chore: update yaml tag for auth, embedding model, prompts, sources

chore: update unmarshal function for ToolsFile
Update cmd/root_test.go
2026-01-22 05:48:08 -05:00 · 2026-01-21 22:49:22 -08:00 · 2026-01-21 22:49:06 -08:00 · 2026-01-20 11:25:03 -08:00 · 2026-01-20 11:25:03 -08:00 · 2026-01-20 11:20:41 -08:00
598 changed files with 9563 additions and 6735 deletions
--- a/.ci/integration.cloudbuild.yaml
+++ b/.ci/integration.cloudbuild.yaml
@@ -825,7 +825,27 @@ steps:
          elasticsearch \
          elasticsearch

-
+  - id: "snowflake"
+    name: golang:1
+    waitFor: ["compile-test-binary"]
+    entrypoint: /bin/bash
+    env:
+      - "GOPATH=/gopath"
+      - "SERVICE_ACCOUNT_EMAIL=$SERVICE_ACCOUNT_EMAIL"
+      - "SNOWFLAKE_DATABASE=$_SNOWFLAKE_DATABASE"
+      - "SNOWFLAKE_SCHEMA=$_SNOWFLAKE_SCHEMA"
+    secretEnv: ["CLIENT_ID", "SNOWFLAKE_USER", "SNOWFLAKE_PASS", "SNOWFLAKE_ACCOUNT"]
+    volumes:
+      - name: "go"
+        path: "/gopath"
+    args:
+      - -c
+      - |
+        .ci/test_with_coverage.sh \
+          "Snowflake" \
+          snowflake \
+          snowflake
+ 
  - id: "cassandra"
    name: golang:1
    waitFor: ["compile-test-binary"]
@@ -1038,6 +1058,12 @@ availableSecrets:
      env: ELASTICSEARCH_USER
    - versionName: projects/$PROJECT_ID/secrets/elastic_search_pass/versions/latest
      env: ELASTICSEARCH_PASS
+    - versionName: projects/$PROJECT_ID/secrets/snowflake_account/versions/latest
+      env: SNOWFLAKE_ACCOUNT
+    - versionName: projects/$PROJECT_ID/secrets/snowflake_user/versions/latest
+      env: SNOWFLAKE_USER
+    - versionName: projects/$PROJECT_ID/secrets/snowflake_pass/versions/latest
+      env: SNOWFLAKE_PASS
    - versionName: projects/$PROJECT_ID/secrets/cassandra_user/versions/latest
      env: CASSANDRA_USER
    - versionName: projects/$PROJECT_ID/secrets/cassandra_pass/versions/latest
@@ -1124,4 +1150,5 @@ substitutions:
  _SINGLESTORE_USER: "root"
  _MARIADB_PORT: "3307"
  _MARIADB_DATABASE: test_database
-
+  _SNOWFLAKE_DATABASE: "test"
+  _SNOWFLAKE_SCHEMA: "PUBLIC"
--- a/.gitignore
+++ b/.gitignore
@@ -20,4 +20,4 @@ node_modules

 # executable
 genai-toolbox
-toolbox
+toolbox
--- a/.hugo/hugo.toml
+++ b/.hugo/hugo.toml
@@ -51,6 +51,10 @@ ignoreFiles = ["quickstart/shared", "quickstart/python", "quickstart/js", "quick
 # Add a new version block here before every release
 # The order of versions in this file is mirrored into the dropdown

+[[params.versions]]
+  version = "v0.25.0"
+  url = "https://googleapis.github.io/genai-toolbox/v0.25.0/"
+
 [[params.versions]]
  version = "v0.24.0"
  url = "https://googleapis.github.io/genai-toolbox/v0.24.0/"
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,30 @@
 # Changelog

+## [0.25.0](https://github.com/googleapis/genai-toolbox/compare/v0.24.0...v0.25.0) (2026-01-08)
+
+
+### Features
+
+* Add `embeddingModel` support ([#2121](https://github.com/googleapis/genai-toolbox/issues/2121)) ([9c62f31](https://github.com/googleapis/genai-toolbox/commit/9c62f313ff5edf0a3b5b8a3e996eba078fba4095))
+* Add `allowed-hosts` flag ([#2254](https://github.com/googleapis/genai-toolbox/issues/2254)) ([17b41f6](https://github.com/googleapis/genai-toolbox/commit/17b41f64531b8fe417c28ada45d1992ba430dc1b))
+* Add parameter default value to manifest ([#2264](https://github.com/googleapis/genai-toolbox/issues/2264)) ([9d1feca](https://github.com/googleapis/genai-toolbox/commit/9d1feca10810fa42cb4c94a409252f1bd373ee36))
+* **snowflake:** Add Snowflake Source and Tools ([#858](https://github.com/googleapis/genai-toolbox/issues/858)) ([b706b5b](https://github.com/googleapis/genai-toolbox/commit/b706b5bc685aeda277f277868bae77d38d5fd7b6))
+* **prebuilt/cloud-sql-mysql:** Update CSQL MySQL prebuilt tools to use IAM ([#2202](https://github.com/googleapis/genai-toolbox/issues/2202)) ([731a32e](https://github.com/googleapis/genai-toolbox/commit/731a32e5360b4d6862d81fcb27d7127c655679a8))
+* **sources/bigquery:** Make credentials scope configurable ([#2210](https://github.com/googleapis/genai-toolbox/issues/2210)) ([a450600](https://github.com/googleapis/genai-toolbox/commit/a4506009b93771b77fb05ae97044f914967e67ed))
+* **sources/trino:** Add ssl verification options and fix docs example ([#2155](https://github.com/googleapis/genai-toolbox/issues/2155)) ([4a4cf1e](https://github.com/googleapis/genai-toolbox/commit/4a4cf1e712b671853678dba99c4dc49dd4fc16a2))
+* **tools/looker:** Add ability to set destination folder with `make_look` and `make_dashboard`. ([#2245](https://github.com/googleapis/genai-toolbox/issues/2245)) ([eb79339](https://github.com/googleapis/genai-toolbox/commit/eb793398cd1cc4006d9808ccda5dc7aea5e92bd5))
+* **tools/postgressql:** Add tool to list store procedure ([#2156](https://github.com/googleapis/genai-toolbox/issues/2156)) ([cf0fc51](https://github.com/googleapis/genai-toolbox/commit/cf0fc515b57d9b84770076f3c0c5597c4597ef62))
+* **tools/postgressql:** Add Parameter `embeddedBy` config support ([#2151](https://github.com/googleapis/genai-toolbox/issues/2151)) ([17b70cc](https://github.com/googleapis/genai-toolbox/commit/17b70ccaa754d15bcc33a1a3ecb7e652520fa600))
+
+
+### Bug Fixes
+
+* **server:** Add `embeddingModel` config initialization ([#2281](https://github.com/googleapis/genai-toolbox/issues/2281)) ([a779975](https://github.com/googleapis/genai-toolbox/commit/a7799757c9345f99b6d2717841fbf792d364e1a2))
+* **sources/cloudgda:** Add import for cloudgda source ([#2217](https://github.com/googleapis/genai-toolbox/issues/2217)) ([7daa411](https://github.com/googleapis/genai-toolbox/commit/7daa4111f4ebfb0a35319fd67a8f7b9f0f99efcf))
+* **tools/alloydb-wait-for-operation:** Fix connection message generation ([#2228](https://github.com/googleapis/genai-toolbox/issues/2228)) ([7053fbb](https://github.com/googleapis/genai-toolbox/commit/7053fbb1953653143d39a8510916ea97a91022a6))
+* **tools/alloydbainl:** Only add psv when NL Config Param is defined ([#2265](https://github.com/googleapis/genai-toolbox/issues/2265)) ([ef8f3b0](https://github.com/googleapis/genai-toolbox/commit/ef8f3b02f2f38ce94a6ba9acf35d08b9469bef4e))
+* **tools/looker:** Looker client OAuth nil pointer error ([#2231](https://github.com/googleapis/genai-toolbox/issues/2231)) ([268700b](https://github.com/googleapis/genai-toolbox/commit/268700bdbf8281de0318d60ca613ed3672990b20))
+
 ## [0.24.0](https://github.com/googleapis/genai-toolbox/compare/v0.23.0...v0.24.0) (2025-12-19)


--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -59,6 +59,13 @@ You can manually trigger the bot by commenting on your Pull Request:
 *   `/gemini summary`: Posts a summary of the changes in the pull request.
 *   `/gemini help`: Overview of the available commands

+## Guidelines for Pull Requests
+
+1. Please keep your PR small for more thorough review and easier updates. In case of regression, it also allows us to roll back a single feature instead of multiple ones.
+1. For non-trivial changes, consider opening an issue and discussing it with the code owners first.
+1. Provide a good PR description as a record of what change is being made and why it was made. Link to a GitHub issue if it exists.
+1. Make sure your code is thoroughly tested with unit tests and integration tests. Remember to clean up the test instances properly in your code to avoid memory leaks.
+
 ## Adding a New Database Source or Tool

 Please create an
@@ -85,11 +92,11 @@ implementation](https://github.com/googleapis/genai-toolbox/blob/main/internal/s
  `newdb.go`. Create a `Config` struct to include all the necessary parameters
  for connecting to the database (e.g., host, port, username, password, database
  name) and a `Source` struct to store necessary parameters for tools (e.g.,
-  Name, Kind, connection object, additional config).
+  Name, Type, connection object, additional config).
 * **Implement the
  [`SourceConfig`](https://github.com/googleapis/genai-toolbox/blob/fd300dc606d88bf9f7bba689e2cee4e3565537dd/internal/sources/sources.go#L57)
  interface**. This interface requires two methods:
-  * `SourceConfigKind() string`: Returns a unique string identifier for your
+  * `SourceConfigType() string`: Returns a unique string identifier for your
    data source (e.g., `"newdb"`).
  * `Initialize(ctx context.Context, tracer trace.Tracer) (Source, error)`:
    Creates a new instance of your data source and establishes a connection to
@@ -97,7 +104,7 @@ implementation](https://github.com/googleapis/genai-toolbox/blob/main/internal/s
 * **Implement the
  [`Source`](https://github.com/googleapis/genai-toolbox/blob/fd300dc606d88bf9f7bba689e2cee4e3565537dd/internal/sources/sources.go#L63)
  interface**. This interface requires one method:
-  * `SourceKind() string`: Returns the same string identifier as `SourceConfigKind()`.
+  * `SourceType() string`: Returns the same string identifier as `SourceConfigType()`.
 * **Implement `init()`** to register the new Source.
 * **Implement Unit Tests** in a file named `newdb_test.go`.

@@ -110,6 +117,8 @@ implementation](https://github.com/googleapis/genai-toolbox/blob/main/internal/s
 We recommend looking at an [example tool
 implementation](https://github.com/googleapis/genai-toolbox/tree/main/internal/tools/postgres/postgressql).

+Remember to keep your PRs small. For example, if you are contributing a new Source, only include one or two core Tools within the same PR, the rest of the Tools can come in subsequent PRs. 
+
 * **Create a new directory** under `internal/tools` for your tool type (e.g., `internal/tools/newdb/newdbtool`).
 * **Define a configuration struct** for your tool in a file named `newdbtool.go`.
 Create a `Config` struct and a `Tool` struct to store necessary parameters for
@@ -117,7 +126,7 @@ tools.
 * **Implement the
  [`ToolConfig`](https://github.com/googleapis/genai-toolbox/blob/fd300dc606d88bf9f7bba689e2cee4e3565537dd/internal/tools/tools.go#L61)
  interface**. This interface requires one method:
-  * `ToolConfigKind() string`: Returns a unique string identifier for your tool
+  * `ToolConfigType() string`: Returns a unique string identifier for your tool
    (e.g., `"newdb-tool"`).
  * `Initialize(sources map[string]Source) (Tool, error)`: Creates a new
    instance of your tool and validates that it can connect to the specified
@@ -163,6 +172,8 @@ tools.
            parameters][temp-param-doc]. Only run this test if template
            parameters apply to your tool.

+* **Add additional tests** for the tools that are not covered by the predefined tests. Every tool must be tested!
+
 * **Add the new database to the integration test workflow** in
  [integration.cloudbuild.yaml](.ci/integration.cloudbuild.yaml).

@@ -232,7 +243,7 @@ resources.
  | style           | Update src code, with only formatting and whitespace updates (e.g. code formatter or linter changes). |

  Pull requests should always add scope whenever possible. The scope is
-  formatted as `<scope-type>/<scope-kind>` (e.g., `sources/postgres`, or
+  formatted as `<scope-resource>/<scope-type>` (e.g., `sources/postgres`, or
  `tools/mssql-sql`).
  
  Ideally, **each PR covers only one scope**, if this is
@@ -244,4 +255,4 @@ resources.
 * **PR Description:** PR description should **always** be included. It should
  include a concise description of the changes, it's impact, along with a
  summary of the solution. If the PR is related to a specific issue, the issue
-  number should be mentioned in the PR description (e.g. `Fixes #1`).
+  number should be mentioned in the PR description (e.g. `Fixes #1`).
--- a/DEVELOPER.md
+++ b/DEVELOPER.md
@@ -379,6 +379,23 @@ to approve PRs for main. TeamSync is used to create this team from the MDB
 Group `toolbox-contributors`. Googlers who are developing for MCP-Toolbox
 but aren't part of the core team should join this group.

+### Issue/PR Triage and SLO
+After an issue is created, maintainers will assign the following labels:
+* `Priority` (defaulted to P0)
+* `Type` (if applicable)
+* `Product` (if applicable)
+
+All incoming issues and PRs will follow the following SLO:
+| Type            | Priority | Objective                                                              |
+|-----------------|----------|------------------------------------------------------------------------|
+| Feature Request | P0       | Must respond within **5 days**                                         |
+| Process         | P0       | Must respond within **5 days**                                         |
+| Bugs            | P0       | Must respond within **5 days**, and resolve/closure within **14 days** |
+| Bugs            | P1       | Must respond within **7 days**, and resolve/closure within **90 days** |
+| Bugs            | P2       | Must respond within **30 days**
+
+_Types that are not listed in the table do not adhere to any SLO._
+
 ### Releasing

 Toolbox has two types of releases: versioned and continuous. It uses Google
--- a/README.md
+++ b/README.md
@@ -140,7 +140,7 @@ To install Toolbox as a binary:
 >
 > ```sh
 > # see releases page for other versions
-> export VERSION=0.24.0
+> export VERSION=0.25.0
 > curl -L -o toolbox https://storage.googleapis.com/genai-toolbox/v$VERSION/linux/amd64/toolbox
 > chmod +x toolbox
 > ```
@@ -153,7 +153,7 @@ To install Toolbox as a binary:
 >
 > ```sh
 > # see releases page for other versions
-> export VERSION=0.24.0
+> export VERSION=0.25.0
 > curl -L -o toolbox https://storage.googleapis.com/genai-toolbox/v$VERSION/darwin/arm64/toolbox
 > chmod +x toolbox
 > ```
@@ -166,7 +166,7 @@ To install Toolbox as a binary:
 >
 > ```sh
 > # see releases page for other versions
-> export VERSION=0.24.0
+> export VERSION=0.25.0
 > curl -L -o toolbox https://storage.googleapis.com/genai-toolbox/v$VERSION/darwin/amd64/toolbox
 > chmod +x toolbox
 > ```
@@ -179,7 +179,7 @@ To install Toolbox as a binary:
 >
 > ```cmd
 > :: see releases page for other versions
-> set VERSION=0.24.0
+> set VERSION=0.25.0
 > curl -o toolbox.exe "https://storage.googleapis.com/genai-toolbox/v%VERSION%/windows/amd64/toolbox.exe"
 > ```
 >
@@ -191,7 +191,7 @@ To install Toolbox as a binary:
 >
 > ```powershell
 > # see releases page for other versions
-> $VERSION = "0.24.0"
+> $VERSION = "0.25.0"
 > curl.exe -o toolbox.exe "https://storage.googleapis.com/genai-toolbox/v$VERSION/windows/amd64/toolbox.exe"
 > ```
 >
@@ -204,7 +204,7 @@ You can also install Toolbox as a container:

 ```sh
 # see releases page for other versions
-export VERSION=0.24.0
+export VERSION=0.25.0
 docker pull us-central1-docker.pkg.dev/database-toolbox/toolbox/toolbox:$VERSION
 ```

@@ -228,7 +228,7 @@ To install from source, ensure you have the latest version of
 [Go installed](https://go.dev/doc/install), and then run the following command:

 ```sh
-go install github.com/googleapis/genai-toolbox@v0.24.0
+go install github.com/googleapis/genai-toolbox@v0.25.0
 ```
 <!-- {x-release-please-end} -->

@@ -272,7 +272,7 @@ To run Toolbox from binary:
 To run the server after pulling the [container image](#installing-the-server):

 ```sh
-export VERSION=0.11.0 # Use the version you pulled
+export VERSION=0.24.0 # Use the version you pulled
 docker run -p 5000:5000 \
 -v $(pwd)/tools.yaml:/app/tools.yaml \
 us-central1-docker.pkg.dev/database-toolbox/toolbox/toolbox:$VERSION \
@@ -954,7 +954,7 @@ For more details on configuring different types of sources, see the
 ### Tools

 The `tools` section of a `tools.yaml` define the actions an agent can take: what
-kind of tool it is, which source(s) it affects, what parameters it uses, etc.
+type of tool it is, which source(s) it affects, what parameters it uses, etc.

 ```yaml
 tools:
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -15,6 +15,7 @@
 package cmd

 import (
+	"bytes"
 	"context"
 	_ "embed"
 	"fmt"
@@ -92,6 +93,7 @@ import (
 	_ "github.com/googleapis/genai-toolbox/internal/tools/cloudhealthcare/cloudhealthcaresearchdicomstudies"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/cloudmonitoring"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/cloudsql/cloudsqlcloneinstance"
+	_ "github.com/googleapis/genai-toolbox/internal/tools/cloudsql/cloudsqlcreatebackup"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/cloudsql/cloudsqlcreatedatabase"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/cloudsql/cloudsqlcreateusers"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/cloudsql/cloudsqlgetinstances"
@@ -215,6 +217,8 @@ import (
 	_ "github.com/googleapis/genai-toolbox/internal/tools/serverlessspark/serverlesssparklistbatches"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/singlestore/singlestoreexecutesql"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/singlestore/singlestoresql"
+	_ "github.com/googleapis/genai-toolbox/internal/tools/snowflake/snowflakeexecutesql"
+	_ "github.com/googleapis/genai-toolbox/internal/tools/snowflake/snowflakesql"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/spanner/spannerexecutesql"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/spanner/spannerlistgraphs"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/spanner/spannerlisttables"
@@ -263,6 +267,7 @@ import (
 	_ "github.com/googleapis/genai-toolbox/internal/sources/redis"
 	_ "github.com/googleapis/genai-toolbox/internal/sources/serverlessspark"
 	_ "github.com/googleapis/genai-toolbox/internal/sources/singlestore"
+	_ "github.com/googleapis/genai-toolbox/internal/sources/snowflake"
 	_ "github.com/googleapis/genai-toolbox/internal/sources/spanner"
 	_ "github.com/googleapis/genai-toolbox/internal/sources/sqlite"
 	_ "github.com/googleapis/genai-toolbox/internal/sources/tidb"
@@ -378,7 +383,9 @@ func NewCommand(opts ...Option) *Command {
 	flags.BoolVar(&cmd.cfg.Stdio, "stdio", false, "Listens via MCP STDIO instead of acting as a remote HTTP server.")
 	flags.BoolVar(&cmd.cfg.DisableReload, "disable-reload", false, "Disables dynamic reloading of tools file.")
 	flags.BoolVar(&cmd.cfg.UI, "ui", false, "Launches the Toolbox UI web server.")
+	// TODO: Insecure by default. Might consider updating this for v1.0.0
 	flags.StringSliceVar(&cmd.cfg.AllowedOrigins, "allowed-origins", []string{"*"}, "Specifies a list of origins permitted to access this server. Defaults to '*'.")
+	flags.StringSliceVar(&cmd.cfg.AllowedHosts, "allowed-hosts", []string{"*"}, "Specifies a list of hosts permitted to access this server. Defaults to '*'.")

 	// wrap RunE command so that we have access to original Command object
 	cmd.RunE = func(*cobra.Command, []string) error { return run(cmd) }
@@ -388,7 +395,6 @@ func NewCommand(opts ...Option) *Command {

 type ToolsFile struct {
 	Sources         server.SourceConfigs         `yaml:"sources"`
-	AuthSources     server.AuthServiceConfigs    `yaml:"authSources"` // Deprecated: Kept for compatibility.
 	AuthServices    server.AuthServiceConfigs    `yaml:"authServices"`
 	EmbeddingModels server.EmbeddingModelConfigs `yaml:"embeddingModels"`
 	Tools           server.ToolConfigs           `yaml:"tools"`
@@ -419,6 +425,106 @@ func parseEnv(input string) (string, error) {
 	return output, err
 }

+func convertToolsFile(ctx context.Context, raw []byte) ([]byte, error) {
+	var input yaml.MapSlice
+	decoder := yaml.NewDecoder(bytes.NewReader(raw), yaml.UseOrderedMap())
+	if err := decoder.Decode(&input); err != nil {
+		return nil, err
+	}
+
+	// Convert raw MapSlice to a helper map for quick lookup
+	// while keeping the values as MapSlices to preserve internal order
+	resourceOrder := []string{}
+	lookup := make(map[string]yaml.MapSlice)
+	for _, item := range input {
+		key, ok := item.Key.(string)
+		if !ok {
+			return nil, fmt.Errorf("unexpected non-string key in input: %v", item.Key)
+		}
+		if slice, ok := item.Value.(yaml.MapSlice); ok {
+			// convert authSources to authServices
+			if key == "authSources" {
+				key = "authServices"
+			}
+			// works even if lookup[key] is nil
+			lookup[key] = append(lookup[key], slice...)
+			// preserving the resource's order of original toolsFile
+			if !slices.Contains(resourceOrder, key) {
+				resourceOrder = append(resourceOrder, key)
+			}
+		} else {
+			// toolsfile is already v2
+			if key == "kind" {
+				return raw, nil
+			}
+			return nil, fmt.Errorf("'%s' is not a map", key)
+		}
+	}
+	// convert to tools file v2
+	var buf bytes.Buffer
+	encoder := yaml.NewEncoder(&buf)
+	for _, kind := range resourceOrder {
+		data, exists := lookup[kind]
+		if !exists {
+			// if this is skipped for all keys, the tools file is in v2
+			continue
+		}
+		// Transform each entry
+		for _, entry := range data {
+			entryName, ok := entry.Key.(string)
+			if !ok {
+				return nil, fmt.Errorf("unexpected non-string key for entry in '%s': %v", kind, entry.Key)
+			}
+			entryBody := ProcessValue(entry.Value, kind == "toolsets")
+
+			transformed := yaml.MapSlice{
+				{Key: "kind", Value: kind},
+				{Key: "name", Value: entryName},
+			}
+
+			// Merge the transformed body into our result
+			if bodySlice, ok := entryBody.(yaml.MapSlice); ok {
+				transformed = append(transformed, bodySlice...)
+			} else {
+				return nil, fmt.Errorf("unable to convert entryBody to MapSlice")
+			}
+
+			if err := encoder.Encode(transformed); err != nil {
+				return nil, err
+			}
+		}
+	}
+	return buf.Bytes(), nil
+}
+
+// ProcessValue recursively looks for MapSlices to rename 'kind' -> 'type'
+func ProcessValue(v any, isToolset bool) any {
+	switch val := v.(type) {
+	case yaml.MapSlice:
+		for i := range val {
+			// Perform renaming
+			if val[i].Key == "kind" {
+				val[i].Key = "type"
+			}
+			// Recursive call for nested values (e.g., nested objects or lists)
+			val[i].Value = ProcessValue(val[i].Value, false)
+		}
+		return val
+	case []any:
+		// Process lists: If it's a toolset top-level list, wrap it.
+		if isToolset {
+			return yaml.MapSlice{{Key: "tools", Value: val}}
+		}
+		// Otherwise, recurse into list items (to catch nested objects)
+		for i := range val {
+			val[i] = ProcessValue(val[i], false)
+		}
+		return val
+	default:
+		return val
+	}
+}
+
 // parseToolsFile parses the provided yaml into appropriate configs.
 func parseToolsFile(ctx context.Context, raw []byte) (ToolsFile, error) {
 	var toolsFile ToolsFile
@@ -429,8 +535,13 @@ func parseToolsFile(ctx context.Context, raw []byte) (ToolsFile, error) {
 	}
 	raw = []byte(output)

+	raw, err = convertToolsFile(ctx, raw)
+	if err != nil {
+		return toolsFile, fmt.Errorf("error converting tools file: %s", err)
+	}
+
 	// Parse contents
-	err = yaml.UnmarshalContext(ctx, raw, &toolsFile, yaml.Strict())
+	toolsFile.Sources, toolsFile.AuthServices, toolsFile.EmbeddingModels, toolsFile.Tools, toolsFile.Toolsets, toolsFile.Prompts, err = server.UnmarshalResourceConfig(ctx, raw)
 	if err != nil {
 		return toolsFile, err
 	}
@@ -462,18 +573,6 @@ func mergeToolsFiles(files ...ToolsFile) (ToolsFile, error) {
 			}
 		}

-		// Check for conflicts and merge authSources (deprecated, but still support)
-		for name, authSource := range file.AuthSources {
-			if _, exists := merged.AuthSources[name]; exists {
-				conflicts = append(conflicts, fmt.Sprintf("authSource '%s' (file #%d)", name, fileIndex+1))
-			} else {
-				if merged.AuthSources == nil {
-					merged.AuthSources = make(server.AuthServiceConfigs)
-				}
-				merged.AuthSources[name] = authSource
-			}
-		}
-
 		// Check for conflicts and merge authServices
 		for name, authService := range file.AuthServices {
 			if _, exists := merged.AuthServices[name]; exists {
@@ -944,24 +1043,11 @@ func run(cmd *Command) error {

 	cmd.cfg.SourceConfigs = finalToolsFile.Sources
 	cmd.cfg.AuthServiceConfigs = finalToolsFile.AuthServices
+	cmd.cfg.EmbeddingModelConfigs = finalToolsFile.EmbeddingModels
 	cmd.cfg.ToolConfigs = finalToolsFile.Tools
 	cmd.cfg.ToolsetConfigs = finalToolsFile.Toolsets
 	cmd.cfg.PromptConfigs = finalToolsFile.Prompts

-	authSourceConfigs := finalToolsFile.AuthSources
-	if authSourceConfigs != nil {
-		cmd.logger.WarnContext(ctx, "`authSources` is deprecated, use `authServices` instead")
-
-		for k, v := range authSourceConfigs {
-			if _, exists := cmd.cfg.AuthServiceConfigs[k]; exists {
-				errMsg := fmt.Errorf("resource conflict detected: authSource '%s' has the same name as an existing authService. Please rename your authSource", k)
-				cmd.logger.ErrorContext(ctx, errMsg.Error())
-				return errMsg
-			}
-			cmd.cfg.AuthServiceConfigs[k] = v
-		}
-	}
-
 	instrumentation, err := telemetry.CreateTelemetryInstrumentation(versionString)
 	if err != nil {
 		errMsg := fmt.Errorf("unable to create telemetry instrumentation: %w", err)
--- a/cmd/root_test.go
+++ b/cmd/root_test.go
@@ -23,12 +23,14 @@ import (
 	"os"
 	"path"
 	"path/filepath"
+	"reflect"
 	"regexp"
 	"runtime"
 	"strings"
 	"testing"
 	"time"

+	yaml "github.com/goccy/go-yaml"
 	"github.com/google/go-cmp/cmp"

 	"github.com/googleapis/genai-toolbox/internal/auth/google"
@@ -67,6 +69,9 @@ func withDefaults(c server.ServerConfig) server.ServerConfig {
 	if c.AllowedOrigins == nil {
 		c.AllowedOrigins = []string{"*"}
 	}
+	if c.AllowedHosts == nil {
+		c.AllowedHosts = []string{"*"}
+	}
 	return c
 }

@@ -220,6 +225,13 @@ func TestServerConfigFlags(t *testing.T) {
 				AllowedOrigins: []string{"http://foo.com", "http://bar.com"},
 			}),
 		},
+		{
+			desc: "allowed hosts",
+			args: []string{"--allowed-hosts", "http://foo.com,http://bar.com"},
+			want: withDefaults(server.ServerConfig{
+				AllowedHosts: []string{"http://foo.com", "http://bar.com"},
+			}),
+		},
 	}
 	for _, tc := range tcs {
 		t.Run(tc.desc, func(t *testing.T) {
@@ -484,6 +496,309 @@ func TestDefaultLogLevel(t *testing.T) {
 	}
 }

