-nat[all]"
 ```
 
 The full list of optional dependencies can be found [here](./docs/source/quick-start/installing.md#framework-integrations).

docs/source/extend/telemetry-exporters.md

@@ -266,14 +266,14 @@ Before creating a custom exporter, check if your observability service is alread
 | Service | Type | Installation | Configuration |
 |---------|------|-------------|---------------|
 | **File** | `file` | `pip install nvidia-nat` | local file or directory |
-| **Langfuse** | `langfuse` | `pip install nvidia-nat[opentelemetry]` | endpoint + API keys |
-| **LangSmith** | `langsmith` | `pip install nvidia-nat[opentelemetry]` | endpoint + API key |
-| **OpenTelemetry Collector** | `otelcollector` | `pip install nvidia-nat[opentelemetry]` | endpoint + headers |
-| **Patronus** | `patronus` | `pip install nvidia-nat[opentelemetry]` | endpoint + API key |
-| **Galileo** | `galileo` | `pip install nvidia-nat[opentelemetry]` | endpoint + API key |
-| **Phoenix** | `phoenix` | `pip install nvidia-nat[phoenix]` | endpoint |
-| **RagaAI/Catalyst** | `catalyst` | `pip install nvidia-nat[ragaai]` | API key + project |
-| **Weave** | `weave` | `pip install nvidia-nat[weave]` | project name |
+| **Langfuse** | `langfuse` | `pip install "nvidia-nat[opentelemetry]"` | endpoint + API keys |
+| **LangSmith** | `langsmith` | `pip install "nvidia-nat[opentelemetry]"` | endpoint + API key |
+| **OpenTelemetry Collector** | `otelcollector` | `pip install "nvidia-nat[opentelemetry]"` | endpoint + headers |
+| **Patronus** | `patronus` | `pip install "nvidia-nat[opentelemetry]"` | endpoint + API key |
+| **Galileo** | `galileo` | `pip install "nvidia-nat[opentelemetry]"` | endpoint + API key |
+| **Phoenix** | `phoenix` | `pip install "nvidia-nat[phoenix]"` | endpoint |
+| **RagaAI/Catalyst** | `catalyst` | `pip install "nvidia-nat[ragaai]"` | API key + project |
+| **Weave** | `weave` | `pip install "nvidia-nat[weave]"` | project name |
 
 ### Simple Configuration Example
 
@@ -412,7 +412,7 @@ class CustomSpanExporter(SpanExporter[Span, dict]):
 > **Note**: OpenTelemetry exporters require the `nvidia-nat-opentelemetry` subpackage. Install it with:
 
 > ```bash
-> pip install nvidia-nat[opentelemetry]
+> pip install "nvidia-nat[opentelemetry]"
 > ```
 
 For most OTLP-compatible services, use the pre-built `OTLPSpanAdapterExporter`:

docs/source/quick-start/installing.md

@@ -92,13 +92,13 @@ pip install nvidia-nat
 NeMo Agent toolkit has many optional dependencies which can be installed with the core package. Optional dependencies are grouped by framework and can be installed with the core package. For example, to install the LangChain/LangGraph plugin, run the following:
 
 ```bash
-pip install nvidia-nat[langchain]
+pip install "nvidia-nat[langchain]"
 ```
 
 Or for all optional dependencies:
 
