Configure Google Vertex AI for AI agent imports

To import AI agents from Google Vertex AI, you need to create an OAuth 2.0 client in the Google Cloud Console. Then, you retrieve the client credentials and configure test user access.

After you've completed these configurations, follow the steps in Enable AI agent imports for an app.

Create an OAuth 2.0 client

  1. Sign in to the Google Cloud Console as an editor or AI platform editor who's assigned to the target project.
  2. Select the target project from the dropdown menu at the top of the dashboard.
  3. Go to APIs & Services > Clients.
  4. Select + Create client.
  5. Set the Application type to Web application.
  6. Enter a descriptive name for the client (for example, Vertex-Agent-Import-Client).
  7. In Authorized redirect URIs, select Add URI and enter the following callback URL, replacing {domain} with your Okta org's root URL:
    {domain}/oauth2/v1/sts/callback
  8. Click Create.
  9. In the OAuth client created dialog, copy the Client ID and Client Secret values and store them in a secure location.

Configure test user access

  1. Go to APIs & Services > OAuth consent screen.
  2. Select the Audience tab.
  3. Complete one of the following steps based on your configured user type:
    • If the user type is External: Scroll to the Test users section, select + Add Users, and enter the email addresses of the accounts that need access.
    • If the user type is Internal: No additional configuration is required. All users in your Google Workspace org have access.

Test the integration

After completing the OAuth configuration, run the following verification steps to confirm that Okta can authenticate users and retrieve AI agent responses from Google Vertex AI.

  1. Generate a valid user ID token by completing an authorization handshake against your Okta OIDC app. In your terminal, run your Python orchestrator script:
    python3 main_vertex.py

    Confirm that the script outputs a verified access token and a short-lived Google Cloud bearer token.

  2. The script sends an HTTP POST request to the Google Vertex AI Session Registry to initialize a session:
    POST https://{GCP_LOCATION}-aiplatform.googleapis.com/v1/projects/{GCP_PROJECT_ID}/locations/{GCP_LOCATION}/reasoningEngines/{GCP_REASONING_ENGINE_ID}/sessions

    A unique session resource ID is returned when the session is created successfully.

  3. The script sends the conversational prompt to the session router:
    POST .../sessions/{session_id}:appendEvent

    The prompt is registered as a USER event in the session history.

  4. The script polls for the agent response using a GET request:
    GET https://{GCP_LOCATION}-aiplatform.googleapis.com/v1beta1/projects/{GCP_PROJECT_ID}/locations/{GCP_LOCATION}/reasoningEngines/{GCP_REASONING_ENGINE_ID}/sessions/{session_id}/events

    The script scans the returned sessionEvents array for an event where author is AGENT or ASSISTANT and displays the response text.

A successful run produces output that's similar to the following:

Enter custom prompt for vertex ai: Hello
Initializing identity validation against Okta...
Identity verified and access_token generated successfully via Okta!
Minting short-lived Google Cloud platform bearer token...
Forwarding request to Google Vertex AI Reasoning Engine...

=================== VERTEX REASONING ENGINE RESPONSE ===================
Raw Events Payload for analysis:
{
  "sessionEvents": [
    {
      "name": "projects/575096167212/locations/us-west1/reasoningEngines/7643954369880129536/sessions/6809070451898187776/events/5066757525928411136",
      "author": "USER",
      "content": {},
      "invocationId": "inv-e66fb2c3",
      "actions": {},
      "timestamp": "2026-06-15T22:56:34Z",
      "rawEvent": {
        "text": "Hello"
      }
    }
  ]
}
=========================================================================
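
The scan described in step 4, written out as an added example (it is not the code of main_vertex.py, which this page doesn't show). It assumes the response text sits in rawEvent.text as in the output above, with content.parts[].text as a fallback, and that events are listed oldest first; event_text, latest_agent_reply, poll_for_reply, and fetch_events are hypothetical names.

```python
import time

AGENT_AUTHORS = {"AGENT", "ASSISTANT"}  # author values named in step 4


def event_text(event):
    """Return the text carried by one session event, or None if it has none."""
    raw = event.get("rawEvent") or {}
    if isinstance(raw.get("text"), str) and raw["text"]:
        return raw["text"]
    # Assumption: some events carry their text under content.parts[].text.
    parts = (event.get("content") or {}).get("parts") or []
    texts = [p["text"] for p in parts
             if isinstance(p, dict) and isinstance(p.get("text"), str)]
    return "".join(texts) or None


def latest_agent_reply(payload):
    """Return the newest AGENT/ASSISTANT text in the payload, else None."""
    events = payload.get("sessionEvents") or []
    # Assumption: events are ordered oldest first, so scan from the end.
    for event in reversed(events):
        # USER events echo the prompt; never report them as the agent's answer.
        if str(event.get("author", "")).upper() in AGENT_AUTHORS:
            text = event_text(event)
            if text:
                return text
    return None


def poll_for_reply(fetch_events, attempts=5, delay=1.0, sleep=time.sleep):
    """Call fetch_events() until an agent reply appears or attempts run out."""
    for attempt in range(attempts):
        reply = latest_agent_reply(fetch_events())
        if reply is not None:
            return reply
        if attempt < attempts - 1:
            sleep(delay)
    raise TimeoutError("no AGENT or ASSISTANT event in sessionEvents")


# Constructed sample payloads: the first mirrors the output above (USER only).
USER_ONLY = {"sessionEvents": [
    {"author": "USER", "content": {}, "rawEvent": {"text": "Hello"}}]}
WITH_REPLY = {"sessionEvents": USER_ONLY["sessionEvents"] + [
    {"author": "AGENT", "content": {}, "rawEvent": {"text": "Hi, how can I help?"}}]}

if __name__ == "__main__":
    responses = iter([USER_ONLY, WITH_REPLY])  # stands in for the GET in step 4
    print(poll_for_reply(lambda: next(responses), sleep=lambda s: None))
```

In a real run, fetch_events would wrap the authenticated GET from step 4 and return the decoded JSON body.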

Next step

Enable AI agent imports for an app