+func TestConvertToolsFile(t *testing.T) {
+	ctx, cancelCtx := context.WithTimeout(context.Background(), time.Minute)
+	defer cancelCtx()
+	pr, pw := io.Pipe()
+	defer pw.Close()
+	defer pr.Close()
+
+	logger, err := log.NewStdLogger(pw, pw, "DEBUG")
+	if err != nil {
+		t.Fatalf("failed to setup logger %s", err)
+	}
+	ctx = util.WithLogger(ctx, logger)
+
+	tcs := []struct {
+		desc   string
+		in     string
+		want   string
+		isErr  bool
+		errStr string
+	}{
+		{
+			desc: "basic convert",
+			in: `
+            sources:
+                my-pg-instance:
+                    kind: cloud-sql-postgres
+                    project: my-project
+                    region: my-region
+                    instance: my-instance
+                    database: my_db
+                    user: my_user
+                    password: my_pass
+            authServices:
+                my-google-auth:
+                    kind: google
+                    clientId: testing-id
+            tools:
+                example_tool:
+                    kind: postgres-sql
+                    source: my-pg-instance
+                    description: some description
+                    statement: |
+                      SELECT * FROM SQL_STATEMENT;
+                    parameters:
+                        - name: country
+                          type: string
+                          description: some description
+            toolsets:
+                example_toolset:
+                    - example_tool
+            prompts:
+                code_review:
+                    description: ask llm to analyze code quality
+                    messages:
+                      - content: "please review the following code for quality: {{.code}}"
+                    arguments:
+                        - name: code
+                          description: the code to review
+            embeddingModels:
+                gemini-model:
+                    kind: gemini
+                    model: gemini-embedding-001
+                    apiKey: some-key
+                    dimension: 768`,
+			want: `
+kind: sources
+name: my-pg-instance
+type: cloud-sql-postgres
+project: my-project
+region: my-region
+instance: my-instance
+database: my_db
+user: my_user
+password: my_pass
+---
+kind: authServices
+name: my-google-auth
+type: google
+clientId: testing-id
+---
+kind: tools
+name: example_tool
+type: postgres-sql
+source: my-pg-instance
+description: some description
+statement: |
+    SELECT * FROM SQL_STATEMENT;
+parameters:
+- name: country
+  type: string
+  description: some description
+---
+kind: toolsets
+name: example_toolset
+tools:
+- example_tool
+---
+kind: prompts
+name: code_review
+description: ask llm to analyze code quality
+messages:
+- content: "please review the following code for quality: {{.code}}"
+arguments:
+- name: code
+  description: the code to review
+---
+kind: embeddingModels
+name: gemini-model
+type: gemini
+model: gemini-embedding-001
+apiKey: some-key
+dimension: 768`,
+		},
+		{
+			desc: "preserve resource order with grouping",
+			in: `
+            tools:
+                example_tool:
+                    kind: postgres-sql
+                    source: my-pg-instance
+                    description: some description
+                    statement: |
+                        SELECT * FROM SQL_STATEMENT;
+                    parameters:
+                        - name: country
+                          type: string
+                          description: some description
+            sources:
+                my-pg-instance:
+                    kind: cloud-sql-postgres
+                    project: my-project
+                    region: my-region
+                    instance: my-instance
+                    database: my_db
+                    user: my_user
+                    password: my_pass
+            authServices:
+                my-google-auth:
+                    kind: google
+                    clientId: testing-id
+            toolsets:
+                example_toolset:
+                    - example_tool
+            authSources:
+                my-google-auth:
+                    kind: google
+                    clientId: testing-id`,
+			want: `
+kind: tools
+name: example_tool
+type: postgres-sql
+source: my-pg-instance
+description: some description
+statement: |
+    SELECT * FROM SQL_STATEMENT;
+parameters:
+- name: country
+  type: string
+  description: some description
+---
+kind: sources
+name: my-pg-instance
+type: cloud-sql-postgres
+project: my-project
+region: my-region
+instance: my-instance
+database: my_db
+user: my_user
+password: my_pass
+---
+kind: authServices
+name: my-google-auth
+type: google
+clientId: testing-id
+---
+kind: authServices
+name: my-google-auth
+type: google
+clientId: testing-id
+---
+kind: toolsets
+name: example_toolset
+tools:
+- example_tool`,
+		},
+		{
+			desc: "no convertion needed",
+			in: `
+kind: sources
+name: my-pg-instance
+type: cloud-sql-postgres
+project: my-project
+region: my-region
+instance: my-instance
+database: my_db
+user: my_user
+password: my_pass
+---
+kind: tools
+name: example_tool
+type: postgres-sql
+source: my-pg-instance
+description: some description
+statement: |
+    SELECT * FROM SQL_STATEMENT;
+parameters:
+- name: country
+  type: string
+  description: some description
+---
+kind: toolsets
+name: example_toolset
+tools:
+- example_tool`,
+			want: `
+kind: sources
+name: my-pg-instance
+type: cloud-sql-postgres
+project: my-project
+region: my-region
+instance: my-instance
+database: my_db
+user: my_user
+password: my_pass
+---
+kind: tools
+name: example_tool
+type: postgres-sql
+source: my-pg-instance
+description: some description
+statement: |
+    SELECT * FROM SQL_STATEMENT;
+parameters:
+- name: country
+  type: string
+  description: some description
+---
+kind: toolsets
+name: example_toolset
+tools:
+- example_tool`,
+		},
+		{
+			desc:   "invalid source",
+			in:     `sources: invalid`,
+			isErr:  true,
+			errStr: "'sources' is not a map",
+		},
+		{
+			desc:   "invalid toolset",
+			in:     `toolsets: invalid`,
+			isErr:  true,
+			errStr: "'toolsets' is not a map",
+		},
+	}
+	for _, tc := range tcs {
+		t.Run(tc.desc, func(t *testing.T) {
+			output, err := convertToolsFile(ctx, []byte(tc.in))
+			if tc.isErr {
+				if err == nil {
+					t.Fatalf("missing error: %s", tc.errStr)
+				}
+				if err.Error() != tc.errStr {
+					t.Fatalf("invalid error string: got %s, want %s", err, tc.errStr)
+				}
+				return
+			}
+			if err != nil {
+				t.Fatalf("unexpected error: %s", err)
+			}
+
+			var docs1, docs2 []yaml.MapSlice
+			if docs1, err = decodeToMapSlice(string(output)); err != nil {
+				t.Fatalf("error decoding output: %s", err)
+			}
+			if docs2, err = decodeToMapSlice(tc.want); err != nil {
+				t.Fatalf("Error decoding want: %s", err)
+			}
+			if !reflect.DeepEqual(docs1, docs2) {
+				t.Fatalf("incorrect output: got %s, want %s", string(output), tc.want)
+			}
+		})
+	}
+}
+
+func decodeToMapSlice(data string) ([]yaml.MapSlice, error) {
+	// ensures that the order is correct
+	var docs []yaml.MapSlice
+	decoder := yaml.NewDecoder(strings.NewReader(data))
+	for {
+		var doc yaml.MapSlice
+		err := decoder.Decode(&doc)
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return nil, err
+		}
+		docs = append(docs, doc)
+	}
+	return docs, nil
+}
+
 func TestParseToolFile(t *testing.T) {
 	ctx, err := testutils.ContextWithNewLogger()
 	if err != nil {
@@ -495,7 +810,7 @@ func TestParseToolFile(t *testing.T) {
 		wantToolsFile ToolsFile
 	}{
 		{
-			description: "basic example",
+			description: "basic example tools file v1",
 			in: `
 			sources:
 				my-pg-instance:
@@ -525,7 +840,7 @@ func TestParseToolFile(t *testing.T) {
 				Sources: server.SourceConfigs{
 					"my-pg-instance": cloudsqlpgsrc.Config{
 						Name:     "my-pg-instance",
-						Kind:     cloudsqlpgsrc.SourceKind,
+						Type:     cloudsqlpgsrc.SourceType,
 						Project:  "my-project",
 						Region:   "my-region",
 						Instance: "my-instance",
@@ -538,7 +853,7 @@ func TestParseToolFile(t *testing.T) {
 				Tools: server.ToolConfigs{
 					"example_tool": postgressql.Config{
 						Name:        "example_tool",
-						Kind:        "postgres-sql",
+						Type:        "postgres-sql",
 						Source:      "my-pg-instance",
 						Description: "some description",
 						Statement:   "SELECT * FROM SQL_STATEMENT;\n",
@@ -558,7 +873,121 @@ func TestParseToolFile(t *testing.T) {
 			},
 		},
 		{
-			description: "with prompts example",
+			description: "basic example tools file v2",
+			in: `
+			kind: sources
+			name: my-pg-instance
+			type: cloud-sql-postgres
+			project: my-project
+			region: my-region
+			instance: my-instance
+			database: my_db
+			user: my_user
+			password: my_pass
+---
+			kind: authServices
+			name: my-google-auth
+			type: google
+			clientId: testing-id
+---
+			kind: embeddingModels
+			name: gemini-model
+			type: gemini
+			model: gemini-embedding-001
+			apiKey: some-key
+			dimension: 768
+---
+			kind: tools
+			name: example_tool
+			type: postgres-sql
+			source: my-pg-instance
+			description: some description
+			statement: |
+				SELECT * FROM SQL_STATEMENT;
+			parameters:
+			- name: country
+			  type: string
+			  description: some description
+---
+			kind: toolsets
+			name: example_toolset
+			tools:
+			- example_tool
+---
+			kind: prompts
+			name: code_review
+			description: ask llm to analyze code quality
+			messages:
+			- content: "please review the following code for quality: {{.code}}"
+			arguments:
+			- name: code
+			  description: the code to review
+			`,
+			wantToolsFile: ToolsFile{
+				Sources: server.SourceConfigs{
+					"my-pg-instance": cloudsqlpgsrc.Config{
+						Name:     "my-pg-instance",
+						Type:     cloudsqlpgsrc.SourceType,
+						Project:  "my-project",
+						Region:   "my-region",
+						Instance: "my-instance",
+						IPType:   "public",
+						Database: "my_db",
+						User:     "my_user",
+						Password: "my_pass",
+					},
+				},
+				AuthServices: server.AuthServiceConfigs{
+					"my-google-auth": google.Config{
+						Name:     "my-google-auth",
+						Type:     google.AuthServiceType,
+						ClientID: "testing-id",
+					},
+				},
+				EmbeddingModels: server.EmbeddingModelConfigs{
+					"gemini-model": gemini.Config{
+						Name:      "gemini-model",
+						Type:      gemini.EmbeddingModelType,
+						Model:     "gemini-embedding-001",
+						ApiKey:    "some-key",
+						Dimension: 768,
+					},
+				},
+				Tools: server.ToolConfigs{
+					"example_tool": postgressql.Config{
+						Name:        "example_tool",
+						Type:        "postgres-sql",
+						Source:      "my-pg-instance",
+						Description: "some description",
+						Statement:   "SELECT * FROM SQL_STATEMENT;\n",
+						Parameters: []parameters.Parameter{
+							parameters.NewStringParameter("country", "some description"),
+						},
+						AuthRequired: []string{},
+					},
+				},
+				Toolsets: server.ToolsetConfigs{
+					"example_toolset": tools.ToolsetConfig{
+						Name:      "example_toolset",
+						ToolNames: []string{"example_tool"},
+					},
+				},
+				Prompts: server.PromptConfigs{
+					"code_review": custom.Config{
+						Name:        "code_review",
+						Description: "ask llm to analyze code quality",
+						Arguments: prompts.Arguments{
+							{Parameter: parameters.NewStringParameter("code", "the code to review")},
+						},
+						Messages: []prompts.Message{
+							{Role: "user", Content: "please review the following code for quality: {{.code}}"},
+						},
+					},
+				},
+			},
+		},
+		{
+			description: "only prompts",
 			in: `
            prompts:
                my-prompt:
@@ -679,7 +1108,7 @@ func TestParseToolFileWithAuth(t *testing.T) {
 				Sources: server.SourceConfigs{
 					"my-pg-instance": cloudsqlpgsrc.Config{
 						Name:     "my-pg-instance",
-						Kind:     cloudsqlpgsrc.SourceKind,
+						Type:     cloudsqlpgsrc.SourceType,
 						Project:  "my-project",
 						Region:   "my-region",
 						Instance: "my-instance",
@@ -692,19 +1121,19 @@ func TestParseToolFileWithAuth(t *testing.T) {
 				AuthServices: server.AuthServiceConfigs{
 					"my-google-service": google.Config{
 						Name:     "my-google-service",
-						Kind:     google.AuthServiceKind,
+						Type:     google.AuthServiceType,
 						ClientID: "my-client-id",
 					},
 					"other-google-service": google.Config{
 						Name:     "other-google-service",
-						Kind:     google.AuthServiceKind,
+						Type:     google.AuthServiceType,
 						ClientID: "other-client-id",
 					},
 				},
 				Tools: server.ToolConfigs{
 					"example_tool": postgressql.Config{
 						Name:         "example_tool",
-						Kind:         "postgres-sql",
+						Type:         "postgres-sql",
 						Source:       "my-pg-instance",
 						Description:  "some description",
 						Statement:    "SELECT * FROM SQL_STATEMENT;\n",
@@ -779,7 +1208,7 @@ func TestParseToolFileWithAuth(t *testing.T) {
 				Sources: server.SourceConfigs{
 					"my-pg-instance": cloudsqlpgsrc.Config{
 						Name:     "my-pg-instance",
-						Kind:     cloudsqlpgsrc.SourceKind,
+						Type:     cloudsqlpgsrc.SourceType,
 						Project:  "my-project",
 						Region:   "my-region",
 						Instance: "my-instance",
@@ -789,22 +1218,22 @@ func TestParseToolFileWithAuth(t *testing.T) {
 						Password: "my_pass",
 					},
 				},
-				AuthSources: server.AuthServiceConfigs{
+				AuthServices: server.AuthServiceConfigs{
 					"my-google-service": google.Config{
 						Name:     "my-google-service",
-						Kind:     google.AuthServiceKind,
+						Type:     google.AuthServiceType,
 						ClientID: "my-client-id",
 					},
 					"other-google-service": google.Config{
 						Name:     "other-google-service",
-						Kind:     google.AuthServiceKind,
+						Type:     google.AuthServiceType,
 						ClientID: "other-client-id",
 					},
 				},
 				Tools: server.ToolConfigs{
 					"example_tool": postgressql.Config{
 						Name:         "example_tool",
-						Kind:         "postgres-sql",
+						Type:         "postgres-sql",
 						Source:       "my-pg-instance",
 						Description:  "some description",
 						Statement:    "SELECT * FROM SQL_STATEMENT;\n",
@@ -881,7 +1310,7 @@ func TestParseToolFileWithAuth(t *testing.T) {
 				Sources: server.SourceConfigs{
 					"my-pg-instance": cloudsqlpgsrc.Config{
 						Name:     "my-pg-instance",
-						Kind:     cloudsqlpgsrc.SourceKind,
+						Type:     cloudsqlpgsrc.SourceType,
 						Project:  "my-project",
 						Region:   "my-region",
 						Instance: "my-instance",
@@ -894,19 +1323,19 @@ func TestParseToolFileWithAuth(t *testing.T) {
 				AuthServices: server.AuthServiceConfigs{
 					"my-google-service": google.Config{
 						Name:     "my-google-service",
-						Kind:     google.AuthServiceKind,
+						Type:     google.AuthServiceType,
 						ClientID: "my-client-id",
 					},
 					"other-google-service": google.Config{
 						Name:     "other-google-service",
-						Kind:     google.AuthServiceKind,
+						Type:     google.AuthServiceType,
 						ClientID: "other-client-id",
 					},
 				},
 				Tools: server.ToolConfigs{
 					"example_tool": postgressql.Config{
 						Name:         "example_tool",
-						Kind:         "postgres-sql",
+						Type:         "postgres-sql",
 						Source:       "my-pg-instance",
 						Description:  "some description",
 						Statement:    "SELECT * FROM SQL_STATEMENT;\n",
@@ -1052,7 +1481,7 @@ func TestEnvVarReplacement(t *testing.T) {
 				Sources: server.SourceConfigs{
 					"my-http-instance": httpsrc.Config{
 						Name:           "my-http-instance",
-						Kind:           httpsrc.SourceKind,
+						Type:           httpsrc.SourceType,
 						BaseURL:        "http://test_server/",
 						Timeout:        "10s",
 						DefaultHeaders: map[string]string{"Authorization": "ACTUAL_HEADER"},
@@ -1062,19 +1491,19 @@ func TestEnvVarReplacement(t *testing.T) {
 				AuthServices: server.AuthServiceConfigs{
 					"my-google-service": google.Config{
 						Name:     "my-google-service",
-						Kind:     google.AuthServiceKind,
+						Type:     google.AuthServiceType,
 						ClientID: "ACTUAL_CLIENT_ID",
 					},
 					"other-google-service": google.Config{
 						Name:     "other-google-service",
-						Kind:     google.AuthServiceKind,
+						Type:     google.AuthServiceType,
 						ClientID: "ACTUAL_CLIENT_ID_2",
 					},
 				},
 				Tools: server.ToolConfigs{
 					"example_tool": http.Config{
 						Name:         "example_tool",
-						Kind:         "http",
+						Type:         "http",
 						Source:       "my-instance",
 						Method:       "GET",
 						Path:         "search?name=alice&pet=cat",
@@ -1352,6 +1781,7 @@ func TestPrebuiltTools(t *testing.T) {
 	cloudsqlmssqlobsvconfig, _ := prebuiltconfigs.Get("cloud-sql-mssql-observability")
 	serverless_spark_config, _ := prebuiltconfigs.Get("serverless-spark")
 	cloudhealthcare_config, _ := prebuiltconfigs.Get("cloud-healthcare")
+	snowflake_config, _ := prebuiltconfigs.Get("snowflake")

 	// Set environment variables
 	t.Setenv("API_KEY", "your_api_key")
@@ -1449,6 +1879,14 @@ func TestPrebuiltTools(t *testing.T) {
 	t.Setenv("CLOUD_HEALTHCARE_REGION", "your_gcp_region")
 	t.Setenv("CLOUD_HEALTHCARE_DATASET", "your_healthcare_dataset")

+	t.Setenv("SNOWFLAKE_ACCOUNT", "your_account")
+	t.Setenv("SNOWFLAKE_USER", "your_username")
+	t.Setenv("SNOWFLAKE_PASSWORD", "your_pass")
+	t.Setenv("SNOWFLAKE_DATABASE", "your_db")
+	t.Setenv("SNOWFLAKE_SCHEMA", "your_schema")
+	t.Setenv("SNOWFLAKE_WAREHOUSE", "your_wh")
+	t.Setenv("SNOWFLAKE_ROLE", "your_role")
+
 	ctx, err := testutils.ContextWithNewLogger()
 	if err != nil {
 		t.Fatalf("unexpected error: %s", err)
@@ -1474,7 +1912,7 @@ func TestPrebuiltTools(t *testing.T) {
 			wantToolset: server.ToolsetConfigs{
 				"cloud_sql_postgres_admin_tools": tools.ToolsetConfig{
 					Name:      "cloud_sql_postgres_admin_tools",
-					ToolNames: []string{"create_instance", "get_instance", "list_instances", "create_database", "list_databases", "create_user", "wait_for_operation", "postgres_upgrade_precheck", "clone_instance"},
+					ToolNames: []string{"create_instance", "get_instance", "list_instances", "create_database", "list_databases", "create_user", "wait_for_operation", "postgres_upgrade_precheck", "clone_instance", "create_backup"},
 				},
 			},
 		},
@@ -1484,7 +1922,7 @@ func TestPrebuiltTools(t *testing.T) {
 			wantToolset: server.ToolsetConfigs{
 				"cloud_sql_mysql_admin_tools": tools.ToolsetConfig{
 					Name:      "cloud_sql_mysql_admin_tools",
-					ToolNames: []string{"create_instance", "get_instance", "list_instances", "create_database", "list_databases", "create_user", "wait_for_operation", "clone_instance"},
+					ToolNames: []string{"create_instance", "get_instance", "list_instances", "create_database", "list_databases", "create_user", "wait_for_operation", "clone_instance", "create_backup"},
 				},
 			},
 		},
@@ -1494,7 +1932,7 @@ func TestPrebuiltTools(t *testing.T) {
 			wantToolset: server.ToolsetConfigs{
 				"cloud_sql_mssql_admin_tools": tools.ToolsetConfig{
 					Name:      "cloud_sql_mssql_admin_tools",
-					ToolNames: []string{"create_instance", "get_instance", "list_instances", "create_database", "list_databases", "create_user", "wait_for_operation", "clone_instance"},
+					ToolNames: []string{"create_instance", "get_instance", "list_instances", "create_database", "list_databases", "create_user", "wait_for_operation", "clone_instance", "create_backup"},
 				},
 			},
 		},
@@ -1746,6 +2184,16 @@ func TestPrebuiltTools(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "Snowflake prebuilt tool",
+			in:   snowflake_config,
+			wantToolset: server.ToolsetConfigs{
+				"snowflake_tools": tools.ToolsetConfig{
+					Name:      "snowflake_tools",
+					ToolNames: []string{"execute_sql", "list_tables"},
+				},
+			},
+		},
 	}

 	for _, tc := range tcs {
--- a/cmd/test.db
+++ b/cmd/test.db
--- a/cmd/version.txt
+++ b/cmd/version.txt
@@ -1 +1 @@
-0.24.0
+0.25.0
--- a/docs/en/blogs/_index.md
+++ b/docs/en/blogs/_index.md
@@ -0,0 +1,18 @@
+---
+title: "Featured Articles"
+weight: 3
+description: Toolbox Medium Blogs
+manualLink: "https://medium.com/@mcp_toolbox"
+manualLinkTarget: _blank
+---
+
+<html>
+  <head>
+    <title>Redirecting to Featured Articles</title>
+    <link rel="canonical" href="https://medium.com/@mcp_toolbox"/>
+    <meta http-equiv="refresh" content="0;url=https://medium.com/@mcp_toolbox"/>
+  </head>
+  <body>
+    <p>If you are not automatically redirected, please <a href="https://medium.com/@mcp_toolbox">follow this link to our articles</a>.</p>
+  </body>
+</html>
--- a/docs/en/getting-started/colab_quickstart.ipynb
+++ b/docs/en/getting-started/colab_quickstart.ipynb
@@ -234,7 +234,7 @@
      },
      "outputs": [],
      "source": [
-        "version = \"0.24.0\" # x-release-please-version\n",
+        "version = \"0.25.0\" # x-release-please-version\n",
        "! curl -O https://storage.googleapis.com/genai-toolbox/v{version}/linux/amd64/toolbox\n",
        "\n",
        "# Make the binary executable\n",
--- a/docs/en/getting-started/introduction/_index.md
+++ b/docs/en/getting-started/introduction/_index.md
@@ -103,7 +103,7 @@ To install Toolbox as a binary on Linux (AMD64):

 ```sh
 # see releases page for other versions
-export VERSION=0.24.0
+export VERSION=0.25.0
 curl -L -o toolbox https://storage.googleapis.com/genai-toolbox/v$VERSION/linux/amd64/toolbox
 chmod +x toolbox
 ```
@@ -114,7 +114,7 @@ To install Toolbox as a binary on macOS (Apple Silicon):

 ```sh
 # see releases page for other versions
-export VERSION=0.24.0
+export VERSION=0.25.0
 curl -L -o toolbox https://storage.googleapis.com/genai-toolbox/v$VERSION/darwin/arm64/toolbox
 chmod +x toolbox
 ```
@@ -125,7 +125,7 @@ To install Toolbox as a binary on macOS (Intel):

 ```sh
 # see releases page for other versions
-export VERSION=0.24.0
+export VERSION=0.25.0
 curl -L -o toolbox https://storage.googleapis.com/genai-toolbox/v$VERSION/darwin/amd64/toolbox
 chmod +x toolbox
 ```
@@ -136,7 +136,7 @@ To install Toolbox as a binary on Windows (Command Prompt):

 ```cmd
 :: see releases page for other versions
-set VERSION=0.24.0
+set VERSION=0.25.0
 curl -o toolbox.exe "https://storage.googleapis.com/genai-toolbox/v%VERSION%/windows/amd64/toolbox.exe"
 ```

@@ -146,7 +146,7 @@ To install Toolbox as a binary on Windows (PowerShell):

 ```powershell
 # see releases page for other versions
-$VERSION = "0.24.0"
+$VERSION = "0.25.0"
 curl.exe -o toolbox.exe "https://storage.googleapis.com/genai-toolbox/v$VERSION/windows/amd64/toolbox.exe"
 ```

@@ -158,7 +158,7 @@ You can also install Toolbox as a container:

 ```sh
 # see releases page for other versions
-export VERSION=0.24.0
+export VERSION=0.25.0
 docker pull us-central1-docker.pkg.dev/database-toolbox/toolbox/toolbox:$VERSION
 ```

@@ -177,7 +177,7 @@ To install from source, ensure you have the latest version of
 [Go installed](https://go.dev/doc/install), and then run the following command:

 ```sh
-go install github.com/googleapis/genai-toolbox@v0.24.0
+go install github.com/googleapis/genai-toolbox@v0.25.0
 ```

 {{% /tab %}}
--- a/docs/en/getting-started/mcp_quickstart/_index.md
+++ b/docs/en/getting-started/mcp_quickstart/_index.md
@@ -105,7 +105,7 @@ In this section, we will download Toolbox, configure our tools in a
    <!-- {x-release-please-start-version} -->
    ```bash
    export OS="linux/amd64" # one of linux/amd64, darwin/arm64, darwin/amd64, or windows/amd64
-    curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/$OS/toolbox
+    curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/$OS/toolbox
    ```
    <!-- {x-release-please-end} -->

--- a/docs/en/getting-started/quickstart/js/genAI/package-lock.json
+++ b/docs/en/getting-started/quickstart/js/genAI/package-lock.json
@@ -569,11 +569,12 @@
      }
    },
    "node_modules/jws": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/jws/-/jws-4.0.0.tgz",
-      "integrity": "sha512-KDncfTmOZoOMTFG4mBlG0qUIOlc03fmzH+ru6RgYVZhPkyiy/92Owlt/8UEN+a4TXR1FQetfIpJE8ApdvdVxTg==",
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/jws/-/jws-4.0.1.tgz",
+      "integrity": "sha512-EKI/M/yqPncGUUh44xz0PxSidXFr/+r0pA70+gIYhjv+et7yxM+s29Y+VGDkovRofQem0fs7Uvf4+YmAdyRduA==",
+      "license": "MIT",
      "dependencies": {
-        "jwa": "^2.0.0",
+        "jwa": "^2.0.1",
        "safe-buffer": "^5.0.1"
      }
    },
--- a/docs/en/getting-started/quickstart/js/llamaindex/package-lock.json
+++ b/docs/en/getting-started/quickstart/js/llamaindex/package-lock.json
@@ -882,11 +882,12 @@
      }
    },
    "node_modules/jws": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/jws/-/jws-4.0.0.tgz",
-      "integrity": "sha512-KDncfTmOZoOMTFG4mBlG0qUIOlc03fmzH+ru6RgYVZhPkyiy/92Owlt/8UEN+a4TXR1FQetfIpJE8ApdvdVxTg==",
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/jws/-/jws-4.0.1.tgz",
+      "integrity": "sha512-EKI/M/yqPncGUUh44xz0PxSidXFr/+r0pA70+gIYhjv+et7yxM+s29Y+VGDkovRofQem0fs7Uvf4+YmAdyRduA==",
+      "license": "MIT",
      "dependencies": {
-        "jwa": "^2.0.0",
+        "jwa": "^2.0.1",
        "safe-buffer": "^5.0.1"
      }
    },
--- a/docs/en/getting-started/quickstart/python/core/requirements.txt
+++ b/docs/en/getting-started/quickstart/python/core/requirements.txt
@@ -1,3 +1,3 @@
-google-genai==1.56.0
+google-genai==1.57.0
 toolbox-core==0.5.4
 pytest==9.0.2
--- a/docs/en/getting-started/quickstart/python/langchain/requirements.txt
+++ b/docs/en/getting-started/quickstart/python/langchain/requirements.txt
@@ -1,5 +1,5 @@
-langchain==1.2.0
-langchain-google-vertexai==3.2.0
+langchain==1.2.2
+langchain-google-vertexai==3.2.1
 langgraph==1.0.5
 toolbox-langchain==0.5.4
 pytest==9.0.2
--- a/docs/en/getting-started/quickstart/shared/configure_toolbox.md
+++ b/docs/en/getting-started/quickstart/shared/configure_toolbox.md
@@ -13,7 +13,7 @@ In this section, we will download Toolbox, configure our tools in a
    <!-- {x-release-please-start-version} -->
    ```bash
    export OS="linux/amd64" # one of linux/amd64, darwin/arm64, darwin/amd64, or windows/amd64
-    curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/$OS/toolbox
+    curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/$OS/toolbox
    ```
    <!-- {x-release-please-end} -->

--- a/docs/en/how-to/connect-ide/cloud_sql_mssql_admin_mcp.md
+++ b/docs/en/how-to/connect-ide/cloud_sql_mssql_admin_mcp.md
@@ -48,6 +48,7 @@ instance, database and users:
    * `roles/cloudsql.editor`: Provides permissions to manage existing resources.
        * All `viewer` tools
        * `create_database`
+        * `create_backup`
    * `roles/cloudsql.admin`: Provides full control over all resources.
        * All `editor` and `viewer` tools
        * `create_instance`
@@ -299,6 +300,7 @@ instances and interacting with your database:
 * **create_user**: Creates a new user in a Cloud SQL instance.
 * **wait_for_operation**: Waits for a Cloud SQL operation to complete.
 * **clone_instance**: Creates a clone of an existing Cloud SQL for SQL Server instance.
+* **create_backup**: Creates a backup on a Cloud SQL instance.

 {{< notice note >}}
 Prebuilt tools are pre-1.0, so expect some tool changes between versions. LLMs
--- a/docs/en/how-to/connect-ide/cloud_sql_mysql_admin_mcp.md
+++ b/docs/en/how-to/connect-ide/cloud_sql_mysql_admin_mcp.md
@@ -48,6 +48,7 @@ database and users:
    * `roles/cloudsql.editor`: Provides permissions to manage existing resources.
        * All `viewer` tools
        * `create_database`
+        * `create_backup`
    * `roles/cloudsql.admin`: Provides full control over all resources.
        * All `editor` and `viewer` tools
        * `create_instance`
@@ -299,6 +300,7 @@ instances and interacting with your database:
 * **create_user**: Creates a new user in a Cloud SQL instance.
 * **wait_for_operation**: Waits for a Cloud SQL operation to complete.
 * **clone_instance**: Creates a clone of an existing Cloud SQL for MySQL instance.
+* **create_backup**: Creates a backup on a Cloud SQL instance.

 {{< notice note >}}
 Prebuilt tools are pre-1.0, so expect some tool changes between versions. LLMs
--- a/docs/en/how-to/connect-ide/cloud_sql_pg_admin_mcp.md
+++ b/docs/en/how-to/connect-ide/cloud_sql_pg_admin_mcp.md
@@ -48,6 +48,7 @@ instance, database and users:
    * `roles/cloudsql.editor`: Provides permissions to manage existing resources.
        * All `viewer` tools
        * `create_database`
+        * `create_backup`
    * `roles/cloudsql.admin`: Provides full control over all resources.
        * All `editor` and `viewer` tools
        * `create_instance`
@@ -299,6 +300,7 @@ instances and interacting with your database:
 * **create_user**: Creates a new user in a Cloud SQL instance.
 * **wait_for_operation**: Waits for a Cloud SQL operation to complete.
 * **clone_instance**: Creates a clone of an existing Cloud SQL for PostgreSQL instance.
+* **create_backup**: Creates a backup on a Cloud SQL instance.

 {{< notice note >}}
 Prebuilt tools are pre-1.0, so expect some tool changes between versions. LLMs
--- a/docs/en/how-to/connect-ide/looker_mcp.md
+++ b/docs/en/how-to/connect-ide/looker_mcp.md
@@ -100,19 +100,19 @@ After you install Looker in the MCP Store, resources and tools from the server a

 {{< tabpane persist=header >}}
 {{< tab header="linux/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/linux/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/linux/amd64/toolbox
 {{< /tab >}}

 {{< tab header="darwin/arm64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/darwin/arm64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/darwin/arm64/toolbox
 {{< /tab >}}

 {{< tab header="darwin/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/darwin/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/darwin/amd64/toolbox
 {{< /tab >}}

 {{< tab header="windows/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/windows/amd64/toolbox.exe
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/windows/amd64/toolbox.exe
 {{< /tab >}}
 {{< /tabpane >}}
    <!-- {x-release-please-end} -->
--- a/docs/en/how-to/connect-ide/mssql_mcp.md
+++ b/docs/en/how-to/connect-ide/mssql_mcp.md
@@ -45,19 +45,19 @@ instance:
   <!-- {x-release-please-start-version} -->
   {{< tabpane persist=header >}}
 {{< tab header="linux/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/linux/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/linux/amd64/toolbox
 {{< /tab >}}

 {{< tab header="darwin/arm64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/darwin/arm64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/darwin/arm64/toolbox
 {{< /tab >}}

 {{< tab header="darwin/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/darwin/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/darwin/amd64/toolbox
 {{< /tab >}}

 {{< tab header="windows/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/windows/amd64/toolbox.exe
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/windows/amd64/toolbox.exe
 {{< /tab >}}
 {{< /tabpane >}}
    <!-- {x-release-please-end} -->
--- a/docs/en/how-to/connect-ide/mysql_mcp.md
+++ b/docs/en/how-to/connect-ide/mysql_mcp.md
@@ -43,19 +43,19 @@ expose your developer assistant tools to a MySQL instance:
   <!-- {x-release-please-start-version} -->
   {{< tabpane persist=header >}}
 {{< tab header="linux/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/linux/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/linux/amd64/toolbox
 {{< /tab >}}

 {{< tab header="darwin/arm64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/darwin/arm64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/darwin/arm64/toolbox
 {{< /tab >}}

 {{< tab header="darwin/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/darwin/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/darwin/amd64/toolbox
 {{< /tab >}}

 {{< tab header="windows/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/windows/amd64/toolbox.exe
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/windows/amd64/toolbox.exe
 {{< /tab >}}
 {{< /tabpane >}}
    <!-- {x-release-please-end} -->
--- a/docs/en/how-to/connect-ide/neo4j_mcp.md
+++ b/docs/en/how-to/connect-ide/neo4j_mcp.md
@@ -44,19 +44,19 @@ expose your developer assistant tools to a Neo4j instance:
   <!-- {x-release-please-start-version} -->
   {{< tabpane persist=header >}}
 {{< tab header="linux/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/linux/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/linux/amd64/toolbox
 {{< /tab >}}

 {{< tab header="darwin/arm64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/darwin/arm64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/darwin/arm64/toolbox
 {{< /tab >}}

 {{< tab header="darwin/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/darwin/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/darwin/amd64/toolbox
 {{< /tab >}}

 {{< tab header="windows/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/windows/amd64/toolbox.exe
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/windows/amd64/toolbox.exe
 {{< /tab >}}
 {{< /tabpane >}}
    <!-- {x-release-please-end} -->
--- a/docs/en/how-to/connect-ide/postgres_mcp.md
+++ b/docs/en/how-to/connect-ide/postgres_mcp.md
@@ -56,19 +56,19 @@ Omni](https://cloud.google.com/alloydb/omni/current/docs/overview).
   <!-- {x-release-please-start-version} -->
   {{< tabpane persist=header >}}
 {{< tab header="linux/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/linux/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/linux/amd64/toolbox
 {{< /tab >}}

 {{< tab header="darwin/arm64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/darwin/arm64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/darwin/arm64/toolbox
 {{< /tab >}}

 {{< tab header="darwin/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/darwin/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/darwin/amd64/toolbox
 {{< /tab >}}

 {{< tab header="windows/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/windows/amd64/toolbox.exe
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/windows/amd64/toolbox.exe
 {{< /tab >}}
 {{< /tabpane >}}
    <!-- {x-release-please-end} -->
--- a/docs/en/how-to/connect-ide/sqlite_mcp.md
+++ b/docs/en/how-to/connect-ide/sqlite_mcp.md
@@ -43,19 +43,19 @@ to expose your developer assistant tools to a SQLite instance:
   <!-- {x-release-please-start-version} -->
   {{< tabpane persist=header >}}
 {{< tab header="linux/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/linux/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/linux/amd64/toolbox
 {{< /tab >}}

 {{< tab header="darwin/arm64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/darwin/arm64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/darwin/arm64/toolbox
 {{< /tab >}}

 {{< tab header="darwin/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/darwin/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/darwin/amd64/toolbox
 {{< /tab >}}