 ```bash
-pip install nvidia-nat[all]
+pip install "nvidia-nat[all]"
 ```
 
 The full list of optional dependencies can be found [here](../quick-start/installing.md#framework-integrations).

docs/source/reference/api-server-endpoints.md

@@ -61,7 +61,7 @@ result back to the client. The transaction schema is defined by the workflow.
 ## Asynchronous Generate
 The asynchronous generate endpoint allows clients to submit a workflow to run in the background and return a response immediately with a unique identifier for the workflow. This can be used to query the status and results of the workflow at a later time. This is useful for long-running workflows, which would otherwise cause the client to time out.
 
-This endpoint is only available when the `async_endpoints` optional dependency extra is installed. For users installing from source, this can be done by running `uv pip install -e '.[async_endpoints]'` from the root directory of the NeMo Agent toolkit library. Similarly, for users installing from PyPI, this can be done by running `pip install 'nvidia-nat[async_endpoints]'`.
+This endpoint is only available when the `async_endpoints` optional dependency extra is installed. For users installing from source, this can be done by running `uv pip install -e '.[async_endpoints]'` from the root directory of the NeMo Agent toolkit library. Similarly, for users installing from PyPI, this can be done by running `pip install "nvidia-nat[async_endpoints]"`.
 
 Asynchronous jobs are managed using [Dask](https://docs.dask.org/en/stable/). By default, a local Dask cluster is created at start time, however you can also configure the server to connect to an existing Dask scheduler by setting the `scheduler_address` configuration parameter. The Dask scheduler is used to manage the execution of asynchronous jobs, and can be configured to run on a single machine or across a cluster of machines. Job history and metadata is stored in a SQL database using [SQLAlchemy](https://www.sqlalchemy.org/). By default, a temporary SQLite database is created at start time, however you can also configure the server to use a persistent database by setting the `db_url` configuration parameter. Refer to the [SQLAlchemy documentation](https://docs.sqlalchemy.org/en/20/core/engines.html#database-urls) for the format of the `db_url` parameter. Any database supported by [SQLAlchemy's Asynchronous I/O extension](https://docs.sqlalchemy.org/en/20/orm/extensions/asyncio.html) can be used. Refer to [SQLAlchemy's Dialects](https://docs.sqlalchemy.org/en/20/dialects/index.html) for a complete list (many but not all of these support Asynchronous I/O).
 

docs/source/reference/cli.md

@@ -36,32 +36,43 @@ nat
 ├── info
 │   ├── channels
 │   └── components
-│
-├── optimize  
-│  
+├── mcp
+│   ├── client
+│   │   ├── ping
+│   │   └── tool
+│   │       ├── call
+│   │       └── list
+│   └── serve
+├── object-store
+│   ├── mysql
+│   │   ├── delete
+│   │   └── upload
+│   ├── redis
+│   │   ├── delete
+│   │   └── upload
+│   └── s3
+│       ├── delete
+│       └── upload
+├── optimize
 ├── registry
 │   ├── publish
 │   ├── pull
 │   ├── remove
 │   └── search
 ├── run
 ├── serve
+├── sizing
+│   └── calc
 ├── start
 │   ├── console
 │   ├── fastapi
 │   └── mcp
-│       ├── serve
-│       └── client
-│           ├── ping
-│           └── tool
-│               ├── list
-│               └── call
 ├── uninstall
 ├── validate
 └── workflow
     ├── create
-    ├── reinstall
-    └── delete
+    ├── delete
+    └── reinstall
 ```
 
 ## Start

docs/source/reference/evaluate-api.md

@@ -20,7 +20,7 @@ limitations under the License.
 It is recommended that the [Evaluating NeMo Agent toolkit Workflows](./evaluate.md) guide be read before proceeding with this detailed documentation.
 :::
 
-The evaluation endpoint can be used to start evaluation jobs on a remote NeMo Agent toolkit server. This endpoint is only available when the `async_endpoints` optional dependency extra is installed. For users installing from source, this can be done by running `uv pip install -e '.[async_endpoints]'` from the root directory of the NeMo Agent toolkit library. Similarly, for users installing from PyPI, this can be done by running `pip install 'nvidia-nat[async_endpoints]'`.
+The evaluation endpoint can be used to start evaluation jobs on a remote NeMo Agent toolkit server. This endpoint is only available when the `async_endpoints` optional dependency extra is installed. For users installing from source, this can be done by running `uv pip install -e '.[async_endpoints]'` from the root directory of the NeMo Agent toolkit library. Similarly, for users installing from PyPI, this can be done by running `pip install "nvidia-nat[async_endpoints]"`.
 
