chore(main): release 0.14.0 (#1261 )

🤖 I have created a release *beep* *boop* --- ## [0.14.0](https://github.com/googleapis/genai-toolbox/compare/v0.13.0...v0.14.0) (2025-09-05) ### ⚠ BREAKING CHANGES * **bigquery:** Move `useClientOAuth` config from tool to source ([#1279](https://github.com/googleapis/genai-toolbox/issues/1279)) ([8d20a48](8d20a48f13)) * **tools/bigquerysql:** remove `useClientOAuth` from tools config ([#1312](https://github.com/googleapis/genai-toolbox/issues/1312)) ### Features * **clickhouse:** Add ClickHouse Source and Tools ([#1088](https://github.com/googleapis/genai-toolbox/issues/1088)) ([75a04a5](75a04a55dd)) * **prebuilt/alloydb-postgres:** Support ipType and IAM users ([#1324](https://github.com/googleapis/genai-toolbox/issues/1324)) ([0b2121e](0b2121ea72)) * **server/mcp:** Support toolbox auth in mcp ([#1140](https://github.com/googleapis/genai-toolbox/issues/1140)) ([ca353e0](ca353e0b66)) * **source/mysql:** Support `queryParams` in MySQL source ([#1299](https://github.com/googleapis/genai-toolbox/issues/1299)) ([3ae2526](3ae2526e0f)) * **tools/bigquery:** Support end-user credential passthrough on multiple BQ tools ([#1314](https://github.com/googleapis/genai-toolbox/issues/1314)) ([88f4b30](88f4b3028d)) * **tools/looker:** Add description for looker-get-models tool ([#1266](https://github.com/googleapis/genai-toolbox/issues/1266)) ([89af3a4](89af3a4ca3)) * **tools/looker:** Authenticate via end user credentials ([#1257](https://github.com/googleapis/genai-toolbox/issues/1257)) ([8755e3d](8755e3db34)) * **tools/looker:** Report field suggestions to agent ([#1267](https://github.com/googleapis/genai-toolbox/issues/1267)) ([2cad82e](2cad82e510)) ### Bug Fixes * Do not print usage on runtime error ([#1315](https://github.com/googleapis/genai-toolbox/issues/1315)) ([afba7a5](afba7a57cd)) * Update env var to allow empty string ([#1260](https://github.com/googleapis/genai-toolbox/issues/1260)) ([03aa9fa](03aa9fabac)) * **tools/firestore:** Add document/collection path validation ([#1229](https://github.com/googleapis/genai-toolbox/issues/1229)) ([14c2249](14c224939a)) * **tools/looker-get-dashboards:** Fix Looker client OAuth check ([#1338](https://github.com/googleapis/genai-toolbox/issues/1338)) ([36225aa](36225aa6db)) * **tools/oceanbase:** Fix encoded text with mysql driver ([#1283](https://github.com/googleapis/genai-toolbox/issues/1283)) ([d16f89f](d16f89fbb6)), closes [#1161](https://github.com/googleapis/genai-toolbox/issues/1161) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). --------- Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com>
chore: update release please extraFiles (#1342 )
2026-01-11 08:28:11 -05:00 · 2025-09-05 09:04:59 -07:00 · 2025-09-05 01:07:15 +00:00 · 2025-09-05 00:34:37 +00:00 · 2025-09-04 17:21:44 -07:00 · 2025-09-04 16:53:12 -07:00
151 changed files with 7439 additions and 1918 deletions
--- a/.ci/integration.cloudbuild.yaml
+++ b/.ci/integration.cloudbuild.yaml
@@ -152,25 +152,25 @@ steps:
          bigquery \
          bigquery

-  # - id: "dataplex"
-  #   name: golang:1
-  #   waitFor: ["compile-test-binary"]
-  #   entrypoint: /bin/bash
-  #   env:
-  #     - "GOPATH=/gopath"
-  #     - "DATAPLEX_PROJECT=$PROJECT_ID"
-  #     - "SERVICE_ACCOUNT_EMAIL=$SERVICE_ACCOUNT_EMAIL"
-  #   secretEnv: ["CLIENT_ID"]
-  #   volumes:
-  #     - name: "go"
-  #       path: "/gopath"
-  #   args:
-  #     - -c
-  #     - |
-  #       .ci/test_with_coverage.sh \
-  #         "Dataplex" \
-  #         dataplex \
-  #         dataplex
+  - id: "dataplex"
+    name: golang:1
+    waitFor: ["compile-test-binary"]
+    entrypoint: /bin/bash
+    env:
+      - "GOPATH=/gopath"
+      - "DATAPLEX_PROJECT=$PROJECT_ID"
+      - "SERVICE_ACCOUNT_EMAIL=$SERVICE_ACCOUNT_EMAIL"
+    secretEnv: ["CLIENT_ID"]
+    volumes:
+      - name: "go"
+        path: "/gopath"
+    args:
+      - -c
+      - |
+        .ci/test_with_coverage.sh \
+          "Dataplex" \
+          dataplex \
+          dataplex

  - id: "postgres"
    name: golang:1
@@ -464,7 +464,7 @@ steps:
          "OceanBase" \
          oceanbase \
          oceanbase
-          
+
  - id: "firestore"
    name: golang:1
    waitFor: ["compile-test-binary"]
@@ -575,6 +575,28 @@ steps:
          firebird \
          firebirdsql firebirdexecutesql

+  - id: "clickhouse"
+    name : golang:1
+    waitFor: ["compile-test-binary"]
+    entrypoint: /bin/bash
+    env:
+      - "GOPATH=/gopath"
+      - "CLICKHOUSE_DATABASE=$_CLICKHOUSE_DATABASE"
+      - "CLICKHOUSE_PORT=$_CLICKHOUSE_PORT"
+      - "CLICKHOUSE_PROTOCOL=$_CLICKHOUSE_PROTOCOL"
+      - "SERVICE_ACCOUNT_EMAIL=$SERVICE_ACCOUNT_EMAIL"
+    secretEnv: ["CLICKHOUSE_HOST", "CLICKHOUSE_USER", "CLIENT_ID"]
+    volumes:
+      - name: "go"
+        path: "/gopath"
+    args:
+      - -c
+      - |
+        .ci/test_with_coverage.sh \
+          "ClickHouse" \
+          clickhouse \
+          clickhouse
+
  - id: "trino"
    name: golang:1
    waitFor: ["compile-test-binary"]
@@ -660,6 +682,10 @@ availableSecrets:
      env: TIDB_USER
    - versionName: projects/$PROJECT_ID/secrets/tidb_pass/versions/latest
      env: TIDB_PASS
+    - versionName: projects/$PROJECT_ID/secrets/clickhouse_host/versions/latest
+      env: CLICKHOUSE_HOST
+    - versionName: projects/$PROJECT_ID/secrets/clickhouse_user/versions/latest
+      env: CLICKHOUSE_USER
    - versionName: projects/$PROJECT_ID/secrets/firebird_user/versions/latest
      env: FIREBIRD_USER
    - versionName: projects/$PROJECT_ID/secrets/firebird_pass/versions/latest
@@ -707,6 +733,9 @@ substitutions:
  _LOOKER_VERIFY_SSL: "true"
  _TIDB_HOST: 127.0.0.1
  _TIDB_PORT: "4000"
+  _CLICKHOUSE_DATABASE: "default"
+  _CLICKHOUSE_PORT: "8123"
+  _CLICKHOUSE_PROTOCOL: "http"
  _FIREBIRD_HOST: 127.0.0.1
  _FIREBIRD_PORT: "3050"
  _TRINO_HOST: 127.0.0.1
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -1,16 +1,19 @@
 ## Description
+
 ---
 > Should include a concise description of the changes (bug or feature), it's
 > impact, along with a summary of the solution

 ## PR Checklist
+
 ---
 > Thank you for opening a Pull Request! Before submitting your PR, there are a
 > few things you can do to make sure it goes smoothly:
+
 - [ ] Make sure you reviewed
  [CONTRIBUTING.md](https://github.com/googleapis/genai-toolbox/blob/main/CONTRIBUTING.md)
 - [ ] Make sure to open an issue as a
-  [bug/issue](https://github.com/googleapis/langchain-google-alloydb-pg-python/issues/new/choose)
+  [bug/issue](https://github.com/googleapis/genai-toolbox/issues/new/choose)
  before writing your code!  That way we can discuss the change, evaluate
  designs, and agree on the general idea
 - [ ] Ensure the tests and linter pass
@@ -18,4 +21,4 @@
 - [ ] Appropriate docs were updated (if necessary)
 - [ ] Make sure to add `!` if this involve a breaking change

-🛠️ Fixes #<issue_number_goes_here>
+🛠️ Fixes #<issue_number_goes_here>
--- a/.github/header-checker-lint.yaml
+++ b/.github/header-checker-lint.yaml
@@ -20,3 +20,5 @@ sourceFileExtensions:
  - 'go'
  - 'yaml'
  - 'yml'
+ignoreFiles:
+  - 'docs/en/getting-started/quickstart/**'
--- a/.github/release-please.yml
+++ b/.github/release-please.yml
@@ -20,26 +20,19 @@ extraFiles: [
    "README.md",
    "docs/en/getting-started/colab_quickstart.ipynb",
    "docs/en/getting-started/introduction/_index.md",
-    "docs/en/getting-started/local_quickstart.md",
-    "docs/en/getting-started/local_quickstart_js.md",
-    "docs/en/getting-started/local_quickstart_go.md",
    "docs/en/getting-started/mcp_quickstart/_index.md",
+    "docs/en/getting-started/quickstart/shared/configure_toolbox.md",
    "docs/en/samples/alloydb/_index.md",
+    "docs/en/samples/alloydb/mcp_quickstart.md",
+    "docs/en/samples/alloydb/ai-nl/alloydb_ai_nl.ipynb",
    "docs/en/samples/bigquery/local_quickstart.md",
    "docs/en/samples/bigquery/mcp_quickstart/_index.md",
    "docs/en/samples/bigquery/colab_quickstart_bigquery.ipynb",
    "docs/en/samples/looker/looker_gemini.md",
-    "docs/en/samples/looker/looker_mcp_inspector.md",
-    "docs/en/how-to/connect-ide/alloydb_pg_mcp.md",
-    "docs/en/how-to/connect-ide/alloydb_pg_admin_mcp.md",
-    "docs/en/how-to/connect-ide/bigquery_mcp.md",
-    "docs/en/how-to/connect-ide/cloud_sql_pg_mcp.md",
-    "docs/en/how-to/connect-ide/cloud_sql_mssql_mcp.md",
-    "docs/en/how-to/connect-ide/cloud_sql_mysql_mcp.md",
-    "docs/en/how-to/connect-ide/firestore_mcp.md",
+    "docs/en/samples/looker/looker_gemini_oauth/_index.md",
+    "docs/en/samples/looker/looker_mcp_inspector/_index.md",
    "docs/en/how-to/connect-ide/looker_mcp.md",
    "docs/en/how-to/connect-ide/mysql_mcp.md",
    "docs/en/how-to/connect-ide/mssql_mcp.md",
    "docs/en/how-to/connect-ide/postgres_mcp.md",
-    "docs/en/how-to/connect-ide/spanner_mcp.md",
 ]
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -36,7 +36,7 @@ jobs:
    steps:
      - name: Remove PR Label
        if: "${{ github.event.action == 'labeled' && github.event.label.name == 'tests: run' }}"
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -41,7 +41,7 @@ jobs:
    steps:
      - name: Remove PR label
        if: "${{ github.event.action == 'labeled' && github.event.label.name == 'tests: run' }}"
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,64 @@
 # Changelog