 {{< tab header="windows/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/windows/amd64/toolbox.exe
+curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/windows/amd64/toolbox.exe
 {{< /tab >}}
 {{< /tabpane >}}
    <!-- {x-release-please-end} -->
--- a/docs/en/how-to/deploy_docker.md
+++ b/docs/en/how-to/deploy_docker.md
@@ -68,7 +68,12 @@ networks:
 ```

    {{< notice tip >}}  
-To prevent DNS rebinding attack, use the `--allowed-origins` flag to specify a
+To prevent DNS rebinding attack, use the `--allowed-hosts` flag to specify a
+list of hosts for validation. E.g. `command: [ "toolbox",
+"--tools-file", "/config/tools.yaml", "--address", "0.0.0.0",
+"--allowed-hosts", "localhost:5000"]`
+
+To implement CORs, use the `--allowed-origins` flag to specify a
 list of origins permitted to access the server. E.g. `command: [ "toolbox",
 "--tools-file", "/config/tools.yaml", "--address", "0.0.0.0",
 "--allowed-origins", "https://foo.bar"]`
--- a/docs/en/how-to/deploy_gke.md
+++ b/docs/en/how-to/deploy_gke.md
@@ -188,9 +188,13 @@ description: >
                  path: tools.yaml
    ```

-    {{< notice tip >}}  
+    {{< notice tip >}}
 To prevent DNS rebinding attack, use the `--allowed-origins` flag to specify a
 list of origins permitted to access the server. E.g. `args: ["--address",
+"0.0.0.0", "--allowed-hosts", "foo.bar:5000"]`
+
+To implement CORs, use the `--allowed-origins` flag to specify a
+list of origins permitted to access the server. E.g. `args: ["--address",
 "0.0.0.0", "--allowed-origins", "https://foo.bar"]`
 {{< /notice >}}

--- a/docs/en/how-to/deploy_toolbox.md
+++ b/docs/en/how-to/deploy_toolbox.md
@@ -142,14 +142,18 @@ deployment will time out.

 ### Update deployed server to be secure

-To prevent DNS rebinding attack, use the `--allowed-origins` flag to specify a
-list of origins permitted to access the server. In order to do that, you will
+To prevent DNS rebinding attack, use the `--allowed-hosts` flag to specify a
+list of hosts. In order to do that, you will
 have to re-deploy the cloud run service with the new flag.

+To implement CORs checks, use the `--allowed-origins` flag to specify a list of
+origins permitted to access the server.
+
 1. Set an environment variable to the cloud run url: 

    ```bash
    export URL=<cloud run url>
+    export HOST=<cloud run host>
    ```

 2. Redeploy Toolbox:
@@ -160,7 +164,7 @@ have to re-deploy the cloud run service with the new flag.
        --service-account toolbox-identity \
        --region us-central1 \
        --set-secrets "/app/tools.yaml=tools:latest" \
-        --args="--tools-file=/app/tools.yaml","--address=0.0.0.0","--port=8080","--allowed-origins=$URL"
+        --args="--tools-file=/app/tools.yaml","--address=0.0.0.0","--port=8080","--allowed-origins=$URL","--allowed-hosts=$HOST"
        # --allow-unauthenticated # https://cloud.google.com/run/docs/authenticating/public#gcloud
    ```

@@ -172,7 +176,7 @@ have to re-deploy the cloud run service with the new flag.
        --service-account toolbox-identity \
        --region us-central1 \
        --set-secrets "/app/tools.yaml=tools:latest" \
-        --args="--tools-file=/app/tools.yaml","--address=0.0.0.0","--port=8080","--allowed-origins=$URL" \
+        --args="--tools-file=/app/tools.yaml","--address=0.0.0.0","--port=8080","--allowed-origins=$URL","--allowed-hosts=$HOST" \
        # TODO(dev): update the following to match your VPC if necessary
        --network default \
        --subnet default
--- a/docs/en/reference/cli.md
+++ b/docs/en/reference/cli.md
@@ -8,25 +8,26 @@ description: >

 ## Reference

-| Flag (Short) | Flag (Long)                | Description                                                                                                                                                                                   | Default     |
-|--------------|----------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
-| `-a`         | `--address`                | Address of the interface the server will listen on.                                                                                                                                           | `127.0.0.1` |
-|              | `--disable-reload`         | Disables dynamic reloading of tools file.                                                                                                                                                     |             |
-| `-h`         | `--help`                   | help for toolbox                                                                                                                                                                              |             |
-|              | `--log-level`              | Specify the minimum level logged. Allowed: 'DEBUG', 'INFO', 'WARN', 'ERROR'.                                                                                                                  | `info`      |
-|              | `--logging-format`         | Specify logging format to use. Allowed: 'standard' or 'JSON'.                                                                                                                                 | `standard`  |
-| `-p`         | `--port`                   | Port the server will listen on.                                                                                                                                                               | `5000`      |
-|              | `--prebuilt`               | Use a prebuilt tool configuration by source type. See [Prebuilt Tools Reference](prebuilt-tools.md) for allowed values.                                     |             |
-|              | `--stdio`                  | Listens via MCP STDIO instead of acting as a remote HTTP server.                                                                                                                              |             |
-|              | `--telemetry-gcp`          | Enable exporting directly to Google Cloud Monitoring.                                                                                                                                         |             |
-|              | `--telemetry-otlp`         | Enable exporting using OpenTelemetry Protocol (OTLP) to the specified endpoint (e.g. 'http://127.0.0.1:4318')                                                                                 |             |
-|              | `--telemetry-service-name` | Sets the value of the service.name resource attribute for telemetry data.                                                                                                                     | `toolbox`   |
+| Flag (Short) | Flag (Long)                | Description                                                                                                                                                                      | Default     |
+|--------------|----------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
+| `-a`         | `--address`                | Address of the interface the server will listen on.                                                                                                                              | `127.0.0.1` |
+|              | `--disable-reload`         | Disables dynamic reloading of tools file.                                                                                                                                        |             |
+| `-h`         | `--help`                   | help for toolbox                                                                                                                                                                 |             |
+|              | `--log-level`              | Specify the minimum level logged. Allowed: 'DEBUG', 'INFO', 'WARN', 'ERROR'.                                                                                                     | `info`      |
+|              | `--logging-format`         | Specify logging format to use. Allowed: 'standard' or 'JSON'.                                                                                                                    | `standard`  |
+| `-p`         | `--port`                   | Port the server will listen on.                                                                                                                                                  | `5000`      |
+|              | `--prebuilt`               | Use a prebuilt tool configuration by source type. See [Prebuilt Tools Reference](prebuilt-tools.md) for allowed values.                                                          |             |
+|              | `--stdio`                  | Listens via MCP STDIO instead of acting as a remote HTTP server.                                                                                                                 |             |
+|              | `--telemetry-gcp`          | Enable exporting directly to Google Cloud Monitoring.                                                                                                                            |             |
+|              | `--telemetry-otlp`         | Enable exporting using OpenTelemetry Protocol (OTLP) to the specified endpoint (e.g. 'http://127.0.0.1:4318')                                                                    |             |
+|              | `--telemetry-service-name` | Sets the value of the service.name resource attribute for telemetry data.                                                                                                        | `toolbox`   |
 |              | `--tools-file`             | File path specifying the tool configuration. Cannot be used with --tools-files or --tools-folder.                                                                                |             |
 |              | `--tools-files`            | Multiple file paths specifying tool configurations. Files will be merged. Cannot be used with --tools-file or --tools-folder.                                                    |             |
 |              | `--tools-folder`           | Directory path containing YAML tool configuration files. All .yaml and .yml files in the directory will be loaded and merged. Cannot be used with --tools-file or --tools-files. |             |
-|              | `--ui`                     | Launches the Toolbox UI web server.                                                                                                                                                           |             |
-|              | `--allowed-origins`        | Specifies a list of origins permitted to access this server.                                                                                                                                  | `*`         |
-| `-v`         | `--version`                | version for toolbox                                                                                                                                                                           |             |
+|              | `--ui`                     | Launches the Toolbox UI web server.                                                                                                                                              |             |
+|              | `--allowed-origins`        | Specifies a list of origins permitted to access this server for CORs access.                                                                                                     | `*`         |
+|              | `--allowed-hosts`          | Specifies a list of hosts permitted to access this server to prevent DNS rebinding attacks.                                                                                      | `*`         |
+| `-v`         | `--version`                | version for toolbox                                                                                                                                                              |             |

 ## Examples

--- a/docs/en/reference/prebuilt-tools.md
+++ b/docs/en/reference/prebuilt-tools.md
@@ -187,6 +187,7 @@ See [Usage Examples](../reference/cli.md#examples).
        manage existing resources.
        * All `viewer` tools
        * `create_database`
+        * `create_backup`
    *   **Cloud SQL Admin** (`roles/cloudsql.admin`): Provides full control over
        all resources.
        * All `editor` and `viewer` tools
@@ -203,6 +204,7 @@ See [Usage Examples](../reference/cli.md#examples).
    *   `create_user`: Creates a new user in a Cloud SQL instance.
    *   `wait_for_operation`: Waits for a Cloud SQL operation to complete.
    *   `clone_instance`: Creates a clone for an existing Cloud SQL for MySQL instance.
+    *   `create_backup`: Creates a backup on a Cloud SQL instance.

 ## Cloud SQL for PostgreSQL

@@ -275,6 +277,7 @@ See [Usage Examples](../reference/cli.md#examples).
        manage existing resources.
        * All `viewer` tools
        * `create_database`
+        * `create_backup`
    *   **Cloud SQL Admin** (`roles/cloudsql.admin`): Provides full control over
        all resources.
        * All `editor` and `viewer` tools
@@ -290,6 +293,7 @@ See [Usage Examples](../reference/cli.md#examples).
    *   `create_user`: Creates a new user in a Cloud SQL instance.
    *   `wait_for_operation`: Waits for a Cloud SQL operation to complete.
    *   `clone_instance`: Creates a clone for an existing Cloud SQL for PostgreSQL instance.
+    *   `create_backup`: Creates a backup on a Cloud SQL instance.

 ## Cloud SQL for SQL Server

@@ -336,6 +340,7 @@ See [Usage Examples](../reference/cli.md#examples).
        manage existing resources.
        * All `viewer` tools
        * `create_database`
+        * `create_backup`
    *   **Cloud SQL Admin** (`roles/cloudsql.admin`): Provides full control over
        all resources.
        * All `editor` and `viewer` tools
@@ -351,6 +356,7 @@ See [Usage Examples](../reference/cli.md#examples).
    *   `create_user`: Creates a new user in a Cloud SQL instance.
    *   `wait_for_operation`: Waits for a Cloud SQL operation to complete.
    *   `clone_instance`: Creates a clone for an existing Cloud SQL for SQL Server instance.
+    *   `create_backup`: Creates a backup on a Cloud SQL instance.

 ## Dataplex

--- a/docs/en/resources/sources/bigquery.md
+++ b/docs/en/resources/sources/bigquery.md
@@ -134,6 +134,7 @@ sources:
    # scopes: # Optional: List of OAuth scopes to request.
    #   - "https://www.googleapis.com/auth/bigquery"
    #   - "https://www.googleapis.com/auth/drive.readonly"
+    # maxQueryResultRows: 50 # Optional: Limits the number of rows returned by queries. Defaults to 50.
 ```

 Initialize a BigQuery source that uses the client's access token:
@@ -153,6 +154,7 @@ sources:
    # scopes: # Optional: List of OAuth scopes to request.
    #   - "https://www.googleapis.com/auth/bigquery"
    #   - "https://www.googleapis.com/auth/drive.readonly"
+    # maxQueryResultRows: 50 # Optional: Limits the number of rows returned by queries. Defaults to 50.
 ```

 ## Reference
@@ -167,3 +169,4 @@ sources:
 | useClientOAuth            |   bool   |    false     | If true, forwards the client's OAuth access token from the "Authorization" header to downstream queries. **Note:** This cannot be used with `writeMode: protected`.                                                                                                                                                                                                                                                                                                                                                |
 | scopes                    | []string |    false     | A list of OAuth 2.0 scopes to use for the credentials. If not provided, default scopes are used.                                                                                                                                                                                                                                                                                                                                                                                                                     |
 | impersonateServiceAccount |  string  |    false     | Service account email to impersonate when making BigQuery and Dataplex API calls. The authenticated principal must have the `roles/iam.serviceAccountTokenCreator` role on the target service account. [Learn More](https://cloud.google.com/iam/docs/service-account-impersonation)                                                                                                                                                                                                                                |
+| maxQueryResultRows             |   int    |    false     | The maximum number of rows to return from a query. Defaults to 50. |
--- a/docs/en/resources/sources/snowflake.md
+++ b/docs/en/resources/sources/snowflake.md
@@ -0,0 +1,63 @@
+---
+title: "Snowflake"
+type: docs
+weight: 1
+description: >
+  Snowflake is a cloud-based data platform.
+
+---
+
+## About
+
+[Snowflake][sf-docs] is a cloud data platform that provides a data warehouse-as-a-service designed for the cloud.
+
+[sf-docs]: https://docs.snowflake.com/
+
+## Available Tools
+
+- [`snowflake-sql`](../tools/snowflake/snowflake-sql.md)  
+  Execute SQL queries as prepared statements in Snowflake.
+
+- [`snowflake-execute-sql`](../tools/snowflake/snowflake-execute-sql.md)  
+  Run parameterized SQL statements in Snowflake.
+
+## Requirements
+
+### Database User
+
+This source only uses standard authentication. You will need to create a
+Snowflake user to login to the database with.
+
+## Example
+
+```yaml
+sources:
+    my-sf-source:
+        kind: snowflake
+        account: ${SNOWFLAKE_ACCOUNT}
+        user: ${SNOWFLAKE_USER}
+        password: ${SNOWFLAKE_PASSWORD}
+        database: ${SNOWFLAKE_DATABASE}
+        schema: ${SNOWFLAKE_SCHEMA}
+        warehouse: ${SNOWFLAKE_WAREHOUSE}
+        role: ${SNOWFLAKE_ROLE}
+```
+
+{{< notice tip >}}
+Use environment variable replacement with the format ${ENV_NAME}
+instead of hardcoding your secrets into the configuration file.
+{{< /notice >}}
+
+## Reference
+
+| **field** | **type** | **required** | **description**                                                        |
+|-----------|:--------:|:------------:|------------------------------------------------------------------------|
+| kind      |  string  |     true     | Must be "snowflake".                                                   |
+| account   |  string  |     true     | Your Snowflake account identifier.                                     |
+| user      |  string  |     true     | Name of the Snowflake user to connect as (e.g. "my-sf-user").          |
+| password  |  string  |     true     | Password of the Snowflake user (e.g. "my-password").                   |
+| database  |  string  |     true     | Name of the Snowflake database to connect to (e.g. "my_db").           |
+| schema    |  string  |     true     | Name of the schema to use (e.g. "my_schema").                          |
+| warehouse |  string  |     false    | The virtual warehouse to use. Defaults to "COMPUTE_WH".                |
+| role      |  string  |     false    | The security role to use. Defaults to "ACCOUNTADMIN".                  |
+| timeout   |  integer |     false    | The connection timeout in seconds. Defaults to 60.                     |
--- a/docs/en/resources/sources/trino.md
+++ b/docs/en/resources/sources/trino.md
@@ -50,16 +50,19 @@ instead of hardcoding your secrets into the configuration file.

 ## Reference

-| **field**       | **type** | **required** | **description**                                                              |
-|-----------------|:--------:|:------------:|------------------------------------------------------------------------------|
-| kind            |  string  |     true     | Must be "trino".                                                             |
-| host            |  string  |     true     | Trino coordinator hostname (e.g. "trino.example.com")                        |
-| port            |  string  |     true     | Trino coordinator port (e.g. "8080", "8443")                                 |
-| user            |  string  |    false     | Username for authentication (e.g. "analyst"). Optional for anonymous access. |
-| password        |  string  |    false     | Password for basic authentication                                            |
-| catalog         |  string  |     true     | Default catalog to use for queries (e.g. "hive")                             |
-| schema          |  string  |     true     | Default schema to use for queries (e.g. "default")                           |
-| queryTimeout    |  string  |    false     | Query timeout duration (e.g. "30m", "1h")                                    |
-| accessToken     |  string  |    false     | JWT access token for authentication                                          |
-| kerberosEnabled | boolean  |    false     | Enable Kerberos authentication (default: false)                              |
-| sslEnabled      | boolean  |    false     | Enable SSL/TLS (default: false)                                              |
+| **field**              | **type** | **required** | **description**                                                              |
+| ---------------------- | :------: | :----------: | ---------------------------------------------------------------------------- |
+| kind                   |  string  |     true     | Must be "trino".                                                             |
+| host                   |  string  |     true     | Trino coordinator hostname (e.g. "trino.example.com")                        |
+| port                   |  string  |     true     | Trino coordinator port (e.g. "8080", "8443")                                 |
+| user                   |  string  |    false     | Username for authentication (e.g. "analyst"). Optional for anonymous access. |
+| password               |  string  |    false     | Password for basic authentication                                            |
+| catalog                |  string  |     true     | Default catalog to use for queries (e.g. "hive")                             |
+| schema                 |  string  |     true     | Default schema to use for queries (e.g. "default")                           |
+| queryTimeout           |  string  |    false     | Query timeout duration (e.g. "30m", "1h")                                    |
+| accessToken            |  string  |    false     | JWT access token for authentication                                          |
+| kerberosEnabled        | boolean  |    false     | Enable Kerberos authentication (default: false)                              |
+| sslEnabled             | boolean  |    false     | Enable SSL/TLS (default: false)                                              |
+| disableSslVerification | boolean  |    false     | Skip SSL/TLS certificate verification (default: false)                       |
+| sslCertPath            |  string  |    false     | Path to a custom SSL/TLS certificate file                                    |
+| sslCert                |  string  |    false     | Custom SSL/TLS certificate content                                           |
--- a/docs/en/resources/tools/alloydbainl/alloydb-ai-nl.md
+++ b/docs/en/resources/tools/alloydbainl/alloydb-ai-nl.md
@@ -91,8 +91,8 @@ visible to the LLM.
    https://cloud.google.com/alloydb/docs/parameterized-secure-views-overview

 {{< notice tip >}} Make sure to enable the `parameterized_views` extension
-before running this tool. You can do so by running this command in the AlloyDB
-studio:
+to utilize PSV feature (`nlConfigParameters`) with this tool. You can do so by
+running this command in the AlloyDB studio:

 ```sql
 CREATE EXTENSION IF NOT EXISTS parameterized_views;
--- a/docs/en/resources/tools/cloudsql/cloudsqlcreatebackup.md
+++ b/docs/en/resources/tools/cloudsql/cloudsqlcreatebackup.md
@@ -0,0 +1,45 @@
+---
+title: cloud-sql-create-backup
+type: docs
+weight: 10
+description: "Creates a backup on a Cloud SQL instance."
+---
+
+The `cloud-sql-create-backup` tool creates an on-demand backup on a Cloud SQL instance using the Cloud SQL Admin API.
+
+{{< notice info dd>}}
+This tool uses a `source` of kind `cloud-sql-admin`.
+{{< /notice >}}
+
+## Examples
+
+Basic backup creation (current state)
+
+```yaml
+tools:
+  backup-creation-basic:
+    kind: cloud-sql-create-backup
+    source: cloud-sql-admin-source
+    description: "Creates a backup on the given Cloud SQL instance."
+```
+## Reference
+### Tool Configuration
+| **field**      | **type** | **required** | **description**                                               |
+| -------------- | :------: | :----------: | ------------------------------------------------------------- |
+| kind           | string   | true         | Must be "cloud-sql-create-backup".                            |
+| source         | string   | true         | The name of the `cloud-sql-admin` source to use.              |
+| description    | string   | false        | A description of the tool.                                    |
+
+### Tool Inputs
+
+| **parameter**              | **type** | **required** | **description**                                                                 |
+| -------------------------- | :------: | :----------: | ------------------------------------------------------------------------------- |
+| project                    | string   | true         | The project ID.                                                                 |
+| instance                   | string   | true         | The name of the instance to take a backup on. Does not include the project ID.  |
+| location                   | string   | false        | (Optional) Location of the backup run.                                          |
+| backup_description         | string   | false        | (Optional) The description of this backup run.                                  |
+
+## See Also
+- [Cloud SQL Admin API documentation](https://cloud.google.com/sql/docs/mysql/admin-api)
+- [Toolbox Cloud SQL tools documentation](../cloudsql)
+- [Cloud SQL Backup API documentation](https://cloud.google.com/sql/docs/mysql/backup-recovery/backups)
--- a/docs/en/resources/tools/snowflake/_index.md
+++ b/docs/en/resources/tools/snowflake/_index.md
@@ -0,0 +1,7 @@
+---
+title: "Snowflake"
+type: docs
+weight: 1
+description: > 
+  Tools that work with Snowflake Sources.
+---
--- a/docs/en/resources/tools/snowflake/snowflake-execute-sql.md
+++ b/docs/en/resources/tools/snowflake/snowflake-execute-sql.md
@@ -0,0 +1,40 @@
+---
+title: "snowflake-execute-sql"
+type: docs
+weight: 1
+description: >
+  A "snowflake-execute-sql" tool executes a SQL statement against a Snowflake
+  database.
+---
+
+## About
+
+A `snowflake-execute-sql` tool executes a SQL statement against a Snowflake
+database. It's compatible with any of the following sources:
+
+- [snowflake](../../sources/snowflake.md)
+
+`snowflake-execute-sql` takes one input parameter `sql` and run the sql
+statement against the `source`.
+
+> **Note:** This tool is intended for developer assistant workflows with
+> human-in-the-loop and shouldn't be used for production agents.
+
+## Example
+
+```yaml
+tools:
+ execute_sql_tool:
+    kind: snowflake-execute-sql
+    source: my-snowflake-instance
+    description: Use this tool to execute sql statement.
+```
+
+## Reference
+
+| **field**    |   **type**    | **required** | **description**                                           |
+|--------------|:-------------:|:------------:|-----------------------------------------------------------|
+| kind         |    string     |     true     | Must be "snowflake-execute-sql".                          |
+| source       |    string     |     true     | Name of the source the SQL should execute on.             |
+| description  |    string     |     true     | Description of the tool that is passed to the LLM.        |
+| authRequired | array[string] |    false     | List of auth services that are required to use this tool. |
--- a/docs/en/resources/tools/snowflake/snowflake-sql.md
+++ b/docs/en/resources/tools/snowflake/snowflake-sql.md
@@ -0,0 +1,103 @@
+---
+title: "snowflake-sql"
+type: docs
+weight: 1
+description: >
+  A "snowflake-sql" tool executes a pre-defined SQL statement against a 
+  Snowflake database.
+---
+
+## About
+
+A `snowflake-sql` tool executes a pre-defined SQL statement against a Snowflake
+database. It's compatible with any of the following sources:
+
+- [snowflake](../../sources/snowflake.md)
+
+The specified SQL statement is executed as a prepared statement, and specified
+parameters will be inserted according to their position: e.g. `:1` will be the
+first parameter specified, `:2` will be the second parameter, and so on.
+
+> **Note:** This tool uses parameterized queries to prevent SQL injections.
+> Query parameters can be used as substitutes for arbitrary expressions.
+> Parameters cannot be used as substitutes for identifiers, column names, table
+> names, or other parts of the query.
+
+## Example
+
+```yaml
+tools:
+ search_flights_by_number:
+    kind: snowflake-sql
+    source: my-snowflake-instance
+    statement: |
+      SELECT * FROM flights
+      WHERE airline = :1
+      AND flight_number = :2
+      LIMIT 10
+    description: |
+      Use this tool to get information for a specific flight.
+      Takes an airline code and flight number and returns info on the flight.
+      Do NOT use this tool with a flight id. Do NOT guess an airline code or flight number.
+      A airline code is a code for an airline service consisting of two-character
+      airline designator and followed by flight number, which is 1 to 4 digit number.
+      For example, if given CY 0123, the airline is "CY", and flight_number is "123".
+      Another example for this is DL 1234, the airline is "DL", and flight_number is "1234".
+      If the tool returns more than one option choose the date closes to today.
+      Example:
+      {{
+          "airline": "CY",
+          "flight_number": "888",
+      }}
+      Example:
+      {{
+          "airline": "DL",
+          "flight_number": "1234",
+      }}
+    parameters:
+      - name: airline
+        type: string
+        description: Airline unique 2 letter identifier
+      - name: flight_number
+        type: string
+        description: 1 to 4 digit number
+```
+
+### Example with Template Parameters
+
+> **Note:** This tool allows direct modifications to the SQL statement,
+> including identifiers, column names, and table names. **This makes it more
+> vulnerable to SQL injections**. Using basic parameters only (see above) is
+> recommended for performance and safety reasons. For more details, please check
+> [templateParameters](..#template-parameters).
+
+```yaml
+tools:
+ list_table:
+    kind: snowflake
+    source: my-snowflake-instance
+    statement: |
+      SELECT * FROM {{.tableName}};
+    description: |
+      Use this tool to list all information from a specific table.
+      Example:
+      {{
+          "tableName": "flights",
+      }}
+    templateParameters:
+      - name: tableName
+        type: string
+        description: Table to select from
+```
+
+## Reference
+
+| **field**          |                   **type**                   | **required** | **description**                                                                                                                        |
+|--------------------|:--------------------------------------------:|:------------:|----------------------------------------------------------------------------------------------------------------------------------------|
+| kind               |                    string                    |     true     | Must be "snowflake-sql".                                                                                                               |
+| source             |                    string                    |     true     | Name of the source the SQL should execute on.                                                                                          |
+| description        |                    string                    |     true     | Description of the tool that is passed to the LLM.                                                                                     |
+| statement          |                    string                    |     true     | SQL statement to execute on.                                                                                                           |
+| parameters         |   [parameters](../#specifying-parameters)    |    false     | List of [parameters](../#specifying-parameters) that will be inserted into the SQL statement.                                          |
+| templateParameters | [templateParameters](..#template-parameters) |    false     | List of [templateParameters](..#template-parameters) that will be inserted into the SQL statement before executing prepared statement. |
+| authRequired       |                array[string]                 |    false     | List of auth services that are required to use this tool.                                                                              |
--- a/docs/en/resources/tools/trino/trino-sql.md
+++ b/docs/en/resources/tools/trino/trino-sql.md
@@ -16,11 +16,7 @@ database. It's compatible with any of the following sources:

 - [trino](../../sources/trino.md)

-The specified SQL statement is executed as a [prepared statement][trino-prepare],
-and specified parameters will be inserted according to their position: e.g. `$1`
-will be the first parameter specified, `$2` will be the second parameter, and so
-on. If template parameters are included, they will be resolved before execution
-of the prepared statement.
+The specified SQL statement is executed as a [prepared statement][trino-prepare], and expects parameters in the SQL query to be in the form of placeholders `?`.

 [trino-prepare]: https://trino.io/docs/current/sql/prepare.html

@@ -38,8 +34,8 @@ tools:
    source: my-trino-instance
    statement: |
      SELECT * FROM hive.sales.orders
-      WHERE region = $1
-      AND order_date >= DATE($2)
+      WHERE region = ?
+      AND order_date >= DATE(?)
      LIMIT 10
    description: |
      Use this tool to get information for orders in a specific region.
--- a/docs/en/samples/alloydb/ai-nl/alloydb_ai_nl.ipynb
+++ b/docs/en/samples/alloydb/ai-nl/alloydb_ai_nl.ipynb
@@ -771,7 +771,7 @@
      },
      "outputs": [],
      "source": [
-        "version = \"0.24.0\" # x-release-please-version\n",
+        "version = \"0.25.0\" # x-release-please-version\n",
        "! curl -L -o /content/toolbox https://storage.googleapis.com/genai-toolbox/v{version}/linux/amd64/toolbox\n",
        "\n",
        "# Make the binary executable\n",
--- a/docs/en/samples/alloydb/mcp_quickstart.md
+++ b/docs/en/samples/alloydb/mcp_quickstart.md
@@ -123,7 +123,7 @@ In this section, we will download and install the Toolbox binary.
    <!-- {x-release-please-start-version} -->
    ```bash
    export OS="linux/amd64" # one of linux/amd64, darwin/arm64, darwin/amd64, or windows/amd64
-    export VERSION="0.24.0"
+    export VERSION="0.25.0"
    curl -O https://storage.googleapis.com/genai-toolbox/v$VERSION/$OS/toolbox
    ```
    <!-- {x-release-please-end} -->
--- a/docs/en/samples/bigquery/colab_quickstart_bigquery.ipynb
+++ b/docs/en/samples/bigquery/colab_quickstart_bigquery.ipynb
@@ -220,7 +220,7 @@
      },
      "outputs": [],
      "source": [
-        "version = \"0.24.0\" # x-release-please-version\n",
+        "version = \"0.25.0\" # x-release-please-version\n",
        "! curl -O https://storage.googleapis.com/genai-toolbox/v{version}/linux/amd64/toolbox\n",
        "\n",
        "# Make the binary executable\n",
--- a/docs/en/samples/bigquery/local_quickstart.md
+++ b/docs/en/samples/bigquery/local_quickstart.md
@@ -179,7 +179,7 @@ to use BigQuery, and then run the Toolbox server.
    <!-- {x-release-please-start-version} -->
    ```bash
    export OS="linux/amd64" # one of linux/amd64, darwin/arm64, darwin/amd64, or windows/amd64
-    curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/$OS/toolbox
+    curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/$OS/toolbox
    ```
    <!-- {x-release-please-end} -->

--- a/docs/en/samples/bigquery/mcp_quickstart/_index.md
+++ b/docs/en/samples/bigquery/mcp_quickstart/_index.md
@@ -98,7 +98,7 @@ In this section, we will download Toolbox, configure our tools in a
    <!-- {x-release-please-start-version} -->
    ```bash
    export OS="linux/amd64" # one of linux/amd64, darwin/arm64, darwin/amd64, or windows/amd64
-    curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/$OS/toolbox
+    curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/$OS/toolbox
    ```
    <!-- {x-release-please-end} -->

--- a/docs/en/samples/looker/looker_gemini.md
+++ b/docs/en/samples/looker/looker_gemini.md
@@ -34,7 +34,7 @@ In this section, we will download Toolbox and run the Toolbox server.
    <!-- {x-release-please-start-version} -->
    ```bash
    export OS="linux/amd64" # one of linux/amd64, darwin/arm64, darwin/amd64, or windows/amd64
-    curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/$OS/toolbox
+    curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/$OS/toolbox
    ```
    <!-- {x-release-please-end} -->

--- a/docs/en/samples/looker/looker_gemini_oauth/_index.md
+++ b/docs/en/samples/looker/looker_gemini_oauth/_index.md
@@ -48,7 +48,7 @@ In this section, we will download Toolbox and run the Toolbox server.
    <!-- {x-release-please-start-version} -->
    ```bash
    export OS="linux/amd64" # one of linux/amd64, darwin/arm64, darwin/amd64, or windows/amd64
-    curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/$OS/toolbox
+    curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/$OS/toolbox
    ```
    <!-- {x-release-please-end} -->

--- a/docs/en/samples/looker/looker_mcp_inspector/_index.md
+++ b/docs/en/samples/looker/looker_mcp_inspector/_index.md
@@ -34,7 +34,7 @@ In this section, we will download Toolbox and run the Toolbox server.
    <!-- {x-release-please-start-version} -->
    ```bash
    export OS="linux/amd64" # one of linux/amd64, darwin/arm64, darwin/amd64, or windows/amd64
-    curl -O https://storage.googleapis.com/genai-toolbox/v0.24.0/$OS/toolbox
+    curl -O https://storage.googleapis.com/genai-toolbox/v0.25.0/$OS/toolbox
    ```
    <!-- {x-release-please-end} -->