 ## Evaluation Endpoint Overview
 ```{mermaid}

docs/source/workflows/evaluate.md

@@ -34,7 +34,7 @@ uv pip install -e '.[profiling]'
 
 If you are installing from a package, you can install the sub-package by running the following command:
 ```bash
-uv pip install nvidia-nat[profiling]
+uv pip install "nvidia-nat[profiling]"
 ```
 
 ## Evaluating a Workflow

docs/source/workflows/mcp/index.md

@@ -21,7 +21,7 @@ NeMo Agent toolkit [Model Context Protocol (MCP)](https://modelcontextprotocol.i
 * An [MCP client](./mcp-client.md) to connect to and use tools served by remote MCP servers.
 * An [MCP server](./mcp-server.md) to publish tools using MCP to be used by any MCP client.
 
-**Note:** MCP client functionality requires the `nvidia-nat-mcp` package. Install it with `uv pip install nvidia-nat[mcp]`.
+**Note:** MCP client functionality requires the `nvidia-nat-mcp` package. Install it with `uv pip install "nvidia-nat[mcp]"`.
 
 
 ```{toctree}
@@ -30,4 +30,5 @@ NeMo Agent toolkit [Model Context Protocol (MCP)](https://modelcontextprotocol.i
 Connecting to Remote Tools <./mcp-client.md>
 Serving NeMo Agent toolkit Functions <./mcp-server.md>
 MCP Authentication <./mcp-auth.md>
+Secure Token Storage <./mcp-auth-token-storage.md>
 ```

docs/source/workflows/mcp/mcp-auth-token-storage.md

@@ -0,0 +1,202 @@
+<!--
+SPDX-FileCopyrightText: Copyright (c) 2025, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+SPDX-License-Identifier: Apache-2.0
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+
+# Secure Token Storage for MCP Authentication
+
+The NeMo Agent toolkit provides a configurable, secure token storage mechanism for Model Context Protocol (MCP) OAuth2 authentication. You can store tokens securely using the object store infrastructure, which provides encryption at rest, access controls, and persistence across service restarts.
+
+## Overview
+
+When using MCP with OAuth2 authentication, the toolkit needs to store authentication tokens for each user. The secure token storage feature provides:
+
+- **Encryption at rest**: Tokens are stored in object stores that support encryption
+- **Flexible backends**: Choose from in-memory (default), S3, MySQL, Redis, or custom object stores
+- **Persistence**: Tokens persist across restarts when using external storage backends
+- **Multi-user support**: Tokens are isolated per user with proper access controls
+- **Automatic refresh**: Supports OAuth2 token refresh flows
+
+### Components
+
+The token storage system includes three main components:
+
+1. **TokenStorageBase**: Abstract interface defining `store()`, `retrieve()`, `delete()`, and `clear_all()` operations.
+2. **InMemoryTokenStorage**: Default implementation using the in-memory object store.
+3. **ObjectStoreTokenStorage**: Implementation backed by configurable object stores such as S3, MySQL, and Redis.
+
+## Configuration
+
+### Default Configuration (In-Memory Storage)
+
+By default, MCP OAuth2 authentication uses in-memory storage. No additional configuration is required:
+
+```yaml
+authentication:
+  mcp_oauth2_jira:
+    _type: mcp_oauth2
+    server_url: ${CORPORATE_MCP_JIRA_URL}
+    redirect_uri: http://localhost:8000/auth/redirect
+    default_user_id: ${CORPORATE_MCP_JIRA_URL}
+    allow_default_user_id_for_tool_calls: ${ALLOW_DEFAULT_USER_ID_FOR_TOOL_CALLS:-true}
+```
+
+This setup is **ONLY suitable for development and testing environments** since it uses in-memory storage that is not
+persistent and also unsafe.
+
+### External Object Store Configuration
+
+For production environments, configure an external object store to persist tokens across restarts. The NeMo Agent toolkit supports S3-compatible storage (MinIO, AWS S3), MySQL, and Redis backends.
+
+:::{note}
+For detailed object store setup instructions including MinIO, MySQL, and Redis installation and configuration examples, see the `examples/object_store/user_report/README.md` guide (under the "Choose an Object Store" section).
+:::
+
+The following example shows token storage configuration using S3-compatible storage (MinIO):
+
+```yaml
+object_stores:
+  token_store:
+    _type: s3
+    endpoint_url: http://localhost:9000
+    access_key: minioadmin
+    secret_key: minioadmin
+    bucket_name: my-bucket
+
+function_groups:
+  mcp_jira:
+    _type: mcp_client
+    server:
+      transport: streamable-http
+      url: ${CORPORATE_MCP_JIRA_URL}
+      auth_provider: mcp_oauth2_jira
+
+authentication:
+  mcp_oauth2_jira:
+    _type: mcp_oauth2
+    server_url: ${CORPORATE_MCP_JIRA_URL}
+    redirect_uri: http://localhost:8000/auth/redirect
+    default_user_id: ${CORPORATE_MCP_JIRA_URL}
+    allow_default_user_id_for_tool_calls: ${ALLOW_DEFAULT_USER_ID_FOR_TOOL_CALLS:-true}