+## [0.14.0](https://github.com/googleapis/genai-toolbox/compare/v0.13.0...v0.14.0) (2025-09-05)
+
+
+### ⚠ BREAKING CHANGES
+
+* **bigquery:** Move `useClientOAuth` config from tool to source ([#1279](https://github.com/googleapis/genai-toolbox/issues/1279)) ([8d20a48](https://github.com/googleapis/genai-toolbox/commit/8d20a48f13bcda853d41bdf80a162de12b076d1b))
+* **tools/bigquerysql:** remove `useClientOAuth` from tools config ([#1312](https://github.com/googleapis/genai-toolbox/issues/1312))
+
+### Features
+
+* **clickhouse:** Add ClickHouse Source and Tools ([#1088](https://github.com/googleapis/genai-toolbox/issues/1088)) ([75a04a5](https://github.com/googleapis/genai-toolbox/commit/75a04a55dd2259bed72fe95119a7a51a906c0b21))
+* **prebuilt/alloydb-postgres:** Support ipType and IAM users ([#1324](https://github.com/googleapis/genai-toolbox/issues/1324)) ([0b2121e](https://github.com/googleapis/genai-toolbox/commit/0b2121ea72eb81348dcd9c740a62ccd32e71fe37))
+* **server/mcp:** Support toolbox auth in mcp ([#1140](https://github.com/googleapis/genai-toolbox/issues/1140)) ([ca353e0](https://github.com/googleapis/genai-toolbox/commit/ca353e0b66fedc00e9110df57db18632aef49018))
+* **source/mysql:** Support `queryParams` in MySQL source ([#1299](https://github.com/googleapis/genai-toolbox/issues/1299)) ([3ae2526](https://github.com/googleapis/genai-toolbox/commit/3ae2526e0fe36b57b05a9b54f1d99f3fc68d9657))
+* **tools/bigquery:** Support end-user credential passthrough on multiple BQ tools ([#1314](https://github.com/googleapis/genai-toolbox/issues/1314)) ([88f4b30](https://github.com/googleapis/genai-toolbox/commit/88f4b3028df3b6a400936cdf8a035bf55021924c))
+* **tools/looker:** Add description for looker-get-models tool ([#1266](https://github.com/googleapis/genai-toolbox/issues/1266)) ([89af3a4](https://github.com/googleapis/genai-toolbox/commit/89af3a4ca332f029615b2a739d1f6cd50519638d))
+* **tools/looker:** Authenticate via end user credentials ([#1257](https://github.com/googleapis/genai-toolbox/issues/1257)) ([8755e3d](https://github.com/googleapis/genai-toolbox/commit/8755e3db3476abb35629b3cca9c78db7366757a4))
+* **tools/looker:** Report field suggestions to agent ([#1267](https://github.com/googleapis/genai-toolbox/issues/1267)) ([2cad82e](https://github.com/googleapis/genai-toolbox/commit/2cad82e5107566dd6c9b75e34e9976af63af0bb5))
+
+
+### Bug Fixes
+
+* Do not print usage on runtime error ([#1315](https://github.com/googleapis/genai-toolbox/issues/1315)) ([afba7a5](https://github.com/googleapis/genai-toolbox/commit/afba7a57cdd4fe7c1b0741dbf8f8c78b14a68089))
+* Update env var to allow empty string ([#1260](https://github.com/googleapis/genai-toolbox/issues/1260)) ([03aa9fa](https://github.com/googleapis/genai-toolbox/commit/03aa9fabacda06f860c9f178485126bddb7d5782))
+* **tools/firestore:** Add document/collection path validation ([#1229](https://github.com/googleapis/genai-toolbox/issues/1229)) ([14c2249](https://github.com/googleapis/genai-toolbox/commit/14c224939a2f9bb349fa00a7d5227877198530c2))
+* **tools/looker-get-dashboards:** Fix Looker client OAuth check ([#1338](https://github.com/googleapis/genai-toolbox/issues/1338)) ([36225aa](https://github.com/googleapis/genai-toolbox/commit/36225aa6db7f8426ad87930866530fde4e9bf0cd))
+* **tools/oceanbase:** Fix encoded text with mysql driver ([#1283](https://github.com/googleapis/genai-toolbox/issues/1283)) ([d16f89f](https://github.com/googleapis/genai-toolbox/commit/d16f89fbb6e49c03998f114ef7dc2b584b5e4967)), closes [#1161](https://github.com/googleapis/genai-toolbox/issues/1161)
+
+## [0.13.0](https://github.com/googleapis/genai-toolbox/compare/v0.12.0...v0.13.0) (2025-08-27)
+
+### ⚠ BREAKING CHANGES
+
+* **prebuilt/alloydb:** Add bearer token support for alloydb-wait-for-operation ([#1183](https://github.com/googleapis/genai-toolbox/issues/1183))
+
+
+### Features
+
+* Add capability to set default for environment variable in config ([#1248](https://github.com/googleapis/genai-toolbox/issues/1248)) ([5bcd52e](https://github.com/googleapis/genai-toolbox/commit/5bcd52e7dcd0773ded723585f4abe29d044e1540))
+* **firebird:** Add Firebird SQL 2.5+ source and tool ([#1011](https://github.com/googleapis/genai-toolbox/issues/1011)) ([4f6b806](https://github.com/googleapis/genai-toolbox/commit/4f6b806de947efc4e12bdb50dff7781aedb7b966))
+* **oceanbase:** Add Oceanbase source and tool  ([#895](https://github.com/googleapis/genai-toolbox/issues/895)) ([6fc4982](https://github.com/googleapis/genai-toolbox/commit/6fc49826d43f46c84028e752ebebddf3d94b3d13))
+* **server/mcp:** Support `ping` mechanism ([#1178](https://github.com/googleapis/genai-toolbox/issues/1178)) ([5dcc66c](https://github.com/googleapis/genai-toolbox/commit/5dcc66c84fa72c75ec50a9ac5198018212ec2979))
+* **server:** Fail-fast on environment variable substitution ([#1177](https://github.com/googleapis/genai-toolbox/issues/1177)) ([212aaba](https://github.com/googleapis/genai-toolbox/commit/212aaba74c8b431de8a5f7b9822a0af4afcaaa0e))
+* **server:** Implement Tool call auth error propagation ([#1235](https://github.com/googleapis/genai-toolbox/issues/1235)) ([b94a021](https://github.com/googleapis/genai-toolbox/commit/b94a021ca11c6637cf8038449483b5e75f2012b3))
+* **sources/bigquery:** Add support for user-credential passthrough  ([#1067](https://github.com/googleapis/genai-toolbox/issues/1067)) ([650e2e2](https://github.com/googleapis/genai-toolbox/commit/650e2e26f51bff75ce66343f64944d0a89a58b69))
+* **tool/looker:** Add support for `description` field in looker tool ([#1199](https://github.com/googleapis/genai-toolbox/issues/1199)) ([97f0dd2](https://github.com/googleapis/genai-toolbox/commit/97f0dd2acf26caf28ecad65abea8779c196a27f1))
+* **tools/bigquery-ask-data-insights:** Add bigquery `ask-data-insights` tool ([#932](https://github.com/googleapis/genai-toolbox/issues/932)) ([7651357](https://github.com/googleapis/genai-toolbox/commit/7651357d424a2b6656d8b6818cebc5c8a86ed053))
+* **tools/bigquery-forecast:** Add bigqueryforecast tool ([#1148](https://github.com/googleapis/genai-toolbox/issues/1148)) ([2ad0ccf](https://github.com/googleapis/genai-toolbox/commit/2ad0ccf83df542340087742468d6762f81eedee6))
+* **tools/firestore-add-documents:** Add firestore-add-documents tool ([#1107](https://github.com/googleapis/genai-toolbox/issues/1107)) ([ee4a70a](https://github.com/googleapis/genai-toolbox/commit/ee4a70a0e82b346b07b5b4c60dfa060da2273f50))
+* **tools/firestore-update-document:** Add firestore-update-document tool ([#1191](https://github.com/googleapis/genai-toolbox/issues/1191)) ([0010123](https://github.com/googleapis/genai-toolbox/commit/00101232a39c70288aac5715649c184858d351e3))
+* **tools/looker:** Control over whether hidden objects are surfaced ([#1222](https://github.com/googleapis/genai-toolbox/issues/1222)) ([bc91559](https://github.com/googleapis/genai-toolbox/commit/bc91559cc4e5b20385b84cc562b624fabf7e47a8))
+* **trino:** Add Trino source and tools ([#948](https://github.com/googleapis/genai-toolbox/issues/948)) ([7dd123b](https://github.com/googleapis/genai-toolbox/commit/7dd123b3d76b8eb2b74b5d960959c1f90684b37e))
+
+
+### Bug Fixes
+
+* **tools/looker:** Lookergetdashboards uses proper Authorized helper func ([#1255](https://github.com/googleapis/genai-toolbox/issues/1255)) ([00866bc](https://github.com/googleapis/genai-toolbox/commit/00866bc7fc33115c547213e60316ae889735fdbb))
+* **tools/mongodb-find-one:** ProjectPayload unmarshaling ([#1167](https://github.com/googleapis/genai-toolbox/issues/1167)) ([8ea6a98](https://github.com/googleapis/genai-toolbox/commit/8ea6a98bd9096ba97722e5f807366887e864004f))
+* **tools/mysql:** Fix encoded text for mysql ([#1161](https://github.com/googleapis/genai-toolbox/issues/1161)) ([a37cfa8](https://github.com/googleapis/genai-toolbox/commit/a37cfa841d151b9995d4fab73cfc5e4d30d2cc57)), closes [#840](https://github.com/googleapis/genai-toolbox/issues/840)
+
 ## [0.12.0](https://github.com/googleapis/genai-toolbox/compare/v0.11.0...v0.12.0) (2025-08-14)


--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -25,33 +25,42 @@ This project follows

 ## Contribution process

-### Code reviews
+> [!NOTE]
+> New contributions should always include both unit and integration tests.
+ 

 All submissions, including submissions by project members, require review. We
 use GitHub pull requests for this purpose. Consult
 [GitHub Help](https://help.github.com/articles/about-pull-requests/) for more
 information on using pull requests.

-Within 2-5 days, a reviewer will review your PR. They may approve it, or request
-changes. When requesting changes, reviewers should self-assign the PR to ensure
+### Code reviews
+
+* Within 2-5 days, a reviewer will review your PR. They may approve it, or request
+changes. 
+* When requesting changes, reviewers should self-assign the PR to ensure
 they are aware of any updates.
-If additional changes are needed, push additional commits to your PR branch -
-this helps the reviewer know which parts of the PR have changed. Commits will be
+* If additional changes are needed, push additional commits to your PR branch -
+this helps the reviewer know which parts of the PR have changed. 
+* Commits will be
 squashed when merged.
-Please follow up with changes promptly. If a PR is awaiting changes by the
+* Please follow up with changes promptly. 
+* If a PR is awaiting changes by the
 author for more than 10 days, maintainers may mark that PR as Draft. PRs that
 are inactive for more than 30 days may be closed.

-### Adding a New Database Source and Tool
+## Adding a New Database Source or Tool

-We recommend creating an
+Please create an
 [issue](https://github.com/googleapis/genai-toolbox/issues) before
-implementation to ensure we can accept the contribution and no duplicated work.
-If you have any questions, reach out on our
-[Discord](https://discord.gg/Dmm69peqjh) to chat directly with the team. New
-contributions should be added with both unit tests and integration tests.
+implementation to ensure we can accept the contribution and no duplicated work. This issue
+should include an overview of the API design. If you have any questions, reach out on our
+[Discord](https://discord.gg/Dmm69peqjh) to chat directly with the team.  

-#### 1. Implement the New Data Source
+> [!NOTE]
+> New tools can be added for [pre-existing data sources](https://github.com/googleapis/genai-toolbox/tree/main/internal/sources). However, any new database source should also include at least one new tool type.
+
+### Adding a New Database Source

 We recommend looking at an [example source
 implementation](https://github.com/googleapis/genai-toolbox/blob/main/internal/sources/postgres/postgres.go).
@@ -78,7 +87,7 @@ implementation](https://github.com/googleapis/genai-toolbox/blob/main/internal/s
 * **Implement `init()`** to register the new Source.
 * **Implement Unit Tests** in a file named `newdb_test.go`.

-#### 2. Implement the New Tool
+### Adding a New Tool

 We recommend looking at an [example tool
 implementation](https://github.com/googleapis/genai-toolbox/tree/main/internal/tools/postgres/postgressql).
@@ -111,7 +120,7 @@ tools.
 * **Implement `init()`** to register the new Tool.
 * **Implement Unit Tests** in a file named `newdb_test.go`.

-#### 3. Add Integration Tests
+### Adding Integration Tests

 * **Add a test file** under a new directory `tests/newdb`.
 * **Add pre-defined integration test suites** in the
@@ -153,7 +162,7 @@ tools.
 [temp-param-doc]:
    https://googleapis.github.io/genai-toolbox/resources/tools/#template-parameters

-#### 4. Add Documentation
+### Adding Documentation

 * **Update the documentation** to include information about your new data source
  and tool. This includes:
@@ -163,7 +172,7 @@ tools.

 * **(Optional) Add samples** to the `docs/en/samples/<newdb>` directory.

-#### (Optional) 5. Add Prebuilt Tools
+### (Optional) Adding Prebuilt Tools

 You can provide developers with a set of "build-time" tools to aid common
 software development user journeys like viewing and creating tables/collections
@@ -177,7 +186,7 @@ and data.
  [internal/prebuiltconfigs/prebuiltconfigs_test.go](internal/prebuiltconfigs/prebuiltconfigs_test.go)
  and [cmd/root_test.go](cmd/root_test.go).

-#### 6. Submit a Pull Request
+## Submitting a Pull Request

 Submit a pull request to the repository with your changes. Be sure to include a
 detailed description of your changes and any requests for long term testing
@@ -218,4 +227,4 @@ resources.
 * **PR Description:** PR description should **always** be included. It should
  include a concise description of the changes, it's impact, along with a
  summary of the solution. If the PR is related to a specific issue, the issue
-  number should be mentioned in the PR description (e.g. `Fixes #1`).
+  number should be mentioned in the PR description (e.g. `Fixes #1`).
--- a/README.md
+++ b/README.md
@@ -117,7 +117,7 @@ To install Toolbox as a binary:
 <!-- {x-release-please-start-version} -->
 ```sh
 # see releases page for other versions
-export VERSION=0.12.0
+export VERSION=0.14.0
 curl -O https://storage.googleapis.com/genai-toolbox/v$VERSION/linux/amd64/toolbox
 chmod +x toolbox
 ```
@@ -130,7 +130,7 @@ You can also install Toolbox as a container:

 ```sh
 # see releases page for other versions
-export VERSION=0.12.0
+export VERSION=0.14.0
 docker pull us-central1-docker.pkg.dev/database-toolbox/toolbox/toolbox:$VERSION
 ```

@@ -154,7 +154,7 @@ To install from source, ensure you have the latest version of
 [Go installed](https://go.dev/doc/install), and then run the following command:

 ```sh
-go install github.com/googleapis/genai-toolbox@v0.12.0
+go install github.com/googleapis/genai-toolbox@v0.14.0
 ```
 <!-- {x-release-please-end} -->

@@ -165,22 +165,66 @@ go install github.com/googleapis/genai-toolbox@v0.12.0
 [Configure](#configuration) a `tools.yaml` to define your tools, and then
 execute `toolbox` to start the server:

+<details open>
+<summary>Binary</summary>
+
+To run Toolbox from binary:
+
 ```sh
 ./toolbox --tools-file "tools.yaml"
 ```

-> [!NOTE]
-> Toolbox enables dynamic reloading by default. To disable, use the
-> `--disable-reload` flag.
+ⓘ **NOTE:**  
+Toolbox enables dynamic reloading by default. To disable, use the `--disable-reload` flag.

-#### Homebrew Users
+</details>

-If you installed Toolbox using Homebrew, the `toolbox` binary is available in your system path. You can start the server with the same command:
+<details>
+
+<summary>Container image</summary>
+
+To run the server after pulling the [container image](#installing-the-server):
+
+```sh
+export VERSION=0.11.0 # Use the version you pulled
+docker run -p 5000:5000 \
+-v $(pwd)/tools.yaml:/app/tools.yaml \
+us-central1-docker.pkg.dev/database-toolbox/toolbox/toolbox:$VERSION \
+--tools-file "/app/tools.yaml"
+```
+
+ⓘ **NOTE:**  
+The `-v` flag mounts your local `tools.yaml` into the container, and `-p` maps the container's port `5000` to your host's port `5000`.
+
+</details>
+
+<details>
+
+<summary>Source</summary>
+
+To run the server directly from source, navigate to the project root directory and run:
+
+```sh
+go run .
+```
+
+ⓘ **NOTE:**  
+This command runs the project from source, and is more suitable for development and testing. It does **not** compile a binary into your `$GOPATH`. If you want to compile a binary instead, refer the [Developer Documentation](./DEVELOPER.md#building-the-binary).
+
+</details>
+
+<details>
+
+<summary>Homebrew</summary>
+
+If you installed Toolbox using [Homebrew](https://brew.sh/), the `toolbox` binary is available in your system path. You can start the server with the same command:

 ```sh
 toolbox --tools-file "tools.yaml"
 ```

+</details>
+
 You can use `toolbox help` for a full list of flags! To stop the server, send a
 terminate signal (`ctrl+c` on most platforms).

@@ -188,6 +232,7 @@ For more detailed documentation on deploying to different environments, check
 out the resources in the [How-to
 section](https://googleapis.github.io/genai-toolbox/how-to/)

+
 ### Integrating your application

 Once your server is up and running, you can load the tools into your
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -43,6 +43,7 @@ import (

 	// Import tool packages for side effect of registration
 	_ "github.com/googleapis/genai-toolbox/internal/tools/alloydbainl"
+	_ "github.com/googleapis/genai-toolbox/internal/tools/bigquery/bigqueryconversationalanalytics"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/bigquery/bigqueryexecutesql"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/bigquery/bigqueryforecast"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/bigquery/bigquerygetdatasetinfo"
@@ -51,6 +52,8 @@ import (
 	_ "github.com/googleapis/genai-toolbox/internal/tools/bigquery/bigquerylisttableids"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/bigquery/bigquerysql"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/bigtable"
+	_ "github.com/googleapis/genai-toolbox/internal/tools/clickhouse/clickhouseexecutesql"
+	_ "github.com/googleapis/genai-toolbox/internal/tools/clickhouse/clickhousesql"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/couchbase"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/dataplex/dataplexlookupentry"
 	_ "github.com/googleapis/genai-toolbox/internal/tools/dataplex/dataplexsearchaspecttypes"
@@ -119,6 +122,7 @@ import (
 	_ "github.com/googleapis/genai-toolbox/internal/sources/alloydbpg"
 	_ "github.com/googleapis/genai-toolbox/internal/sources/bigquery"
 	_ "github.com/googleapis/genai-toolbox/internal/sources/bigtable"
+	_ "github.com/googleapis/genai-toolbox/internal/sources/clickhouse"
 	_ "github.com/googleapis/genai-toolbox/internal/sources/cloudsqlmssql"
 	_ "github.com/googleapis/genai-toolbox/internal/sources/cloudsqlmysql"
 	_ "github.com/googleapis/genai-toolbox/internal/sources/cloudsqlpg"
@@ -215,6 +219,9 @@ func NewCommand(opts ...Option) *Command {
 		o(cmd)
 	}

+	// Do not print Usage on runtime error
+	cmd.SilenceUsage = true
+
 	// Set server version
 	cmd.cfg.Version = versionString

@@ -264,8 +271,9 @@ type ToolsFile struct {
 }

 // parseEnv replaces environment variables ${ENV_NAME} with their values.
+// also support ${ENV_NAME:default_value}.
 func parseEnv(input string) (string, error) {
-	re := regexp.MustCompile(`\$\{(\w+)\}`)
+	re := regexp.MustCompile(`\$\{(\w+)(:(\w*))?\}`)

 	var err error
 	output := re.ReplaceAllStringFunc(input, func(match string) string {
@@ -276,6 +284,9 @@ func parseEnv(input string) (string, error) {
 		if value, found := os.LookupEnv(variableName); found {
 			return value
 		}
+		if parts[2] != "" {
+			return parts[3]
+		}
 		err = fmt.Errorf("environment variable not found: %q", variableName)
 		return ""
 	})
@@ -829,7 +840,7 @@ func run(cmd *Command) error {
 		}
 		cmd.logger.InfoContext(ctx, "Server ready to serve!")
 		if cmd.cfg.UI {
-			cmd.logger.InfoContext(ctx, fmt.Sprintf("Toolbox UI is up and running at: http://localhost:%d/ui", cmd.cfg.Port))
+			cmd.logger.InfoContext(ctx, fmt.Sprintf("Toolbox UI is up and running at: http://%s:%d/ui", cmd.cfg.Address, cmd.cfg.Port))
 		}

 		go func() {
--- a/cmd/root_test.go
+++ b/cmd/root_test.go
@@ -206,6 +206,72 @@ func TestServerConfigFlags(t *testing.T) {
 	}
 }