--- a/docs/en/samples/neo4j/_index.md
+++ b/docs/en/samples/neo4j/_index.md
@@ -0,0 +1,7 @@
+---
+title: "Neo4j"
+type: docs
+weight: 1
+description: >
+  How to get started with Toolbox using Neo4j.
+---
--- a/docs/en/samples/neo4j/mcp_quickstart.md
+++ b/docs/en/samples/neo4j/mcp_quickstart.md
@@ -0,0 +1,141 @@
+---
+title: "Quickstart (MCP with Neo4j)"
+type: docs
+weight: 1
+description: >
+  How to get started running Toolbox with MCP Inspector and Neo4j as the source.
+---
+
+## Overview
+
+[Model Context Protocol](https://modelcontextprotocol.io) is an open protocol that standardizes how applications provide context to LLMs. Check out this page on how to [connect to Toolbox via MCP](../../how-to/connect_via_mcp.md).
+
+
+## Step 1: Set up your Neo4j Database and Data
+
+In this section, you'll set up a database and populate it with sample data for a movies-related agent. This guide assumes you have a running Neo4j instance, either locally or in the cloud.
+
+. **Populate the database with data.**
+To make this quickstart straightforward, we'll use the built-in Movies dataset available in Neo4j.
+
+. In your Neo4j Browser, run the following command to create and populate the database:
+
+```cypher
+:play movies
+````
+
+. Follow the instructions to load the data. This will create a graph with `Movie`, `Person`, and `Actor` nodes and their relationships.
+
+
+## Step 2: Install and configure Toolbox
+
+In this section, we will install the MCP Toolbox, configure our tools in a `tools.yaml` file, and then run the Toolbox server.
+
+. **Install the Toolbox binary.**
+The simplest way to get started is to download the latest binary for your operating system.
+
+. Download the latest version of Toolbox as a binary:
+\+
+
+```bash
+export OS="linux/amd64" # one of linux/amd64, darwin/arm64, darwin/amd64, or windows/amd64
+curl -O [https://storage.googleapis.com/genai-toolbox/v0.16.0/$OS/toolbox](https://storage.googleapis.com/genai-toolbox/v0.16.0/$OS/toolbox)
+```
+
+  + 
+. Make the binary executable:
+\+
+
+```bash
+chmod +x toolbox
+```
+
+. **Create the `tools.yaml` file.**
+This file defines your Neo4j source and the specific tools that will be exposed to your AI agent.
+\+
+{{\< notice tip \>}}
+Authentication for the Neo4j source uses standard username and password fields. For production use, it is highly recommended to use environment variables for sensitive information like passwords.
+{{\< /notice \>}}
+\+
+Write the following into a `tools.yaml` file:
+\+
+
+```yaml
+sources:
+  my-neo4j-source:
+    kind: neo4j
+    uri: bolt://localhost:7687
+    user: neo4j
+    password: my-password # Replace with your actual password
+
+tools:
+  search-movies-by-actor:
+    kind: neo4j-cypher
+    source: my-neo4j-source
+    description: "Searches for movies an actor has appeared in based on their name. Useful for questions like 'What movies has Tom Hanks been in?'"
+    parameters:
+      - name: actor_name
+        type: string
+        description: The full name of the actor to search for.
+    statement: |
+      MATCH (p:Person {name: $actor_name}) -[:ACTED_IN]-> (m:Movie)
+      RETURN m.title AS title, m.year AS year, m.genre AS genre
+  
+  get-actor-for-movie:
+    kind: neo4j-cypher
+    source: my-neo4j-source
+    description: "Finds the actors who starred in a specific movie. Useful for questions like 'Who acted in Inception?'"
+    parameters:
+      - name: movie_title
+        type: string
+        description: The exact title of the movie.
+    statement: |
+      MATCH (p:Person) -[:ACTED_IN]-> (m:Movie {title: $movie_title})
+      RETURN p.name AS actor
+```
+
+. **Start the Toolbox server.**
+Run the Toolbox server, pointing to the `tools.yaml` file you created earlier.
+\+
+
+```bash
+./toolbox --tools-file "tools.yaml"
+```
+
+## Step 3: Connect to MCP Inspector
+
+. **Run the MCP Inspector:**
+\+
+
+```bash
+npx @modelcontextprotocol/inspector
+```
+
+. Type `y` when it asks to install the inspector package.
+. It should show the following when the MCP Inspector is up and running (please take note of `<YOUR_SESSION_TOKEN>`):
+\+
+
+```bash
+Starting MCP inspector...
+⚙️ Proxy server listening on localhost:6277
+🔑 Session token: <YOUR_SESSION_TOKEN>
+    Use this token to authenticate requests or set DANGEROUSLY_OMIT_AUTH=true to disable auth
+
+🚀 MCP Inspector is up and running at:
+    http://localhost:6274/?MCP_PROXY_AUTH_TOKEN=<YOUR_SESSION_TOKEN>
+```
+
+1. Open the above link in your browser.
+
+1. For `Transport Type`, select `Streamable HTTP`.
+
+1. For `URL`, type in `http://127.0.0.1:5000/mcp`.
+
+1. For `Configuration` -\> `Proxy Session Token`, make sure `<YOUR_SESSION_TOKEN>` is present.
+
+1. Click `Connect`.
+
+1. Select `List Tools`, you will see a list of tools configured in `tools.yaml`.
+
+1. Test out your tools here\!
+
--- a/docs/en/samples/snowflake/_index.md
+++ b/docs/en/samples/snowflake/_index.md
@@ -0,0 +1,161 @@
+---
+title: "Snowflake"
+type: docs
+weight: 2
+description: >
+  How to get started running Toolbox with MCP Inspector and Snowflake as the source.
+---
+
+## Overview
+
+[Model Context Protocol](https://modelcontextprotocol.io) is an open protocol
+that standardizes how applications provide context to LLMs. Check out this page
+on how to [connect to Toolbox via MCP](../../how-to/connect_via_mcp.md).
+
+## Before you begin
+
+This guide assumes you have already done the following:
+
+1.  [Create a Snowflake account](https://signup.snowflake.com/).
+1.  Connect to the instance using [SnowSQL](https://docs.snowflake.com/en/user-guide/snowsql), or any other Snowflake client.
+
+## Step 1: Set up your environment
+
+Copy the environment template and update it with your Snowflake credentials:
+
+```bash
+cp examples/snowflake-env.sh my-snowflake-env.sh
+```
+
+Edit `my-snowflake-env.sh` with your actual Snowflake connection details:
+
+```bash
+export SNOWFLAKE_ACCOUNT="your-account-identifier"
+export SNOWFLAKE_USER="your-username"
+export SNOWFLAKE_PASSWORD="your-password"
+export SNOWFLAKE_DATABASE="your-database"
+export SNOWFLAKE_SCHEMA="your-schema"
+export SNOWFLAKE_WAREHOUSE="COMPUTE_WH"
+export SNOWFLAKE_ROLE="ACCOUNTADMIN"
+```
+
+## Step 2: Install Toolbox
+
+In this section, we will download and install the Toolbox binary.
+
+1. Download the latest version of Toolbox as a binary:
+
+    {{< notice tip >}}
+   Select the
+   [correct binary](https://github.com/googleapis/genai-toolbox/releases)
+   corresponding to your OS and CPU architecture.
+    {{< /notice >}}
+    <!-- {x-release-please-start-version} -->
+    ```bash
+    export OS="linux/amd64" # one of linux/amd64, darwin/arm64, darwin/amd64, or windows/amd64
+    export VERSION="0.10.0"
+    curl -O https://storage.googleapis.com/genai-toolbox/v$VERSION/$OS/toolbox
+    ```
+    <!-- {x-release-please-end} -->
+
+1. Make the binary executable:
+
+    ```bash
+    chmod +x toolbox
+    ```
+
+## Step 3: Configure the tools
+
+You have two options:
+
+#### Option A: Use the prebuilt configuration
+
+```bash
+./toolbox --prebuilt snowflake
+```
+
+#### Option B: Use the custom configuration
+
+Create a `tools.yaml` file and add the following content. You must replace the placeholders with your actual Snowflake configuration.
+
+```yaml
+sources:
+  snowflake-source:
+    kind: snowflake
+    account: ${SNOWFLAKE_ACCOUNT}
+    user: ${SNOWFLAKE_USER}
+    password: ${SNOWFLAKE_PASSWORD}
+    database: ${SNOWFLAKE_DATABASE}
+    schema: ${SNOWFLAKE_SCHEMA}
+    warehouse: ${SNOWFLAKE_WAREHOUSE}
+    role: ${SNOWFLAKE_ROLE}
+
+tools:
+    execute_sql:
+        kind: snowflake-execute-sql
+        source: snowflake-source
+        description: Use this tool to execute SQL.
+
+    list_tables:
+        kind: snowflake-sql
+        source: snowflake-source
+        description: "Lists detailed schema information for user-created tables."
+        statement: |
+           SELECT table_name, table_type 
+           FROM information_schema.tables 
+           WHERE table_schema = current_schema()
+           ORDER BY table_name;
+```
+
+For more info on tools, check out the
+[Tools](../../resources/tools/) section.
+
+## Step 4: Run the Toolbox server
+
+Run the Toolbox server, pointing to the `tools.yaml` file created earlier:
+
+```bash
+./toolbox --tools-file "tools.yaml"
+```
+
+## Step 5: Connect to MCP Inspector
+
+1. Run the MCP Inspector:
+
+    ```bash
+    npx @modelcontextprotocol/inspector
+    ```
+
+1. Type `y` when it asks to install the inspector package.
+
+1. It should show the following when the MCP Inspector is up and running (please take note of `<YOUR_SESSION_TOKEN>`):
+
+    ```bash
+    Starting MCP inspector...
+    ⚙️ Proxy server listening on localhost:6277
+    🔑 Session token: <YOUR_SESSION_TOKEN>
+       Use this token to authenticate requests or set DANGEROUSLY_OMIT_AUTH=true to disable auth
+
+    🚀 MCP Inspector is up and running at:
+       http://localhost:6274/?MCP_PROXY_AUTH_TOKEN=<YOUR_SESSION_TOKEN>
+    ```
+
+1. Open the above link in your browser.
+
+1. For `Transport Type`, select `Streamable HTTP`.
+
+1. For `URL`, type in `http://127.0.0.1:5000/mcp`.
+
+1. For `Configuration` -> `Proxy Session Token`, make sure `<YOUR_SESSION_TOKEN>` is present.
+
+1. Click Connect.
+
+1. Select `List Tools`, you will see a list of tools configured in `tools.yaml`.
+
+1. Test out your tools here!
+
+## What's next
+
+- Learn more about [MCP Inspector](../../how-to/connect_via_mcp.md).
+- Learn more about [Toolbox Resources](../../resources/).
+- Learn more about [Toolbox How-to guides](../../how-to/).
--- a/docs/en/samples/snowflake/runme.py
+++ b/docs/en/samples/snowflake/runme.py
@@ -0,0 +1,18 @@
+import asyncio
+from toolbox_core import ToolboxClient
+
+
+async def main():
+    # Replace with the actual URL where your Toolbox service is running
+    async with ToolboxClient("http://127.0.0.1:5000") as toolbox:
+        tool = await toolbox.load_tool("execute_sql")
+        result = await tool("SELECT 1")
+        print(result)
+
+        tool = await toolbox.load_tool("list_tables")
+        result = await tool(table_names="DIM_DATE")
+        print(result)
+
+
+if __name__ == "__main__":
+    asyncio.run(main())
--- a/docs/en/samples/snowflake/snowflake-config.yaml
+++ b/docs/en/samples/snowflake/snowflake-config.yaml
@@ -0,0 +1,68 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+sources:
+  my-snowflake-db:
+    kind: snowflake
+    account: ${SNOWFLAKE_ACCOUNT}
+    user: ${SNOWFLAKE_USER}
+    password: ${SNOWFLAKE_PASSWORD}
+    database: ${SNOWFLAKE_DATABASE}
+    schema: ${SNOWFLAKE_SCHEMA}
+    warehouse: ${SNOWFLAKE_WAREHOUSE}  # Optional, defaults to COMPUTE_WH if not set
+    role: ${SNOWFLAKE_ROLE}           # Optional, defaults to ACCOUNTADMIN if not set
+
+tools:
+  execute_sql:
+    kind: snowflake-execute-sql
+    source: my-snowflake-db
+    description: Execute arbitrary SQL statements on Snowflake
+
+  get_customer_orders:
+    kind: snowflake-sql
+    source: my-snowflake-db
+    description: Get orders for a specific customer
+    statement: |
+      SELECT o.order_id, o.order_date, o.total_amount, o.status
+      FROM orders o
+      WHERE o.customer_id = $1
+      ORDER BY o.order_date DESC
+    parameters:
+      - name: customer_id
+        type: string
+        description: The customer ID to look up orders for
+
+  daily_sales_report:
+    kind: snowflake-sql
+    source: my-snowflake-db
+    description: Generate daily sales report for a specific date
+    statement: |
+      SELECT 
+        DATE(order_date) as sales_date,
+        COUNT(*) as total_orders,
+        SUM(total_amount) as total_revenue,
+        AVG(total_amount) as avg_order_value
+      FROM orders
+      WHERE DATE(order_date) = $1
+      GROUP BY DATE(order_date)
+    parameters:
+      - name: report_date
+        type: string
+        description: The date to generate report for (YYYY-MM-DD format)
+
+toolsets:
+  snowflake-analytics:
+    - execute_sql
+    - get_customer_orders
+    - daily_sales_report
--- a/docs/en/samples/snowflake/snowflake-env.sh
+++ b/docs/en/samples/snowflake/snowflake-env.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# Snowflake Connection Configuration
+# Copy this file to snowflake-env.sh and update with your actual values
+# Then source it before running the toolbox: source snowflake-env.sh
+
+# Required environment variables
+export SNOWFLAKE_ACCOUNT="your-account-identifier"     # e.g., "xy12345.snowflakecomputing.com"
+export SNOWFLAKE_USER="your-username"                  # Your Snowflake username
+export SNOWFLAKE_PASSWORD="your-password"              # Your Snowflake password
+export SNOWFLAKE_DATABASE="your-database"              # Database name
+export SNOWFLAKE_SCHEMA="your-schema"                  # Schema name (usually "PUBLIC")
+
+# Optional environment variables (will use defaults if not set)
+export SNOWFLAKE_WAREHOUSE="COMPUTE_WH"                # Warehouse name (default: COMPUTE_WH)
+export SNOWFLAKE_ROLE="ACCOUNTADMIN"                   # Role name (default: ACCOUNTADMIN)
+
+echo "Snowflake environment variables have been set!"
+echo "Account: $SNOWFLAKE_ACCOUNT"
+echo "User: $SNOWFLAKE_USER"
+echo "Database: $SNOWFLAKE_DATABASE"
+echo "Schema: $SNOWFLAKE_SCHEMA"
+echo "Warehouse: $SNOWFLAKE_WAREHOUSE"
+echo "Role: $SNOWFLAKE_ROLE"
+echo ""
+echo "You can now run the toolbox with:"
+echo "  ./toolbox --prebuilt snowflake                    # Use prebuilt configuration"
+echo "  ./toolbox --tools-file docs/en/samples/snowflake/snowflake-config.yaml  # Use custom configuration"
--- a/docs/en/samples/snowflake/test-snowflake.sh
+++ b/docs/en/samples/snowflake/test-snowflake.sh
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+# Test script to demonstrate Snowflake configuration with environment variables
+# This script shows how to set up and test the Snowflake toolbox configuration
+
+echo "=== Testing Snowflake Configuration ==="
+echo ""
+
+# Set up test environment variables (replace with your actual values)
+echo "Setting up test environment variables..."
+export SNOWFLAKE_ACCOUNT="test-account"
+export SNOWFLAKE_USER="test-user"
+export SNOWFLAKE_PASSWORD="test-password"
+export SNOWFLAKE_DATABASE="test-database"
+export SNOWFLAKE_SCHEMA="test-schema"
+export SNOWFLAKE_WAREHOUSE="COMPUTE_WH"
+export SNOWFLAKE_ROLE="ACCOUNTADMIN"
+
+echo "Environment variables set:"
+echo "  SNOWFLAKE_ACCOUNT: $SNOWFLAKE_ACCOUNT"
+echo "  SNOWFLAKE_USER: $SNOWFLAKE_USER"
+echo "  SNOWFLAKE_DATABASE: $SNOWFLAKE_DATABASE"
+echo "  SNOWFLAKE_SCHEMA: $SNOWFLAKE_SCHEMA"
+echo "  SNOWFLAKE_WAREHOUSE: $SNOWFLAKE_WAREHOUSE"
+echo "  SNOWFLAKE_ROLE: $SNOWFLAKE_ROLE"
+echo ""
+
+echo "=== Testing Prebuilt Configuration ==="
+echo "This will attempt to initialize with the prebuilt Snowflake configuration:"
+echo "Command: ./toolbox --prebuilt snowflake --stdio"
+echo ""
+echo "Expected result: Connection failure due to test credentials (this is normal)"
+echo ""
+
+# Test the prebuilt configuration (this will fail with test credentials, which is expected)
+timeout 5s ./toolbox --prebuilt snowflake --stdio 2>&1 | head -5
+
+echo ""
+echo "=== Testing Custom Configuration ==="
+echo "This will attempt to initialize with the custom Snowflake configuration:"
+echo "Command: ./toolbox --tools-file docs/en/samples/snowflake/snowflake-config.yaml --stdio"
+echo ""
+echo "Expected result: Connection failure due to test credentials (this is normal)"
+echo ""
+
+# Test the custom configuration (this will fail with test credentials, which is expected)
+timeout 5s ./toolbox --tools-file docs/en/samples/snowflake/snowflake-config.yaml --stdio 2>&1 | head -5
+
+echo ""
+echo "=== Instructions for Real Usage ==="
+echo "1. Copy docs/en/samples/snowflake/snowflake-env.sh to your own file"
+echo "2. Edit it with your actual Snowflake credentials"
+echo "3. Source the file: source your-snowflake-env.sh"
+echo "4. Run: ./toolbox --prebuilt snowflake"
+echo ""
+echo "For more information, see docs/en/samples/snowflake"
--- a/docs/en/sdks/JS-sdk/_index.md
+++ b/docs/en/sdks/JS-sdk/_index.md
@@ -1,68 +0,0 @@
---
-title: "Javascript"
-type: docs
-weight: 7
-description: >
-  Javascript SDKs to connect to the MCP Toolbox server.
---
-
-## Overview
-
-The MCP Toolbox service provides a centralized way to manage and expose tools
-(like API connectors, database query tools, etc.) for use by GenAI applications.
-
-These JS SDKs act as clients for that service. They handle the communication needed to:
-
-* Fetch tool definitions from your running Toolbox instance.
-* Provide convenient JS objects or functions representing those tools.
-* Invoke the tools (calling the underlying APIs/services configured in Toolbox).
-* Handle authentication and parameter binding as needed.
-
-By using these SDKs, you can easily leverage your Toolbox-managed tools directly
-within your JS applications or AI orchestration frameworks.
-
-## Which Package Should I Use?
-
-Choosing the right package depends on how you are building your application:
-
- [`@toolbox-sdk/core`](https://github.com/googleapis/mcp-toolbox-sdk-js/tree/main/packages/toolbox-core):
-  This is a framework agnostic way to connect the tools to popular frameworks
-  like Langchain, LlamaIndex and Genkit.
- [`@toolbox-sdk/adk`](https://github.com/googleapis/mcp-toolbox-sdk-js/tree/main/packages/toolbox-adk):
-  This package provides a seamless way to connect to [Google ADK TS](https://github.com/google/adk-js).
-
-## Available Packages
-
-This repository hosts the following TS packages. See the package-specific
-README for detailed installation and usage instructions:
-
-| Package | Target Use Case | Integration | Path | Details (README) | Npm Version |
-| :------ | :---------- | :---------- | :---------------------- | :---------- | :--------- 
-| `toolbox-core` | Framework-agnostic / Custom applications | Use directly / Custom | `packages/toolbox-core/` | 📄 [View README](https://github.com/googleapis/mcp-toolbox-sdk-js/blob/main/packages/toolbox-core/README.md) | ![npm](https://img.shields.io/npm/v/@toolbox-sdk/core) |
-| `toolbox-adk` | ADK applications | ADK | `packages/toolbox-adk/` | 📄 [View README](https://github.com/googleapis/mcp-toolbox-sdk-js/blob/main/packages/toolbox-adk/README.md) | ![npm](https://img.shields.io/npm/v/@toolbox-sdk/adk) |
-
-
-## Getting Started
-
-To get started using Toolbox tools with an application, follow these general steps:
-
-1. **Set up and Run the Toolbox Service:**
-
-    Before using the SDKs, you need the main MCP Toolbox service running. Follow
-    the instructions here: [**Toolbox Getting Started
-    Guide**](https://github.com/googleapis/genai-toolbox?tab=readme-ov-file#getting-started)
-
-2. **Install the Appropriate SDK:**
-
-    Choose the package based on your needs (see "[Which Package Should I Use?](#which-package-should-i-use)" above) and install it:
-
-    ```bash
-    # For the core, framework-agnostic SDK
-    npm install @toolbox-sdk/core
-    ```
-
-
-
-{{< notice note >}}
-Source code for [js-sdk](https://github.com/googleapis/mcp-toolbox-sdk-js)
-{{< /notice >}}
--- a/docs/en/sdks/go-sdk.md
+++ b/docs/en/sdks/go-sdk.md
@@ -0,0 +1,15 @@
+---
+title: "Go SDK"
+weight: 2
+description: Go lang client SDK
+icon: fa-brands fa-golang
+manualLink: "https://github.com/googleapis/mcp-toolbox-sdk-go"
+manualLinkTarget: _blank
+---
+
+<html>
+  <head>
+    <link rel="canonical" href="https://github.com/googleapis/mcp-toolbox-sdk-go"/>
+    <meta http-equiv="refresh" content="0;url=https://github.com/googleapis/mcp-toolbox-sdk-go"/>
+  </head>
+</html>
--- a/docs/en/sdks/go-sdk/_index.md
+++ b/docs/en/sdks/go-sdk/_index.md
@@ -1,25 +0,0 @@
---
-title: "Go SDK"
-type: docs
-weight: 7
-description: >
-  Go SDKs to connect to the MCP Toolbox server.
---
-
-
-## Overview
-
-The MCP Toolbox service provides a centralized way to manage and expose tools
-(like API connectors, database query tools, etc.) for use by GenAI applications.
-
-The Go SDK act as clients for that service. They handle the communication needed to:
-
-* Fetch tool definitions from your running Toolbox instance.
-* Provide convenient Go structs representing those tools.
-* Invoke the tools (calling the underlying APIs/services configured in Toolbox).
-* Handle authentication and parameter binding as needed.
-
-By using the SDK, you can easily leverage your Toolbox-managed tools directly
-within your Go applications or AI orchestration frameworks.
-
-[Github](https://github.com/googleapis/mcp-toolbox-sdk-go)
--- a/docs/en/sdks/js-sdk.md
+++ b/docs/en/sdks/js-sdk.md
@@ -0,0 +1,15 @@
+---
+title: "JS SDK"
+weight: 2
+description: Javascript client SDK
+icon: fa-brands fa-node-js
+manualLink: "https://github.com/googleapis/mcp-toolbox-sdk-js"
+manualLinkTarget: _blank
+---
+
+<html>
+  <head>
+    <link rel="canonical" href="https://github.com/googleapis/mcp-toolbox-sdk-js"/>
+    <meta http-equiv="refresh" content="0;url=https://github.com/googleapis/mcp-toolbox-sdk-js"/>
+  </head>
+</html>
--- a/docs/en/sdks/python-sdk.md
+++ b/docs/en/sdks/python-sdk.md
@@ -0,0 +1,15 @@
+---
+title: "Python SDK"
+weight: 2
+description: Python client SDK
+icon: fa-brands fa-python
+manualLink: "https://github.com/googleapis/mcp-toolbox-sdk-python"
+manualLinkTarget: _blank
+---
+
+<html>
+  <head>
+    <link rel="canonical" href="https://github.com/googleapis/mcp-toolbox-sdk-python"/>
+    <meta http-equiv="refresh" content="0;url=https://github.com/googleapis/mcp-toolbox-sdk-python"/>
+  </head>
+</html>
--- a/docs/en/sdks/python-sdk/_index.md
+++ b/docs/en/sdks/python-sdk/_index.md
@@ -1,25 +0,0 @@
---
-title: "Python SDK"
-type: docs
-weight: 7
-description: >
-  Python SDKs to connect to the MCP Toolbox server.
---
-
-
-## Overview
-
-The MCP Toolbox service provides a centralized way to manage and expose tools
-(like API connectors, database query tools, etc.) for use by GenAI applications.
-
-These Python SDKs act as clients for that service. They handle the communication needed to:
-
-* Fetch tool definitions from your running Toolbox instance.
-* Provide convenient Python objects or functions representing those tools.
-* Invoke the tools (calling the underlying APIs/services configured in Toolbox).
-* Handle authentication and parameter binding as needed.
-
-By using these SDKs, you can easily leverage your Toolbox-managed tools directly
-within your Python applications or AI orchestration frameworks.
-
-[Github](https://github.com/googleapis/mcp-toolbox-sdk-python)
--- a/gemini-extension.json
+++ b/gemini-extension.json
@@ -1,6 +1,6 @@
 {
  "name": "mcp-toolbox-for-databases",
-  "version": "0.24.0",
+  "version": "0.25.0",
  "description": "MCP Toolbox for Databases is an open-source MCP server for more than 30 different datasources.",
  "contextFileName": "MCP-TOOLBOX-EXTENSION.md"
 }
--- a/go.mod
+++ b/go.mod
@@ -37,12 +37,14 @@ require (
 	github.com/google/go-cmp v0.7.0
 	github.com/google/uuid v1.6.0
 	github.com/jackc/pgx/v5 v5.7.6
+	github.com/jmoiron/sqlx v1.4.0
 	github.com/looker-open-source/sdk-codegen/go v0.25.21
 	github.com/microsoft/go-mssqldb v1.9.3
 	github.com/nakagami/firebirdsql v0.9.15
 	github.com/neo4j/neo4j-go-driver/v5 v5.28.4
 	github.com/redis/go-redis/v9 v9.17.2
 	github.com/sijms/go-ora/v2 v2.9.0
+	github.com/snowflakedb/gosnowflake v1.18.1
 	github.com/spf13/cobra v1.10.1
 	github.com/thlib/go-timezone-local v0.0.7
 	github.com/trinodb/trino-go-client v0.330.0
@@ -88,13 +90,40 @@ require (
 	cloud.google.com/go/monitoring v1.24.3 // indirect
 	cloud.google.com/go/trace v1.11.7 // indirect
 	filippo.io/edwards25519 v1.1.0 // indirect
+	github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4 // indirect
+	github.com/99designs/keyring v1.2.2 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.0.0 // indirect
+	github.com/BurntSushi/toml v1.4.0 // indirect
 	github.com/GoogleCloudPlatform/grpc-gcp-go/grpcgcp v1.5.3 // indirect
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.29.0 // indirect
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.54.0 // indirect
 	github.com/PuerkitoBio/goquery v1.10.3 // indirect
 	github.com/VictoriaMetrics/easyproto v0.1.4 // indirect
 	github.com/ajg/form v1.5.1 // indirect
+	github.com/apache/arrow-go/v18 v18.4.0 // indirect
 	github.com/apache/arrow/go/v15 v15.0.2 // indirect
+	github.com/apache/thrift v0.22.0 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.39.0 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.1 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.31.8 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.18.12 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.7 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.16.15 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.7 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.7 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.8.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.88.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.29.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.34.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.38.4 // indirect
+	github.com/aws/smithy-go v1.23.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443 // indirect
 	github.com/couchbase/gocbcore/v10 v10.8.1 // indirect
@@ -102,8 +131,10 @@ require (
 	github.com/couchbase/goprotostellar v1.0.2 // indirect
 	github.com/couchbase/tools-common/errors v1.0.0 // indirect
 	github.com/couchbaselabs/gocbconnstr/v2 v2.0.0 // indirect
+	github.com/danieljoos/wincred v1.2.2 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/dvsekhvalnov/jose2go v1.7.0 // indirect
 	github.com/envoyproxy/go-control-plane/envoy v1.32.4 // indirect
 	github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
@@ -115,7 +146,9 @@ require (
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/goccy/go-json v0.10.5 // indirect
+	github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2 // indirect
 	github.com/godror/knownpb v0.3.0 // indirect
+	github.com/golang-jwt/jwt/v5 v5.3.0 // indirect
 	github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 // indirect
 	github.com/golang-sql/sqlexp v0.1.0 // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
@@ -127,6 +160,7 @@ require (
 	github.com/gorilla/websocket v1.5.3 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 // indirect
+	github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c // indirect
 	github.com/hashicorp/go-uuid v1.0.3 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
@@ -140,19 +174,25 @@ require (
 	github.com/jcmturner/rpc/v2 v2.0.3 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0 // indirect
+	github.com/klauspost/asmfmt v1.3.2 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.11 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/minio/asm2plan9s v0.0.0-20200509001527-cdd76441f9d8 // indirect
+	github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/montanaflynn/stats v0.7.1 // indirect
+	github.com/mtibben/percent v0.2.1 // indirect
 	github.com/nakagami/chacha20 v0.1.0 // indirect
 	github.com/ncruces/go-strftime v0.1.9 // indirect
 	github.com/pierrec/lz4 v2.6.1+incompatible // indirect
 	github.com/pierrec/lz4/v4 v4.1.22 // indirect
+	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/spf13/pflag v1.0.9 // indirect
 	github.com/spiffe/go-spiffe/v2 v2.5.0 // indirect
 	github.com/xdg-go/pbkdf2 v1.0.0 // indirect
@@ -182,6 +222,7 @@ require (
 	golang.org/x/sync v0.18.0 // indirect
 	golang.org/x/sys v0.38.0 // indirect
 	golang.org/x/telemetry v0.0.0-20251008203120-078029d740a8 // indirect
+	golang.org/x/term v0.37.0 // indirect
 	golang.org/x/text v0.31.0 // indirect
 	golang.org/x/time v0.14.0 // indirect
 	golang.org/x/tools v0.38.0 // indirect
--- a/go.sum
+++ b/go.sum
@@ -643,6 +643,10 @@ filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 gioui.org v0.0.0-20210308172011-57750fc8a0a6/go.mod h1:RSH6KIUZ0p2xy5zHDxgAM4zumjgTw83q2ge/PI+yyw8=
 git.sr.ht/~sbinet/gg v0.3.1/go.mod h1:KGYtlADtqsqANL9ueOFkWymvzUvLMQllU5Ixo+8v3pc=
+github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4 h1:/vQbFIOMbk2FiG/kXiLl8BRyzTWDw7gX/Hz7Dd5eDMs=
+github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4/go.mod h1:hN7oaIRCjzsZ2dE+yG5k+rsdt3qcwykqK6HVGcKwsw4=
+github.com/99designs/keyring v1.2.2 h1:pZd3neh/EmUzWONb35LxQfvuY7kiSXAq3HQd97+XBn0=
+github.com/99designs/keyring v1.2.2/go.mod h1:wes/FrByc8j7lFOAGLGSNEg8f/PaI3cgTBqhFkHUrPk=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0 h1:Gt0j3wceWMwPmiazCa8MzMA0MfhmPIz0Qp0FJ6qcM0U=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0/go.mod h1:Ot/6aikWnKWi4l9QB7qVSwa8iMphQNqkWALMoNT3rzM=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.1 h1:B+blDbyVIG3WaikNxPnhPiJ1MThR03b3vKGtER95TP4=
@@ -653,11 +657,15 @@ github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.3.1 h1:Wgf5rZb
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.3.1/go.mod h1:xxCBG/f/4Vbmh2XQJBsOmNdxWUY5j/s27jujKPbQf14=
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.1 h1:bFWuoEKg+gImo7pvkiQEFAc8ocibADgXeiLAxWhWmkI=
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.1/go.mod h1:Vih/3yc6yac2JzU4hzpaDupBJP0Flaia9rXXrU8xyww=
+github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.0.0 h1:u/LLAOFgsMv7HmNL4Qufg58y+qElGOt5qv0z1mURkRY=
+github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.0.0/go.mod h1:2e8rMJtl2+2j+HXbTBwnyGpm5Nou7KhvSfxOq8JpTag=
 github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg=
 github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 h1:oygO0locgZJe7PpYPXT5A29ZkwJaPqcva7BVeemZOZs=
 github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0=
+github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/ClickHouse/ch-go v0.68.0 h1:zd2VD8l2aVYnXFRyhTyKCrxvhSz1AaY4wBUXu/f0GiU=
 github.com/ClickHouse/ch-go v0.68.0/go.mod h1:C89Fsm7oyck9hr6rRo5gqqiVtaIY6AjdD0WFMyNRQ5s=
@@ -701,6 +709,8 @@ github.com/andybalholm/brotli v1.2.0/go.mod h1:rzTDkvFWvIrjDXZHkuS16NPggd91W3kUS
 github.com/andybalholm/cascadia v1.3.3 h1:AG2YHrzJIm4BZ19iwJ/DAua6Btl3IwJX+VI4kktS1LM=
 github.com/andybalholm/cascadia v1.3.3/go.mod h1:xNd9bqTn98Ln4DwST8/nG+H0yuB8Hmgu1YHNnWw0GeA=
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
+github.com/apache/arrow-go/v18 v18.4.0 h1:/RvkGqH517iY8bZKc4FD5/kkdwXJGjxf28JIXbJ/oB0=
+github.com/apache/arrow-go/v18 v18.4.0/go.mod h1:Aawvwhj8x2jURIzD9Moy72cF0FyJXOpkYpdmGRHcw14=
 github.com/apache/arrow/go/v10 v10.0.1/go.mod h1:YvhnlEePVnBS4+0z3fhPfUy7W1Ikj0Ih0vcRo/gZ1M0=
 github.com/apache/arrow/go/v11 v11.0.0/go.mod h1:Eg5OsL5H+e299f7u5ssuXsuHQVEGC4xei5aX110hRiI=
 github.com/apache/arrow/go/v15 v15.0.2 h1:60IliRbiyTWCWjERBCkO1W4Qun9svcYoZrSLcyOsMLE=
@@ -708,6 +718,8 @@ github.com/apache/arrow/go/v15 v15.0.2/go.mod h1:DGXsR3ajT524njufqf95822i+KTh+ye
 github.com/apache/cassandra-gocql-driver/v2 v2.0.0 h1:Omnzb1Z/P90Dr2TbVNu54ICQL7TKVIIsJO231w484HU=
 github.com/apache/cassandra-gocql-driver/v2 v2.0.0/go.mod h1:QH/asJjB3mHvY6Dot6ZKMMpTcOrWJ8i9GhsvG1g0PK4=
 github.com/apache/thrift v0.16.0/go.mod h1:PHK3hniurgQaNMZYaCLEqXKsYK8upmhPbmdP2FXSqgU=
+github.com/apache/thrift v0.22.0 h1:r7mTJdj51TMDe6RtcmNdQxgn9XcyfGDOzegMDRg47uc=
+github.com/apache/thrift v0.22.0/go.mod h1:1e7J/O1Ae6ZQMTYdy9xa3w9k+XHWPfRvdPyJeynQ+/g=
 github.com/aws/aws-sdk-go v1.55.8 h1:JRmEUbU52aJQZ2AjX4q4Wu7t4uZjOu71uyNmaWlUkJQ=
 github.com/aws/aws-sdk-go v1.55.8/go.mod h1:ZkViS9AqA6otK+JBBNH2++sx1sgxrPKcSzPPvQkUtXk=
 github.com/aws/aws-sdk-go-v2 v1.39.0 h1:xm5WV/2L4emMRmMjHFykqiA4M/ra0DJVSWUkDyBjbg4=
@@ -720,6 +732,8 @@ github.com/aws/aws-sdk-go-v2/credentials v1.18.12 h1:zmc9e1q90wMn8wQbjryy8IwA6Q4
 github.com/aws/aws-sdk-go-v2/credentials v1.18.12/go.mod h1:3VzdRDR5u3sSJRI4kYcOSIBbeYsgtVk7dG5R/U6qLWY=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.7 h1:Is2tPmieqGS2edBnmOJIbdvOA6Op+rRpaYR60iBAwXM=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.7/go.mod h1:F1i5V5421EGci570yABvpIXgRIBPb5JM+lSkHF6Dq5w=
+github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.16.15 h1:7Zwtt/lP3KNRkeZre7soMELMGNoBrutx8nobg1jKWmo=
+github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.16.15/go.mod h1:436h2adoHb57yd+8W+gYPrrA9U/R/SuAuOO42Ushzhw=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.7 h1:UCxq0X9O3xrlENdKf1r9eRJoKz/b0AfGkpp3a7FPlhg=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.7/go.mod h1:rHRoJUNUASj5Z/0eqI4w32vKvC7atoWR0jC+IkmVH8k=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.7 h1:Y6DTZUn7ZUC4th9FMBbo8LVE+1fyq3ofw+tRwkUd3PY=
@@ -804,6 +818,8 @@ github.com/couchbaselabs/gocbconnstr/v2 v2.0.0 h1:HU9DlAYYWR69jQnLN6cpg0fh0hxW/8
 github.com/couchbaselabs/gocbconnstr/v2 v2.0.0/go.mod h1:o7T431UOfFVHDNvMBUmUxpHnhivwv7BziUao/nMl81E=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/danieljoos/wincred v1.2.2 h1:774zMFJrqaeYCK2W57BgAem/MLi6mtSE47MB6BOJ0i0=
+github.com/danieljoos/wincred v1.2.2/go.mod h1:w7w4Utbrz8lqeMbDAK0lkNJUv5sAOkFi7nd/ogr0Uh8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
@@ -822,6 +838,8 @@ github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
+github.com/dvsekhvalnov/jose2go v1.7.0 h1:bnQc8+GMnidJZA8zc6lLEAb4xNrIqHwO+9TzqvtQZPo=
+github.com/dvsekhvalnov/jose2go v1.7.0/go.mod h1:QsHjhyTlD/lAVqn/NSbVZmSCGeDehTB/mPZadG+mhXU=
 github.com/elastic/elastic-transport-go/v8 v8.8.0 h1:7k1Ua+qluFr6p1jfJjGDl97ssJS/P7cHNInzfxgBQAo=
 github.com/elastic/elastic-transport-go/v8 v8.8.0/go.mod h1:YLHer5cj0csTzNFXoNQ8qhtGY1GTvSqPnKWKaqQE3Hk=
 github.com/elastic/go-elasticsearch/v9 v9.2.0 h1:COeL/g20+ixnUbffe4Wfbu88emrHjAq/LhVfmrjqRQs=
@@ -905,6 +923,7 @@ github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJn
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
 github.com/go-playground/validator/v10 v10.28.0 h1:Q7ibns33JjyW48gHkuFT91qX48KG0ktULL6FgHdG688=
 github.com/go-playground/validator/v10 v10.28.0/go.mod h1:GoI6I1SjPBh9p7ykNE/yj3fFYbyDOpwMn5KXd+m2hUU=
+github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg=
 github.com/go-sql-driver/mysql v1.9.3 h1:U/N249h2WzJ3Ukj8SowVFjdtZKfu9vlLZxjPXV1aweo=
 github.com/go-sql-driver/mysql v1.9.3/go.mod h1:qn46aNg1333BRMNU69Lq93t8du/dwxI64Gl8i5p1WMU=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
@@ -915,6 +934,8 @@ github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
 github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw=
 github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
+github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2 h1:ZpnhV/YsD2/4cESfV5+Hoeu/iUR3ruzNvZ+yQfO03a0=
+github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2/go.mod h1:bBOAhwG1umN6/6ZUMtDFBMQR8jRg9O75tm9K00oMsK4=
 github.com/godror/godror v0.49.6 h1:ts4ZGw8uLJ42e1D7aXmVuSrld0/lzUzmIUjuUuQOgGM=
 github.com/godror/godror v0.49.6/go.mod h1:kTMcxZzRw73RT5kn9v3JkBK4kHI6dqowHotqV72ebU8=
 github.com/godror/knownpb v0.3.0 h1:+caUdy8hTtl7X05aPl3tdL540TvCcaQA6woZQroLZMw=
@@ -1066,6 +1087,8 @@ github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0/go.mod h1:hgWBS7lorOAVIJEQMi4Zs
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.3/go.mod h1:o//XUCC/F+yRGJoPO/VU0GSB0f8Nhgmxx0VIRUvaC0w=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 h1:8Tjv8EJ+pM1xP8mK6egEbD1OgnVTyacbefKhmbLhIhU=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2/go.mod h1:pkJQ2tZHJ0aFOVEEot6oZmaVEZcRme73eIFmhiVuRWs=
+github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c h1:6rhixN/i8ZofjG1Y75iExal34USq5p+wiN1tpie8IrU=
+github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c/go.mod h1:NMPJylDgVpX0MLRlPy15sqSwOFv/U1GZ2m21JhFfek0=
 github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
 github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
@@ -1110,6 +1133,8 @@ github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh6
 github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
 github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
+github.com/jmoiron/sqlx v1.4.0 h1:1PLqN7S1UYp5t4SrVVnt4nUVNemrDAtxlulVe+Qgm3o=
+github.com/jmoiron/sqlx v1.4.0/go.mod h1:ZrZ7UsYB/weZdl2Bxg6jCRO9c3YHl8r3ahlKmRT4JLY=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
@@ -1121,6 +1146,7 @@ github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0/go.mod h1:1NbS8ALr
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/klauspost/asmfmt v1.3.2 h1:4Ri7ox3EwapiOjCki+hw14RyKk201CN4rzyCJRFLpK4=
 github.com/klauspost/asmfmt v1.3.2/go.mod h1:AG8TuvYojzulgDAMCnYn50l/5QV3Bs/tp6j0HLHbNSE=
 github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
 github.com/klauspost/compress v1.15.9/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU=
@@ -1144,6 +1170,8 @@ github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
 github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
+github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
+github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/looker-open-source/sdk-codegen/go v0.25.21 h1:nlZ1nz22SKluBNkzplrMHBPEVgJO3zVLF6aAws1rrRA=
 github.com/looker-open-source/sdk-codegen/go v0.25.21/go.mod h1:Br1ntSiruDJ/4nYNjpYyWyCbqJ7+GQceWbIgn0hYims=
 github.com/lyft/protoc-gen-star v0.6.0/go.mod h1:TGAoBVkt8w7MPG72TrKIu85MIdXwDuzJYeZuUPFPNwA=
@@ -1156,9 +1184,13 @@ github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-sqlite3 v1.14.14/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
+github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=
+github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/microsoft/go-mssqldb v1.9.3 h1:hy4p+LDC8LIGvI3JATnLVmBOLMJbmn5X400mr5j0lPs=
 github.com/microsoft/go-mssqldb v1.9.3/go.mod h1:GBbW9ASTiDC+mpgWDGKdm3FnFLTUsLYN3iFL90lQ+PA=
+github.com/minio/asm2plan9s v0.0.0-20200509001527-cdd76441f9d8 h1:AMFGa4R4MiIpspGNG7Z948v4n35fFGB3RR3G/ry4FWs=
 github.com/minio/asm2plan9s v0.0.0-20200509001527-cdd76441f9d8/go.mod h1:mC1jAcsrzbxHt8iiaC+zU4b1ylILSosueou12R++wfY=
+github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3 h1:+n/aFZefKZp7spd8DFdX7uMikMLXX4oubIzJF4kv/wI=
 github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3/go.mod h1:RagcQ7I8IeTMnF8JTXieKnO4Z6JCsikNEzj0DwauVzE=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
@@ -1174,6 +1206,8 @@ github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjY
 github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe/go.mod h1:wL8QJuTMNUDYhXwkmfOly8iTdp5TEcJFWZD2D7SIkUc=
 github.com/montanaflynn/stats v0.7.1 h1:etflOAAHORrCC44V+aR6Ftzort912ZU+YLiSTuV8eaE=
 github.com/montanaflynn/stats v0.7.1/go.mod h1:etXPPgVO6n31NxCd9KQUMvCM+ve0ruNzt6R8Bnaayow=
+github.com/mtibben/percent v0.2.1 h1:5gssi8Nqo8QU/r2pynCm+hBQHpkB/uNK7BJCFogWdzs=
+github.com/mtibben/percent v0.2.1/go.mod h1:KG9uO+SZkUp+VkRHsCdYQV3XSZrrSpR3O9ibNBTZrns=
 github.com/nakagami/chacha20 v0.1.0 h1:2fbf5KeVUw7oRpAe6/A7DqvBJLYYu0ka5WstFbnkEVo=
 github.com/nakagami/chacha20 v0.1.0/go.mod h1:xpoujepNFA7MvYLvX5xKHzlOHimDrLI9Ll8zfOJ0l2E=
 github.com/nakagami/firebirdsql v0.9.15 h1:Mf05jaFI8+kjy6sBstsAu76zOkJ44AGd6cpApWNrp/0=
@@ -1182,6 +1216,7 @@ github.com/ncruces/go-strftime v0.1.9 h1:bY0MQC28UADQmHmaF5dgpLmImcShSi2kHU9XLdh
 github.com/ncruces/go-strftime v0.1.9/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
 github.com/neo4j/neo4j-go-driver/v5 v5.28.4 h1:7toxehVcYkZbyxV4W3Ib9VcnyRBQPucF+VwNNmtSXi4=
 github.com/neo4j/neo4j-go-driver/v5 v5.28.4/go.mod h1:Vff8OwT7QpLm7L2yYr85XNWe9Rbqlbeb9asNXJTHO4k=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/oklog/ulid/v2 v2.0.2 h1:r4fFzBm+bv0wNKNh5eXTwU7i85y5x+uwkxCUTNVQqLc=
 github.com/oklog/ulid/v2 v2.0.2/go.mod h1:mtBL0Qe/0HAx6/a4Z30qxVIAL1eQDweXq5lxOEiwQ68=
 github.com/onsi/gomega v1.36.2 h1:koNYke6TVk6ZmnyHrCXba/T/MoLBXFjeC1PtvYgw0A8=
@@ -1247,6 +1282,8 @@ github.com/sijms/go-ora/v2 v2.9.0/go.mod h1:QgFInVi3ZWyqAiJwzBQA+nbKYKH77tdp1PYo
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/snowflakedb/gosnowflake v1.18.1 h1:Nb4AWSnSBWe1UKpKTwCZxjYhYo1JH7GgKhO3wW1kR10=
+github.com/snowflakedb/gosnowflake v1.18.1/go.mod h1:7D4+cLepOWrerVsH+tevW3zdMJ5/WrEN7ZceAC6xBv0=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4=
 github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I=
@@ -1650,10 +1687,12 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220624220833-87e55d714810/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220829200755-d48e67d00261/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -2075,6 +2114,7 @@ google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aO
 google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -21,13 +21,13 @@ import (

