We recently launched mTLS bound tokens for Agentic workloads. However, it was discovered that mcp_toolset is incompatible with mTLS and therefore incompatible with bound tokens. The problem is that mcp_toolset depends on a bespoke mcp_session_manager, based off of "asyncio", which does not have mtls support. The correct longterm solution is to migrate to google's official python aiohttp lib which does have mtls support. Since the issue is blocking Cloud NEXT demos, we propose to apply a temporary patch to turn off bound tokens for mcp_toolset at the client-side.
If this issue is not fixed, then mcp_toolset invocation on Agent Engine will result in 401 unauthorized, since the access token will fail the mTLS binding verification.
We recently launched mTLS bound tokens for Agentic workloads. However, it was discovered that mcp_toolset is incompatible with mTLS and therefore incompatible with bound tokens. The problem is that mcp_toolset depends on a bespoke mcp_session_manager, based off of "asyncio", which does not have mtls support. The correct longterm solution is to migrate to google's official python aiohttp lib which does have mtls support. Since the issue is blocking Cloud NEXT demos, we propose to apply a temporary patch to turn off bound tokens for mcp_toolset at the client-side.
If this issue is not fixed, then mcp_toolset invocation on Agent Engine will result in 401 unauthorized, since the access token will fail the mTLS binding verification.