+func TestParseEnv(t *testing.T) {
+	tcs := []struct {
+		desc      string
+		env       map[string]string
+		in        string
+		want      string
+		err       bool
+		errString string
+	}{
+		{
+			desc:      "without default without env",
+			in:        "${FOO}",
+			want:      "",
+			err:       true,
+			errString: `environment variable not found: "FOO"`,
+		},
+		{
+			desc: "without default with env",
+			env: map[string]string{
+				"FOO": "bar",
+			},
+			in:   "${FOO}",
+			want: "bar",
+		},
+		{
+			desc: "with empty default",
+			in:   "${FOO:}",
+			want: "",
+		},
+		{
+			desc: "with default",
+			in:   "${FOO:bar}",
+			want: "bar",
+		},
+		{
+			desc: "with default with env",
+			env: map[string]string{
+				"FOO": "hello",
+			},
+			in:   "${FOO:bar}",
+			want: "hello",
+		},
+	}
+	for _, tc := range tcs {
+		t.Run(tc.desc, func(t *testing.T) {
+			if tc.env != nil {
+				for k, v := range tc.env {
+					t.Setenv(k, v)
+				}
+			}
+			got, err := parseEnv(tc.in)
+			if tc.err {
+				if err == nil {
+					t.Fatalf("expected error not found")
+				}
+				if tc.errString != err.Error() {
+					t.Fatalf("incorrect error string: got %s, want %s", err, tc.errString)
+				}
+			}
+			if tc.want != got {
+				t.Fatalf("unexpected want: got %s, want %s", got, tc.want)
+			}
+		})
+	}
+}
+
 func TestToolFileFlag(t *testing.T) {
 	tcs := []struct {
 		desc string
@@ -1166,6 +1232,7 @@ func TestPrebuiltTools(t *testing.T) {
 	alloydb_admin_config, _ := prebuiltconfigs.Get("alloydb-postgres-admin")
 	alloydb_config, _ := prebuiltconfigs.Get("alloydb-postgres")
 	bigquery_config, _ := prebuiltconfigs.Get("bigquery")
+	clickhouse_config, _ := prebuiltconfigs.Get("clickhouse")
 	cloudsqlpg_config, _ := prebuiltconfigs.Get("cloud-sql-postgres")
 	cloudsqlmysql_config, _ := prebuiltconfigs.Get("cloud-sql-mysql")
 	cloudsqlmssql_config, _ := prebuiltconfigs.Get("cloud-sql-mssql")
@@ -1198,6 +1265,13 @@ func TestPrebuiltTools(t *testing.T) {
 	t.Setenv("ALLOYDB_POSTGRES_USER", "your_alloydb_user")
 	t.Setenv("ALLOYDB_POSTGRES_PASSWORD", "your_alloydb_password")

+	t.Setenv("CLICKHOUSE_PROTOCOL", "your_clickhouse_protocol")
+	t.Setenv("CLICKHOUSE_DATABASE", "your_clickhouse_database")
+	t.Setenv("CLICKHOUSE_PASSWORD", "your_clickhouse_password")
+	t.Setenv("CLICKHOUSE_USER", "your_clickhouse_user")
+	t.Setenv("CLICKHOUSE_HOST", "your_clickhosue_host")
+	t.Setenv("CLICKHOUSE_PORT", "8123")
+
 	t.Setenv("CLOUD_SQL_POSTGRES_PROJECT", "your_pg_project")
 	t.Setenv("CLOUD_SQL_POSTGRES_INSTANCE", "your_pg_instance")
 	t.Setenv("CLOUD_SQL_POSTGRES_DATABASE", "your_pg_db")
@@ -1279,7 +1353,17 @@ func TestPrebuiltTools(t *testing.T) {
 			wantToolset: server.ToolsetConfigs{
 				"bigquery-database-tools": tools.ToolsetConfig{
 					Name:      "bigquery-database-tools",
-					ToolNames: []string{"execute_sql", "forecast", "get_dataset_info", "get_table_info", "list_dataset_ids", "list_table_ids"},
+					ToolNames: []string{"ask_data_insights", "execute_sql", "forecast", "get_dataset_info", "get_table_info", "list_dataset_ids", "list_table_ids"},
+				},
+			},
+		},
+		{
+			name: "clickhouse prebuilt tools",
+			in:   clickhouse_config,
+			wantToolset: server.ToolsetConfigs{
+				"clickhouse-database-tools": tools.ToolsetConfig{
+					Name:      "clickhouse-database-tools",
+					ToolNames: []string{"execute_sql"},
 				},
 			},
 		},
--- a/cmd/version.txt
+++ b/cmd/version.txt
@@ -1 +1 @@
-0.12.0
+0.14.0
--- a/docs/en/getting-started/colab_quickstart.ipynb
+++ b/docs/en/getting-started/colab_quickstart.ipynb
@@ -234,7 +234,7 @@
      },
      "outputs": [],
      "source": [
-        "version = \"0.12.0\" # x-release-please-version\n",
+        "version = \"0.14.0\" # x-release-please-version\n",
        "! curl -O https://storage.googleapis.com/genai-toolbox/v{version}/linux/amd64/toolbox\n",
        "\n",
        "# Make the binary executable\n",
--- a/docs/en/getting-started/configure.md
+++ b/docs/en/getting-started/configure.md
@@ -22,6 +22,11 @@ etc., you could use environment variables instead with the format `${ENV_NAME}`.
  user: ${USER_NAME}
  password: ${PASSWORD}
 ```
+A default value can be specified like `${ENV_NAME:default}`.
+
+```yaml
+  port: ${DB_PORT:3306}
+```

 ### Sources

--- a/docs/en/getting-started/introduction/_index.md
+++ b/docs/en/getting-started/introduction/_index.md
@@ -86,7 +86,7 @@ To install Toolbox as a binary:

 ```sh
 # see releases page for other versions
-export VERSION=0.12.0
+export VERSION=0.14.0
 curl -O https://storage.googleapis.com/genai-toolbox/v$VERSION/linux/amd64/toolbox
 chmod +x toolbox
 ```
@@ -97,7 +97,7 @@ You can also install Toolbox as a container:

 ```sh
 # see releases page for other versions
-export VERSION=0.12.0
+export VERSION=0.14.0
 docker pull us-central1-docker.pkg.dev/database-toolbox/toolbox/toolbox:$VERSION
 ```

@@ -115,7 +115,7 @@ To install from source, ensure you have the latest version of
 [Go installed](https://go.dev/doc/install), and then run the following command:

 ```sh
-go install github.com/googleapis/genai-toolbox@v0.12.0
+go install github.com/googleapis/genai-toolbox@v0.14.0
 ```

 {{% /tab %}}
--- a/docs/en/getting-started/local_quickstart.md
+++ b/docs/en/getting-started/local_quickstart.md
@@ -94,305 +94,23 @@ pip install google-genai
   code to create an agent:
    {{< tabpane persist=header >}}
 {{< tab header="ADK" lang="python" >}}
-from google.adk.agents import Agent
-from google.adk.runners import Runner
-from google.adk.sessions import InMemorySessionService
-from google.adk.artifacts.in_memory_artifact_service import InMemoryArtifactService
-from google.genai import types
-from toolbox_core import ToolboxSyncClient

-import asyncio
-import os
+{{< include "quickstart/python/adk/quickstart.py" >}}

-# TODO(developer): replace this with your Google API key
-
-os.environ['GOOGLE_API_KEY'] = 'your-api-key'
-
-async def main():
-  with ToolboxSyncClient("<http://127.0.0.1:5000>") as toolbox_client:
-
-      prompt = """
-        You're a helpful hotel assistant. You handle hotel searching, booking and
-        cancellations. When the user searches for a hotel, mention it's name, id,
-        location and price tier. Always mention hotel ids while performing any
-        searches. This is very important for any operations. For any bookings or
-        cancellations, please provide the appropriate confirmation. Be sure to
-        update checkin or checkout dates if mentioned by the user.
-        Don't ask for confirmations from the user.
-      """
-
-      root_agent = Agent(
-          model='gemini-2.0-flash-001',
-          name='hotel_agent',
-          description='A helpful AI assistant.',
-          instruction=prompt,
-          tools=toolbox_client.load_toolset("my-toolset"),
-      )
-
-      session_service = InMemorySessionService()
-      artifacts_service = InMemoryArtifactService()
-      session = await session_service.create_session(
-          state={}, app_name='hotel_agent', user_id='123'
-      )
-      runner = Runner(
-          app_name='hotel_agent',
-          agent=root_agent,
-          artifact_service=artifacts_service,
-          session_service=session_service,
-      )
-
-      queries = [
-          "Find hotels in Basel with Basel in its name.",
-          "Can you book the Hilton Basel for me?",
-          "Oh wait, this is too expensive. Please cancel it and book the Hyatt Regency instead.",
-          "My check in dates would be from April 10, 2024 to April 19, 2024.",
-      ]
-
-      for query in queries:
-          content = types.Content(role='user', parts=[types.Part(text=query)])
-          events = runner.run(session_id=session.id,
-                              user_id='123', new_message=content)
-
-          responses = (
-            part.text
-            for event in events
-            for part in event.content.parts
-            if part.text is not None
-          )
-
-          for text in responses:
-            print(text)
-
-asyncio.run(main())
 {{< /tab >}}
 {{< tab header="LangChain" lang="python" >}}
-import asyncio

-from langgraph.prebuilt import create_react_agent
+{{< include "quickstart/python/langchain/quickstart.py" >}}

-# TODO(developer): replace this with another import if needed
-
-from langchain_google_vertexai import ChatVertexAI
-
-# from langchain_google_genai import ChatGoogleGenerativeAI
-
-# from langchain_anthropic import ChatAnthropic
-
-from langgraph.checkpoint.memory import MemorySaver
-
-from toolbox_langchain import ToolboxClient
-
-prompt = """
-  You're a helpful hotel assistant. You handle hotel searching, booking and
-  cancellations. When the user searches for a hotel, mention it's name, id,
-  location and price tier. Always mention hotel ids while performing any
-  searches. This is very important for any operations. For any bookings or
-  cancellations, please provide the appropriate confirmation. Be sure to
-  update checkin or checkout dates if mentioned by the user.
-  Don't ask for confirmations from the user.
-"""
-
-queries = [
-    "Find hotels in Basel with Basel in its name.",
-    "Can you book the Hilton Basel for me?",
-    "Oh wait, this is too expensive. Please cancel it and book the Hyatt Regency instead.",
-    "My check in dates would be from April 10, 2024 to April 19, 2024.",
-]
-
-async def run_application():
-    # TODO(developer): replace this with another model if needed
-    model = ChatVertexAI(model_name="gemini-2.0-flash-001")
-    # model = ChatGoogleGenerativeAI(model="gemini-2.0-flash-001")
-    # model = ChatAnthropic(model="claude-3-5-sonnet-20240620")
-
-    # Load the tools from the Toolbox server
-    async with ToolboxClient("http://127.0.0.1:5000") as client:
-        tools = await client.aload_toolset()
-
-        agent = create_react_agent(model, tools, checkpointer=MemorySaver())
-
-        config = {"configurable": {"thread_id": "thread-1"}}
-        for query in queries:
-            inputs = {"messages": [("user", prompt + query)]}
-            response = agent.invoke(inputs, stream_mode="values", config=config)
-            print(response["messages"][-1].content)
-
-asyncio.run(run_application())
 {{< /tab >}}
 {{< tab header="LlamaIndex" lang="python" >}}
-import asyncio
-import os

-from llama_index.core.agent.workflow import AgentWorkflow
+{{< include "quickstart/python/llamaindex/quickstart.py" >}}

-from llama_index.core.workflow import Context
-
-# TODO(developer): replace this with another import if needed
-
-from llama_index.llms.google_genai import GoogleGenAI
-
-# from llama_index.llms.anthropic import Anthropic
-
-from toolbox_llamaindex import ToolboxClient
-
-prompt = """
-  You're a helpful hotel assistant. You handle hotel searching, booking and
-  cancellations. When the user searches for a hotel, mention it's name, id,
-  location and price tier. Always mention hotel ids while performing any
-  searches. This is very important for any operations. For any bookings or
-  cancellations, please provide the appropriate confirmation. Be sure to
-  update checkin or checkout dates if mentioned by the user.
-  Don't ask for confirmations from the user.
-"""
-
-queries = [
-    "Find hotels in Basel with Basel in its name.",
-    "Can you book the Hilton Basel for me?",
-    "Oh wait, this is too expensive. Please cancel it and book the Hyatt Regency instead.",
-    "My check in dates would be from April 10, 2024 to April 19, 2024.",
-]
-
-async def run_application():
-    # TODO(developer): replace this with another model if needed
-    llm = GoogleGenAI(
-        model="gemini-2.0-flash-001",
-        vertexai_config={"project": "project-id", "location": "us-central1"},
-    )
-    # llm = GoogleGenAI(
-    #     api_key=os.getenv("GOOGLE_API_KEY"),
-    #     model="gemini-2.0-flash-001",
-    # )
-    # llm = Anthropic(
-    #   model="claude-3-7-sonnet-latest",
-    #   api_key=os.getenv("ANTHROPIC_API_KEY")
-    # )
-
-    # Load the tools from the Toolbox server
-    async with ToolboxClient("http://127.0.0.1:5000") as client:
-        tools = await client.aload_toolset()
-
-        agent = AgentWorkflow.from_tools_or_functions(
-            tools,
-            llm=llm,
-            system_prompt=prompt,
-        )
-        ctx = Context(agent)
-        for query in queries:
-            response = await agent.run(user_msg=query, ctx=ctx)
-            print(f"---- {query} ----")
-            print(str(response))
-
-asyncio.run(run_application())
 {{< /tab >}}
 {{< tab header="Core" lang="python" >}}
-import asyncio

-from google import genai
-from google.genai.types import (
-    Content,
-    FunctionDeclaration,
-    GenerateContentConfig,
-    Part,
-    Tool,
-)
-
-from toolbox_core import ToolboxClient
-
-prompt = """
-  You're a helpful hotel assistant. You handle hotel searching, booking and
-  cancellations. When the user searches for a hotel, mention it's name, id,
-  location and price tier. Always mention hotel id while performing any
-  searches. This is very important for any operations. For any bookings or
-  cancellations, please provide the appropriate confirmation. Be sure to
-  update checkin or checkout dates if mentioned by the user.
-  Don't ask for confirmations from the user.
-"""
-
-queries = [
-    "Find hotels in Basel with Basel in its name.",
-    "Please book the hotel Hilton Basel for me.",
-    "This is too expensive. Please cancel it.",
-    "Please book Hyatt Regency for me",
-    "My check in dates for my booking would be from April 10, 2024 to April 19, 2024.",
-]
-
-async def run_application():
-    async with ToolboxClient("<http://127.0.0.1:5000>") as toolbox_client:
-
-        # The toolbox_tools list contains Python callables (functions/methods) designed for LLM tool-use
-        # integration. While this example uses Google's genai client, these callables can be adapted for
-        # various function-calling or agent frameworks. For easier integration with supported frameworks
-        # (https://github.com/googleapis/mcp-toolbox-python-sdk/tree/main/packages), use the
-        # provided wrapper packages, which handle framework-specific boilerplate.
-        toolbox_tools = await toolbox_client.load_toolset("my-toolset")
-        genai_client = genai.Client(
-            vertexai=True, project="project-id", location="us-central1"
-        )
-
-        genai_tools = [
-            Tool(
-                function_declarations=[
-                    FunctionDeclaration.from_callable_with_api_option(callable=tool)
-                ]
-            )
-            for tool in toolbox_tools
-        ]
-        history = []
-        for query in queries:
-            user_prompt_content = Content(
-                role="user",
-                parts=[Part.from_text(text=query)],
-            )
-            history.append(user_prompt_content)
-
-            response = genai_client.models.generate_content(
-                model="gemini-2.0-flash-001",
-                contents=history,
-                config=GenerateContentConfig(
-                    system_instruction=prompt,
-                    tools=genai_tools,
-                ),
-            )
-            history.append(response.candidates[0].content)
-            function_response_parts = []
-            for function_call in response.function_calls:
-                fn_name = function_call.name
-                # The tools are sorted alphabetically
-                if fn_name == "search-hotels-by-name":
-                    function_result = await toolbox_tools[3](**function_call.args)
-                elif fn_name == "search-hotels-by-location":
-                    function_result = await toolbox_tools[2](**function_call.args)
-                elif fn_name == "book-hotel":
-                    function_result = await toolbox_tools[0](**function_call.args)
-                elif fn_name == "update-hotel":
-                    function_result = await toolbox_tools[4](**function_call.args)
-                elif fn_name == "cancel-hotel":
-                    function_result = await toolbox_tools[1](**function_call.args)
-                else:
-                    raise ValueError("Function name not present.")
-                function_response = {"result": function_result}
-                function_response_part = Part.from_function_response(
-                    name=function_call.name,
-                    response=function_response,
-                )
-                function_response_parts.append(function_response_part)
-
-            if function_response_parts:
-                tool_response_content = Content(role="tool", parts=function_response_parts)
-                history.append(tool_response_content)
-
-            response2 = genai_client.models.generate_content(
-                model="gemini-2.0-flash-001",
-                contents=history,
-                config=GenerateContentConfig(
-                    tools=genai_tools,
-                ),
-            )
-            final_model_response_content = response2.candidates[0].content
-            history.append(final_model_response_content)
-            print(response2.text)
-
-asyncio.run(run_application())
+{{< include "quickstart/python/core/quickstart.py" >}}

 {{< /tab >}}
 {{< /tabpane >}}
--- a/docs/en/getting-started/local_quickstart_js.md
+++ b/docs/en/getting-started/local_quickstart_js.md
@@ -64,384 +64,26 @@ npm install @google/genai
    {{< tabpane persist=header >}}
 {{< tab header="LangChain" lang="js" >}}

-import { ChatGoogleGenerativeAI } from "@langchain/google-genai";
-import { ToolboxClient } from "@toolbox-sdk/core";
-import { tool } from "@langchain/core/tools";
-import { createReactAgent } from "@langchain/langgraph/prebuilt";
-import { MemorySaver } from "@langchain/langgraph";
-
-// Replace it with your API key
-process.env.GOOGLE_API_KEY = 'your-api-key';
-
-const prompt = `
-You're a helpful hotel assistant. You handle hotel searching, booking, and
-cancellations. When the user searches for a hotel, mention its name, id,
-location and price tier. Always mention hotel ids while performing any
-searches. This is very important for any operations. For any bookings or
-cancellations, please provide the appropriate confirmation. Be sure to
-update checkin or checkout dates if mentioned by the user.
-Don't ask for confirmations from the user.
-`;
-
-const queries = [
-  "Find hotels in Basel with Basel in its name.",
-  "Can you book the Hilton Basel for me?",
-  "Oh wait, this is too expensive. Please cancel it and book the Hyatt Regency instead.",
-  "My check in dates would be from April 10, 2024 to April 19, 2024.",
-];
-
-async function runApplication() {
-  const model = new ChatGoogleGenerativeAI({
-    model: "gemini-2.0-flash",
-  });
-
-  const client = new ToolboxClient("http://127.0.0.1:5000");
-  const toolboxTools = await client.loadToolset("my-toolset");
-
-  // Define the basics of the tool: name, description, schema and core logic
-  const getTool = (toolboxTool) => tool(toolboxTool, {
-    name: toolboxTool.getName(),
-    description: toolboxTool.getDescription(),
-    schema: toolboxTool.getParamSchema()
-  });
-  const tools = toolboxTools.map(getTool);
-
-  const agent = createReactAgent({
-    llm: model,
-    tools: tools,
-    checkpointer: new MemorySaver(),
-    systemPrompt: prompt,
-  });
-
-  const langGraphConfig = {
-    configurable: {
-        thread_id: "test-thread",
-    },
-  };
-
-  for (const query of queries) {
-    const agentOutput = await agent.invoke(
-    {
-        messages: [
-        {
-            role: "user",
-            content: query,
-        },
-        ],
-        verbose: true,
-    },
-    langGraphConfig
-    );
-    const response = agentOutput.messages[agentOutput.messages.length - 1].content;
-    console.log(response);
-  }
-}
-
-runApplication()
-  .catch(console.error)
-  .finally(() => console.log("\nApplication finished."));
+{{< include "quickstart/js/langchain/quickstart.js" >}}

 {{< /tab >}}

 {{< tab header="GenkitJS" lang="js" >}}

-import { ToolboxClient } from "@toolbox-sdk/core";
-import { genkit } from "genkit";
-import { googleAI } from '@genkit-ai/googleai';
+{{< include "quickstart/js/genkit/quickstart.js" >}}

-// Replace it with your API key
-process.env.GOOGLE_API_KEY = 'your-api-key';
-
-const systemPrompt = `
-You're a helpful hotel assistant. You handle hotel searching, booking, and
-cancellations. When the user searches for a hotel, mention its name, id,
-location and price tier. Always mention hotel ids while performing any
-searches. This is very important for any operations. For any bookings or
-cancellations, please provide the appropriate confirmation. Be sure to
-update checkin or checkout dates if mentioned by the user.
-Don't ask for confirmations from the user.
-`;
-
-const queries = [
-  "Find hotels in Basel with Basel in its name.",
-  "Can you book the Hilton Basel for me?",
-  "Oh wait, this is too expensive. Please cancel it and book the Hyatt Regency instead.",
-  "My check in dates would be from April 10, 2024 to April 19, 2024.",
-];
-
-async function run() {
-  const toolboxClient = new ToolboxClient("http://127.0.0.1:5000");
-
-  const ai = genkit({
-    plugins: [
-      googleAI({
-        apiKey: process.env.GEMINI_API_KEY || process.env.GOOGLE_API_KEY
-      })
-    ],
-    model: googleAI.model('gemini-2.0-flash'),
-  });
-
-  const toolboxTools = await toolboxClient.loadToolset("my-toolset");
-  const toolMap = Object.fromEntries(
-    toolboxTools.map((tool) => {
-      const definedTool = ai.defineTool(
-        {
-          name: tool.getName(),
-          description: tool.getDescription(),
-          inputSchema: tool.getParamSchema(),
-        },
-        tool
-      );
-      return [tool.getName(), definedTool];
-    })
-  );
-  const tools = Object.values(toolMap);
-
-  let conversationHistory = [{ role: "system", content: [{ text: systemPrompt }] }];
-
-  for (const query of queries) {
-    conversationHistory.push({ role: "user", content: [{ text: query }] });
-    const response = await ai.generate({
-      messages: conversationHistory,
-      tools: tools,
-    });
-    conversationHistory.push(response.message);
-
-    const toolRequests = response.toolRequests;
-    if (toolRequests?.length > 0) {
-      // Execute tools concurrently and collect their responses.
-      const toolResponses = await Promise.all(
-        toolRequests.map(async (call) => {
-          try {
-            const toolOutput = await toolMap[call.name].invoke(call.input);
-            return { role: "tool", content: [{ toolResponse: { name: call.name, output: toolOutput } }] };
-          } catch (e) {
-            console.error(`Error executing tool ${call.name}:`, e);
-            return { role: "tool", content: [{ toolResponse: { name: call.name, output: { error: e.message } } }] };
-          }
-        })
-      );
-
-      conversationHistory.push(...toolResponses);
-
-      // Call the AI again with the tool results.
-      response = await ai.generate({ messages: conversationHistory, tools });
-      conversationHistory.push(response.message);
-    }
-
-    console.log(response.text);
-  }
-}
-
-run();
 {{< /tab >}}

 {{< tab header="LlamaIndex" lang="js" >}}

-import { gemini, GEMINI_MODEL } from "@llamaindex/google";
-import { agent } from "@llamaindex/workflow";
-import { createMemory, staticBlock, tool } from "llamaindex";
-import { ToolboxClient } from "@toolbox-sdk/core";
-
-const TOOLBOX_URL = "http://127.0.0.1:5000"; // Update if needed
-process.env.GOOGLE_API_KEY = 'your-api-key'; // Replace it with your API key
-
-const prompt = `
-
-You're a helpful hotel assistant. You handle hotel searching, booking and cancellations.
-When the user searches for a hotel, mention its name, id, location and price tier.
-Always mention hotel ids while performing any searches â€” this is very important for operations.
-For any bookings or cancellations, please provide the appropriate confirmation.
-Update check-in or check-out dates if mentioned by the user.
-Don't ask for confirmations from the user.
-
-`;
-
-const queries = [
-  "Find hotels in Basel with Basel in its name.",
-  "Can you book the Hilton Basel for me?",
-  "Oh wait, this is too expensive. Please cancel it and book the Hyatt Regency instead.",
-  "My check in dates would be from April 10, 2024 to April 19, 2024.",
-];
-
-async function main() {
-  // Connect to MCP Toolbox
-  const client = new ToolboxClient(TOOLBOX_URL);
-  const toolboxTools = await client.loadToolset("my-toolset");
-  const tools = toolboxTools.map((toolboxTool) => {
-    return tool({
-      name: toolboxTool.getName(),
-      description: toolboxTool.getDescription(),
-      parameters: toolboxTool.getParamSchema(),
-      execute: toolboxTool,
-    });
-  });
-
-  // Initialize LLM
-  const llm = gemini({
-    model: GEMINI_MODEL.GEMINI_2_0_FLASH,
-    apiKey: process.env.GOOGLE_API_KEY,
-  });
-
-  const memory = createMemory({
-    memoryBlocks: [
-      staticBlock({
-        content: prompt,
-      }),
-    ],
-  });
-
-  // Create the Agent
-  const myAgent = agent({
-    tools: tools,
-    llm,
-    memory,
-    systemPrompt: prompt,
-  });
-
-  for (const query of queries) {
-    const result = await myAgent.run(query);
-    const output = result.data.result;
-
-    console.log(`\nUser: ${query}`);
-    if (typeof output === "string") {
-      console.log(output.trim());
-    } else if (typeof output === "object" && "text" in output) {
-      console.log(output.text.trim());
-    } else {
-      console.log(JSON.stringify(output));
-    }
-  }
-  //You may observe some extra logs during execution due to the run method provided by Llama.
-  console.log("Agent run finished.");
-}
-
-main();
+{{< include "quickstart/js/llamaindex/quickstart.js" >}}

 {{< /tab >}}

 {{< tab header="GoogleGenAI" lang="js" >}}
-import { GoogleGenAI } from "@google/genai";
-import { ToolboxClient } from "@toolbox-sdk/core";

+{{< include "quickstart/js/genAI/quickstart.js" >}}

-const TOOLBOX_URL = "http://127.0.0.1:5000"; // Update if needed
-const GOOGLE_API_KEY = 'enter your api here'; // Replace it with your API key
-
-const prompt = `
-You're a helpful hotel assistant. You handle hotel searching, booking, and
-cancellations. When the user searches for a hotel, you MUST use the available tools to find information. Mention its name, id,
-location and price tier. Always mention hotel id while performing any
-searches. This is very important for any operations. For any bookings or
-cancellations, please provide the appropriate confirmation. Be sure to
-update checkin or checkout dates if mentioned by the user.
-Don't ask for confirmations from the user.
-`;
-
-const queries = [
-  "Find hotels in Basel with Basel in its name.",
-  "Can you book the Hilton Basel for me?",
-  "Oh wait, this is too expensive. Please cancel it and book the Hyatt Regency instead.",
-  "My check in dates would be from April 10, 2024 to April 19, 2024.",
-];
-
-function mapZodTypeToOpenAPIType(zodTypeName) {
-
-    console.log(zodTypeName)
-    const typeMap = {
-        'ZodString': 'string',
-        'ZodNumber': 'number',
-        'ZodBoolean': 'boolean',
-        'ZodArray': 'array',
-        'ZodObject': 'object',
-    };
-    return typeMap[zodTypeName] || 'string';
-}
-
-async function runApplication() {
-   
-    const toolboxClient = new ToolboxClient(TOOLBOX_URL); 
-    const toolboxTools = await toolboxClient.loadToolset("my-toolset");
-    
-    const geminiTools = [{
-        functionDeclarations: toolboxTools.map(tool => {
-            
-            const schema = tool.getParamSchema();
-            const properties = {};
-            const required = [];
-
-         
-            for (const [key, param] of Object.entries(schema.shape)) {
-                properties[key] = {
-                        type: mapZodTypeToOpenAPIType(param.constructor.name),
-                        description: param.description || '',
-                    };
-                required.push(key)
-                }
-            
-            return {
-                name: tool.getName(),
-                description: tool.getDescription(),
-                parameters: { type: 'object', properties, required },
-            };
-        })
-    }];
-
-
-    const genAI = new GoogleGenAI({ apiKey: GOOGLE_API_KEY });
-    
-    const chat = genAI.chats.create({
-        model: "gemini-2.5-flash",
-        config: {
-            systemInstruction: prompt,
-            tools: geminiTools,
-        }
-    });
-
-    for (const query of queries) {
-        
-        let currentResult = await chat.sendMessage({ message: query });
-        
-        let finalResponseGiven = false
-        while (!finalResponseGiven) {
-            
-            const response = currentResult;
-            const functionCalls = response.functionCalls || [];
-
-            if (functionCalls.length === 0) {
-                console.log(response.text)
-                finalResponseGiven = true;
-            } else {
-                const toolResponses = [];
-                for (const call of functionCalls) {
-                    const toolName = call.name
-                    const toolToExecute = toolboxTools.find(t => t.getName() === toolName);
-                    
-                    if (toolToExecute) {
-                        try {
-                            const functionResult = await toolToExecute(call.args);
-                            toolResponses.push({
-                                functionResponse: { name: call.name, response: { result: functionResult } }
-                            });
-                        } catch (e) {
-                            console.error(`Error executing tool '${toolName}':`, e);
-                            toolResponses.push({
-                                functionResponse: { name: call.name, response: { error: e.message } }
-                            });
-                        }
-                    }
-                }
-                
-                currentResult = await chat.sendMessage({ message: toolResponses });
-            }
-        }
-        
-    }
-}
-
-runApplication()
-  .catch(console.error)
-  .finally(() => console.log("\nApplication finished."));
 {{< /tab >}}

 {{< /tabpane >}}
--- a/docs/en/getting-started/mcp_quickstart/_index.md
+++ b/docs/en/getting-started/mcp_quickstart/_index.md
@@ -105,7 +105,7 @@ In this section, we will download Toolbox, configure our tools in a
    <!-- {x-release-please-start-version} -->
    ```bash
    export OS="linux/amd64" # one of linux/amd64, darwin/arm64, darwin/amd64, or windows/amd64
-    curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/$OS/toolbox
+    curl -O https://storage.googleapis.com/genai-toolbox/v0.14.0/$OS/toolbox
    ```
    <!-- {x-release-please-end} -->

--- a/docs/en/getting-started/quickstart/js/genAI/quickstart.js
+++ b/docs/en/getting-started/quickstart/js/genAI/quickstart.js
@@ -0,0 +1,119 @@
+import { GoogleGenAI } from "@google/genai";
+import { ToolboxClient } from "@toolbox-sdk/core";
+
+
+const TOOLBOX_URL = "http://127.0.0.1:5000"; // Update if needed
+const GOOGLE_API_KEY = 'enter your api here'; // Replace it with your API key
+
+const prompt = `
+You're a helpful hotel assistant. You handle hotel searching, booking, and
+cancellations. When the user searches for a hotel, you MUST use the available tools to find information. Mention its name, id,
+location and price tier. Always mention hotel id while performing any
+searches. This is very important for any operations. For any bookings or
+cancellations, please provide the appropriate confirmation. Be sure to
+update checkin or checkout dates if mentioned by the user.
+Don't ask for confirmations from the user.
+`;
+
+const queries = [
+  "Find hotels in Basel with Basel in its name.",
+  "Can you book the Hilton Basel for me?",
+  "Oh wait, this is too expensive. Please cancel it and book the Hyatt Regency instead.",
+  "My check in dates would be from April 10, 2024 to April 19, 2024.",
+];
+
+function mapZodTypeToOpenAPIType(zodTypeName) {
+
+    console.log(zodTypeName)
+    const typeMap = {
+        'ZodString': 'string',
+        'ZodNumber': 'number',
+        'ZodBoolean': 'boolean',
+        'ZodArray': 'array',
+        'ZodObject': 'object',
+    };
+    return typeMap[zodTypeName] || 'string';
+}
+
+async function main() {
+   
+    const toolboxClient = new ToolboxClient(TOOLBOX_URL); 
+    const toolboxTools = await toolboxClient.loadToolset("my-toolset");
+    
+    const geminiTools = [{
+        functionDeclarations: toolboxTools.map(tool => {
+            
+            const schema = tool.getParamSchema();
+            const properties = {};
+            const required = [];
+
+         
+            for (const [key, param] of Object.entries(schema.shape)) {
+                properties[key] = {