 // AuthServiceConfig is the interface for configuring authentication services.
 type AuthServiceConfig interface {
-	AuthServiceConfigKind() string
+	AuthServiceConfigType() string
 	Initialize() (AuthService, error)
 }

 // AuthService is the interface for authentication services.
 type AuthService interface {
-	AuthServiceKind() string
+	AuthServiceType() string
 	GetName() string
 	GetClaimsFromHeader(context.Context, http.Header) (map[string]any, error)
 	ToConfig() AuthServiceConfig
--- a/internal/auth/google/google.go
+++ b/internal/auth/google/google.go
@@ -23,7 +23,7 @@ import (
 	"google.golang.org/api/idtoken"
 )

-const AuthServiceKind string = "google"
+const AuthServiceType string = "google"

 // validate interface
 var _ auth.AuthServiceConfig = Config{}
@@ -31,13 +31,13 @@ var _ auth.AuthServiceConfig = Config{}
 // Auth service configuration
 type Config struct {
 	Name     string `yaml:"name" validate:"required"`
-	Kind     string `yaml:"kind" validate:"required"`
+	Type     string `yaml:"type" validate:"required"`
 	ClientID string `yaml:"clientId" validate:"required"`
 }

-// Returns the auth service kind
-func (cfg Config) AuthServiceConfigKind() string {
-	return AuthServiceKind
+// Returns the auth service type
+func (cfg Config) AuthServiceConfigType() string {
+	return AuthServiceType
 }

 // Initialize a Google auth service
@@ -55,9 +55,9 @@ type AuthService struct {
 	Config
 }

-// Returns the auth service kind
-func (a AuthService) AuthServiceKind() string {
-	return AuthServiceKind
+// Returns the auth service type
+func (a AuthService) AuthServiceType() string {
+	return AuthServiceType
 }

 func (a AuthService) ToConfig() auth.AuthServiceConfig {
--- a/internal/embeddingmodels/embeddingmodels.go
+++ b/internal/embeddingmodels/embeddingmodels.go
@@ -22,12 +22,12 @@ import (

 // EmbeddingModelConfig is the interface for configuring embedding models.
 type EmbeddingModelConfig interface {
-	EmbeddingModelConfigKind() string
+	EmbeddingModelConfigType() string
 	Initialize(context.Context) (EmbeddingModel, error)
 }

 type EmbeddingModel interface {
-	EmbeddingModelKind() string
+	EmbeddingModelType() string
 	ToConfig() EmbeddingModelConfig
 	EmbedParameters(context.Context, []string) ([][]float32, error)
 }
--- a/internal/embeddingmodels/gemini/gemini.go
+++ b/internal/embeddingmodels/gemini/gemini.go
@@ -23,22 +23,22 @@ import (
 	"google.golang.org/genai"
 )

-const EmbeddingModelKind string = "gemini"
+const EmbeddingModelType string = "gemini"

 // validate interface
 var _ embeddingmodels.EmbeddingModelConfig = Config{}

 type Config struct {
 	Name      string `yaml:"name" validate:"required"`
-	Kind      string `yaml:"kind" validate:"required"`
+	Type      string `yaml:"type" validate:"required"`
 	Model     string `yaml:"model" validate:"required"`
 	ApiKey    string `yaml:"apiKey"`
 	Dimension int32  `yaml:"dimension"`
 }

-// Returns the embedding model kind
-func (cfg Config) EmbeddingModelConfigKind() string {
-	return EmbeddingModelKind
+// Returns the embedding model type
+func (cfg Config) EmbeddingModelConfigType() string {
+	return EmbeddingModelType
 }

 // Initialize a Gemini embedding model
@@ -69,9 +69,9 @@ type EmbeddingModel struct {
 	Config
 }

-// Returns the embedding model kind
-func (m EmbeddingModel) EmbeddingModelKind() string {
-	return EmbeddingModelKind
+// Returns the embedding model type
+func (m EmbeddingModel) EmbeddingModelType() string {
+	return EmbeddingModelType
 }

 func (m EmbeddingModel) ToConfig() embeddingmodels.EmbeddingModelConfig {
--- a/internal/embeddingmodels/gemini/gemini_test.go
+++ b/internal/embeddingmodels/gemini/gemini_test.go
@@ -15,9 +15,9 @@
 package gemini_test

 import (
+	"context"
 	"testing"

-	yaml "github.com/goccy/go-yaml"
 	"github.com/google/go-cmp/cmp"
 	"github.com/googleapis/genai-toolbox/internal/embeddingmodels"
 	"github.com/googleapis/genai-toolbox/internal/embeddingmodels/gemini"
@@ -34,15 +34,15 @@ func TestParseFromYamlGemini(t *testing.T) {
 		{
 			desc: "basic example",
 			in: `
-            embeddingModels:
-                my-gemini-model:
-                    kind: gemini
-                    model: text-embedding-004
+			kind: embeddingModels
+			name: my-gemini-model
+			type: gemini
+			model: text-embedding-004
            `,
 			want: map[string]embeddingmodels.EmbeddingModelConfig{
 				"my-gemini-model": gemini.Config{
 					Name:  "my-gemini-model",
-					Kind:  gemini.EmbeddingModelKind,
+					Type:  gemini.EmbeddingModelType,
 					Model: "text-embedding-004",
 				},
 			},
@@ -50,17 +50,17 @@ func TestParseFromYamlGemini(t *testing.T) {
 		{
 			desc: "full example with optional fields",
 			in: `
-            embeddingModels:
-                complex-gemini:
-                    kind: gemini
-                    model: text-embedding-004
-                    apiKey: "test-api-key"
-                    dimension: 768
+            kind: embeddingModels
+            name: complex-gemini
+            type: gemini
+            model: text-embedding-004
+            apiKey: "test-api-key"
+            dimension: 768
            `,
 			want: map[string]embeddingmodels.EmbeddingModelConfig{
 				"complex-gemini": gemini.Config{
 					Name:      "complex-gemini",
-					Kind:      gemini.EmbeddingModelKind,
+					Type:      gemini.EmbeddingModelType,
 					Model:     "text-embedding-004",
 					ApiKey:    "test-api-key",
 					Dimension: 768,
@@ -70,16 +70,13 @@ func TestParseFromYamlGemini(t *testing.T) {
 	}
 	for _, tc := range tcs {
 		t.Run(tc.desc, func(t *testing.T) {
-			got := struct {
-				Models server.EmbeddingModelConfigs `yaml:"embeddingModels"`
-			}{}
 			// Parse contents
-			err := yaml.Unmarshal(testutils.FormatYaml(tc.in), &got)
+			_, _, got, _, _, _, err := server.UnmarshalResourceConfig(context.Background(), testutils.FormatYaml(tc.in))
 			if err != nil {
 				t.Fatalf("unable to unmarshal: %s", err)
 			}
-			if !cmp.Equal(tc.want, got.Models) {
-				t.Fatalf("incorrect parse: %v", cmp.Diff(tc.want, got.Models))
+			if !cmp.Equal(tc.want, got) {
+				t.Fatalf("incorrect parse: %v", cmp.Diff(tc.want, got))
 			}
 		})
 	}
@@ -93,32 +90,29 @@ func TestFailParseFromYamlGemini(t *testing.T) {
 		{
 			desc: "missing required model field",
 			in: `
-            embeddingModels:
-                bad-model:
-                    kind: gemini
+            kind: embeddingModels
+            name: bad-model
+            type: gemini
            `,
 			// Removed the specific model name from the prefix to match your output
-			err: "unable to parse as \"gemini\": Key: 'Config.Model' Error:Field validation for 'Model' failed on the 'required' tag",
+			err: "error unmarshaling embeddingModels: unable to parse as \"bad-model\": Key: 'Config.Model' Error:Field validation for 'Model' failed on the 'required' tag",
 		},
 		{
 			desc: "unknown field",
 			in: `
-            embeddingModels:
-                bad-field:
-                    kind: gemini
-                    model: text-embedding-004
-                    invalid_param: true
+            kind: embeddingModels
+            name: bad-field
+            type: gemini
+            model: text-embedding-004
+            invalid_param: true
            `,
 			// Updated to match the specific line-starting format of your error output
-			err: "unable to parse as \"gemini\": [1:1] unknown field \"invalid_param\"\n>  1 | invalid_param: true\n       ^\n   2 | kind: gemini\n   3 | model: text-embedding-004",
+			err: "error unmarshaling embeddingModels: unable to parse as \"bad-field\": [1:1] unknown field \"invalid_param\"\n>  1 | invalid_param: true\n       ^\n   2 | model: text-embedding-004\n   3 | name: bad-field\n   4 | type: gemini",
 		},
 	}
 	for _, tc := range tcs {
 		t.Run(tc.desc, func(t *testing.T) {
-			got := struct {
-				Models server.EmbeddingModelConfigs `yaml:"embeddingModels"`
-			}{}
-			err := yaml.Unmarshal(testutils.FormatYaml(tc.in), &got)
+			_, _, _, _, _, _, err := server.UnmarshalResourceConfig(context.Background(), testutils.FormatYaml(tc.in))
 			if err == nil {
 				t.Fatalf("expect parsing to fail")
 			}
--- a/internal/prebuiltconfigs/prebuiltconfigs_test.go
+++ b/internal/prebuiltconfigs/prebuiltconfigs_test.go
@@ -49,6 +49,7 @@ var expectedToolSources = []string{
 	"postgres",
 	"serverless-spark",
 	"singlestore",
+	"snowflake",
 	"spanner-postgres",
 	"spanner",
 	"sqlite",
@@ -127,9 +128,9 @@ func TestGetPrebuiltTool(t *testing.T) {
 	sqlite_config, _ := Get("sqlite")
 	neo4jconfig, _ := Get("neo4j")
 	healthcare_config, _ := Get("cloud-healthcare")
-
+	snowflake_config, _ := Get("snowflake")
 	if len(alloydb_admin_config) <= 0 {
-		t.Fatalf("unexpected error: could not fetch alloydb prebuilt tools yaml")
+		t.Fatalf("unexpected error: could not fetch alloydb admin prebuilt tools yaml")
 	}
 	if len(alloydb_config) <= 0 {
 		t.Fatalf("unexpected error: could not fetch alloydb prebuilt tools yaml")
@@ -197,6 +198,9 @@ func TestGetPrebuiltTool(t *testing.T) {
 	if len(singlestore_config) <= 0 {
 		t.Fatalf("unexpected error: could not fetch singlestore prebuilt tools yaml")
 	}
+	if len(snowflake_config) <= 0 {
+		t.Fatalf("unexpected error: could not fetch snowflake prebuilt tools yaml")
+	}
 	if len(spanner_config) <= 0 {
 		t.Fatalf("unexpected error: could not fetch spanner prebuilt tools yaml")
 	}
@@ -218,6 +222,9 @@ func TestGetPrebuiltTool(t *testing.T) {
 	if len(healthcare_config) <= 0 {
 		t.Fatalf("unexpected error: could not fetch healthcare prebuilt tools yaml")
 	}
+	if len(snowflake_config) <= 0 {
+		t.Fatalf("unexpected error: could not fetch snowflake prebuilt tools yaml")
+	}
 }

 func TestFailGetPrebuiltTool(t *testing.T) {
--- a/internal/prebuiltconfigs/tools/bigquery.yaml
+++ b/internal/prebuiltconfigs/tools/bigquery.yaml
@@ -19,6 +19,7 @@ sources:
    location: ${BIGQUERY_LOCATION:}
    useClientOAuth: ${BIGQUERY_USE_CLIENT_OAUTH:false}
    scopes: ${BIGQUERY_SCOPES:}
+    maxQueryResultRows: ${BIGQUERY_MAX_QUERY_RESULT_ROWS:50}

 tools:
  analyze_contribution:
--- a/internal/prebuiltconfigs/tools/cloud-sql-mssql-admin.yaml
+++ b/internal/prebuiltconfigs/tools/cloud-sql-mssql-admin.yaml
@@ -43,6 +43,9 @@ tools:
  clone_instance:
    kind: cloud-sql-clone-instance
    source: cloud-sql-admin-source
+  create_backup:
+    kind: cloud-sql-create-backup
+    source: cloud-sql-admin-source

 toolsets:
  cloud_sql_mssql_admin_tools:
@@ -54,3 +57,4 @@ toolsets:
    - create_user
    - wait_for_operation
    - clone_instance
+    - create_backup
--- a/internal/prebuiltconfigs/tools/cloud-sql-mysql-admin.yaml
+++ b/internal/prebuiltconfigs/tools/cloud-sql-mysql-admin.yaml
@@ -43,6 +43,9 @@ tools:
  clone_instance:
    kind: cloud-sql-clone-instance
    source: cloud-sql-admin-source
+  create_backup:
+    kind: cloud-sql-create-backup
+    source: cloud-sql-admin-source

 toolsets:
  cloud_sql_mysql_admin_tools:
@@ -54,3 +57,4 @@ toolsets:
    - create_user
    - wait_for_operation
    - clone_instance
+    - create_backup
--- a/internal/prebuiltconfigs/tools/cloud-sql-postgres-admin.yaml
+++ b/internal/prebuiltconfigs/tools/cloud-sql-postgres-admin.yaml
@@ -46,6 +46,9 @@ tools:
  postgres_upgrade_precheck:
    kind: postgres-upgrade-precheck
    source: cloud-sql-admin-source
+  create_backup:
+    kind: cloud-sql-create-backup
+    source: cloud-sql-admin-source

 toolsets:
  cloud_sql_postgres_admin_tools:
@@ -58,3 +61,4 @@ toolsets:
    - wait_for_operation
    - postgres_upgrade_precheck
    - clone_instance
+    - create_backup
--- a/internal/prebuiltconfigs/tools/snowflake.yaml
+++ b/internal/prebuiltconfigs/tools/snowflake.yaml
@@ -0,0 +1,142 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+sources:
+    snowflake-source:
+        kind: snowflake
+        account: ${SNOWFLAKE_ACCOUNT}
+        user: ${SNOWFLAKE_USER}
+        password: ${SNOWFLAKE_PASSWORD}
+        database: ${SNOWFLAKE_DATABASE}
+        schema: ${SNOWFLAKE_SCHEMA}
+        warehouse: ${SNOWFLAKE_WAREHOUSE}
+        role: ${SNOWFLAKE_ROLE}
+
+tools:
+    execute_sql:
+        kind: snowflake-execute-sql
+        source: snowflake-source
+        description: Use this tool to execute SQL.
+
+    list_tables:
+        kind: snowflake-sql
+        source: snowflake-source
+        description: "Lists detailed schema information (object type, columns, constraints, indexes, owner, comment) as JSON for user-created tables. Filters by a comma-separated list of names. If names are omitted, lists all tables in the specified database and schema."
+        statement: |
+           WITH
+           input_param AS (
+                SELECT ? AS param -- Single bind variable here
+           )
+           ,
+           all_tables_mode AS (
+                SELECT COALESCE(TRIM(param), '') = '' AS is_all_tables
+                FROM input_param
+           ) --SELECT * FROM all_tables_mode;
+           ,
+           filtered_table_names AS (
+                SELECT DISTINCT TRIM(LOWER(value)) AS table_name
+                FROM input_param, all_tables_mode, TABLE(SPLIT_TO_TABLE(param, ','))
+                WHERE NOT is_all_tables
+           ) -- SELECT * FROM filtered_table_names;
+           ,
+           table_info AS (
+                SELECT
+                    t.TABLE_CATALOG,
+                    t.TABLE_SCHEMA,
+                    t.TABLE_NAME,
+                    t.TABLE_TYPE,
+                    t.TABLE_OWNER,
+                    t.COMMENT
+                FROM
+                    all_tables_mode
+                    CROSS JOIN ${SNOWFLAKE_DATABASE}.INFORMATION_SCHEMA.TABLES T
+                WHERE
+                    t.TABLE_TYPE = 'BASE TABLE'
+                    AND t.TABLE_SCHEMA NOT IN ('INFORMATION_SCHEMA')
+                    AND t.TABLE_SCHEMA = '${SNOWFLAKE_SCHEMA}'
+                    AND is_all_tables OR LOWER(T.TABLE_NAME) IN (SELECT table_name FROM filtered_table_names)
+            ) -- SELECT * FROM table_info;
+            ,
+            columns_info AS (
+                SELECT
+                    c.TABLE_CATALOG AS database_name,
+                    c.TABLE_SCHEMA AS schema_name,
+                    c.TABLE_NAME AS table_name,
+                    c.COLUMN_NAME AS column_name,
+                    c.DATA_TYPE AS data_type,
+                    c.ORDINAL_POSITION AS column_ordinal_position,
+                    c.IS_NULLABLE AS is_nullable,
+                    c.COLUMN_DEFAULT AS column_default,
+                    c.COMMENT AS column_comment
+                FROM
+                    ${SNOWFLAKE_DATABASE}.INFORMATION_SCHEMA.COLUMNS c
+                    INNER JOIN table_info USING (TABLE_CATALOG, TABLE_SCHEMA, TABLE_NAME)
+            )
+            ,
+            constraints_info AS (
+                SELECT
+                    tc.TABLE_CATALOG AS database_name,
+                    tc.TABLE_SCHEMA AS schema_name,
+                    tc.TABLE_NAME AS table_name,
+                    tc.CONSTRAINT_NAME AS constraint_name,
+                    tc.CONSTRAINT_TYPE AS constraint_type
+                FROM
+                    ${SNOWFLAKE_DATABASE}.INFORMATION_SCHEMA.TABLE_CONSTRAINTS tc
+                    INNER JOIN table_info USING (TABLE_CATALOG, TABLE_SCHEMA, TABLE_NAME)
+                GROUP BY
+                    tc.TABLE_CATALOG, tc.TABLE_SCHEMA, tc.TABLE_NAME, tc.CONSTRAINT_NAME, tc.CONSTRAINT_TYPE
+            )
+            SELECT
+                ti.TABLE_SCHEMA AS schema_name,
+                ti.TABLE_NAME AS object_name,
+                OBJECT_CONSTRUCT(
+                    'schema_name', ti.TABLE_SCHEMA,
+                    'object_name', ti.TABLE_NAME,
+                    'object_type', ti.TABLE_TYPE,
+                    'owner', ti.TABLE_OWNER,
+                    'comment', ti.COMMENT,
+                    'columns', COALESCE(
+                        (SELECT ARRAY_AGG(
+                            OBJECT_CONSTRUCT(
+                                'column_name', ci.column_name,
+                                'data_type', ci.data_type,
+                                'ordinal_position', ci.column_ordinal_position,
+                                'is_nullable', ci.is_nullable,
+                                'column_default', ci.column_default,
+                                'column_comment', ci.column_comment
+                            )
+                        ) FROM columns_info ci WHERE ci.table_name = ti.TABLE_NAME AND ci.schema_name = ti.TABLE_SCHEMA),
+                        ARRAY_CONSTRUCT()
+                    ),
+                    'constraints', COALESCE(
+                        (SELECT ARRAY_AGG(
+                            OBJECT_CONSTRUCT(
+                                'constraint_name', cons.constraint_name,
+                                'constraint_type', cons.constraint_type
+                            )
+                        ) FROM constraints_info cons WHERE cons.table_name = ti.TABLE_NAME AND cons.schema_name = ti.TABLE_SCHEMA),
+                        ARRAY_CONSTRUCT()
+                    )
+                ) AS object_details
+            FROM table_info ti
+            ORDER BY ti.TABLE_SCHEMA, ti.TABLE_NAME;
+        parameters:
+            - name: table_names
+              type: string
+              description: "Optional: A comma-separated list of table names. If empty, details for all tables in the specified database and schema will be listed."
+
+toolsets:
+    snowflake_tools:
+        - execute_sql
+        - list_tables
--- a/internal/prompts/custom/custom.go
+++ b/internal/prompts/custom/custom.go
@@ -25,12 +25,12 @@ import (

 type Message = prompts.Message

-const kind = "custom"
+const resourceType = "custom"