+    token_storage_object_store: token_store
+
+llms:
+  nim_llm:
+    _type: nim
+    model_name: meta/llama-3.1-70b-instruct
+    temperature: 0.0
+    max_tokens: 1024
+
+workflow:
+  _type: react_agent
+  tool_names:
+    - mcp_jira
+  llm_name: nim_llm
+  verbose: true
+  retry_parsing_errors: true
+  max_retries: 3
+```
+
+For MySQL or Redis configurations, replace the `object_stores` section with the appropriate object store type. Refer to the [Object Store Documentation](../../store-and-retrieve/object-store.md) for configuration options for each backend.
+
+## Token Storage Format
+
+The system stores tokens as JSON-serialized `AuthResult` objects in the object store with the following structure:
+
+- **Key format**: `tokens/{sha256_hash}` where the hash is computed from the `user_id` to ensure S3 compatibility
+- **Content type**: `application/json`
+- **Metadata**: Includes token expiration timestamp when available
+
+Example stored token:
+```json
+{
+  "credentials": [
+    {
+      "kind": "bearer",
+      "token": "encrypted_token_value",
+      "scheme": "Bearer",
+      "header_name": "Authorization"
+    }
+  ],
+  "token_expires_at": "2025-10-02T12:00:00Z",
+  "raw": {
+    "access_token": "...",
+    "refresh_token": "...",
+    "expires_at": 1727870400
+  }
+}
+```
+
+## Token Lifecycle
+
+### 1. Initial Authentication
+
+When a user first authenticates, the system completes the following steps:
+1. The OAuth2 flow completes and returns an access token.
+2. The token is serialized and stored using the configured storage backend.
+3. The token is associated with the user's session ID.
+
+### 2. Token Retrieval
+
+On subsequent requests, the system completes the following steps:
+1. The user's session ID is extracted from cookies.
+2. The stored token is retrieved from the storage backend.
+3. The token expiration is checked.
+4. If expired, a token refresh is attempted.
+
+### 3. Token Refresh
+
+When a token expires, the system completes the following steps:
+1. The refresh token is extracted from the stored token.
+2. A new access token is requested from the OAuth2 provider.
+3. The new token is stored, replacing the old one.
+4. The refreshed token is returned for use.
+
+
+## Custom Token Storage
+
+You can implement custom token storage by extending the `TokenStorageBase` abstract class:
+
+```python
+from nat.plugins.mcp.auth.token_storage import TokenStorageBase
+from nat.data_models.authentication import AuthResult
+
+class CustomTokenStorage(TokenStorageBase):
+    async def store(self, user_id: str, auth_result: AuthResult) -> None:
+        # Custom storage logic
+        pass
+
+    async def retrieve(self, user_id: str) -> AuthResult | None:
+        # Custom retrieval logic
+        pass
+
+    async def delete(self, user_id: str) -> None:
+        # Custom deletion logic
+        pass
+
+    async def clear_all(self) -> None:
+        # Custom clear logic
+        pass
+```
+
+Then configure your custom storage in the MCP provider initialization.
+
+
+## Related Documentation
+
+- [MCP Client Configuration](mcp-client.md)
+- [Object Store Documentation](../../store-and-retrieve/object-store.md)
+- [Authentication API Reference](../../reference/api-authentication.md)
+- [Extending Object Stores](../../extend/object-store.md)

docs/source/workflows/mcp/mcp-auth.md

@@ -168,6 +168,7 @@ This will use the `mcp_oauth2` authentication provider to authenticate the user.
 - The `default_user_id` is used to cache the authenticating user during setup and optionally for tool calls. It is recommended to set `allow_default_user_id_for_tool_calls` to `false` in the authentication configuration for multi-user workflows to avoid accidental tool calls by unauthorized users.
 - Use HTTPS redirect URIs in production environments.
 - Scope OAuth2 tokens to the minimum required permissions.
+- For production deployments, configure [secure token storage](./mcp-auth-token-storage.md) using an external object store (S3, MySQL, or Redis) with encryption enabled.
 
 ## Troubleshooting
 1.  **Setup fails** - This can happen if:
@@ -178,3 +179,8 @@ This will use the `mcp_oauth2` authentication provider to authenticate the user.
 - The workflow was not accessed in `WebSocket` mode, or
 - The user did not complete the authentication flow through the `WebSocket` UI, or
 - The user is not authorized to call the tool
+
+## Related Documentation
+- [Secure Token Storage](./mcp-auth-token-storage.md) - Learn about configuring secure token storage for MCP authentication
+- [MCP Client](./mcp-client.md) - Connect to and use tools from remote MCP servers
+- [Object Store Documentation](../../store-and-retrieve/object-store.md) - Configure object stores for persistent token storage