+                        type: mapZodTypeToOpenAPIType(param.constructor.name),
+                        description: param.description || '',
+                    };
+                required.push(key)
+                }
+            
+            return {
+                name: tool.getName(),
+                description: tool.getDescription(),
+                parameters: { type: 'object', properties, required },
+            };
+        })
+    }];
+
+
+    const genAI = new GoogleGenAI({ apiKey: GOOGLE_API_KEY });
+    
+    const chat = genAI.chats.create({
+        model: "gemini-2.5-flash",
+        config: {
+            systemInstruction: prompt,
+            tools: geminiTools,
+        }
+    });
+
+    for (const query of queries) {
+        
+        let currentResult = await chat.sendMessage({ message: query });
+        
+        let finalResponseGiven = false
+        while (!finalResponseGiven) {
+            
+            const response = currentResult;
+            const functionCalls = response.functionCalls || [];
+
+            if (functionCalls.length === 0) {
+                console.log(response.text)
+                finalResponseGiven = true;
+            } else {
+                const toolResponses = [];
+                for (const call of functionCalls) {
+                    const toolName = call.name
+                    const toolToExecute = toolboxTools.find(t => t.getName() === toolName);
+                    
+                    if (toolToExecute) {
+                        try {
+                            const functionResult = await toolToExecute(call.args);
+                            toolResponses.push({
+                                functionResponse: { name: call.name, response: { result: functionResult } }
+                            });
+                        } catch (e) {
+                            console.error(`Error executing tool '${toolName}':`, e);
+                            toolResponses.push({
+                                functionResponse: { name: call.name, response: { error: e.message } }
+                            });
+                        }
+                    }
+                }
+                
+                currentResult = await chat.sendMessage({ message: toolResponses });
+            }
+        }
+        
+    }
+}
+
+main();
--- a/docs/en/getting-started/quickstart/js/genkit/quickstart.js
+++ b/docs/en/getting-started/quickstart/js/genkit/quickstart.js
@@ -0,0 +1,89 @@
+import { ToolboxClient } from "@toolbox-sdk/core";
+import { genkit } from "genkit";
+import { googleAI } from '@genkit-ai/googleai';
+
+// Replace it with your API key
+process.env.GOOGLE_API_KEY = 'your-api-key';
+
+const systemPrompt = `
+You're a helpful hotel assistant. You handle hotel searching, booking, and
+cancellations. When the user searches for a hotel, mention its name, id,
+location and price tier. Always mention hotel ids while performing any
+searches. This is very important for any operations. For any bookings or
+cancellations, please provide the appropriate confirmation. Be sure to
+update checkin or checkout dates if mentioned by the user.
+Don't ask for confirmations from the user.
+`;
+
+const queries = [
+  "Find hotels in Basel with Basel in its name.",
+  "Can you book the Hilton Basel for me?",
+  "Oh wait, this is too expensive. Please cancel it and book the Hyatt Regency instead.",
+  "My check in dates would be from April 10, 2024 to April 19, 2024.",
+];
+
+async function main() {
+  const toolboxClient = new ToolboxClient("http://127.0.0.1:5000");
+
+  const ai = genkit({
+    plugins: [
+      googleAI({
+        apiKey: process.env.GEMINI_API_KEY || process.env.GOOGLE_API_KEY
+      })
+    ],
+    model: googleAI.model('gemini-2.0-flash'),
+  });
+
+  const toolboxTools = await toolboxClient.loadToolset("my-toolset");
+  const toolMap = Object.fromEntries(
+    toolboxTools.map((tool) => {
+      const definedTool = ai.defineTool(
+        {
+          name: tool.getName(),
+          description: tool.getDescription(),
+          inputSchema: tool.getParamSchema(),
+        },
+        tool
+      );
+      return [tool.getName(), definedTool];
+    })
+  );
+  const tools = Object.values(toolMap);
+
+  let conversationHistory = [{ role: "system", content: [{ text: systemPrompt }] }];
+
+  for (const query of queries) {
+    conversationHistory.push({ role: "user", content: [{ text: query }] });
+    const response = await ai.generate({
+      messages: conversationHistory,
+      tools: tools,
+    });
+    conversationHistory.push(response.message);
+
+    const toolRequests = response.toolRequests;
+    if (toolRequests?.length > 0) {
+      // Execute tools concurrently and collect their responses.
+      const toolResponses = await Promise.all(
+        toolRequests.map(async (call) => {
+          try {
+            const toolOutput = await toolMap[call.name].invoke(call.input);
+            return { role: "tool", content: [{ toolResponse: { name: call.name, output: toolOutput } }] };
+          } catch (e) {
+            console.error(`Error executing tool ${call.name}:`, e);
+            return { role: "tool", content: [{ toolResponse: { name: call.name, output: { error: e.message } } }] };
+          }
+        })
+      );
+
+      conversationHistory.push(...toolResponses);
+
+      // Call the AI again with the tool results.
+      response = await ai.generate({ messages: conversationHistory, tools });
+      conversationHistory.push(response.message);
+    }
+
+    console.log(response.text);
+  }
+}
+
+main();
--- a/docs/en/getting-started/quickstart/js/langchain/quickstart.js
+++ b/docs/en/getting-started/quickstart/js/langchain/quickstart.js
@@ -0,0 +1,74 @@
+import { ChatGoogleGenerativeAI } from "@langchain/google-genai";
+import { ToolboxClient } from "@toolbox-sdk/core";
+import { tool } from "@langchain/core/tools";
+import { createReactAgent } from "@langchain/langgraph/prebuilt";
+import { MemorySaver } from "@langchain/langgraph";
+
+// Replace it with your API key
+process.env.GOOGLE_API_KEY = 'your-api-key';
+
+const prompt = `
+You're a helpful hotel assistant. You handle hotel searching, booking, and
+cancellations. When the user searches for a hotel, mention its name, id,
+location and price tier. Always mention hotel ids while performing any
+searches. This is very important for any operations. For any bookings or
+cancellations, please provide the appropriate confirmation. Be sure to
+update checkin or checkout dates if mentioned by the user.
+Don't ask for confirmations from the user.
+`;
+
+const queries = [
+  "Find hotels in Basel with Basel in its name.",
+  "Can you book the Hilton Basel for me?",
+  "Oh wait, this is too expensive. Please cancel it and book the Hyatt Regency instead.",
+  "My check in dates would be from April 10, 2024 to April 19, 2024.",
+];
+
+async function main() {
+  const model = new ChatGoogleGenerativeAI({
+    model: "gemini-2.0-flash",
+  });
+
+  const client = new ToolboxClient("http://127.0.0.1:5000");
+  const toolboxTools = await client.loadToolset("my-toolset");
+
+  // Define the basics of the tool: name, description, schema and core logic
+  const getTool = (toolboxTool) => tool(toolboxTool, {
+    name: toolboxTool.getName(),
+    description: toolboxTool.getDescription(),
+    schema: toolboxTool.getParamSchema()
+  });
+  const tools = toolboxTools.map(getTool);
+
+  const agent = createReactAgent({
+    llm: model,
+    tools: tools,
+    checkpointer: new MemorySaver(),
+    systemPrompt: prompt,
+  });
+
+  const langGraphConfig = {
+    configurable: {
+        thread_id: "test-thread",
+    },
+  };
+
+  for (const query of queries) {
+    const agentOutput = await agent.invoke(
+    {
+        messages: [
+        {
+            role: "user",
+            content: query,
+        },
+        ],
+        verbose: true,
+    },
+    langGraphConfig
+    );
+    const response = agentOutput.messages[agentOutput.messages.length - 1].content;
+    console.log(response);
+  }
+}
+
+main();
--- a/docs/en/getting-started/quickstart/js/llamaindex/quickstart.js
+++ b/docs/en/getting-started/quickstart/js/llamaindex/quickstart.js
@@ -0,0 +1,79 @@
+import { gemini, GEMINI_MODEL } from "@llamaindex/google";
+import { agent } from "@llamaindex/workflow";
+import { createMemory, staticBlock, tool } from "llamaindex";
+import { ToolboxClient } from "@toolbox-sdk/core";
+
+const TOOLBOX_URL = "http://127.0.0.1:5000"; // Update if needed
+process.env.GOOGLE_API_KEY = 'your-api-key'; // Replace it with your API key
+
+const prompt = `
+
+You're a helpful hotel assistant. You handle hotel searching, booking and cancellations.
+When the user searches for a hotel, mention its name, id, location and price tier.
+Always mention hotel ids while performing any searches â€” this is very important for operations.
+For any bookings or cancellations, please provide the appropriate confirmation.
+Update check-in or check-out dates if mentioned by the user.
+Don't ask for confirmations from the user.
+
+`;
+
+const queries = [
+  "Find hotels in Basel with Basel in its name.",
+  "Can you book the Hilton Basel for me?",
+  "Oh wait, this is too expensive. Please cancel it and book the Hyatt Regency instead.",
+  "My check in dates would be from April 10, 2024 to April 19, 2024.",
+];
+
+async function main() {
+  // Connect to MCP Toolbox
+  const client = new ToolboxClient(TOOLBOX_URL);
+  const toolboxTools = await client.loadToolset("my-toolset");
+  const tools = toolboxTools.map((toolboxTool) => {
+    return tool({
+      name: toolboxTool.getName(),
+      description: toolboxTool.getDescription(),
+      parameters: toolboxTool.getParamSchema(),
+      execute: toolboxTool,
+    });
+  });
+
+  // Initialize LLM
+  const llm = gemini({
+    model: GEMINI_MODEL.GEMINI_2_0_FLASH,
+    apiKey: process.env.GOOGLE_API_KEY,
+  });
+
+  const memory = createMemory({
+    memoryBlocks: [
+      staticBlock({
+        content: prompt,
+      }),
+    ],
+  });
+
+  // Create the Agent
+  const myAgent = agent({
+    tools: tools,
+    llm,
+    memory,
+    systemPrompt: prompt,
+  });
+
+  for (const query of queries) {
+    const result = await myAgent.run(query);
+    const output = result.data.result;
+
+    console.log(`\nUser: ${query}`);
+    if (typeof output === "string") {
+      console.log(output.trim());
+    } else if (typeof output === "object" && "text" in output) {
+      console.log(output.text.trim());
+    } else {
+      console.log(JSON.stringify(output));
+    }
+  }
+  //You may observe some extra logs during execution due to the run method provided by Llama.
+  console.log("Agent run finished.");
+}
+
+main();
--- a/docs/en/getting-started/quickstart/python/adk/quickstart.py
+++ b/docs/en/getting-started/quickstart/python/adk/quickstart.py
@@ -0,0 +1,70 @@
+from google.adk.agents import Agent
+from google.adk.runners import Runner
+from google.adk.sessions import InMemorySessionService
+from google.adk.artifacts.in_memory_artifact_service import InMemoryArtifactService
+from google.genai import types
+from toolbox_core import ToolboxSyncClient
+
+import asyncio
+import os
+
+# TODO(developer): replace this with your Google API key
+
+os.environ['GOOGLE_API_KEY'] = 'your-api-key'
+
+async def main():
+  with ToolboxSyncClient("http://127.0.0.1:5000") as toolbox_client:
+
+      prompt = """
+        You're a helpful hotel assistant. You handle hotel searching, booking and
+        cancellations. When the user searches for a hotel, mention it's name, id,
+        location and price tier. Always mention hotel ids while performing any
+        searches. This is very important for any operations. For any bookings or
+        cancellations, please provide the appropriate confirmation. Be sure to
+        update checkin or checkout dates if mentioned by the user.
+        Don't ask for confirmations from the user.
+      """
+
+      root_agent = Agent(
+          model='gemini-2.0-flash-001',
+          name='hotel_agent',
+          description='A helpful AI assistant.',
+          instruction=prompt,
+          tools=toolbox_client.load_toolset("my-toolset"),
+      )
+
+      session_service = InMemorySessionService()
+      artifacts_service = InMemoryArtifactService()
+      session = await session_service.create_session(
+          state={}, app_name='hotel_agent', user_id='123'
+      )
+      runner = Runner(
+          app_name='hotel_agent',
+          agent=root_agent,
+          artifact_service=artifacts_service,
+          session_service=session_service,
+      )
+
+      queries = [
+          "Find hotels in Basel with Basel in its name.",
+          "Can you book the Hilton Basel for me?",
+          "Oh wait, this is too expensive. Please cancel it and book the Hyatt Regency instead.",
+          "My check in dates would be from April 10, 2024 to April 19, 2024.",
+      ]
+
+      for query in queries:
+          content = types.Content(role='user', parts=[types.Part(text=query)])
+          events = runner.run(session_id=session.id,
+                              user_id='123', new_message=content)
+
+          responses = (
+            part.text
+            for event in events
+            for part in event.content.parts
+            if part.text is not None
+          )
+
+          for text in responses:
+            print(text)
+
+asyncio.run(main())
--- a/docs/en/getting-started/quickstart/python/core/quickstart.py
+++ b/docs/en/getting-started/quickstart/python/core/quickstart.py
@@ -0,0 +1,108 @@
+import asyncio
+
+from google import genai
+from google.genai.types import (
+    Content,
+    FunctionDeclaration,
+    GenerateContentConfig,
+    Part,
+    Tool,
+)
+
+from toolbox_core import ToolboxClient
+
+prompt = """
+  You're a helpful hotel assistant. You handle hotel searching, booking and
+  cancellations. When the user searches for a hotel, mention it's name, id,
+  location and price tier. Always mention hotel id while performing any
+  searches. This is very important for any operations. For any bookings or
+  cancellations, please provide the appropriate confirmation. Be sure to
+  update checkin or checkout dates if mentioned by the user.
+  Don't ask for confirmations from the user.
+"""
+
+queries = [
+    "Find hotels in Basel with Basel in its name.",
+    "Please book the hotel Hilton Basel for me.",
+    "This is too expensive. Please cancel it.",
+    "Please book Hyatt Regency for me",
+    "My check in dates for my booking would be from April 10, 2024 to April 19, 2024.",
+]
+
+async def main():
+    async with ToolboxClient("http://127.0.0.1:5000") as toolbox_client:
+
+        # The toolbox_tools list contains Python callables (functions/methods) designed for LLM tool-use
+        # integration. While this example uses Google's genai client, these callables can be adapted for
+        # various function-calling or agent frameworks. For easier integration with supported frameworks
+        # (https://github.com/googleapis/mcp-toolbox-python-sdk/tree/main/packages), use the
+        # provided wrapper packages, which handle framework-specific boilerplate.
+        toolbox_tools = await toolbox_client.load_toolset("my-toolset")
+        genai_client = genai.Client(
+            vertexai=True, project="project-id", location="us-central1"
+        )
+
+        genai_tools = [
+            Tool(
+                function_declarations=[
+                    FunctionDeclaration.from_callable_with_api_option(callable=tool)
+                ]
+            )
+            for tool in toolbox_tools
+        ]
+        history = []
+        for query in queries:
+            user_prompt_content = Content(
+                role="user",
+                parts=[Part.from_text(text=query)],
+            )
+            history.append(user_prompt_content)
+
+            response = genai_client.models.generate_content(
+                model="gemini-2.0-flash-001",
+                contents=history,
+                config=GenerateContentConfig(
+                    system_instruction=prompt,
+                    tools=genai_tools,
+                ),
+            )
+            history.append(response.candidates[0].content)
+            function_response_parts = []
+            for function_call in response.function_calls:
+                fn_name = function_call.name
+                # The tools are sorted alphabetically
+                if fn_name == "search-hotels-by-name":
+                    function_result = await toolbox_tools[3](**function_call.args)
+                elif fn_name == "search-hotels-by-location":
+                    function_result = await toolbox_tools[2](**function_call.args)
+                elif fn_name == "book-hotel":
+                    function_result = await toolbox_tools[0](**function_call.args)
+                elif fn_name == "update-hotel":
+                    function_result = await toolbox_tools[4](**function_call.args)
+                elif fn_name == "cancel-hotel":
+                    function_result = await toolbox_tools[1](**function_call.args)
+                else:
+                    raise ValueError("Function name not present.")
+                function_response = {"result": function_result}
+                function_response_part = Part.from_function_response(
+                    name=function_call.name,
+                    response=function_response,
+                )
+                function_response_parts.append(function_response_part)
+
+            if function_response_parts:
+                tool_response_content = Content(role="tool", parts=function_response_parts)
+                history.append(tool_response_content)
+
+            response2 = genai_client.models.generate_content(
+                model="gemini-2.0-flash-001",
+                contents=history,
+                config=GenerateContentConfig(
+                    tools=genai_tools,
+                ),
+            )
+            final_model_response_content = response2.candidates[0].content
+            history.append(final_model_response_content)
+            print(response2.text)
+
+asyncio.run(main())
--- a/docs/en/getting-started/quickstart/python/langchain/quickstart.py
+++ b/docs/en/getting-started/quickstart/python/langchain/quickstart.py
@@ -0,0 +1,52 @@
+import asyncio
+
+from langgraph.prebuilt import create_react_agent
+
+# TODO(developer): replace this with another import if needed
+
+from langchain_google_vertexai import ChatVertexAI
+
+# from langchain_google_genai import ChatGoogleGenerativeAI
+
+# from langchain_anthropic import ChatAnthropic
+
+from langgraph.checkpoint.memory import MemorySaver
+
+from toolbox_langchain import ToolboxClient
+
+prompt = """
+  You're a helpful hotel assistant. You handle hotel searching, booking and
+  cancellations. When the user searches for a hotel, mention it's name, id,
+  location and price tier. Always mention hotel ids while performing any
+  searches. This is very important for any operations. For any bookings or
+  cancellations, please provide the appropriate confirmation. Be sure to
+  update checkin or checkout dates if mentioned by the user.
+  Don't ask for confirmations from the user.
+"""
+
+queries = [
+    "Find hotels in Basel with Basel in its name.",
+    "Can you book the Hilton Basel for me?",
+    "Oh wait, this is too expensive. Please cancel it and book the Hyatt Regency instead.",
+    "My check in dates would be from April 10, 2024 to April 19, 2024.",
+]
+
+async def main():
+    # TODO(developer): replace this with another model if needed
+    model = ChatVertexAI(model_name="gemini-2.0-flash-001")
+    # model = ChatGoogleGenerativeAI(model="gemini-2.0-flash-001")
+    # model = ChatAnthropic(model="claude-3-5-sonnet-20240620")
+
+    # Load the tools from the Toolbox server
+    async with ToolboxClient("http://127.0.0.1:5000") as client:
+        tools = await client.aload_toolset()
+
+        agent = create_react_agent(model, tools, checkpointer=MemorySaver())
+
+        config = {"configurable": {"thread_id": "thread-1"}}
+        for query in queries:
+            inputs = {"messages": [("user", prompt + query)]}
+            response = agent.invoke(inputs, stream_mode="values", config=config)
+            print(response["messages"][-1].content)
+
+asyncio.run(main())
--- a/docs/en/getting-started/quickstart/python/llamaindex/quickstart.py
+++ b/docs/en/getting-started/quickstart/python/llamaindex/quickstart.py
@@ -0,0 +1,63 @@
+import asyncio
+import os
+
+from llama_index.core.agent.workflow import AgentWorkflow
+
+from llama_index.core.workflow import Context
+
+# TODO(developer): replace this with another import if needed
+
+from llama_index.llms.google_genai import GoogleGenAI
+
+# from llama_index.llms.anthropic import Anthropic
+
+from toolbox_llamaindex import ToolboxClient
+
+prompt = """
+  You're a helpful hotel assistant. You handle hotel searching, booking and
+  cancellations. When the user searches for a hotel, mention it's name, id,
+  location and price tier. Always mention hotel ids while performing any
+  searches. This is very important for any operations. For any bookings or
+  cancellations, please provide the appropriate confirmation. Be sure to
+  update checkin or checkout dates if mentioned by the user.
+  Don't ask for confirmations from the user.
+"""
+
+queries = [
+    "Find hotels in Basel with Basel in its name.",
+    "Can you book the Hilton Basel for me?",
+    "Oh wait, this is too expensive. Please cancel it and book the Hyatt Regency instead.",
+    "My check in dates would be from April 10, 2024 to April 19, 2024.",
+]
+
+async def main():
+    # TODO(developer): replace this with another model if needed
+    llm = GoogleGenAI(
+        model="gemini-2.0-flash-001",
+        vertexai_config={"project": "project-id", "location": "us-central1"},
+    )
+    # llm = GoogleGenAI(
+    #     api_key=os.getenv("GOOGLE_API_KEY"),
+    #     model="gemini-2.0-flash-001",
+    # )
+    # llm = Anthropic(
+    #   model="claude-3-7-sonnet-latest",
+    #   api_key=os.getenv("ANTHROPIC_API_KEY")
+    # )
+
+    # Load the tools from the Toolbox server
+    async with ToolboxClient("http://127.0.0.1:5000") as client:
+        tools = await client.aload_toolset()
+
+        agent = AgentWorkflow.from_tools_or_functions(
+            tools,
+            llm=llm,
+            system_prompt=prompt,
+        )
+        ctx = Context(agent)
+        for query in queries:
+            response = await agent.run(user_msg=query, ctx=ctx)
+            print(f"---- {query} ----")
+            print(str(response))
+
+asyncio.run(main())
--- a/docs/en/getting-started/quickstart/shared/configure_toolbox.md
+++ b/docs/en/getting-started/quickstart/shared/configure_toolbox.md
@@ -13,7 +13,7 @@ In this section, we will download Toolbox, configure our tools in a
    <!-- {x-release-please-start-version} -->
    ```bash
    export OS="linux/amd64" # one of linux/amd64, darwin/arm64, darwin/amd64, or windows/amd64
-    curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/$OS/toolbox
+    curl -O https://storage.googleapis.com/genai-toolbox/v0.14.0/$OS/toolbox
    ```
    <!-- {x-release-please-end} -->

--- a/docs/en/how-to/connect-ide/firestore_mcp.md
+++ b/docs/en/how-to/connect-ide/firestore_mcp.md
@@ -6,328 +6,9 @@ description: >
  Connect your IDE to Firestore using Toolbox.
 ---

-[Model Context Protocol (MCP)](https://modelcontextprotocol.io/introduction) is
-an open protocol for connecting Large Language Models (LLMs) to data sources
-like Firestore. This guide covers how to use [MCP Toolbox for Databases][toolbox]
-to expose your developer assistant tools to a Firestore instance:
-
-* [Cursor][cursor]
-* [Windsurf][windsurf] (Codium)
-* [Visual Studio Code][vscode] (Copilot)
-* [Cline][cline]  (VS Code extension)
-* [Claude desktop][claudedesktop]
-* [Claude code][claudecode]
-* [Gemini CLI][geminicli]
-* [Gemini Code Assist][geminicodeassist]
-
-[toolbox]: https://github.com/googleapis/genai-toolbox
-[cursor]: #configure-your-mcp-client
-[windsurf]: #configure-your-mcp-client
-[vscode]: #configure-your-mcp-client
-[cline]: #configure-your-mcp-client
-[claudedesktop]: #configure-your-mcp-client
-[claudecode]: #configure-your-mcp-client
-[geminicli]: #configure-your-mcp-client
-[geminicodeassist]: #configure-your-mcp-client
-
-## Set up Firestore
-
-1. Create or select a Google Cloud project.
-
-    * [Create a new
-      project](https://cloud.google.com/resource-manager/docs/creating-managing-projects)
-    * [Select an existing
-      project](https://cloud.google.com/resource-manager/docs/creating-managing-projects#identifying_projects)
-
-1. [Enable the Firestore
-   API](https://console.cloud.google.com/apis/library/firestore.googleapis.com)
-   for your project.
-
-1. [Create a Firestore
-   database](https://cloud.google.com/firestore/docs/create-database-web-mobile-client-library)
-   if you haven't already.
-
-1. Set up authentication for your local environment.
-
-    * [Install gcloud CLI](https://cloud.google.com/sdk/docs/install)
-    * Run `gcloud auth application-default login` to authenticate
-
-## Install MCP Toolbox
-
-1. Download the latest version of Toolbox as a binary. Select the [correct
-   binary](https://github.com/googleapis/genai-toolbox/releases) corresponding
-   to your OS and CPU architecture. You are required to use Toolbox version
-   V0.10.0+:
-
-   <!-- {x-release-please-start-version} -->
-   {{< tabpane persist=header >}}
-{{< tab header="linux/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/linux/amd64/toolbox
-{{< /tab >}}
-
-{{< tab header="darwin/arm64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/darwin/arm64/toolbox
-{{< /tab >}}
-
-{{< tab header="darwin/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/darwin/amd64/toolbox
-{{< /tab >}}
-
-{{< tab header="windows/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/windows/amd64/toolbox
-{{< /tab >}}
-{{< /tabpane >}}
-    <!-- {x-release-please-end} -->
-
-1. Make the binary executable:
-
-    ```bash
-    chmod +x toolbox
-    ```
-
-1. Verify the installation:
-
-    ```bash
-    ./toolbox --version
-    ```
-
-## Configure your MCP Client
-
-{{< tabpane text=true >}}
-{{% tab header="Claude code" lang="en" %}}
-
-1. Install [Claude
-   Code](https://docs.anthropic.com/en/docs/agents-and-tools/claude-code/overview).
-1. Create a `.mcp.json` file in your project root if it doesn't exist.
-1. Add the following configuration, replace the environment variables with your
-   values, and save:
-
-    ```json
-    {
-      "mcpServers": {
-        "firestore": {
-          "command": "./PATH/TO/toolbox",
-          "args": ["--prebuilt","firestore","--stdio"],
-          "env": {
-            "FIRESTORE_PROJECT": "your-project-id",
-            "FIRESTORE_DATABASE": "(default)"
-          }
-        }
-      }
-    }
-    ```
-
-1. Restart Claude code to apply the new configuration.
-{{% /tab %}}
-
-{{% tab header="Claude desktop" lang="en" %}}
-
-1. Open [Claude desktop](https://claude.ai/download) and navigate to Settings.
-1. Under the Developer tab, tap Edit Config to open the configuration file.
-1. Add the following configuration, replace the environment variables with your
-   values, and save:
-
-    ```json
-    {
-      "mcpServers": {
-        "firestore": {
-          "command": "./PATH/TO/toolbox",
-          "args": ["--prebuilt","firestore","--stdio"],
-          "env": {
-            "FIRESTORE_PROJECT": "your-project-id",
-            "FIRESTORE_DATABASE": "(default)"
-          }
-        }
-      }
-    }
-    ```
-
-1. Restart Claude desktop.
-1. From the new chat screen, you should see a hammer (MCP) icon appear with the
-   new MCP server available.
-{{% /tab %}}
-
-{{% tab header="Cline" lang="en" %}}
-
-1. Open the [Cline](https://github.com/cline/cline) extension in VS Code and tap