-// init registers this prompt kind with the prompt framework.
+// init registers this prompt type with the prompt framework.
 func init() {
-	if !prompts.Register(kind, newConfig) {
-		panic(fmt.Sprintf("prompt kind %q already registered", kind))
+	if !prompts.Register(resourceType, newConfig) {
+		panic(fmt.Sprintf("prompt type %q already registered", resourceType))
 	}
 }

@@ -56,8 +56,8 @@ type Config struct {
 var _ prompts.PromptConfig = Config{}
 var _ prompts.Prompt = Prompt{}

-func (c Config) PromptConfigKind() string {
-	return kind
+func (c Config) PromptConfigType() string {
+	return resourceType
 }

 func (c Config) Initialize() (prompts.Prompt, error) {
--- a/internal/prompts/custom/custom_test.go
+++ b/internal/prompts/custom/custom_test.go
@@ -42,7 +42,7 @@ func TestConfig(t *testing.T) {
 		Arguments: testArgs,
 	}

-	// initialize and check kind
+	// initialize and check type
 	p, err := cfg.Initialize()
 	if err != nil {
 		t.Fatalf("Initialize() failed: %v", err)
@@ -50,8 +50,8 @@ func TestConfig(t *testing.T) {
 	if p == nil {
 		t.Fatal("Initialize() returned a nil prompt")
 	}
-	if cfg.PromptConfigKind() != "custom" {
-		t.Errorf("PromptConfigKind() = %q, want %q", cfg.PromptConfigKind(), "custom")
+	if cfg.PromptConfigType() != "custom" {
+		t.Errorf("PromptConfigType() = %q, want %q", cfg.PromptConfigType(), "custom")
 	}

 	t.Run("Manifest", func(t *testing.T) {
--- a/internal/prompts/prompts.go
+++ b/internal/prompts/prompts.go
@@ -30,40 +30,40 @@ var promptRegistry = make(map[string]PromptConfigFactory)

 // Register allows individual prompt packages to register their configuration
 // factory function. This is typically called from an init() function in the
-// prompt's package. It associates a 'kind' string with a function that can
+// prompt's package. It associates a 'type' string with a function that can
 // produce the specific PromptConfig type. It returns true if the registration was
-// successful, and false if a prompt with the same kind was already registered.
-func Register(kind string, factory PromptConfigFactory) bool {
-	if _, exists := promptRegistry[kind]; exists {
-		// Prompt with this kind already exists, do not overwrite.
+// successful, and false if a prompt with the same type was already registered.
+func Register(resourceType string, factory PromptConfigFactory) bool {
+	if _, exists := promptRegistry[resourceType]; exists {
+		// Prompt with this type already exists, do not overwrite.
 		return false
 	}
-	promptRegistry[kind] = factory
+	promptRegistry[resourceType] = factory
 	return true
 }

-// DecodeConfig looks up the registered factory for the given kind and uses it
+// DecodeConfig looks up the registered factory for the given type and uses it
 // to decode the prompt configuration.
-func DecodeConfig(ctx context.Context, kind, name string, decoder *yaml.Decoder) (PromptConfig, error) {
-	factory, found := promptRegistry[kind]
-	if !found && kind == "" {
-		kind = "custom"
-		factory, found = promptRegistry[kind]
+func DecodeConfig(ctx context.Context, resourceType, name string, decoder *yaml.Decoder) (PromptConfig, error) {
+	factory, found := promptRegistry[resourceType]
+	if !found && resourceType == "" {
+		resourceType = "custom"
+		factory, found = promptRegistry[resourceType]
 	}

 	if !found {
-		return nil, fmt.Errorf("unknown prompt kind: %q", kind)
+		return nil, fmt.Errorf("unknown prompt type: %q", resourceType)
 	}

 	promptConfig, err := factory(ctx, name, decoder)
 	if err != nil {
-		return nil, fmt.Errorf("unable to parse prompt %q as kind %q: %w", name, kind, err)
+		return nil, fmt.Errorf("unable to parse prompt %q as resourceType %q: %w", name, resourceType, err)
 	}
 	return promptConfig, nil
 }

 type PromptConfig interface {
-	PromptConfigKind() string
+	PromptConfigType() string
 	Initialize() (Prompt, error)
 }

--- a/internal/prompts/prompts_test.go
+++ b/internal/prompts/prompts_test.go
@@ -29,16 +29,16 @@ import (

 type mockPromptConfig struct {
 	name string
-	kind string
+	Type string
 }

-func (m *mockPromptConfig) PromptConfigKind() string            { return m.kind }
+func (m *mockPromptConfig) PromptConfigType() string            { return m.Type }
 func (m *mockPromptConfig) Initialize() (prompts.Prompt, error) { return nil, nil }

 var errMockFactory = errors.New("mock factory error")

 func mockFactory(ctx context.Context, name string, decoder *yaml.Decoder) (prompts.PromptConfig, error) {
-	return &mockPromptConfig{name: name, kind: "mockKind"}, nil
+	return &mockPromptConfig{name: name, Type: "mockType"}, nil
 }

 func mockErrorFactory(ctx context.Context, name string, decoder *yaml.Decoder) (prompts.PromptConfig, error) {
@@ -50,17 +50,17 @@ func TestRegistry(t *testing.T) {
 	ctx := context.Background()

 	t.Run("RegisterAndDecodeSuccess", func(t *testing.T) {
-		kind := "testKindSuccess"
-		if !prompts.Register(kind, mockFactory) {
+		resourceType := "testTypeSuccess"
+		if !prompts.Register(resourceType, mockFactory) {
 			t.Fatal("expected registration to succeed")
 		}
 		// This should fail because we are registering a duplicate
-		if prompts.Register(kind, mockFactory) {
+		if prompts.Register(resourceType, mockFactory) {
 			t.Fatal("expected duplicate registration to fail")
 		}

 		decoder := yaml.NewDecoder(strings.NewReader(""))
-		config, err := prompts.DecodeConfig(ctx, kind, "testPrompt", decoder)
+		config, err := prompts.DecodeConfig(ctx, resourceType, "testPrompt", decoder)
 		if err != nil {
 			t.Fatalf("expected DecodeConfig to succeed, but got error: %v", err)
 		}
@@ -69,25 +69,25 @@ func TestRegistry(t *testing.T) {
 		}
 	})

-	t.Run("DecodeUnknownKind", func(t *testing.T) {
+	t.Run("DecodeUnknownType", func(t *testing.T) {
 		decoder := yaml.NewDecoder(strings.NewReader(""))
-		_, err := prompts.DecodeConfig(ctx, "unregisteredKind", "testPrompt", decoder)
+		_, err := prompts.DecodeConfig(ctx, "unregisteredType", "testPrompt", decoder)
 		if err == nil {
-			t.Fatal("expected an error for unknown kind, but got nil")
+			t.Fatal("expected an error for unknown type, but got nil")
 		}
-		if !strings.Contains(err.Error(), "unknown prompt kind") {
-			t.Errorf("expected error to contain 'unknown prompt kind', but got: %v", err)
+		if !strings.Contains(err.Error(), "unknown prompt type") {
+			t.Errorf("expected error to contain 'unknown prompt type', but got: %v", err)
 		}
 	})

 	t.Run("FactoryReturnsError", func(t *testing.T) {
-		kind := "testKindError"
-		if !prompts.Register(kind, mockErrorFactory) {
+		resourceType := "testTypeError"
+		if !prompts.Register(resourceType, mockErrorFactory) {
 			t.Fatal("expected registration to succeed")
 		}

 		decoder := yaml.NewDecoder(strings.NewReader(""))
-		_, err := prompts.DecodeConfig(ctx, kind, "testPrompt", decoder)
+		_, err := prompts.DecodeConfig(ctx, resourceType, "testPrompt", decoder)
 		if err == nil {
 			t.Fatal("expected an error from the factory, but got nil")
 		}
@@ -100,13 +100,13 @@ func TestRegistry(t *testing.T) {
 		decoder := yaml.NewDecoder(strings.NewReader("description: A test prompt"))
 		config, err := prompts.DecodeConfig(ctx, "", "testDefaultPrompt", decoder)
 		if err != nil {
-			t.Fatalf("expected DecodeConfig with empty kind to succeed, but got error: %v", err)
+			t.Fatalf("expected DecodeConfig with empty type to succeed, but got error: %v", err)
 		}
 		if config == nil {
-			t.Fatal("expected a non-nil config for default kind")
+			t.Fatal("expected a non-nil config for default type")
 		}
-		if config.PromptConfigKind() != "custom" {
-			t.Errorf("expected default kind to be 'custom', but got %q", config.PromptConfigKind())
+		if config.PromptConfigType() != "custom" {
+			t.Errorf("expected default type to be 'custom', but got %q", config.PromptConfigType())
 		}
 	})
 }
--- a/internal/server/config.go
+++ b/internal/server/config.go
@@ -14,8 +14,10 @@
 package server

 import (
+	"bytes"
 	"context"
 	"fmt"
+	"io"
 	"strings"

 	yaml "github.com/goccy/go-yaml"
@@ -68,6 +70,8 @@ type ServerConfig struct {
 	UI bool
 	// Specifies a list of origins permitted to access this server.
 	AllowedOrigins []string
+	// Specifies a list of hosts permitted to access this server
+	AllowedHosts []string
 }

 type logFormat string
@@ -122,272 +126,201 @@ func (s *StringLevel) Type() string {
 	return "stringLevel"
 }

-// SourceConfigs is a type used to allow unmarshal of the data source config map
 type SourceConfigs map[string]sources.SourceConfig
-
-// validate interface
-var _ yaml.InterfaceUnmarshalerContext = &SourceConfigs{}
-
-func (c *SourceConfigs) UnmarshalYAML(ctx context.Context, unmarshal func(interface{}) error) error {
-	*c = make(SourceConfigs)
-	// Parse the 'kind' fields for each source
-	var raw map[string]util.DelayedUnmarshaler
-	if err := unmarshal(&raw); err != nil {
-		return err
-	}
-
-	for name, u := range raw {
-		// Unmarshal to a general type that ensure it capture all fields
-		var v map[string]any
-		if err := u.Unmarshal(&v); err != nil {
-			return fmt.Errorf("unable to unmarshal %q: %w", name, err)
-		}
-
-		kind, ok := v["kind"]
-		if !ok {
-			return fmt.Errorf("missing 'kind' field for source %q", name)
-		}
-		kindStr, ok := kind.(string)
-		if !ok {
-			return fmt.Errorf("invalid 'kind' field for source %q (must be a string)", name)
-		}
-
-		yamlDecoder, err := util.NewStrictDecoder(v)
-		if err != nil {
-			return fmt.Errorf("error creating YAML decoder for source %q: %w", name, err)
-		}
-
-		sourceConfig, err := sources.DecodeConfig(ctx, kindStr, name, yamlDecoder)
-		if err != nil {
-			return err
-		}
-		(*c)[name] = sourceConfig
-	}
-	return nil
-}
-
-// AuthServiceConfigs is a type used to allow unmarshal of the data authService config map
 type AuthServiceConfigs map[string]auth.AuthServiceConfig
-
-// validate interface
-var _ yaml.InterfaceUnmarshalerContext = &AuthServiceConfigs{}
-
-func (c *AuthServiceConfigs) UnmarshalYAML(ctx context.Context, unmarshal func(interface{}) error) error {
-	*c = make(AuthServiceConfigs)
-	// Parse the 'kind' fields for each authService
-	var raw map[string]util.DelayedUnmarshaler
-	if err := unmarshal(&raw); err != nil {
-		return err
-	}
-
-	for name, u := range raw {
-		var v map[string]any
-		if err := u.Unmarshal(&v); err != nil {
-			return fmt.Errorf("unable to unmarshal %q: %w", name, err)
-		}
-
-		kind, ok := v["kind"]
-		if !ok {
-			return fmt.Errorf("missing 'kind' field for %q", name)
-		}
-
-		dec, err := util.NewStrictDecoder(v)
-		if err != nil {
-			return fmt.Errorf("error creating decoder: %w", err)
-		}
-		switch kind {
-		case google.AuthServiceKind:
-			actual := google.Config{Name: name}
-			if err := dec.DecodeContext(ctx, &actual); err != nil {
-				return fmt.Errorf("unable to parse as %q: %w", kind, err)
-			}
-			(*c)[name] = actual
-		default:
-			return fmt.Errorf("%q is not a valid kind of auth source", kind)
-		}
-	}
-	return nil
-}
-
-// EmbeddingModelConfigs is a type used to allow unmarshal of the embedding model config map
 type EmbeddingModelConfigs map[string]embeddingmodels.EmbeddingModelConfig
-
-// validate interface
-var _ yaml.InterfaceUnmarshalerContext = &EmbeddingModelConfigs{}
-
-func (c *EmbeddingModelConfigs) UnmarshalYAML(ctx context.Context, unmarshal func(interface{}) error) error {
-	*c = make(EmbeddingModelConfigs)
-	// Parse the 'kind' fields for each embedding model
-	var raw map[string]util.DelayedUnmarshaler
-	if err := unmarshal(&raw); err != nil {
-		return err
-	}
-
-	for name, u := range raw {
-		// Unmarshal to a general type that ensure it capture all fields
-		var v map[string]any
-		if err := u.Unmarshal(&v); err != nil {
-			return fmt.Errorf("unable to unmarshal embedding model %q: %w", name, err)
-		}
-
-		kind, ok := v["kind"]
-		if !ok {
-			return fmt.Errorf("missing 'kind' field for embedding model %q", name)
-		}
-
-		dec, err := util.NewStrictDecoder(v)
-		if err != nil {
-			return fmt.Errorf("error creating decoder: %w", err)
-		}
-		switch kind {
-		case gemini.EmbeddingModelKind:
-			actual := gemini.Config{Name: name}
-			if err := dec.DecodeContext(ctx, &actual); err != nil {
-				return fmt.Errorf("unable to parse as %q: %w", kind, err)
-			}
-			(*c)[name] = actual
-		default:
-			return fmt.Errorf("%q is not a valid kind of auth source", kind)
-		}
-	}
-	return nil
-}
-
-// ToolConfigs is a type used to allow unmarshal of the tool configs
 type ToolConfigs map[string]tools.ToolConfig
-
-// validate interface
-var _ yaml.InterfaceUnmarshalerContext = &ToolConfigs{}
-
-func (c *ToolConfigs) UnmarshalYAML(ctx context.Context, unmarshal func(interface{}) error) error {
-	*c = make(ToolConfigs)
-	// Parse the 'kind' fields for each source
-	var raw map[string]util.DelayedUnmarshaler
-	if err := unmarshal(&raw); err != nil {
-		return err
-	}
-
-	for name, u := range raw {
-		var v map[string]any
-		if err := u.Unmarshal(&v); err != nil {
-			return fmt.Errorf("unable to unmarshal %q: %w", name, err)
-		}
-
-		// `authRequired` and `useClientOAuth` cannot be specified together
-		if v["authRequired"] != nil && v["useClientOAuth"] == true {
-			return fmt.Errorf("`authRequired` and `useClientOAuth` are mutually exclusive. Choose only one authentication method")
-		}
-
-		// Make `authRequired` an empty list instead of nil for Tool manifest
-		if v["authRequired"] == nil {
-			v["authRequired"] = []string{}
-		}
-
-		kindVal, ok := v["kind"]
-		if !ok {
-			return fmt.Errorf("missing 'kind' field for tool %q", name)
-		}
-		kindStr, ok := kindVal.(string)
-		if !ok {
-			return fmt.Errorf("invalid 'kind' field for tool %q (must be a string)", name)
-		}
-
-		yamlDecoder, err := util.NewStrictDecoder(v)
-		if err != nil {
-			return fmt.Errorf("error creating YAML decoder for tool %q: %w", name, err)
-		}
-
-		toolCfg, err := tools.DecodeConfig(ctx, kindStr, name, yamlDecoder)
-		if err != nil {
-			return err
-		}
-		(*c)[name] = toolCfg
-	}
-	return nil
-}
-
-// ToolsetConfigs is a type used to allow unmarshal of the toolset configs
 type ToolsetConfigs map[string]tools.ToolsetConfig
-
-// validate interface
-var _ yaml.InterfaceUnmarshalerContext = &ToolsetConfigs{}
-
-func (c *ToolsetConfigs) UnmarshalYAML(ctx context.Context, unmarshal func(interface{}) error) error {
-	*c = make(ToolsetConfigs)
-
-	var raw map[string][]string
-	if err := unmarshal(&raw); err != nil {
-		return err
-	}
-
-	for name, toolList := range raw {
-		(*c)[name] = tools.ToolsetConfig{Name: name, ToolNames: toolList}
-	}
-	return nil
-}
-
-// PromptConfigs is a type used to allow unmarshal of the prompt configs
 type PromptConfigs map[string]prompts.PromptConfig
-
-// validate interface
-var _ yaml.InterfaceUnmarshalerContext = &PromptConfigs{}
-
-func (c *PromptConfigs) UnmarshalYAML(ctx context.Context, unmarshal func(interface{}) error) error {
-	*c = make(PromptConfigs)
-	var raw map[string]util.DelayedUnmarshaler
-	if err := unmarshal(&raw); err != nil {
-		return err
-	}
-
-	for name, u := range raw {
-		var v map[string]any
-		if err := u.Unmarshal(&v); err != nil {
-			return fmt.Errorf("unable to unmarshal prompt %q: %w", name, err)
-		}
-
-		// Look for the 'kind' field. If it's not present, kindStr will be an
-		// empty string, which prompts.DecodeConfig will correctly default to "custom".
-		var kindStr string
-		if kindVal, ok := v["kind"]; ok {
-			var isString bool
-			kindStr, isString = kindVal.(string)
-			if !isString {
-				return fmt.Errorf("invalid 'kind' field for prompt %q (must be a string)", name)
-			}
-		}
-
-		// Create a new, strict decoder for this specific prompt's data.
-		yamlDecoder, err := util.NewStrictDecoder(v)
-		if err != nil {
-			return fmt.Errorf("error creating YAML decoder for prompt %q: %w", name, err)
-		}
-
-		// Use the central registry to decode the prompt based on its kind.
-		promptCfg, err := prompts.DecodeConfig(ctx, kindStr, name, yamlDecoder)
-		if err != nil {
-			return err
-		}
-		(*c)[name] = promptCfg
-	}
-	return nil
-}
-
-// PromptsetConfigs is a type used to allow unmarshal of the PromptsetConfigs configs
 type PromptsetConfigs map[string]prompts.PromptsetConfig

-// validate interface
-var _ yaml.InterfaceUnmarshalerContext = &PromptsetConfigs{}
+func UnmarshalResourceConfig(ctx context.Context, raw []byte) (SourceConfigs, AuthServiceConfigs, EmbeddingModelConfigs, ToolConfigs, ToolsetConfigs, PromptConfigs, error) {
+	// prepare configs map
+	sourceConfigs := make(map[string]sources.SourceConfig)
+	authServiceConfigs := make(AuthServiceConfigs)
+	embeddingModelConfigs := make(EmbeddingModelConfigs)
+	toolConfigs := make(ToolConfigs)
+	toolsetConfigs := make(ToolsetConfigs)
+	promptConfigs := make(PromptConfigs)
+	// promptset configs is not yet supported

-func (c *PromptsetConfigs) UnmarshalYAML(ctx context.Context, unmarshal func(interface{}) error) error {
-	*c = make(PromptsetConfigs)
+	decoder := yaml.NewDecoder(bytes.NewReader(raw))
+	// for loop to unmarshal documents with the `---` separator
+	for {
+		var resource map[string]any
+		if err := decoder.DecodeContext(ctx, &resource); err != nil {
+			if err == io.EOF {
+				break
+			}
+			return nil, nil, nil, nil, nil, nil, fmt.Errorf("unable to decode YAML document: %w", err)
+		}
+		var kind, name string
+		var ok bool
+		if kind, ok = resource["kind"].(string); !ok {
+			return nil, nil, nil, nil, nil, nil, fmt.Errorf("missing 'kind' field or it is not a string")
+		}
+		if name, ok = resource["name"].(string); !ok {
+			return nil, nil, nil, nil, nil, nil, fmt.Errorf("missing 'name' field or it is not a string")
+		}
+		// remove 'kind' from map for strict unmarshaling
+		delete(resource, "kind")

-	var raw map[string][]string
-	if err := unmarshal(&raw); err != nil {
-		return err
+		switch kind {
+		case "sources":
+			c, err := UnmarshalYAMLSourceConfig(ctx, name, resource)
+			if err != nil {
+				return nil, nil, nil, nil, nil, nil, fmt.Errorf("error unmarshaling %s: %s", kind, err)
+			}
+			sourceConfigs[name] = c
+		case "authServices":
+			c, err := UnmarshalYAMLAuthServiceConfig(ctx, name, resource)
+			if err != nil {
+				return nil, nil, nil, nil, nil, nil, fmt.Errorf("error unmarshaling %s: %s", kind, err)
+			}
+			authServiceConfigs[name] = c
+		case "tools":
+			c, err := UnmarshalYAMLToolConfig(ctx, name, resource)
+			if err != nil {
+				return nil, nil, nil, nil, nil, nil, fmt.Errorf("error unmarshaling %s: %s", kind, err)
+			}
+			toolConfigs[name] = c
+		case "toolsets":
+			c, err := UnmarshalYAMLToolsetConfig(ctx, name, resource)
+			if err != nil {
+				return nil, nil, nil, nil, nil, nil, fmt.Errorf("error unmarshaling %s: %s", kind, err)
+			}
+			toolsetConfigs[name] = c
+		case "embeddingModels":
+			c, err := UnmarshalYAMLEmbeddingModelConfig(ctx, name, resource)
+			if err != nil {
+				return nil, nil, nil, nil, nil, nil, fmt.Errorf("error unmarshaling %s: %s", kind, err)
+			}
+			embeddingModelConfigs[name] = c
+		case "prompts":
+			c, err := UnmarshalYAMLPromptConfig(ctx, name, resource)
+			if err != nil {
+				return nil, nil, nil, nil, nil, nil, fmt.Errorf("error unmarshaling %s: %s", kind, err)
+			}
+			promptConfigs[name] = c
+		default:
+			return nil, nil, nil, nil, nil, nil, fmt.Errorf("invalid kind %s", kind)
+		}
 	}
-
-	for name, promptList := range raw {
-		(*c)[name] = prompts.PromptsetConfig{Name: name, PromptNames: promptList}
-	}
-	return nil
+	return sourceConfigs, authServiceConfigs, embeddingModelConfigs, toolConfigs, toolsetConfigs, promptConfigs, nil
+}
+
+func UnmarshalYAMLSourceConfig(ctx context.Context, name string, r map[string]any) (sources.SourceConfig, error) {
+	resourceType, ok := r["type"].(string)
+	if !ok {
+		return nil, fmt.Errorf("missing 'type' field or it is not a string")
+	}
+	dec, err := util.NewStrictDecoder(r)
+	if err != nil {
+		return nil, fmt.Errorf("error creating decoder: %w", err)
+	}
+	sourceConfig, err := sources.DecodeConfig(ctx, resourceType, name, dec)
+	if err != nil {
+		return nil, err
+	}
+	return sourceConfig, nil
+}
+
+func UnmarshalYAMLAuthServiceConfig(ctx context.Context, name string, r map[string]any) (auth.AuthServiceConfig, error) {
+	resourceType, ok := r["type"].(string)
+	if !ok {
+		return nil, fmt.Errorf("missing 'type' field or it is not a string")
+	}
+	if resourceType != google.AuthServiceType {
+		return nil, fmt.Errorf("%s is not a valid type of auth service", resourceType)
+	}
+	dec, err := util.NewStrictDecoder(r)
+	if err != nil {
+		return nil, fmt.Errorf("error creating decoder: %s", err)
+	}
+	actual := google.Config{Name: name}
+	if err := dec.DecodeContext(ctx, &actual); err != nil {
+		return nil, fmt.Errorf("unable to parse as %s: %w", name, err)
+	}
+	return actual, nil
+}
+
+func UnmarshalYAMLEmbeddingModelConfig(ctx context.Context, name string, r map[string]any) (embeddingmodels.EmbeddingModelConfig, error) {
+	resourceType, ok := r["type"].(string)
+	if !ok {
+		return nil, fmt.Errorf("missing 'type' field or it is not a string")
+	}
+	if resourceType != gemini.EmbeddingModelType {
+		return nil, fmt.Errorf("%s is not a valid type of embedding model", resourceType)
+	}
+	dec, err := util.NewStrictDecoder(r)
+	if err != nil {
+		return nil, fmt.Errorf("error creating decoder: %s", err)
+	}
+	actual := gemini.Config{Name: name}
+	if err := dec.DecodeContext(ctx, &actual); err != nil {
+		return nil, fmt.Errorf("unable to parse as %q: %w", name, err)
+	}
+	return actual, nil
+}
+
+func UnmarshalYAMLToolConfig(ctx context.Context, name string, r map[string]any) (tools.ToolConfig, error) {
+	resourceType, ok := r["type"].(string)
+	if !ok {
+		return nil, fmt.Errorf("missing 'type' field or it is not a string")
+	}
+	// `authRequired` and `useClientOAuth` cannot be specified together
+	if r["authRequired"] != nil && r["useClientOAuth"] == true {
+		return nil, fmt.Errorf("`authRequired` and `useClientOAuth` are mutually exclusive. Choose only one authentication method")
+	}
+	// Make `authRequired` an empty list instead of nil for Tool manifest
+	if r["authRequired"] == nil {
+		r["authRequired"] = []string{}
+	}
+	dec, err := util.NewStrictDecoder(r)
+	if err != nil {
+		return nil, fmt.Errorf("error creating decoder: %s", err)
+	}
+	toolCfg, err := tools.DecodeConfig(ctx, resourceType, name, dec)
+	if err != nil {
+		return nil, err
+	}
+	return toolCfg, nil
+}
+
+func UnmarshalYAMLToolsetConfig(ctx context.Context, name string, r map[string]any) (tools.ToolsetConfig, error) {
+	var toolsetConfig tools.ToolsetConfig
+	justTools := map[string]any{"tools": r["tools"]}
+	dec, err := util.NewStrictDecoder(justTools)
+	if err != nil {
+		return toolsetConfig, fmt.Errorf("error creating decoder: %s", err)
+	}
+	var raw map[string][]string
+	if err := dec.DecodeContext(ctx, &raw); err != nil {
+		return toolsetConfig, fmt.Errorf("unable to unmarshal tools: %s", err)
+	}
+	return tools.ToolsetConfig{Name: name, ToolNames: raw["tools"]}, nil
+}
+
+func UnmarshalYAMLPromptConfig(ctx context.Context, name string, r map[string]any) (prompts.PromptConfig, error) {
+	// Look for the 'type' field. If it's not present, typeStr will be an
+	// empty string, which prompts.DecodeConfig will correctly default to "custom".
+	var resourceType string
+	if typeVal, ok := r["type"]; ok {
+		var isString bool
+		resourceType, isString = typeVal.(string)
+		if !isString {
+			return nil, fmt.Errorf("invalid 'type' field for prompt %q (must be a string)", name)
+		}
+	}
+	dec, err := util.NewStrictDecoder(r)
+	if err != nil {
+		return nil, fmt.Errorf("error creating decoder: %s", err)
+	}
+
+	// Use the central registry to decode the prompt based on its type.
+	promptCfg, err := prompts.DecodeConfig(ctx, resourceType, name, dec)
+	if err != nil {
+		return nil, err
+	}
+	return promptCfg, nil
 }
--- a/internal/server/resources/resources_test.go
+++ b/internal/server/resources/resources_test.go
@@ -32,7 +32,7 @@ func TestUpdateServer(t *testing.T) {
 		"example-source": &alloydbpg.Source{
 			Config: alloydbpg.Config{
 				Name: "example-alloydb-source",
-				Kind: "alloydb-postgres",
+				Type: "alloydb-postgres",
 			},
 		},
 	}
@@ -92,7 +92,7 @@ func TestUpdateServer(t *testing.T) {
 		"example-source2": &alloydbpg.Source{
 			Config: alloydbpg.Config{
 				Name: "example-alloydb-source2",
-				Kind: "alloydb-postgres",
+				Type: "alloydb-postgres",
 			},
 		},
 	}
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -82,7 +82,7 @@ func InitializeConfigs(ctx context.Context, cfg ServerConfig) (
 			childCtx, span := instrumentation.Tracer.Start(
 				ctx,
 				"toolbox/server/source/init",
-				trace.WithAttributes(attribute.String("source_kind", sc.SourceConfigKind())),
+				trace.WithAttributes(attribute.String("source_type", sc.SourceConfigType())),
 				trace.WithAttributes(attribute.String("source_name", name)),
 			)
 			defer span.End()
@@ -110,7 +110,7 @@ func InitializeConfigs(ctx context.Context, cfg ServerConfig) (
 			_, span := instrumentation.Tracer.Start(
 				ctx,
 				"toolbox/server/auth/init",
-				trace.WithAttributes(attribute.String("auth_kind", sc.AuthServiceConfigKind())),
+				trace.WithAttributes(attribute.String("auth_type", sc.AuthServiceConfigType())),
 				trace.WithAttributes(attribute.String("auth_name", name)),
 			)
 			defer span.End()
@@ -138,7 +138,7 @@ func InitializeConfigs(ctx context.Context, cfg ServerConfig) (
 			_, span := instrumentation.Tracer.Start(
 				ctx,
 				"toolbox/server/embeddingmodel/init",
-				trace.WithAttributes(attribute.String("model_kind", ec.EmbeddingModelConfigKind())),
+				trace.WithAttributes(attribute.String("model_type", ec.EmbeddingModelConfigType())),
 				trace.WithAttributes(attribute.String("model_name", name)),
 			)
 			defer span.End()
@@ -166,7 +166,7 @@ func InitializeConfigs(ctx context.Context, cfg ServerConfig) (
 			_, span := instrumentation.Tracer.Start(
 				ctx,
 				"toolbox/server/tool/init",
-				trace.WithAttributes(attribute.String("tool_kind", tc.ToolConfigKind())),
+				trace.WithAttributes(attribute.String("tool_type", tc.ToolConfigType())),
 				trace.WithAttributes(attribute.String("tool_name", name)),
 			)
 			defer span.End()
@@ -235,7 +235,7 @@ func InitializeConfigs(ctx context.Context, cfg ServerConfig) (
 			_, span := instrumentation.Tracer.Start(
 				ctx,
 				"toolbox/server/prompt/init",
-				trace.WithAttributes(attribute.String("prompt_kind", pc.PromptConfigKind())),
+				trace.WithAttributes(attribute.String("prompt_type", pc.PromptConfigType())),
 				trace.WithAttributes(attribute.String("prompt_name", name)),
 			)
 			defer span.End()
@@ -300,6 +300,21 @@ func InitializeConfigs(ctx context.Context, cfg ServerConfig) (
 	return sourcesMap, authServicesMap, embeddingModelsMap, toolsMap, toolsetsMap, promptsMap, promptsetsMap, nil
 }

+func hostCheck(allowedHosts map[string]struct{}) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			_, hasWildcard := allowedHosts["*"]
+			_, hostIsAllowed := allowedHosts[r.Host]
+			if !hasWildcard && !hostIsAllowed {
+				// Return 400 Bad Request or 403 Forbidden to block the attack
+				http.Error(w, "Invalid Host header", http.StatusBadRequest)
+				return
+			}
+			next.ServeHTTP(w, r)
+		})
+	}
+}
+
 // NewServer returns a Server object based on provided Config.
 func NewServer(ctx context.Context, cfg ServerConfig) (*Server, error) {
 	instrumentation, err := util.InstrumentationFromContext(ctx)
@@ -374,7 +389,7 @@ func NewServer(ctx context.Context, cfg ServerConfig) (*Server, error) {

 	// cors
 	if slices.Contains(cfg.AllowedOrigins, "*") {
-		s.logger.WarnContext(ctx, "wildcard (`*`) allows all origin to access the resource and is not secure. Use it with cautious for public, non-sensitive data, or during local development. Recommended to use `--allowed-origins` flag to prevent DNS rebinding attacks")
+		s.logger.WarnContext(ctx, "wildcard (`*`) allows all origin to access the resource and is not secure. Use it with cautious for public, non-sensitive data, or during local development. Recommended to use `--allowed-origins` flag")
 	}
 	corsOpts := cors.Options{
 		AllowedOrigins:   cfg.AllowedOrigins,
@@ -385,6 +400,15 @@ func NewServer(ctx context.Context, cfg ServerConfig) (*Server, error) {
 		MaxAge:           300,                        // cache preflight results for 5 minutes
 	}
 	r.Use(cors.Handler(corsOpts))
+	// validate hosts for DNS rebinding attacks
+	if slices.Contains(cfg.AllowedHosts, "*") {
+		s.logger.WarnContext(ctx, "wildcard (`*`) allows all hosts to access the resource and is not secure. Use it with cautious for public, non-sensitive data, or during local development. Recommended to use `--allowed-hosts` flag to prevent DNS rebinding attacks")
+	}
+	allowedHostsMap := make(map[string]struct{}, len(cfg.AllowedHosts))
+	for _, h := range cfg.AllowedHosts {
+		allowedHostsMap[h] = struct{}{}
+	}
+	r.Use(hostCheck(allowedHostsMap))

 	// control plane
 	apiR, err := apiRouter(s)
--- a/internal/server/server_test.go
+++ b/internal/server/server_test.go
@@ -43,9 +43,10 @@ func TestServe(t *testing.T) {

 	addr, port := "127.0.0.1", 5000
 	cfg := server.ServerConfig{
-		Version: "0.0.0",
-		Address: addr,
-		Port:    port,
+		Version:      "0.0.0",
+		Address:      addr,
+		Port:         port,
+		AllowedHosts: []string{"*"},
 	}

 	otelShutdown, err := telemetry.SetupOTel(ctx, "0.0.0", "", false, "toolbox")
@@ -140,7 +141,7 @@ func TestUpdateServer(t *testing.T) {
 		"example-source": &alloydbpg.Source{
 			Config: alloydbpg.Config{
 				Name: "example-alloydb-source",
-				Kind: "alloydb-postgres",
+				Type: "alloydb-postgres",
 			},
 		},
 	}
--- a/internal/sources/alloydbadmin/alloydbadmin.go
+++ b/internal/sources/alloydbadmin/alloydbadmin.go
@@ -32,14 +32,14 @@ import (
 	"google.golang.org/api/option"
 )

-const SourceKind string = "alloydb-admin"
+const SourceType string = "alloydb-admin"

 // validate interface
 var _ sources.SourceConfig = Config{}

 func init() {
-	if !sources.Register(SourceKind, newConfig) {
-		panic(fmt.Sprintf("source kind %q already registered", SourceKind))
+	if !sources.Register(SourceType, newConfig) {
+		panic(fmt.Sprintf("source type %q already registered", SourceType))
 	}
 }

@@ -53,13 +53,13 @@ func newConfig(ctx context.Context, name string, decoder *yaml.Decoder) (sources

 type Config struct {
 	Name           string `yaml:"name" validate:"required"`
-	Kind           string `yaml:"kind" validate:"required"`
+	Type           string `yaml:"type" validate:"required"`
 	DefaultProject string `yaml:"defaultProject"`
 	UseClientOAuth bool   `yaml:"useClientOAuth"`
 }

-func (r Config) SourceConfigKind() string {
-	return SourceKind
+func (r Config) SourceConfigType() string {
+	return SourceType
 }

 func (r Config) Initialize(ctx context.Context, tracer trace.Tracer) (sources.Source, error) {
@@ -106,8 +106,8 @@ type Source struct {
 	Service *alloydbrestapi.Service
 }

-func (s *Source) SourceKind() string {
-	return SourceKind
+func (s *Source) SourceType() string {
+	return SourceType
 }

 func (s *Source) ToConfig() sources.SourceConfig {
--- a/internal/sources/alloydbadmin/alloydbadmin_test.go
+++ b/internal/sources/alloydbadmin/alloydbadmin_test.go
@@ -15,9 +15,9 @@
 package alloydbadmin_test

 import (
+	"context"
 	"testing"

-	yaml "github.com/goccy/go-yaml"
 	"github.com/google/go-cmp/cmp"
 	"github.com/googleapis/genai-toolbox/internal/server"
 	"github.com/googleapis/genai-toolbox/internal/sources"
@@ -34,14 +34,14 @@ func TestParseFromYamlAlloyDBAdmin(t *testing.T) {
 		{
 			desc: "basic example",
 			in: `
-			sources:
-				my-alloydb-admin-instance:
-					kind: alloydb-admin
+			kind: sources
+			name: my-alloydb-admin-instance
+			type: alloydb-admin
 			`,
 			want: map[string]sources.SourceConfig{
 				"my-alloydb-admin-instance": alloydbadmin.Config{
 					Name:           "my-alloydb-admin-instance",
-					Kind:           alloydbadmin.SourceKind,
+					Type:           alloydbadmin.SourceType,
 					UseClientOAuth: false,
 				},
 			},
@@ -49,15 +49,15 @@ func TestParseFromYamlAlloyDBAdmin(t *testing.T) {
 		{
 			desc: "use client auth example",
 			in: `
-			sources:
-				my-alloydb-admin-instance:
-					kind: alloydb-admin
-					useClientOAuth: true
+			kind: sources
+			name: my-alloydb-admin-instance
+			type: alloydb-admin
+			useClientOAuth: true
 			`,
 			want: map[string]sources.SourceConfig{
 				"my-alloydb-admin-instance": alloydbadmin.Config{
 					Name:           "my-alloydb-admin-instance",
-					Kind:           alloydbadmin.SourceKind,
+					Type:           alloydbadmin.SourceType,
 					UseClientOAuth: true,
 				},
 			},
@@ -65,16 +65,13 @@ func TestParseFromYamlAlloyDBAdmin(t *testing.T) {
 	}
 	for _, tc := range tcs {
 		t.Run(tc.desc, func(t *testing.T) {
-			got := struct {
-				Sources server.SourceConfigs `yaml:"sources"`
-			}{}
 			// Parse contents
-			err := yaml.Unmarshal(testutils.FormatYaml(tc.in), &got)
+			got, _, _, _, _, _, err := server.UnmarshalResourceConfig(context.Background(), testutils.FormatYaml(tc.in))
 			if err != nil {
 				t.Fatalf("unable to unmarshal: %s", err)
 			}
-			if !cmp.Equal(tc.want, got.Sources) {
-				t.Fatalf("incorrect parse: want %v, got %v", tc.want, got.Sources)
+			if !cmp.Equal(tc.want, got) {
+				t.Fatalf("incorrect parse: want %v, got %v", tc.want, got)
 			}
 		})
 	}
@@ -89,30 +86,27 @@ func TestFailParseFromYaml(t *testing.T) {
 		{
 			desc: "extra field",
 			in: `
-			sources:
-				my-alloydb-admin-instance:
-					kind: alloydb-admin
-					project: test-project
+			kind: sources
+			name: my-alloydb-admin-instance
+			type: alloydb-admin
+			project: test-project
 			`,
-			err: "unable to parse source \"my-alloydb-admin-instance\" as \"alloydb-admin\": [2:1] unknown field \"project\"\n   1 | kind: alloydb-admin\n>  2 | project: test-project\n       ^\n",
+			err: "error unmarshaling sources: unable to parse source \"my-alloydb-admin-instance\" as \"alloydb-admin\": [2:1] unknown field \"project\"\n   1 | name: my-alloydb-admin-instance\n>  2 | project: test-project\n       ^\n   3 | type: alloydb-admin",
 		},
 		{
 			desc: "missing required field",
 			in: `
-			sources:
-				my-alloydb-admin-instance:
-					useClientOAuth: true
+			kind: sources
+			name: my-alloydb-admin-instance
+			useClientOAuth: true
 			`,
-			err: "missing 'kind' field for source \"my-alloydb-admin-instance\"",
+			err: "error unmarshaling sources: missing 'type' field or it is not a string",
 		},
 	}
 	for _, tc := range tcs {
 		t.Run(tc.desc, func(t *testing.T) {
-			got := struct {
-				Sources server.SourceConfigs `yaml:"sources"`
-			}{}
 			// Parse contents
-			err := yaml.Unmarshal(testutils.FormatYaml(tc.in), &got)
+			_, _, _, _, _, _, err := server.UnmarshalResourceConfig(context.Background(), testutils.FormatYaml(tc.in))
 			if err == nil {
 				t.Fatalf("expect parsing to fail")
 			}
--- a/internal/sources/alloydbpg/alloydb_pg.go
+++ b/internal/sources/alloydbpg/alloydb_pg.go
@@ -29,14 +29,14 @@ import (
 	"go.opentelemetry.io/otel/trace"
 )

-const SourceKind string = "alloydb-postgres"
+const SourceType string = "alloydb-postgres"

 // validate interface
 var _ sources.SourceConfig = Config{}

 func init() {
-	if !sources.Register(SourceKind, newConfig) {
-		panic(fmt.Sprintf("source kind %q already registered", SourceKind))
+	if !sources.Register(SourceType, newConfig) {
+		panic(fmt.Sprintf("source type %q already registered", SourceType))
 	}
 }

@@ -50,7 +50,7 @@ func newConfig(ctx context.Context, name string, decoder *yaml.Decoder) (sources

 type Config struct {
 	Name     string         `yaml:"name" validate:"required"`
-	Kind     string         `yaml:"kind" validate:"required"`
+	Type     string         `yaml:"type" validate:"required"`
 	Project  string         `yaml:"project" validate:"required"`
 	Region   string         `yaml:"region" validate:"required"`
 	Cluster  string         `yaml:"cluster" validate:"required"`
@@ -61,8 +61,8 @@ type Config struct {
 	Database string         `yaml:"database" validate:"required"`
 }

-func (r Config) SourceConfigKind() string {
-	return SourceKind
+func (r Config) SourceConfigType() string {
+	return SourceType
 }

 func (r Config) Initialize(ctx context.Context, tracer trace.Tracer) (sources.Source, error) {
@@ -90,8 +90,8 @@ type Source struct {
 	Pool *pgxpool.Pool
 }

-func (s *Source) SourceKind() string {
-	return SourceKind
+func (s *Source) SourceType() string {
+	return SourceType
 }

 func (s *Source) ToConfig() sources.SourceConfig {
@@ -183,7 +183,7 @@ func getConnectionConfig(ctx context.Context, user, pass, dbname string) (string

 func initAlloyDBPgConnectionPool(ctx context.Context, tracer trace.Tracer, name, project, region, cluster, instance, ipType, user, pass, dbname string) (*pgxpool.Pool, error) {
 	//nolint:all // Reassigned ctx
-	ctx, span := sources.InitConnectionSpan(ctx, tracer, SourceKind, name)
+	ctx, span := sources.InitConnectionSpan(ctx, tracer, SourceType, name)
 	defer span.End()

 	dsn, useIAM, err := getConnectionConfig(ctx, user, pass, dbname)
--- a/internal/sources/alloydbpg/alloydb_pg_test.go
+++ b/internal/sources/alloydbpg/alloydb_pg_test.go
@@ -15,9 +15,9 @@
 package alloydbpg_test

 import (
+	"context"
 	"testing"

-	yaml "github.com/goccy/go-yaml"
 	"github.com/google/go-cmp/cmp"
 	"github.com/googleapis/genai-toolbox/internal/server"
 	"github.com/googleapis/genai-toolbox/internal/sources"
@@ -34,21 +34,21 @@ func TestParseFromYamlAlloyDBPg(t *testing.T) {
 		{
 			desc: "basic example",
 			in: `
-			sources:
-				my-pg-instance:
-					kind: alloydb-postgres
-					project: my-project
-					region: my-region
-					cluster: my-cluster
-					instance: my-instance
-					database: my_db
-					user: my_user
-					password: my_pass
+			kind: sources
+			name: my-pg-instance
+			type: alloydb-postgres
+			project: my-project
+			region: my-region
+			cluster: my-cluster
+			instance: my-instance
+			database: my_db
+			user: my_user
+			password: my_pass
 			`,
 			want: map[string]sources.SourceConfig{
 				"my-pg-instance": alloydbpg.Config{
 					Name:     "my-pg-instance",
-					Kind:     alloydbpg.SourceKind,
+					Type:     alloydbpg.SourceType,
 					Project:  "my-project",
 					Region:   "my-region",
 					Cluster:  "my-cluster",
@@ -63,22 +63,22 @@ func TestParseFromYamlAlloyDBPg(t *testing.T) {
 		{
 			desc: "public ipType",
 			in: `
-			sources:
-				my-pg-instance:
-					kind: alloydb-postgres
-					project: my-project
-					region: my-region
-					cluster: my-cluster
-					instance: my-instance
-					ipType: Public
-					database: my_db
-					user: my_user
-					password: my_pass
+			kind: sources
+			name: my-pg-instance
+			type: alloydb-postgres
+			project: my-project
+			region: my-region
+			cluster: my-cluster
+			instance: my-instance
+			ipType: Public
+			database: my_db
+			user: my_user
+			password: my_pass
 			`,
 			want: map[string]sources.SourceConfig{
 				"my-pg-instance": alloydbpg.Config{
 					Name:     "my-pg-instance",
-					Kind:     alloydbpg.SourceKind,
+					Type:     alloydbpg.SourceType,
 					Project:  "my-project",
 					Region:   "my-region",
 					Cluster:  "my-cluster",
@@ -93,22 +93,22 @@ func TestParseFromYamlAlloyDBPg(t *testing.T) {
 		{
 			desc: "private ipType",
 			in: `
-			sources:
-				my-pg-instance:
-					kind: alloydb-postgres
-					project: my-project
-					region: my-region
-					cluster: my-cluster
-					instance: my-instance
-					ipType: private
-					database: my_db
-					user: my_user
-					password: my_pass
+			kind: sources
+			name: my-pg-instance
+			type: alloydb-postgres
+			project: my-project
+			region: my-region
+			cluster: my-cluster
+			instance: my-instance
+			ipType: private
+			database: my_db
+			user: my_user
+			password: my_pass
 			`,
 			want: map[string]sources.SourceConfig{
 				"my-pg-instance": alloydbpg.Config{
 					Name:     "my-pg-instance",
-					Kind:     alloydbpg.SourceKind,
+					Type:     alloydbpg.SourceType,
 					Project:  "my-project",
 					Region:   "my-region",
 					Cluster:  "my-cluster",
@@ -123,16 +123,13 @@ func TestParseFromYamlAlloyDBPg(t *testing.T) {
 	}
 	for _, tc := range tcs {
 		t.Run(tc.desc, func(t *testing.T) {
-			got := struct {
-				Sources server.SourceConfigs `yaml:"sources"`
-			}{}
 			// Parse contents
-			err := yaml.Unmarshal(testutils.FormatYaml(tc.in), &got)
+			got, _, _, _, _, _, err := server.UnmarshalResourceConfig(context.Background(), testutils.FormatYaml(tc.in))
 			if err != nil {
 				t.Fatalf("unable to unmarshal: %s", err)
 			}
-			if !cmp.Equal(tc.want, got.Sources) {
-				t.Fatalf("incorrect parse: want %v, got %v", tc.want, got.Sources)
+			if !cmp.Equal(tc.want, got) {
+				t.Fatalf("incorrect parse: want %v, got %v", tc.want, got)
 			}
 		})
 	}
@@ -147,60 +144,56 @@ func TestFailParseFromYaml(t *testing.T) {
 		{
 			desc: "invalid ipType",
 			in: `
-			sources:
-				my-pg-instance:
-					kind: alloydb-postgres
-					project: my-project
-					region: my-region
-					cluster: my-cluster
-					instance: my-instance
-					ipType: fail 
-					database: my_db
-					user: my_user
-					password: my_pass
+			kind: sources
+			name: my-pg-instance
+			type: alloydb-postgres
+			project: my-project
+			region: my-region
+			cluster: my-cluster
+			instance: my-instance
+			ipType: fail 
+			database: my_db
+			user: my_user
+			password: my_pass
 			`,
-			err: "unable to parse source \"my-pg-instance\" as \"alloydb-postgres\": ipType invalid: must be one of \"public\", \"private\", or \"psc\"",
+			err: "error unmarshaling sources: unable to parse source \"my-pg-instance\" as \"alloydb-postgres\": ipType invalid: must be one of \"public\", \"private\", or \"psc\"",
 		},
 		{
 			desc: "extra field",
 			in: `
-			sources:
-				my-pg-instance:
-					kind: alloydb-postgres
-					project: my-project
-					region: my-region
-					cluster: my-cluster
-					instance: my-instance
-					database: my_db
-					user: my_user
-					password: my_pass
-					foo: bar
+			kind: sources
+			name: my-pg-instance
+			type: alloydb-postgres
+			project: my-project
+			region: my-region
+			cluster: my-cluster
+			instance: my-instance
+			database: my_db
+			user: my_user
+			password: my_pass
+			foo: bar
 			`,
-			err: "unable to parse source \"my-pg-instance\" as \"alloydb-postgres\": [3:1] unknown field \"foo\"\n   1 | cluster: my-cluster\n   2 | database: my_db\n>  3 | foo: bar\n       ^\n   4 | instance: my-instance\n   5 | kind: alloydb-postgres\n   6 | password: my_pass\n   7 | ",
+			err: "error unmarshaling sources: unable to parse source \"my-pg-instance\" as \"alloydb-postgres\": [3:1] unknown field \"foo\"\n   1 | cluster: my-cluster\n   2 | database: my_db\n>  3 | foo: bar\n       ^\n   4 | instance: my-instance\n   5 | name: my-pg-instance\n   6 | password: my_pass\n   7 | ",
 		},
 		{
 			desc: "missing required field",
 			in: `
-			sources:
-				my-pg-instance:
-					kind: alloydb-postgres
-					region: my-region
-					cluster: my-cluster
-					instance: my-instance
-					database: my_db
-					user: my_user
-					password: my_pass
+			kind: sources
+			name: my-pg-instance
+			type: alloydb-postgres
+			region: my-region
+			cluster: my-cluster
+			instance: my-instance
+			database: my_db
+			user: my_user
+			password: my_pass
 			`,
-			err: "unable to parse source \"my-pg-instance\" as \"alloydb-postgres\": Key: 'Config.Project' Error:Field validation for 'Project' failed on the 'required' tag",
+			err: "error unmarshaling sources: unable to parse source \"my-pg-instance\" as \"alloydb-postgres\": Key: 'Config.Project' Error:Field validation for 'Project' failed on the 'required' tag",
 		},
 	}
 	for _, tc := range tcs {
 		t.Run(tc.desc, func(t *testing.T) {
-			got := struct {
-				Sources server.SourceConfigs `yaml:"sources"`
-			}{}
-			// Parse contents
-			err := yaml.Unmarshal(testutils.FormatYaml(tc.in), &got)
+			_, _, _, _, _, _, err := server.UnmarshalResourceConfig(context.Background(), testutils.FormatYaml(tc.in))
 			if err == nil {
 				t.Fatalf("expect parsing to fail")
 			}
--- a/internal/sources/bigquery/bigquery.go
+++ b/internal/sources/bigquery/bigquery.go
@@ -41,7 +41,7 @@ import (
 	"google.golang.org/api/option"
 )

-const SourceKind string = "bigquery"
+const SourceType string = "bigquery"

 // CloudPlatformScope is a broad scope for Google Cloud Platform services.
 const CloudPlatformScope = "https://www.googleapis.com/auth/cloud-platform"
@@ -65,8 +65,8 @@ type BigQuerySessionProvider func(ctx context.Context) (*Session, error)
 type DataplexClientCreator func(tokenString string) (*dataplexapi.CatalogClient, error)

 func init() {
-	if !sources.Register(SourceKind, newConfig) {
-		panic(fmt.Sprintf("source kind %q already registered", SourceKind))
+	if !sources.Register(SourceType, newConfig) {
+		panic(fmt.Sprintf("source type %q already registered", SourceType))
 	}
 }

@@ -81,7 +81,7 @@ func newConfig(ctx context.Context, name string, decoder *yaml.Decoder) (sources
 type Config struct {
 	// BigQuery configs
 	Name                      string              `yaml:"name" validate:"required"`
-	Kind                      string              `yaml:"kind" validate:"required"`
+	Type                      string              `yaml:"type" validate:"required"`
 	Project                   string              `yaml:"project" validate:"required"`
 	Location                  string              `yaml:"location"`
 	WriteMode                 string              `yaml:"writeMode"`
@@ -89,6 +89,7 @@ type Config struct {
 	UseClientOAuth            bool                `yaml:"useClientOAuth"`
 	ImpersonateServiceAccount string              `yaml:"impersonateServiceAccount"`
 	Scopes                    StringOrStringSlice `yaml:"scopes"`
+	MaxQueryResultRows        int                 `yaml:"maxQueryResultRows"`
 }

 // StringOrStringSlice is a custom type that can unmarshal both a single string
@@ -118,15 +119,19 @@ func (s *StringOrStringSlice) UnmarshalYAML(unmarshal func(any) error) error {
 	return fmt.Errorf("cannot unmarshal %T into StringOrStringSlice", v)
 }

-func (r Config) SourceConfigKind() string {
-	// Returns BigQuery source kind
-	return SourceKind
+func (r Config) SourceConfigType() string {
+	// Returns BigQuery source type
+	return SourceType
 }
 func (r Config) Initialize(ctx context.Context, tracer trace.Tracer) (sources.Source, error) {
 	if r.WriteMode == "" {
 		r.WriteMode = WriteModeAllowed
 	}

+	if r.MaxQueryResultRows == 0 {
+		r.MaxQueryResultRows = 50
+	}
+
 	if r.WriteMode == WriteModeProtected && r.UseClientOAuth {
 		// The protected mode only allows write operations to the session's temporary datasets.
 		// when using client OAuth, a new session is created every
@@ -150,7 +155,7 @@ func (r Config) Initialize(ctx context.Context, tracer trace.Tracer) (sources.So
 		Client:             client,
 		RestService:        restService,
 		TokenSource:        tokenSource,
-		MaxQueryResultRows: 50,
+		MaxQueryResultRows: r.MaxQueryResultRows,
 		ClientCreator:      clientCreator,
 	}

@@ -297,9 +302,9 @@ type Session struct {
 	LastUsed     time.Time
 }

-func (s *Source) SourceKind() string {
-	// Returns BigQuery Google SQL source kind
-	return SourceKind
+func (s *Source) SourceType() string {
+	// Returns BigQuery Google SQL source type
+	return SourceType
 }

 func (s *Source) ToConfig() sources.SourceConfig {
@@ -567,7 +572,7 @@ func (s *Source) RunSQL(ctx context.Context, bqClient *bigqueryapi.Client, state
 	}

 	var out []any
-	for {
+	for s.MaxQueryResultRows <= 0 || len(out) < s.MaxQueryResultRows {
 		var val []bigqueryapi.Value
 		err = it.Next(&val)
 		if err == iterator.Done {
@@ -660,7 +665,7 @@ func initBigQueryConnection(
 	impersonateServiceAccount string,
 	scopes []string,
 ) (*bigqueryapi.Client, *bigqueryrestapi.Service, oauth2.TokenSource, error) {
-	ctx, span := sources.InitConnectionSpan(ctx, tracer, SourceKind, name)
+	ctx, span := sources.InitConnectionSpan(ctx, tracer, SourceType, name)
 	defer span.End()

 	userAgent, err := util.UserAgentFromContext(ctx)
@@ -736,7 +741,7 @@ func initBigQueryConnectionWithOAuthToken(
 	tokenString string,
 	wantRestService bool,
 ) (*bigqueryapi.Client, *bigqueryrestapi.Service, error) {
-	ctx, span := sources.InitConnectionSpan(ctx, tracer, SourceKind, name)
+	ctx, span := sources.InitConnectionSpan(ctx, tracer, SourceType, name)
 	defer span.End()
 	// Construct token source
 	token := &oauth2.Token{
@@ -796,7 +801,7 @@ func initDataplexConnection(
 	var clientCreator DataplexClientCreator
 	var err error

-	ctx, span := sources.InitConnectionSpan(ctx, tracer, SourceKind, name)
+	ctx, span := sources.InitConnectionSpan(ctx, tracer, SourceType, name)
 	defer span.End()

 	userAgent, err := util.UserAgentFromContext(ctx)
--- a/internal/sources/bigquery/bigquery_test.go
+++ b/internal/sources/bigquery/bigquery_test.go
@@ -15,15 +15,18 @@
 package bigquery_test

 import (
+	"context"
 	"math/big"
 	"reflect"
 	"testing"

-	yaml "github.com/goccy/go-yaml"
 	"github.com/google/go-cmp/cmp"
 	"github.com/googleapis/genai-toolbox/internal/server"
+	"github.com/googleapis/genai-toolbox/internal/sources"
 	"github.com/googleapis/genai-toolbox/internal/sources/bigquery"
 	"github.com/googleapis/genai-toolbox/internal/testutils"
+	"github.com/googleapis/genai-toolbox/internal/util"
+	"go.opentelemetry.io/otel/trace/noop"
 )

 func TestParseFromYamlBigQuery(t *testing.T) {
@@ -35,15 +38,15 @@ func TestParseFromYamlBigQuery(t *testing.T) {
 		{
 			desc: "basic example",
 			in: `
-			sources:
-				my-instance:
-					kind: bigquery
-					project: my-project
+			kind: sources
+			name: my-instance
+			type: bigquery
+			project: my-project
 			`,
-			want: server.SourceConfigs{
+			want: map[string]sources.SourceConfig{
 				"my-instance": bigquery.Config{
 					Name:      "my-instance",
-					Kind:      bigquery.SourceKind,
+					Type:      bigquery.SourceType,
 					Project:   "my-project",
 					Location:  "",
 					WriteMode: "",
@@ -53,17 +56,17 @@ func TestParseFromYamlBigQuery(t *testing.T) {
 		{
 			desc: "all fields specified",
 			in: `
-			sources:
-				my-instance:
-					kind: bigquery
-					project: my-project
-					location: asia
-					writeMode: blocked
+			kind: sources
+			name: my-instance
+			type: bigquery
+			project: my-project
+			location: asia
+			writeMode: blocked
 			`,
-			want: server.SourceConfigs{
+			want: map[string]sources.SourceConfig{
 				"my-instance": bigquery.Config{
 					Name:           "my-instance",
-					Kind:           bigquery.SourceKind,
+					Type:           bigquery.SourceType,
 					Project:        "my-project",
 					Location:       "asia",
 					WriteMode:      "blocked",
@@ -74,17 +77,17 @@ func TestParseFromYamlBigQuery(t *testing.T) {
 		{
 			desc: "use client auth example",
 			in: `
-			sources:
-				my-instance:
-					kind: bigquery
-					project: my-project
-					location: us
-					useClientOAuth: true
+			kind: sources
+			name: my-instance
+			type: bigquery
+			project: my-project
+			location: us
+			useClientOAuth: true
 			`,
-			want: server.SourceConfigs{
+			want: map[string]sources.SourceConfig{
 				"my-instance": bigquery.Config{
 					Name:           "my-instance",
-					Kind:           bigquery.SourceKind,
+					Type:           bigquery.SourceType,
 					Project:        "my-project",
 					Location:       "us",
 					UseClientOAuth: true,
@@ -94,18 +97,18 @@ func TestParseFromYamlBigQuery(t *testing.T) {
 		{
 			desc: "with allowed datasets example",
 			in: `
-			sources:
-				my-instance:
-					kind: bigquery
-					project: my-project
-					location: us
-					allowedDatasets:
-						- my_dataset
+			kind: sources
+			name: my-instance
+			type: bigquery
+			project: my-project
+			location: us
+			allowedDatasets:
+			- my_dataset
 			`,
-			want: server.SourceConfigs{
+			want: map[string]sources.SourceConfig{
 				"my-instance": bigquery.Config{
 					Name:            "my-instance",
-					Kind:            bigquery.SourceKind,
+					Type:            bigquery.SourceType,
 					Project:         "my-project",
 					Location:        "us",
 					AllowedDatasets: []string{"my_dataset"},
@@ -115,17 +118,17 @@ func TestParseFromYamlBigQuery(t *testing.T) {
 		{
 			desc: "with service account impersonation example",
 			in: `
-			sources:
-				my-instance:
-					kind: bigquery
-					project: my-project
-					location: us
-					impersonateServiceAccount: service-account@my-project.iam.gserviceaccount.com
+			kind: sources
+			name: my-instance
+			type: bigquery
+			project: my-project
+			location: us
+			impersonateServiceAccount: service-account@my-project.iam.gserviceaccount.com
 			`,
-			want: server.SourceConfigs{
+			want: map[string]sources.SourceConfig{
 				"my-instance": bigquery.Config{
 					Name:                      "my-instance",
-					Kind:                      bigquery.SourceKind,
+					Type:                      bigquery.SourceType,
 					Project:                   "my-project",
 					Location:                  "us",
 					ImpersonateServiceAccount: "service-account@my-project.iam.gserviceaccount.com",
@@ -135,42 +138,57 @@ func TestParseFromYamlBigQuery(t *testing.T) {
 		{
 			desc: "with custom scopes example",
 			in: `
-			sources:
-				my-instance:
-					kind: bigquery
-					project: my-project
-					location: us
-					scopes:
-						- https://www.googleapis.com/auth/bigquery
-						- https://www.googleapis.com/auth/cloud-platform
+			kind: sources
+			name: my-instance
+			type: bigquery
+			project: my-project
+			location: us
+			scopes:
+			- https://www.googleapis.com/auth/bigquery
+			- https://www.googleapis.com/auth/cloud-platform
 			`,
-			want: server.SourceConfigs{
+			want: map[string]sources.SourceConfig{
 				"my-instance": bigquery.Config{
 					Name:     "my-instance",
-					Kind:     bigquery.SourceKind,
+					Type:     bigquery.SourceType,
 					Project:  "my-project",
 					Location: "us",
 					Scopes:   []string{"https://www.googleapis.com/auth/bigquery", "https://www.googleapis.com/auth/cloud-platform"},
 				},
 			},
 		},
+		{
+			desc: "with max query result rows example",
+			in: `
+			kind: sources
+			name: my-instance
+			type: bigquery
+			project: my-project
+			location: us
+			maxQueryResultRows: 10
+			`,
+			want: map[string]sources.SourceConfig{
+				"my-instance": bigquery.Config{
+					Name:               "my-instance",
+					Type:               bigquery.SourceType,
+					Project:            "my-project",
+					Location:           "us",
+					MaxQueryResultRows: 10,
+				},
+			},
+		},
 	}
 	for _, tc := range tcs {
 		t.Run(tc.desc, func(t *testing.T) {
-			got := struct {
-				Sources server.SourceConfigs `yaml:"sources"`
-			}{}
-			// Parse contents
-			err := yaml.Unmarshal(testutils.FormatYaml(tc.in), &got)
+			got, _, _, _, _, _, err := server.UnmarshalResourceConfig(context.Background(), testutils.FormatYaml(tc.in))
 			if err != nil {
 				t.Fatalf("unable to unmarshal: %s", err)
 			}
-			if !cmp.Equal(tc.want, got.Sources) {
-				t.Fatalf("incorrect parse: want %v, got %v", tc.want, got.Sources)
+			if diff := cmp.Diff(tc.want, got); diff != "" {
+				t.Fatalf("incorrect parse (-want +got):\n%s", diff)
 			}
 		})
 	}
-
 }

 func TestFailParseFromYaml(t *testing.T) {
@@ -182,33 +200,29 @@ func TestFailParseFromYaml(t *testing.T) {
 		{
 			desc: "extra field",
 			in: `
-			sources:
-				my-instance:
-					kind: bigquery
-					project: my-project
-					location: us
-					foo: bar
+			kind: sources
+			name: my-instance
+			type: bigquery
+			project: my-project
+			location: us
+			foo: bar
 			`,
-			err: "unable to parse source \"my-instance\" as \"bigquery\": [1:1] unknown field \"foo\"\n>  1 | foo: bar\n       ^\n   2 | kind: bigquery\n   3 | location: us\n   4 | project: my-project",
+			err: "error unmarshaling sources: unable to parse source \"my-instance\" as \"bigquery\": [1:1] unknown field \"foo\"\n>  1 | foo: bar\n       ^\n   2 | location: us\n   3 | name: my-instance\n   4 | project: my-project\n   5 | ",
 		},
 		{
 			desc: "missing required field",
 			in: `
-			sources:
-				my-instance:
-					kind: bigquery
-					location: us
+			kind: sources
+			name: my-instance
+			type: bigquery
+			location: us
 			`,
-			err: "unable to parse source \"my-instance\" as \"bigquery\": Key: 'Config.Project' Error:Field validation for 'Project' failed on the 'required' tag",
+			err: "error unmarshaling sources: unable to parse source \"my-instance\" as \"bigquery\": Key: 'Config.Project' Error:Field validation for 'Project' failed on the 'required' tag",
 		},
 	}
 	for _, tc := range tcs {
 		t.Run(tc.desc, func(t *testing.T) {
-			got := struct {
-				Sources server.SourceConfigs `yaml:"sources"`
-			}{}
-			// Parse contents
-			err := yaml.Unmarshal(testutils.FormatYaml(tc.in), &got)
+			_, _, _, _, _, _, err := server.UnmarshalResourceConfig(context.Background(), testutils.FormatYaml(tc.in))
 			if err == nil {
 				t.Fatalf("expect parsing to fail")
 			}
@@ -220,6 +234,59 @@ func TestFailParseFromYaml(t *testing.T) {
 	}
 }