-   the **MCP Servers** icon.
-1. Tap Configure MCP Servers to open the configuration file.
-1. Add the following configuration, replace the environment variables with your
-   values, and save:
-
-    ```json
-    {
-      "mcpServers": {
-        "firestore": {
-          "command": "./PATH/TO/toolbox",
-          "args": ["--prebuilt","firestore","--stdio"],
-          "env": {
-            "FIRESTORE_PROJECT": "your-project-id",
-            "FIRESTORE_DATABASE": "(default)"
-          }
-        }
-      }
-    }
-    ```
-
-1. You should see a green active status after the server is successfully
-   connected.
-{{% /tab %}}
-
-{{% tab header="Cursor" lang="en" %}}
-
-1. Create a `.cursor` directory in your project root if it doesn't exist.
-1. Create a `.cursor/mcp.json` file if it doesn't exist and open it.
-1. Add the following configuration, replace the environment variables with your
-   values, and save:
-
-    ```json
-    {
-      "mcpServers": {
-        "firestore": {
-          "command": "./PATH/TO/toolbox",
-          "args": ["--prebuilt","firestore","--stdio"],
-          "env": {
-            "FIRESTORE_PROJECT": "your-project-id",
-            "FIRESTORE_DATABASE": "(default)"
-          }
-        }
-      }
-    }
-    ```
-
-1. [Cursor](https://www.cursor.com/) and navigate to **Settings > Cursor
-   Settings > MCP**. You should see a green active status after the server is
-   successfully connected.
-{{% /tab %}}
-
-{{% tab header="Visual Studio Code (Copilot)" lang="en" %}}
-
-1. Open [VS Code](https://code.visualstudio.com/docs/copilot/overview) and
-   create a `.vscode` directory in your project root if it doesn't exist.
-1. Create a `.vscode/mcp.json` file if it doesn't exist and open it.
-1. Add the following configuration, replace the environment variables with your
-   values, and save:
-
-    ```json
-    {
-      "mcpServers": {
-        "firestore": {
-          "command": "./PATH/TO/toolbox",
-          "args": ["--prebuilt","firestore","--stdio"],
-          "env": {
-            "FIRESTORE_PROJECT": "your-project-id",
-            "FIRESTORE_DATABASE": "(default)"
-          }
-        }
-      }
-    }
-    ```
-
-{{% /tab %}}
-
-{{% tab header="Windsurf" lang="en" %}}
-
-1. Open [Windsurf](https://docs.codeium.com/windsurf) and navigate to the
-   Cascade assistant.
-1. Tap on the hammer (MCP) icon, then Configure to open the configuration file.
-1. Add the following configuration, replace the environment variables with your
-   values, and save:
-
-    ```json
-    {
-      "mcpServers": {
-        "firestore": {
-          "command": "./PATH/TO/toolbox",
-          "args": ["--prebuilt","firestore","--stdio"],
-          "env": {
-            "FIRESTORE_PROJECT": "your-project-id",
-            "FIRESTORE_DATABASE": "(default)"
-          }
-        }
-      }
-    }
-
-    ```
-
-{{% /tab %}}
-{{% tab header="Gemini CLI" lang="en" %}}
-
-1. Install the [Gemini
-   CLI](https://github.com/google-gemini/gemini-cli?tab=readme-ov-file#quickstart).
-1. In your working directory, create a folder named `.gemini`. Within it, create
-   a `settings.json` file.
-1. Add the following configuration, replace the environment variables with your
-   values, and then save:
-
-    ```json
-    {
-      "mcpServers": {
-        "firestore": {
-          "command": "./PATH/TO/toolbox",
-          "args": ["--prebuilt","firestore","--stdio"],
-          "env": {
-            "FIRESTORE_PROJECT": "your-project-id",
-            "FIRESTORE_DATABASE": "(default)"
-          }
-        }
-      }
-    }
-
-    ```
-
-{{% /tab %}}
-{{% tab header="Gemini Code Assist" lang="en" %}}
-
-1. Install the [Gemini Code
-   Assist](https://marketplace.visualstudio.com/items?itemName=Google.geminicodeassist)
-   extension in Visual Studio Code.
-1. Enable Agent Mode in Gemini Code Assist chat.
-1. In your working directory, create a folder named `.gemini`. Within it, create
-   a `settings.json` file.
-1. Add the following configuration, replace the environment variables with your
-   values, and then save:
-
-    ```json
-    {
-      "mcpServers": {
-        "firestore": {
-          "command": "./PATH/TO/toolbox",
-          "args": ["--prebuilt","firestore","--stdio"],
-          "env": {
-            "FIRESTORE_PROJECT": "your-project-id",
-            "FIRESTORE_DATABASE": "(default)"
-          }
-        }
-      }
-    }
-
-    ```
-
-{{% /tab %}}
-{{< /tabpane >}}
-
-## Use Tools
-
-Your AI tool is now connected to Firestore using MCP. Try asking your AI
-assistant to list collections, get documents, query collections, or manage
-security rules.
-
-The following tools are available to the LLM:
-
-1. **firestore-get-documents**: Gets multiple documents from Firestore by their
-   paths
-1. **firestore-list-collections**: List Firestore collections for a given parent
-   path
-1. **firestore-delete-documents**: Delete multiple documents from Firestore
-1. **firestore-query-collection**: Query documents from a collection with
-   filtering, ordering, and limit options
-1. **firestore-get-rules**: Retrieves the active Firestore security rules for
-   the current project
-1. **firestore-validate-rules**: Validates Firestore security rules syntax and
-   errors
-
-{{< notice note >}}
-Prebuilt tools are pre-1.0, so expect some tool changes between versions. LLMs
-will adapt to the tools available, so this shouldn't affect most users.
-{{< /notice >}}
+<html>
+  <head>
+    <link rel="canonical" href="https://cloud.google.com/firestore/native/docs/connect-ide-using-mcp-toolbox"/>
+    <meta http-equiv="refresh" content="0;url=https://cloud.google.com/firestore/native/docs/connect-ide-using-mcp-toolbox"/>
+  </head>
+</html>
--- a/docs/en/how-to/connect-ide/looker_mcp.md
+++ b/docs/en/how-to/connect-ide/looker_mcp.md
@@ -48,19 +48,19 @@ to expose your developer assistant tools to a Looker instance:
   <!-- {x-release-please-start-version} -->
 {{< tabpane persist=header >}}
 {{< tab header="linux/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/linux/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.14.0/linux/amd64/toolbox
 {{< /tab >}}

 {{< tab header="darwin/arm64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/darwin/arm64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.14.0/darwin/arm64/toolbox
 {{< /tab >}}

 {{< tab header="darwin/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/darwin/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.14.0/darwin/amd64/toolbox
 {{< /tab >}}

 {{< tab header="windows/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/windows/amd64/toolbox.exe
+curl -O https://storage.googleapis.com/genai-toolbox/v0.14.0/windows/amd64/toolbox.exe
 {{< /tab >}}
 {{< /tabpane >}}
    <!-- {x-release-please-end} -->
@@ -235,7 +235,7 @@ curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/windows/amd64/toolb

    ```json
    {
-      "mcpServers": {
+      "servers": {
        "looker-toolbox": {
          "command": "./PATH/TO/toolbox",
          "args": ["--stdio", "--prebuilt", "looker"],
--- a/docs/en/how-to/connect-ide/mssql_mcp.md
+++ b/docs/en/how-to/connect-ide/mssql_mcp.md
@@ -37,19 +37,19 @@ description: "Connect your IDE to SQL Server using Toolbox."
   <!-- {x-release-please-start-version} -->
   {{< tabpane persist=header >}}
 {{< tab header="linux/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/linux/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.14.0/linux/amd64/toolbox
 {{< /tab >}}

 {{< tab header="darwin/arm64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/darwin/arm64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.14.0/darwin/arm64/toolbox
 {{< /tab >}}

 {{< tab header="darwin/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/darwin/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.14.0/darwin/amd64/toolbox
 {{< /tab >}}

 {{< tab header="windows/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/windows/amd64/toolbox.exe
+curl -O https://storage.googleapis.com/genai-toolbox/v0.14.0/windows/amd64/toolbox.exe
 {{< /tab >}}
 {{< /tabpane >}}
    <!-- {x-release-please-end} -->
@@ -182,19 +182,17 @@ curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/windows/amd64/toolb

    ```json
    {
-    "mcp" : {
-        "servers": {
-        "cloud-sql-sqlserver": {
-            "command": "./PATH/TO/toolbox",
-            "args": ["--prebuilt","cloud-sql-mssql","--stdio"],
-            "env": {
-              "MSSQL_HOST": "",
-              "MSSQL_PORT": "",
-              "MSSQL_DATABASE": "",
-              "MSSQL_USER": "",
-              "MSSQL_PASSWORD": ""
-            }
-         }
+      "servers": {
+        "mssql": {
+          "command": "./PATH/TO/toolbox",
+          "args": ["--prebuilt","mssql","--stdio"],
+          "env": {
+            "MSSQL_HOST": "",
+            "MSSQL_PORT": "",
+            "MSSQL_DATABASE": "",
+            "MSSQL_USER": "",
+            "MSSQL_PASSWORD": ""
+          }
        }
      }
    }
@@ -286,4 +284,4 @@ The following tools are available to the LLM:

 {{< notice note >}}
 Prebuilt tools are pre-1.0, so expect some tool changes between versions. LLMs will adapt to the tools available, so this shouldn't affect most users.
-{{< /notice >}}
+{{< /notice >}}
--- a/docs/en/how-to/connect-ide/mysql_mcp.md
+++ b/docs/en/how-to/connect-ide/mysql_mcp.md
@@ -37,19 +37,19 @@ description: "Connect your IDE to MySQL using Toolbox."
   <!-- {x-release-please-start-version} -->
   {{< tabpane persist=header >}}
 {{< tab header="linux/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/linux/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.14.0/linux/amd64/toolbox
 {{< /tab >}}

 {{< tab header="darwin/arm64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/darwin/arm64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.14.0/darwin/arm64/toolbox
 {{< /tab >}}

 {{< tab header="darwin/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/darwin/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.14.0/darwin/amd64/toolbox
 {{< /tab >}}

 {{< tab header="windows/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/windows/amd64/toolbox.exe
+curl -O https://storage.googleapis.com/genai-toolbox/v0.14.0/windows/amd64/toolbox.exe
 {{< /tab >}}
 {{< /tabpane >}}
    <!-- {x-release-please-end} -->
@@ -182,7 +182,7 @@ curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/windows/amd64/toolb

    ```json
    {
-      "mcpServers": {
+      "servers": {
        "mysql": {
          "command": "./PATH/TO/toolbox",
          "args": ["--prebuilt","mysql","--stdio"],
--- a/docs/en/how-to/connect-ide/postgres_mcp.md
+++ b/docs/en/how-to/connect-ide/postgres_mcp.md
@@ -56,19 +56,19 @@ Omni](https://cloud.google.com/alloydb/omni/current/docs/overview).
   <!-- {x-release-please-start-version} -->
   {{< tabpane persist=header >}}
 {{< tab header="linux/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/linux/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.14.0/linux/amd64/toolbox
 {{< /tab >}}

 {{< tab header="darwin/arm64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/darwin/arm64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.14.0/darwin/arm64/toolbox
 {{< /tab >}}

 {{< tab header="darwin/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/darwin/amd64/toolbox
+curl -O https://storage.googleapis.com/genai-toolbox/v0.14.0/darwin/amd64/toolbox
 {{< /tab >}}

 {{< tab header="windows/amd64" lang="bash" >}}
-curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/windows/amd64/toolbox.exe
+curl -O https://storage.googleapis.com/genai-toolbox/v0.14.0/windows/amd64/toolbox.exe
 {{< /tab >}}
 {{< /tabpane >}}
    <!-- {x-release-please-end} -->
@@ -217,7 +217,7 @@ curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/windows/amd64/toolb

    ```json
    {
-      "mcpServers": {
+      "servers": {
        "postgres": {
          "command": "./PATH/TO/toolbox",
          "args": ["--prebuilt","postgres","--stdio"],
--- a/docs/en/reference/prebuilt-tools.md
+++ b/docs/en/reference/prebuilt-tools.md
@@ -19,8 +19,10 @@ See guides, [Connect from your IDE](../how-to/connect-ide/_index.md), for detail
    *   `ALLOYDB_POSTGRES_CLUSTER`: The ID of your AlloyDB cluster.
    *   `ALLOYDB_POSTGRES_INSTANCE`: The ID of your AlloyDB instance.
    *   `ALLOYDB_POSTGRES_DATABASE`: The name of the database to connect to.
-    *   `ALLOYDB_POSTGRES_USER`: The database username.
-    *   `ALLOYDB_POSTGRES_PASSWORD`: The password for the database user.
+    *   `ALLOYDB_POSTGRES_USER`: The database username. Defaults to IAM authentication if unspecified.
+    *   `ALLOYDB_POSTGRES_PASSWORD`: The password for the database user. Defaults to IAM authentication if unspecified.
+    *   `ALLOYDB_POSTGRES_IP_TYPE`: The IP type i.e. "Public
+     or "Private" (Default: Public).
 *   **Permissions:**
    *   **AlloyDB Client** (`roles/alloydb.client`) to connect to the instance.
    *   Database-level permissions (e.g., `SELECT`, `INSERT`) are required to execute queries.
@@ -53,8 +55,11 @@ See guides, [Connect from your IDE](../how-to/connect-ide/_index.md), for detail
    *   **BigQuery User** (`roles/bigquery.user`) to execute queries and view metadata.
    *   **BigQuery Metadata Viewer** (`roles/bigquery.metadataViewer`) to view all datasets.
    *   **BigQuery Data Editor** (`roles/bigquery.dataEditor`) to create or modify datasets and tables.
+    *   **Gemini for Google Cloud** (`roles/cloudaicompanion.user`) to use the conversational analytics API.
 *   **Tools:**
+    *   `ask_data_insights`: Use this tool to perform data analysis, get insights, or answer complex questions about the contents of specific BigQuery tables. For more information on required roles, API setup, and IAM configuration, see the setup and authentication section of the [Conversational Analytics API documentation](https://cloud.google.com/gemini/docs/conversational-analytics-api/overview).
    *   `execute_sql`: Executes a SQL statement.
+    *   `forecast`: Use this tool to forecast time series data.
    *   `get_dataset_info`: Gets dataset metadata.
    *   `get_table_info`: Gets table metadata.
    *   `list_dataset_ids`: Lists datasets.
--- a/docs/en/resources/sources/bigquery.md
+++ b/docs/en/resources/sources/bigquery.md
@@ -36,12 +36,15 @@ avoiding full table scans or complex filters.

 ## Available Tools

- [`bigquery-sql`](../tools/bigquery/bigquery-sql.md)  
-  Run SQL queries directly against BigQuery datasets.
+- [`bigquery-conversational-analytics`](../tools/bigquery/bigquery-conversational-analytics.md)
+  Allows conversational interaction with a BigQuery source.

 - [`bigquery-execute-sql`](../tools/bigquery/bigquery-execute-sql.md)  
  Execute structured queries using parameters.

+- [`bigquery-forecast`](../tools/bigquery/bigquery-forecast.md)
+  Forecasts time series data in BigQuery.
+
 - [`bigquery-get-dataset-info`](../tools/bigquery/bigquery-get-dataset-info.md)  
  Retrieve metadata for a specific dataset.

@@ -54,6 +57,9 @@ avoiding full table scans or complex filters.
 - [`bigquery-list-table-ids`](../tools/bigquery/bigquery-list-table-ids.md)  
  List tables in a given dataset.

+- [`bigquery-sql`](../tools/bigquery/bigquery-sql.md)  
+  Run SQL queries directly against BigQuery datasets.
+
 ### Pre-built Configurations

 - [BigQuery using MCP](https://googleapis.github.io/genai-toolbox/how-to/connect-ide/bigquery_mcp/)  
@@ -65,34 +71,64 @@ Connect your IDE to BigQuery using Toolbox.

 BigQuery uses [Identity and Access Management (IAM)][iam-overview] to control
 user and group access to BigQuery resources like projects, datasets, and tables.
-Toolbox will use your [Application Default Credentials (ADC)][adc] to authorize
-and authenticate when interacting with [BigQuery][bigquery-docs].

-In addition to [setting the ADC for your server][set-adc], you need to ensure
-the IAM identity has been given the correct IAM permissions for the queries
-you intend to run. Common roles include `roles/bigquery.user` (which includes
-permissions to run jobs and read data) or `roles/bigquery.dataViewer`. See
-[Introduction to BigQuery IAM][grant-permissions] for more information on
-applying IAM permissions and roles to an identity.
+### Authentication via Application Default Credentials (ADC)
+
+By **default**, Toolbox will use your [Application Default Credentials (ADC)][adc] to authorize and authenticate when interacting with [BigQuery][bigquery-docs].
+
+When using this method, you need to ensure the IAM identity associated with your
+ADC (such as a service account) has the correct permissions for the queries you
+intend to run. Common roles include `roles/bigquery.user` (which includes
+permissions to run jobs and read data) or `roles/bigbigquery.dataViewer`.
+Follow this [guide][set-adc] to set up your ADC.
+
+### Authentication via User's OAuth Access Token
+
+If the `useClientOAuth` parameter is set to `true`, Toolbox will instead use the
+OAuth access token for authentication. This token is parsed from the
+`Authorization` header passed in with the tool invocation request. This method
+allows Toolbox to make queries to [BigQuery][bigquery-docs] on behalf of the
+client or the end-user.
+
+When using this on-behalf-of authentication, you must ensure that the
+identity used has been granted the correct IAM permissions. Currently,
+this option is only supported by the following BigQuery tools:
+
+- [`bigquery-sql`](../tools/bigquery/bigquery-sql.md)  
+  Run SQL queries directly against BigQuery datasets.

 [iam-overview]: https://cloud.google.com/bigquery/docs/access-control
 [adc]: https://cloud.google.com/docs/authentication#adc
 [set-adc]: https://cloud.google.com/docs/authentication/provide-credentials-adc
-[grant-permissions]: https://cloud.google.com/bigquery/docs/access-control

 ## Example

+Initialize a BigQuery source that uses ADC:
+
 ```yaml
 sources:
  my-bigquery-source:
    kind: "bigquery"
    project: "my-project-id"
+    # location: "US" # Optional: Specifies the location for query jobs.
+```
+
+Initialize a BigQuery source that uses the client's access token:
+
+```yaml
+sources:
+  my-bigquery-client-auth-source:
+    kind: "bigquery"
+    project: "my-project-id"
+    useClientOAuth: true
+    # location: "US" # Optional: Specifies the location for query jobs.
 ```

 ## Reference

-| **field** | **type** | **required** | **description**                                                               |
-|-----------|:--------:|:------------:|-------------------------------------------------------------------------------|
-| kind      |  string  |     true     | Must be "bigquery".                                                           |
-| project   |  string  |     true     | Id of the GCP project that the cluster was created in (e.g. "my-project-id"). |
-| location  |  string  |    false     | Specifies the location (e.g., 'us', 'asia-northeast1') in which to run the query job. This location must match the location of any tables referenced in the query. The default behavior is for it to be executed in the US multi-region |
+| **field**      | **type** | **required** | **description**                                                                                                                                                                                                                         |
+|----------------|:--------:|:------------:|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| kind           |  string  |     true     | Must be "bigquery".                                                                                                                                                                                                                     |
+| project        |  string  |     true     | Id of the Google Cloud project to use for billing and as the default project for BigQuery resources.                                                                               |
+| location       |  string  |    false     | Specifies the location (e.g., 'us', 'asia-northeast1') in which to run the query job. This location must match the location of any tables referenced in the query. Defaults to the table's location or 'US' if the location cannot be determined. [Learn More](https://cloud.google.com/bigquery/docs/locations) |
+| useClientOAuth |   bool   |    false     | If true, forwards the client's OAuth access token from the "Authorization" header to downstream queries.                                                                                                                                |
--- a/docs/en/resources/sources/clickhouse.md
+++ b/docs/en/resources/sources/clickhouse.md
@@ -0,0 +1,91 @@
+---
+title: "ClickHouse"
+type: docs
+weight: 1
+description: >
+  ClickHouse is an open-source, OLTP database.
+
+---
+
+## About
+
+[ClickHouse][clickhouse-docs] is a fast, open-source, column-oriented database 
+
+[clickhouse-docs]: https://clickhouse.com/docs
+
+## Available Tools
+
+- [`clickhouse-execute-sql`](../tools/clickhouse/clickhouse-execute-sql.md)  
+  Execute parameterized SQL queries in ClickHouse with query logging.
+
+- [`clickhouse-sql`](../tools/clickhouse/clickhouse-sql.md)  
+  Execute SQL queries as prepared statements in ClickHouse.
+
+
+## Requirements
+
+### Database User
+
+This source uses standard ClickHouse authentication. You will need to [create a
+ClickHouse user][clickhouse-users] (or with [ClickHouse Cloud][clickhouse-cloud]) to connect to the database with. The user
+should have appropriate permissions for the operations you plan to perform.
+
+[clickhouse-cloud]: https://clickhouse.com/docs/getting-started/quick-start/cloud#connect-with-your-app
+[clickhouse-users]: https://clickhouse.com/docs/en/sql-reference/statements/create/user
+
+### Network Access
+
+ClickHouse supports multiple protocols:
+
+- **HTTPS protocol** (default port 8443) - Secure HTTP access (default)
+- **HTTP protocol** (default port 8123) - Good for web-based access
+
+## Example
+
+### Secure Connection Example
+
+```yaml
+sources:
+    secure-clickhouse-source:
+        kind: clickhouse
+        host: clickhouse.example.com
+        port: "8443"
+        database: analytics
+        user: ${CLICKHOUSE_USER}
+        password: ${CLICKHOUSE_PASSWORD}
+        protocol: https
+        secure: true
+```
+
+### HTTP Protocol Example
+
+```yaml
+sources:
+    http-clickhouse-source:
+        kind: clickhouse
+        host: localhost
+        port: "8123"
+        database: logs
+        user: ${CLICKHOUSE_USER}
+        password: ${CLICKHOUSE_PASSWORD}
+        protocol: http
+        secure: false
+```
+
+{{< notice tip >}}
+Use environment variable replacement with the format ${ENV_NAME}
+instead of hardcoding your secrets into the configuration file.
+{{< /notice >}}
+
+## Reference
+
+| **field**   | **type** | **required** | **description**                                                                    |
+|-------------|:--------:|:------------:|------------------------------------------------------------------------------------|
+| kind        |  string  |     true     | Must be "clickhouse".                                                              |
+| host        |  string  |     true     | IP address or hostname to connect to (e.g. "127.0.0.1" or "clickhouse.example.com") |
+| port        |  string  |     true     | Port to connect to (e.g. "8443" for HTTPS, "8123" for HTTP)                     |
+| database    |  string  |     true     | Name of the ClickHouse database to connect to (e.g. "my_database").              |
+| user        |  string  |     true     | Name of the ClickHouse user to connect as (e.g. "analytics_user").               |
+| password    |  string  |    false     | Password of the ClickHouse user (e.g. "my-password").                             |
+| protocol    |  string  |    false     | Connection protocol: "https" (default) or "http".                      |
+| secure      |  boolean |    false     | Whether to use a secure connection (TLS). Default: false.                         |
--- a/docs/en/resources/sources/looker.md
+++ b/docs/en/resources/sources/looker.md
@@ -47,7 +47,8 @@ a self-signed ssl certificate for the Looker server. Anything other than "true"
 will be interpreted as false.

 The client id and client secret are seemingly random character sequences
-assigned by the looker server.
+assigned by the looker server. If you are using Looker OAuth you don't need
+these settings

 {{< notice tip >}}
 Use environment variable replacement with the format ${ENV_NAME}
@@ -56,11 +57,15 @@ instead of hardcoding your secrets into the configuration file.

 ## Reference

-| **field**     | **type** | **required** | **description**                                                                           |
-| ------------- | :------: | :----------: | ----------------------------------------------------------------------------------------- |
-| kind          |  string  |     true     | Must be "looker".                                                                         |
-| base_url      |  string  |     true     | The URL of your Looker server with no trailing /).                                        |
-| client_id     |  string  |     true     | The client id assigned by Looker.                                                         |
-| client_secret |  string  |     true     | The client secret assigned by Looker.                                                     |
-| verify_ssl    |  string  |     true     | Whether to check the ssl certificate of the server.                                       |
-| timeout       |  string  |    false     | Maximum time to wait for query execution (e.g. "30s", "2m"). By default, 120s is applied. |
+| **field**            | **type** | **required** | **description**                                                                           |
+| -------------------- | :------: | :----------: | ----------------------------------------------------------------------------------------- |
+| kind                 |  string  |     true     | Must be "looker".                                                                         |
+| base_url             |  string  |     true     | The URL of your Looker server with no trailing /).                                        |
+| client_id            |  string  |    false     | The client id assigned by Looker.                                                         |
+| client_secret        |  string  |    false     | The client secret assigned by Looker.                                                     |
+| verify_ssl           |  string  |    false     | Whether to check the ssl certificate of the server.                                       |
+| timeout              |  string  |    false     | Maximum time to wait for query execution (e.g. "30s", "2m"). By default, 120s is applied. |
+| use_client_oauth     |  string  |    false     | Use OAuth tokens instead of client_id and client_secret. (default: false)                 |
+| show_hidden_models   |  string  |    false     | Show or hide hidden models. (default: true)                                               |
+| show_hidden_explores |  string  |    false     | Show or hide hidden explores. (default: true)                                             |
+| show_hidden_fields   |  string  |    false     | Show or hide hidden fields. (default: true)                                               |
--- a/docs/en/resources/sources/mysql.md
+++ b/docs/en/resources/sources/mysql.md
@@ -42,6 +42,9 @@ sources:
        database: my_db
        user: ${USER_NAME}
        password: ${PASSWORD}
+        # Optional TLS and other driver parameters. For example, enable preferred TLS:
+        # queryParams:
+        #     tls: preferred
        queryTimeout: 30s # Optional: query timeout duration
 ```