+func TestInitialize_MaxQueryResultRows(t *testing.T) {
+	ctx, err := testutils.ContextWithNewLogger()
+	if err != nil {
+		t.Fatalf("unexpected error: %s", err)
+	}
+	ctx = util.WithUserAgent(ctx, "test-agent")
+	tracer := noop.NewTracerProvider().Tracer("")
+
+	tcs := []struct {
+		desc string
+		cfg  bigquery.Config
+		want int
+	}{
+		{
+			desc: "default value",
+			cfg: bigquery.Config{
+				Name:           "test-default",
+				Type:           bigquery.SourceType,
+				Project:        "test-project",
+				UseClientOAuth: true,
+			},
+			want: 50,
+		},
+		{
+			desc: "configured value",
+			cfg: bigquery.Config{
+				Name:               "test-configured",
+				Type:               bigquery.SourceType,
+				Project:            "test-project",
+				UseClientOAuth:     true,
+				MaxQueryResultRows: 100,
+			},
+			want: 100,
+		},
+	}
+
+	for _, tc := range tcs {
+		t.Run(tc.desc, func(t *testing.T) {
+			src, err := tc.cfg.Initialize(ctx, tracer)
+			if err != nil {
+				t.Fatalf("Initialize failed: %v", err)
+			}
+			bqSrc, ok := src.(*bigquery.Source)
+			if !ok {
+				t.Fatalf("Expected *bigquery.Source, got %T", src)
+			}
+			if bqSrc.MaxQueryResultRows != tc.want {
+				t.Errorf("MaxQueryResultRows = %d, want %d", bqSrc.MaxQueryResultRows, tc.want)
+			}
+		})
+	}
+}
+
 func TestNormalizeValue(t *testing.T) {
 	tests := []struct {
 		name     string
--- a/internal/sources/bigtable/bigtable.go
+++ b/internal/sources/bigtable/bigtable.go
@@ -27,14 +27,14 @@ import (
 	"google.golang.org/api/option"
 )

-const SourceKind string = "bigtable"
+const SourceType string = "bigtable"

 // validate interface
 var _ sources.SourceConfig = Config{}

 func init() {
-	if !sources.Register(SourceKind, newConfig) {
-		panic(fmt.Sprintf("source kind %q already registered", SourceKind))
+	if !sources.Register(SourceType, newConfig) {
+		panic(fmt.Sprintf("source type %q already registered", SourceType))
 	}
 }

@@ -48,13 +48,13 @@ func newConfig(ctx context.Context, name string, decoder *yaml.Decoder) (sources

 type Config struct {
 	Name     string `yaml:"name" validate:"required"`
-	Kind     string `yaml:"kind" validate:"required"`
+	Type     string `yaml:"type" validate:"required"`
 	Project  string `yaml:"project" validate:"required"`
 	Instance string `yaml:"instance" validate:"required"`
 }

-func (r Config) SourceConfigKind() string {
-	return SourceKind
+func (r Config) SourceConfigType() string {
+	return SourceType
 }

 func (r Config) Initialize(ctx context.Context, tracer trace.Tracer) (sources.Source, error) {
@@ -77,8 +77,8 @@ type Source struct {
 	Client *bigtable.Client
 }

-func (s *Source) SourceKind() string {
-	return SourceKind
+func (s *Source) SourceType() string {
+	return SourceType
 }

 func (s *Source) ToConfig() sources.SourceConfig {
@@ -179,7 +179,7 @@ func (s *Source) RunSQL(ctx context.Context, statement string, configParam param

 func initBigtableClient(ctx context.Context, tracer trace.Tracer, name, project, instance string) (*bigtable.Client, error) {
 	//nolint:all // Reassigned ctx
-	ctx, span := sources.InitConnectionSpan(ctx, tracer, SourceKind, name)
+	ctx, span := sources.InitConnectionSpan(ctx, tracer, SourceType, name)
 	defer span.End()

 	// Set up Bigtable data operations client.
--- a/internal/sources/bigtable/bigtable_test.go
+++ b/internal/sources/bigtable/bigtable_test.go
@@ -15,9 +15,9 @@
 package bigtable_test

 import (
+	"context"
 	"testing"

-	yaml "github.com/goccy/go-yaml"
 	"github.com/google/go-cmp/cmp"
 	"github.com/googleapis/genai-toolbox/internal/server"
 	"github.com/googleapis/genai-toolbox/internal/sources"
@@ -34,16 +34,16 @@ func TestParseFromYamlBigtableDb(t *testing.T) {
 		{
 			desc: "can configure with a bigtable table",
 			in: `
-			sources:
-				my-bigtable-instance:
-					kind: bigtable
-					project: my-project
-					instance: my-instance
+			kind: sources
+			name: my-bigtable-instance
+			type: bigtable
+			project: my-project
+			instance: my-instance
 			`,
 			want: map[string]sources.SourceConfig{
 				"my-bigtable-instance": bigtable.Config{
 					Name:     "my-bigtable-instance",
-					Kind:     bigtable.SourceKind,
+					Type:     bigtable.SourceType,
 					Project:  "my-project",
 					Instance: "my-instance",
 				},
@@ -52,16 +52,12 @@ func TestParseFromYamlBigtableDb(t *testing.T) {
 	}
 	for _, tc := range tcs {
 		t.Run(tc.desc, func(t *testing.T) {
-			got := struct {
-				Sources server.SourceConfigs `yaml:"sources"`
-			}{}
-			// Parse contents
-			err := yaml.Unmarshal(testutils.FormatYaml(tc.in), &got)
+			got, _, _, _, _, _, err := server.UnmarshalResourceConfig(context.Background(), testutils.FormatYaml(tc.in))
 			if err != nil {
 				t.Fatalf("unable to unmarshal: %s", err)
 			}
-			if !cmp.Equal(tc.want, got.Sources) {
-				t.Fatalf("incorrect parse: want %v, got %v", tc.want, got.Sources)
+			if !cmp.Equal(tc.want, got) {
+				t.Fatalf("incorrect parse: want %v, got %v", tc.want, got)
 			}
 		})
 	}
@@ -77,33 +73,29 @@ func TestFailParseFromYaml(t *testing.T) {
 		{
 			desc: "extra field",
 			in: `
-			sources:
-				my-bigtable-instance:
-					kind: bigtable
-					project: my-project
-					instance: my-instance
-					foo: bar
+			kind: sources
+			name: my-bigtable-instance
+			type: bigtable
+			project: my-project
+			instance: my-instance
+			foo: bar
 			`,
-			err: "unable to parse source \"my-bigtable-instance\" as \"bigtable\": [1:1] unknown field \"foo\"\n>  1 | foo: bar\n       ^\n   2 | instance: my-instance\n   3 | kind: bigtable\n   4 | project: my-project",
+			err: "error unmarshaling sources: unable to parse source \"my-bigtable-instance\" as \"bigtable\": [1:1] unknown field \"foo\"\n>  1 | foo: bar\n       ^\n   2 | instance: my-instance\n   3 | name: my-bigtable-instance\n   4 | project: my-project\n   5 | ",
 		},
 		{
 			desc: "missing required field",
 			in: `
-			sources:
-				my-bigtable-instance:
-					kind: bigtable
-					project: my-project
+			kind: sources
+			name: my-bigtable-instance
+			type: bigtable
+			project: my-project
 			`,
-			err: "unable to parse source \"my-bigtable-instance\" as \"bigtable\": Key: 'Config.Instance' Error:Field validation for 'Instance' failed on the 'required' tag",
+			err: "error unmarshaling sources: unable to parse source \"my-bigtable-instance\" as \"bigtable\": Key: 'Config.Instance' Error:Field validation for 'Instance' failed on the 'required' tag",
 		},
 	}
 	for _, tc := range tcs {
 		t.Run(tc.desc, func(t *testing.T) {
-			got := struct {
-				Sources server.SourceConfigs `yaml:"sources"`
-			}{}
-			// Parse contents
-			err := yaml.Unmarshal(testutils.FormatYaml(tc.in), &got)
+			_, _, _, _, _, _, err := server.UnmarshalResourceConfig(context.Background(), testutils.FormatYaml(tc.in))
 			if err == nil {
 				t.Fatalf("expect parsing to fail")
 			}
--- a/internal/sources/cassandra/cassandra.go
+++ b/internal/sources/cassandra/cassandra.go
@@ -25,11 +25,11 @@ import (
 	"go.opentelemetry.io/otel/trace"
 )

-const SourceKind string = "cassandra"
+const SourceType string = "cassandra"

 func init() {
-	if !sources.Register(SourceKind, newConfig) {
-		panic(fmt.Sprintf("source kind %q already registered", SourceKind))
+	if !sources.Register(SourceType, newConfig) {
+		panic(fmt.Sprintf("source type %q already registered", SourceType))
 	}
 }

@@ -43,7 +43,7 @@ func newConfig(ctx context.Context, name string, decoder *yaml.Decoder) (sources

 type Config struct {
 	Name                   string   `yaml:"name" validate:"required"`
-	Kind                   string   `yaml:"kind" validate:"required"`
+	Type                   string   `yaml:"type" validate:"required"`
 	Hosts                  []string `yaml:"hosts" validate:"required"`
 	Keyspace               string   `yaml:"keyspace"`
 	ProtoVersion           int      `yaml:"protoVersion"`
@@ -68,9 +68,9 @@ func (c Config) Initialize(ctx context.Context, tracer trace.Tracer) (sources.So
 	return s, nil
 }

-// SourceConfigKind implements sources.SourceConfig.
-func (c Config) SourceConfigKind() string {
-	return SourceKind
+// SourceConfigType implements sources.SourceConfig.
+func (c Config) SourceConfigType() string {
+	return SourceType
 }

 var _ sources.SourceConfig = Config{}
@@ -89,9 +89,9 @@ func (s *Source) ToConfig() sources.SourceConfig {
 	return s.Config
 }

-// SourceKind implements sources.Source.
-func (s *Source) SourceKind() string {
-	return SourceKind
+// SourceType implements sources.Source.
+func (s *Source) SourceType() string {
+	return SourceType
 }

 func (s *Source) RunSQL(ctx context.Context, statement string, params parameters.ParamValues) (any, error) {
@@ -120,7 +120,7 @@ var _ sources.Source = &Source{}

 func initCassandraSession(ctx context.Context, tracer trace.Tracer, c Config) (*gocql.Session, error) {
 	//nolint:all // Reassigned ctx
-	ctx, span := sources.InitConnectionSpan(ctx, tracer, SourceKind, c.Name)
+	ctx, span := sources.InitConnectionSpan(ctx, tracer, SourceType, c.Name)
 	defer span.End()

 	// Validate authentication configuration
--- a/internal/sources/cassandra/cassandra_test.go
+++ b/internal/sources/cassandra/cassandra_test.go
@@ -15,11 +15,12 @@
 package cassandra_test

 import (
+	"context"
 	"testing"

-	yaml "github.com/goccy/go-yaml"
 	"github.com/google/go-cmp/cmp"
 	"github.com/googleapis/genai-toolbox/internal/server"
+	"github.com/googleapis/genai-toolbox/internal/sources"
 	"github.com/googleapis/genai-toolbox/internal/sources/cassandra"
 	"github.com/googleapis/genai-toolbox/internal/testutils"
 )
@@ -33,17 +34,17 @@ func TestParseFromYamlCassandra(t *testing.T) {
 		{
 			desc: "basic example (without optional fields)",
 			in: `
-			sources:
-				my-cassandra-instance:
-					kind: cassandra
-					hosts:
-						- "my-host1"
-						- "my-host2"
+			kind: sources
+			name: my-cassandra-instance
+			type: cassandra
+			hosts:
+				- "my-host1"
+				- "my-host2"
 			`,
-			want: server.SourceConfigs{
+			want: map[string]sources.SourceConfig{
 				"my-cassandra-instance": cassandra.Config{
 					Name:                   "my-cassandra-instance",
-					Kind:                   cassandra.SourceKind,
+					Type:                   cassandra.SourceType,
 					Hosts:                  []string{"my-host1", "my-host2"},
 					Username:               "",
 					Password:               "",
@@ -59,25 +60,25 @@ func TestParseFromYamlCassandra(t *testing.T) {
 		{
 			desc: "with optional fields",
 			in: `
-			sources:
-				my-cassandra-instance:
-					kind: cassandra
-					hosts:
-						- "my-host1"
-						- "my-host2"
-					username: "user"
-					password: "pass"
-					keyspace: "example_keyspace"
-					protoVersion: 4
-					caPath: "path/to/ca.crt"
-					certPath: "path/to/cert"
-					keyPath: "path/to/key"
-					enableHostVerification: true
+			kind: sources
+			name: my-cassandra-instance
+			type: cassandra
+			hosts:
+				- "my-host1"
+				- "my-host2"
+			username: "user"
+			password: "pass"
+			keyspace: "example_keyspace"
+			protoVersion: 4
+			caPath: "path/to/ca.crt"
+			certPath: "path/to/cert"
+			keyPath: "path/to/key"
+			enableHostVerification: true
 			`,
-			want: server.SourceConfigs{
+			want: map[string]sources.SourceConfig{
 				"my-cassandra-instance": cassandra.Config{
 					Name:                   "my-cassandra-instance",
-					Kind:                   cassandra.SourceKind,
+					Type:                   cassandra.SourceType,
 					Hosts:                  []string{"my-host1", "my-host2"},
 					Username:               "user",
 					Password:               "pass",
@@ -93,16 +94,12 @@ func TestParseFromYamlCassandra(t *testing.T) {
 	}
 	for _, tc := range tcs {
 		t.Run(tc.desc, func(t *testing.T) {
-			got := struct {
-				Sources server.SourceConfigs `yaml:"sources"`
-			}{}
-			// Parse contents
-			err := yaml.Unmarshal(testutils.FormatYaml(tc.in), &got)
+			got, _, _, _, _, _, err := server.UnmarshalResourceConfig(context.Background(), testutils.FormatYaml(tc.in))
 			if err != nil {
 				t.Fatalf("unable to unmarshal: %s", err)
 			}
-			if !cmp.Equal(tc.want, got.Sources) {
-				t.Fatalf("incorrect parse: want %v, got %v", tc.want, got.Sources)
+			if !cmp.Equal(tc.want, got) {
+				t.Fatalf("incorrect parse: want %v, got %v", tc.want, got)
 			}
 		})
 	}
@@ -118,33 +115,29 @@ func TestFailParseFromYaml(t *testing.T) {
 		{
 			desc: "extra field",
 			in: `
-			sources:
-				my-cassandra-instance:
-					kind: cassandra
-					hosts:
-						- "my-host"
-					foo: bar
+			kind: sources
+			name: my-cassandra-instance
+			type: cassandra
+			hosts:
+				- "my-host"
+			foo: bar
 			`,
-			err: "unable to parse source \"my-cassandra-instance\" as \"cassandra\": [1:1] unknown field \"foo\"\n>  1 | foo: bar\n       ^\n   2 | hosts:\n   3 | - my-host\n   4 | kind: cassandra",
+			err: "error unmarshaling sources: unable to parse source \"my-cassandra-instance\" as \"cassandra\": [1:1] unknown field \"foo\"\n>  1 | foo: bar\n       ^\n   2 | hosts:\n   3 | - my-host\n   4 | name: my-cassandra-instance\n   5 | ",
 		},
 		{
 			desc: "missing required field",
 			in: `
-			sources:
-				my-cassandra-instance:
-					kind: cassandra
+			kind: sources
+			name: my-cassandra-instance
+			type: cassandra
 			`,
-			err: "unable to parse source \"my-cassandra-instance\" as \"cassandra\": Key: 'Config.Hosts' Error:Field validation for 'Hosts' failed on the 'required' tag",
+			err: "error unmarshaling sources: unable to parse source \"my-cassandra-instance\" as \"cassandra\": Key: 'Config.Hosts' Error:Field validation for 'Hosts' failed on the 'required' tag",
 		},
 	}

 	for _, tc := range tcs {
 		t.Run(tc.desc, func(t *testing.T) {
-			got := struct {
-				Sources server.SourceConfigs `yaml:"sources"`
-			}{}
-			// Parse contents
-			err := yaml.Unmarshal(testutils.FormatYaml(tc.in), &got)
+			_, _, _, _, _, _, err := server.UnmarshalResourceConfig(context.Background(), testutils.FormatYaml(tc.in))
 			if err == nil {
 				t.Fatalf("expect parsing to fail")
 			}
--- a/internal/sources/clickhouse/clickhouse.go
+++ b/internal/sources/clickhouse/clickhouse.go
@@ -28,14 +28,14 @@ import (
 	"go.opentelemetry.io/otel/trace"
 )

-const SourceKind string = "clickhouse"
+const SourceType string = "clickhouse"

 // validate interface
 var _ sources.SourceConfig = Config{}

 func init() {
-	if !sources.Register(SourceKind, newConfig) {
-		panic(fmt.Sprintf("source kind %q already registered", SourceKind))
+	if !sources.Register(SourceType, newConfig) {
+		panic(fmt.Sprintf("source type %q already registered", SourceType))
 	}
 }

@@ -49,7 +49,7 @@ func newConfig(ctx context.Context, name string, decoder *yaml.Decoder) (sources

 type Config struct {
 	Name     string `yaml:"name" validate:"required"`
-	Kind     string `yaml:"kind" validate:"required"`
+	Type     string `yaml:"type" validate:"required"`
 	Host     string `yaml:"host" validate:"required"`
 	Port     string `yaml:"port" validate:"required"`
 	Database string `yaml:"database" validate:"required"`
@@ -59,8 +59,8 @@ type Config struct {
 	Secure   bool   `yaml:"secure"`
 }

-func (r Config) SourceConfigKind() string {
-	return SourceKind
+func (r Config) SourceConfigType() string {
+	return SourceType
 }

 func (r Config) Initialize(ctx context.Context, tracer trace.Tracer) (sources.Source, error) {
@@ -88,8 +88,8 @@ type Source struct {
 	Pool *sql.DB
 }

-func (s *Source) SourceKind() string {
-	return SourceKind
+func (s *Source) SourceType() string {
+	return SourceType
 }

 func (s *Source) ToConfig() sources.SourceConfig {
@@ -174,7 +174,7 @@ func validateConfig(protocol string) error {

 func initClickHouseConnectionPool(ctx context.Context, tracer trace.Tracer, name, host, port, user, pass, dbname, protocol string, secure bool) (*sql.DB, error) {
 	//nolint:all // Reassigned ctx
-	ctx, span := sources.InitConnectionSpan(ctx, tracer, SourceKind, name)
+	ctx, span := sources.InitConnectionSpan(ctx, tracer, SourceType, name)
 	defer span.End()

 	if protocol == "" {
--- a/internal/sources/clickhouse/clickhouse_test.go
+++ b/internal/sources/clickhouse/clickhouse_test.go
@@ -21,137 +21,113 @@ import (

 	"github.com/goccy/go-yaml"
 	"github.com/google/go-cmp/cmp"
+	"github.com/googleapis/genai-toolbox/internal/server"
+	"github.com/googleapis/genai-toolbox/internal/sources"
 	"github.com/googleapis/genai-toolbox/internal/testutils"
 	"go.opentelemetry.io/otel"
 )

-func TestConfigSourceConfigKind(t *testing.T) {
-	config := Config{}
-	if config.SourceConfigKind() != SourceKind {
-		t.Errorf("Expected %s, got %s", SourceKind, config.SourceConfigKind())
+func TestParseFromYamlClickhouse(t *testing.T) {
+	tcs := []struct {
+		desc string
+		in   string
+		want server.SourceConfigs
+	}{
+		{
+			desc: "all fields specified",
+			in: `
+			kind: sources
+			name: test-clickhouse
+			type: clickhouse
+			host: localhost
+			port: "8443"
+			user: default
+			password: "mypass"
+			database: mydb
+			protocol: https
+			secure: true
+			`,
+			want: map[string]sources.SourceConfig{
+				"test-clickhouse": Config{
+					Name:     "test-clickhouse",
+					Type:     "clickhouse",
+					Host:     "localhost",
+					Port:     "8443",
+					User:     "default",
+					Password: "mypass",
+					Database: "mydb",
+					Protocol: "https",
+					Secure:   true,
+				},
+			},
+		},
+		{
+			desc: "minimal configuration with defaults",
+			in: `
+			kind: sources
+			name: minimal-clickhouse
+			type: clickhouse
+			host: 127.0.0.1
+			port: "8123"
+			user: testuser
+			database: testdb
+			`,
+			want: map[string]sources.SourceConfig{
+				"minimal-clickhouse": Config{
+					Name:     "minimal-clickhouse",
+					Type:     "clickhouse",
+					Host:     "127.0.0.1",
+					Port:     "8123",
+					User:     "testuser",
+					Password: "",
+					Database: "testdb",
+					Protocol: "",
+					Secure:   false,
+				},
+			},
+		},
+	}
+	for _, tc := range tcs {
+		t.Run(tc.desc, func(t *testing.T) {
+			got, _, _, _, _, _, err := server.UnmarshalResourceConfig(context.Background(), testutils.FormatYaml(tc.in))
+			if err != nil {
+				t.Fatalf("unable to unmarshal: %s", err)
+			}
+			if !cmp.Equal(tc.want, got) {
+				t.Fatalf("incorrect parse: want %v, got %v", tc.want, got)
+			}
+		})
 	}
 }

-func TestNewConfig(t *testing.T) {
-	tests := []struct {
-		name     string
-		yaml     string
-		expected Config
+func TestFailParseFromYaml(t *testing.T) {
+	tcs := []struct {
+		desc string
+		in   string
+		err  string
 	}{
 		{
-			name: "all fields specified",
-			yaml: `
-				name: test-clickhouse
-				kind: clickhouse
-				host: localhost
-				port: "8443"
-				user: default
-				password: "mypass"
-				database: mydb
-				protocol: https
-				secure: true
+			desc: "extra field",
+			in: `
+			kind: sources
+			name: test-clickhouse
+			type: clickhouse
+			host: localhost
+			foo: bar
 			`,
-			expected: Config{
-				Name:     "test-clickhouse",
-				Kind:     "clickhouse",
-				Host:     "localhost",
-				Port:     "8443",
-				User:     "default",
-				Password: "mypass",
-				Database: "mydb",
-				Protocol: "https",
-				Secure:   true,
-			},
-		},
-		{
-			name: "minimal configuration with defaults",
-			yaml: `
-				name: minimal-clickhouse
-				kind: clickhouse
-				host: 127.0.0.1
-				port: "8123"
-				user: testuser
-				database: testdb
-			`,
-			expected: Config{
-				Name:     "minimal-clickhouse",
-				Kind:     "clickhouse",
-				Host:     "127.0.0.1",
-				Port:     "8123",
-				User:     "testuser",
-				Password: "",
-				Database: "testdb",
-				Protocol: "",
-				Secure:   false,
-			},
-		},
-		{
-			name: "http protocol",
-			yaml: `
-				name: http-clickhouse
-				kind: clickhouse
-				host: clickhouse.example.com
-				port: "8123"
-				user: analytics
-				password: "securepass"
-				database: analytics_db
-				protocol: http
-				secure: false
-			`,
-			expected: Config{
-				Name:     "http-clickhouse",
-				Kind:     "clickhouse",
-				Host:     "clickhouse.example.com",
-				Port:     "8123",
-				User:     "analytics",
-				Password: "securepass",
-				Database: "analytics_db",
-				Protocol: "http",
-				Secure:   false,
-			},
-		},
-		{
-			name: "https with secure connection",
-			yaml: `
-				name: secure-clickhouse
-				kind: clickhouse
-				host: secure.clickhouse.io
-				port: "8443"
-				user: secureuser
-				password: "verysecure"
-				database: production
-				protocol: https
-				secure: true
-			`,
-			expected: Config{
-				Name:     "secure-clickhouse",
-				Kind:     "clickhouse",
-				Host:     "secure.clickhouse.io",
-				Port:     "8443",
-				User:     "secureuser",
-				Password: "verysecure",
-				Database: "production",
-				Protocol: "https",
-				Secure:   true,
-			},
+			err: "error unmarshaling sources: unable to parse source \"test-clickhouse\" as \"clickhouse\": [1:1] unknown field \"foo\"\n>  1 | foo: bar\n       ^\n   2 | host: localhost\n   3 | name: test-clickhouse\n   4 | type: clickhouse",
 		},
 	}

-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			decoder := yaml.NewDecoder(strings.NewReader(string(testutils.FormatYaml(tt.yaml))))
-			config, err := newConfig(context.Background(), tt.expected.Name, decoder)
-			if err != nil {
-				t.Fatalf("Failed to create config: %v", err)
+	for _, tc := range tcs {
+		t.Run(tc.desc, func(t *testing.T) {
+			_, _, _, _, _, _, err := server.UnmarshalResourceConfig(context.Background(), testutils.FormatYaml(tc.in))
+			if err == nil {
+				t.Fatalf("expect parsing to fail")
 			}
-
-			clickhouseConfig, ok := config.(Config)
-			if !ok {
-				t.Fatalf("Expected Config type, got %T", config)
-			}
-
-			if diff := cmp.Diff(tt.expected, clickhouseConfig); diff != "" {
-				t.Errorf("Config mismatch (-want +got):\n%s", diff)
+			errStr := err.Error()
+			if errStr != tc.err {
+				t.Fatalf("unexpected error: got %q, want %q", errStr, tc.err)
 			}
 		})
 	}
@@ -167,19 +143,11 @@ func TestNewConfigInvalidYAML(t *testing.T) {
 			name: "invalid yaml syntax",
 			yaml: `
 				name: test-clickhouse
-				kind: clickhouse
+				type: clickhouse
 				host: [invalid
 			`,
 			expectError: true,
 		},
-		{
-			name: "missing required fields",
-			yaml: `
-				name: test-clickhouse
-				kind: clickhouse
-			`,
-			expectError: false,
-		},
 	}

 	for _, tt := range tests {
@@ -196,10 +164,10 @@ func TestNewConfigInvalidYAML(t *testing.T) {
 	}
 }

-func TestSource_SourceKind(t *testing.T) {
+func TestSource_SourceType(t *testing.T) {
 	source := &Source{}
-	if source.SourceKind() != SourceKind {
-		t.Errorf("Expected %s, got %s", SourceKind, source.SourceKind())
+	if source.SourceType() != SourceType {
+		t.Errorf("Expected %s, got %s", SourceType, source.SourceType())
 	}
 }

--- a/internal/sources/cloudgda/cloud_gda.go
+++ b/internal/sources/cloudgda/cloud_gda.go
@@ -29,15 +29,15 @@ import (
 	"golang.org/x/oauth2/google"
 )

-const SourceKind string = "cloud-gemini-data-analytics"
+const SourceType string = "cloud-gemini-data-analytics"
 const Endpoint string = "https://geminidataanalytics.googleapis.com"

 // validate interface
 var _ sources.SourceConfig = Config{}

 func init() {
-	if !sources.Register(SourceKind, newConfig) {
-		panic(fmt.Sprintf("source kind %q already registered", SourceKind))
+	if !sources.Register(SourceType, newConfig) {
+		panic(fmt.Sprintf("source type %q already registered", SourceType))
 	}
 }

@@ -51,13 +51,13 @@ func newConfig(ctx context.Context, name string, decoder *yaml.Decoder) (sources

 type Config struct {
 	Name           string `yaml:"name" validate:"required"`
-	Kind           string `yaml:"kind" validate:"required"`
+	Type           string `yaml:"type" validate:"required"`
 	ProjectID      string `yaml:"projectId" validate:"required"`
 	UseClientOAuth bool   `yaml:"useClientOAuth"`
 }

-func (r Config) SourceConfigKind() string {
-	return SourceKind
+func (r Config) SourceConfigType() string {
+	return SourceType
 }

 // Initialize initializes a Gemini Data Analytics Source instance.
@@ -102,8 +102,8 @@ type Source struct {
 	userAgent string
 }

-func (s *Source) SourceKind() string {
-	return SourceKind
+func (s *Source) SourceType() string {
+	return SourceType
 }

 func (s *Source) ToConfig() sources.SourceConfig {
--- a/internal/sources/cloudgda/cloud_gda_test.go
+++ b/internal/sources/cloudgda/cloud_gda_test.go
@@ -20,7 +20,6 @@ import (
 	"path/filepath"
 	"testing"

-	yaml "github.com/goccy/go-yaml"
 	"github.com/google/go-cmp/cmp"
 	"github.com/googleapis/genai-toolbox/internal/server"
 	"github.com/googleapis/genai-toolbox/internal/sources"
@@ -39,15 +38,15 @@ func TestParseFromYamlCloudGDA(t *testing.T) {
 		{
 			desc: "basic example",
 			in: `
-		            sources:
-		                my-gda-instance:
-		                    kind: cloud-gemini-data-analytics
-		                    projectId: test-project-id
-		            `,
+			kind: sources
+			name: my-gda-instance
+			type: cloud-gemini-data-analytics
+			projectId: test-project-id
+			`,
 			want: map[string]sources.SourceConfig{
 				"my-gda-instance": cloudgda.Config{
 					Name:           "my-gda-instance",
-					Kind:           cloudgda.SourceKind,
+					Type:           cloudgda.SourceType,
 					ProjectID:      "test-project-id",
 					UseClientOAuth: false,
 				},
@@ -56,16 +55,16 @@ func TestParseFromYamlCloudGDA(t *testing.T) {
 		{
 			desc: "use client auth example",
 			in: `
-			sources:
-				my-gda-instance:
-					kind: cloud-gemini-data-analytics
-					projectId: another-project
-					useClientOAuth: true
+			kind: sources
+			name: my-gda-instance
+			type: cloud-gemini-data-analytics
+			projectId: another-project
+			useClientOAuth: true
 			`,
 			want: map[string]sources.SourceConfig{
 				"my-gda-instance": cloudgda.Config{
 					Name:           "my-gda-instance",
-					Kind:           cloudgda.SourceKind,
+					Type:           cloudgda.SourceType,
 					ProjectID:      "another-project",
 					UseClientOAuth: true,
 				},
@@ -76,16 +75,12 @@ func TestParseFromYamlCloudGDA(t *testing.T) {
 		tc := tc
 		t.Run(tc.desc, func(t *testing.T) {
 			t.Parallel()
-			got := struct {
-				Sources server.SourceConfigs `yaml:"sources"`
-			}{}
-			// Parse contents
-			err := yaml.Unmarshal(testutils.FormatYaml(tc.in), &got)
+			got, _, _, _, _, _, err := server.UnmarshalResourceConfig(context.Background(), testutils.FormatYaml(tc.in))
 			if err != nil {
 				t.Fatalf("unable to unmarshal: %s", err)
 			}
-			if !cmp.Equal(tc.want, got.Sources) {
-				t.Fatalf("incorrect parse: want %v, got %v", tc.want, got.Sources)
+			if !cmp.Equal(tc.want, got) {
+				t.Fatalf("incorrect parse: want %v, got %v", tc.want, got)
 			}
 		})
 	}
@@ -101,22 +96,18 @@ func TestFailParseFromYaml(t *testing.T) {
 		{
 			desc: "missing projectId",
 			in: `
-			sources:
-				my-gda-instance:
-					kind: cloud-gemini-data-analytics
+			kind: sources
+			name: my-gda-instance
+			type: cloud-gemini-data-analytics
 			`,
-			err: "unable to parse source \"my-gda-instance\" as \"cloud-gemini-data-analytics\": Key: 'Config.ProjectID' Error:Field validation for 'ProjectID' failed on the 'required' tag",
+			err: "error unmarshaling sources: unable to parse source \"my-gda-instance\" as \"cloud-gemini-data-analytics\": Key: 'Config.ProjectID' Error:Field validation for 'ProjectID' failed on the 'required' tag",
 		},
 	}
 	for _, tc := range tcs {
 		tc := tc
 		t.Run(tc.desc, func(t *testing.T) {
 			t.Parallel()
-			got := struct {
-				Sources server.SourceConfigs `yaml:"sources"`
-			}{}
-			// Parse contents
-			err := yaml.Unmarshal(testutils.FormatYaml(tc.in), &got)
+			_, _, _, _, _, _, err := server.UnmarshalResourceConfig(context.Background(), testutils.FormatYaml(tc.in))
 			if err == nil {
 				t.Fatalf("expect parsing to fail")
 			}
@@ -153,12 +144,12 @@ func TestInitialize(t *testing.T) {
 	}{
 		{
 			desc:            "initialize with ADC",
-			cfg:             cloudgda.Config{Name: "test-gda", Kind: cloudgda.SourceKind, ProjectID: "test-proj"},
+			cfg:             cloudgda.Config{Name: "test-gda", Type: cloudgda.SourceType, ProjectID: "test-proj"},
 			wantClientOAuth: false,
 		},
 		{
 			desc:            "initialize with client OAuth",
-			cfg:             cloudgda.Config{Name: "test-gda-oauth", Kind: cloudgda.SourceKind, ProjectID: "test-proj", UseClientOAuth: true},
+			cfg:             cloudgda.Config{Name: "test-gda-oauth", Type: cloudgda.SourceType, ProjectID: "test-proj", UseClientOAuth: true},
 			wantClientOAuth: true,
 		},
 	}
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .24.0
 .25.0