@@ -61,3 +64,4 @@ instead of hardcoding your secrets into the configuration file.
 | user         |  string  |     true     | Name of the MySQL user to connect as (e.g. "my-mysql-user").                                    |
 | password     |  string  |     true     | Password of the MySQL user (e.g. "my-password").                                                |
 | queryTimeout |  string  |    false     | Maximum time to wait for query execution (e.g. "30s", "2m"). By default, no timeout is applied. |
+| queryParams | map<string,string> | false | Arbitrary DSN parameters passed to the driver (e.g. `tls: preferred`, `charset: utf8mb4`). Useful for enabling TLS or other connection options. |
--- a/docs/en/resources/tools/bigquery/bigquery-conversational-analytics.md
+++ b/docs/en/resources/tools/bigquery/bigquery-conversational-analytics.md
@@ -0,0 +1,54 @@
+---
+title: "bigquery-conversational-analytics"
+type: docs
+weight: 1
+description: > 
+  A "bigquery-conversational-analytics" tool allows conversational interaction with a BigQuery source.
+aliases:
+- /resources/tools/bigquery-conversational-analytics
+---
+
+## About
+
+A `bigquery-conversational-analytics` tool allows you to ask questions about your data in natural language. 
+
+This function takes a user's question (which can include conversational history for context) 
+and references to specific BigQuery tables, and sends them to a stateless conversational API.
+
+The API uses a GenAI agent to understand the question, generate and execute SQL queries 
+and Python code, and formulate an answer. This function returns a detailed, sequential 
+log of this entire process, which includes any generated SQL or Python code, the data 
+retrieved, and the final text answer.
+
+**Note**: This tool requires additional setup in your project. Please refer to the 
+official [Conversational Analytics API documentation](https://cloud.google.com/gemini/docs/conversational-analytics-api/overview)
+for instructions.
+
+It's compatible with the following sources:
+
+- [bigquery](../sources/bigquery.md)
+
+The tool takes the following input parameters:
+
+*   `user_query_with_context`: The user's question, potentially including conversation history and system instructions for context.
+*   `table_references`: A JSON string of a list of BigQuery tables to use as context. Each object in the list must contain `projectId`, `datasetId`, and `tableId`. Example: `'[{"projectId": "my-gcp-project", "datasetId": "my_dataset", "tableId": "my_table"}]'`
+
+## Example
+
+```yaml
+tools:
+  ask_data_insights:
+    kind: bigquery-conversational-analytics
+    source: my-bigquery-source
+    description: |
+      Use this tool to perform data analysis, get insights, or answer complex 
+      questions about the contents of specific BigQuery tables.
+```
+
+## Reference
+| **field**   |                  **type**                  | **required** | **description**                                                                                  |
+|-------------|:------------------------------------------:|:------------:|--------------------------------------------------------------------------------------------------|
+| kind        |                   string                   |     true     | Must be "bigquery-conversational-analytics".                                                     |
+| source      |                   string                   |     true     | Name of the source for chat.                                                    |
+| description |                   string                   |     true     | Description of the tool 
+that is passed to the LLM.                                               |
--- a/docs/en/resources/tools/clickhouse/_index.md
+++ b/docs/en/resources/tools/clickhouse/_index.md
@@ -0,0 +1,7 @@
+---
+title: "ClickHouse"
+type: docs
+weight: 1
+description: >
+  Tools for interacting with ClickHouse databases and tables.
+---
--- a/docs/en/resources/tools/clickhouse/clickhouse-execute-sql.md
+++ b/docs/en/resources/tools/clickhouse/clickhouse-execute-sql.md
@@ -0,0 +1,46 @@
+---
+title: "clickhouse-execute-sql"
+type: docs
+weight: 1
+description: >
+  A "clickhouse-execute-sql" tool executes a SQL statement against a ClickHouse
+  database.
+aliases:
+- /resources/tools/clickhouse-execute-sql
+---
+
+## About
+
+A `clickhouse-execute-sql` tool executes a SQL statement against a ClickHouse
+database. It's compatible with the [clickhouse](../../sources/clickhouse.md) source.
+
+`clickhouse-execute-sql` takes one input parameter `sql` and runs the SQL
+statement against the specified `source`. This tool includes query logging
+capabilities for monitoring and debugging purposes.
+
+> **Note:** This tool is intended for developer assistant workflows with
+> human-in-the-loop and shouldn't be used for production agents.
+
+## Example
+
+```yaml
+tools:
+  execute_sql_tool:
+    kind: clickhouse-execute-sql
+    source: my-clickhouse-instance
+    description: Use this tool to execute SQL statements against ClickHouse.
+```
+
+## Parameters
+
+| **parameter** | **type** | **required** | **description**                                    |
+|---------------|:--------:|:------------:|----------------------------------------------------|
+| sql           |  string  |     true     | The SQL statement to execute against the database |
+
+## Reference
+
+| **field**   | **type** | **required** | **description**                                         |
+|-------------|:--------:|:------------:|---------------------------------------------------------|
+| kind        |  string  |     true     | Must be "clickhouse-execute-sql".                      |
+| source      |  string  |     true     | Name of the ClickHouse source to execute SQL against.  |
+| description |  string  |     true     | Description of the tool that is passed to the LLM.     |
--- a/docs/en/resources/tools/clickhouse/clickhouse-sql.md
+++ b/docs/en/resources/tools/clickhouse/clickhouse-sql.md
@@ -0,0 +1,81 @@
+---
+title: "clickhouse-sql"
+type: docs
+weight: 2
+description: >
+  A "clickhouse-sql" tool executes SQL queries as prepared statements in ClickHouse.
+aliases:
+- /resources/tools/clickhouse-sql
+---
+
+## About
+
+A `clickhouse-sql` tool executes SQL queries as prepared statements against a 
+ClickHouse database. It's compatible with the [clickhouse](../../sources/clickhouse.md) source.
+
+This tool supports both template parameters (for SQL statement customization) 
+and regular parameters (for prepared statement values), providing flexible 
+query execution capabilities.
+
+## Example
+
+```yaml
+tools:
+  my_analytics_query:
+    kind: clickhouse-sql
+    source: my-clickhouse-instance
+    description: Get user analytics for a specific date range
+    statement: |
+      SELECT 
+        user_id,
+        count(*) as event_count,
+        max(timestamp) as last_event
+      FROM events 
+      WHERE date >= ? AND date <= ?
+      GROUP BY user_id
+      ORDER BY event_count DESC
+      LIMIT ?
+    parameters:
+      - name: start_date
+        description: Start date for the query (YYYY-MM-DD format)
+      - name: end_date  
+        description: End date for the query (YYYY-MM-DD format)
+      - name: limit
+        description: Maximum number of results to return
+```
+
+## Template Parameters Example
+
+```yaml
+tools:
+  flexible_table_query:
+    kind: clickhouse-sql
+    source: my-clickhouse-instance
+    description: Query any table with flexible columns
+    statement: |
+      SELECT {{columns}}
+      FROM {{table_name}}
+      WHERE created_date >= ?
+      LIMIT ?
+    templateParameters:
+      - name: columns
+        description: Comma-separated list of columns to select
+      - name: table_name
+        description: Name of the table to query
+    parameters:
+      - name: start_date
+        description: Start date filter
+      - name: limit
+        description: Maximum number of results
+```
+
+## Reference
+
+| **field**          | **type**           | **required** | **description**                                           |
+|--------------------|:------------------:|:------------:|-----------------------------------------------------------|
+| kind               | string             | true         | Must be "clickhouse-sql".                                |
+| source             | string             | true         | Name of the ClickHouse source to execute SQL against.    |
+| description        | string             | true         | Description of the tool that is passed to the LLM.       |
+| statement          | string             | true         | The SQL statement template to execute.                    |
+| parameters         | array of Parameter | false        | Parameters for prepared statement values.                 |
+| templateParameters | array of Parameter | false        | Parameters for SQL statement template customization.     |
--- a/docs/en/resources/tools/looker/looker-get-dimensions.md
+++ b/docs/en/resources/tools/looker/looker-get-dimensions.md
@@ -33,6 +33,29 @@ tools:

          It takes two parameters, the model_name looked up from get_models and the
          explore_name looked up from get_explores.
+
+          If this returns a suggestions field for a dimension, the contents of suggestions
+          can be used as filters for this field. If this returns a suggest_explore and
+          suggest_dimension, a query against that explore and dimension can be used to find
+          valid filters for this field.
+
+```
+
+The response is a json array with the following elements:
+
+```json
+{
+  "name": "field name",
+  "description": "field description",
+  "type": "field type",
+  "label": "field label",
+  "label_short": "field short label",
+  "tags": ["tags", ...],
+  "synonyms": ["synonyms", ...],
+  "suggestions": ["suggestion", ...],
+  "suggest_explore": "explore",
+  "suggest_dimension": "dimension"
+}
 ```

 ## Reference
--- a/docs/en/resources/tools/looker/looker-get-explores.md
+++ b/docs/en/resources/tools/looker/looker-get-explores.md
@@ -21,6 +21,16 @@ It's compatible with the following sources:
 `looker-get-explores` accepts one parameter, the
 `model` id.

+The return type is an array of maps, each map is formatted like:
+
+```json
+{
+    "name": "explore name",
+    "description": "explore description",
+    "label": "explore label",
+    "group_label": "group label"
+}
+```
 ## Example

 ```yaml
--- a/docs/en/resources/tools/looker/looker-get-filters.md
+++ b/docs/en/resources/tools/looker/looker-get-filters.md
@@ -35,6 +35,24 @@ tools:
          explore_name looked up from get_explores.
 ```

+The response is a json array with the following elements:
+
+```json
+{
+  "name": "field name",
+  "description": "field description",
+  "type": "field type",
+  "label": "field label",
+  "label_short": "field short label",
+  "tags": ["tags", ...],
+  "synonyms": ["synonyms", ...],
+  "suggestions": ["suggestion", ...],
+  "suggest_explore": "explore",
+  "suggest_dimension": "dimension"
+}
+```
+
+
 ## Reference

 | **field**   |                  **type**                  | **required** | **description**                                                                                  |
--- a/docs/en/resources/tools/looker/looker-get-measures.md
+++ b/docs/en/resources/tools/looker/looker-get-measures.md
@@ -33,8 +33,32 @@ tools:

          It takes two parameters, the model_name looked up from get_models and the
          explore_name looked up from get_explores.
+
+          If this returns a suggestions field for a measure, the contents of suggestions
+          can be used as filters for this field. If this returns a suggest_explore and
+          suggest_dimension, a query against that explore and dimension can be used to find
+          valid filters for this field.
+
 ```

+The response is a json array with the following elements:
+
+```json
+{
+  "name": "field name",
+  "description": "field description",
+  "type": "field type",
+  "label": "field label",
+  "label_short": "field short label",
+  "tags": ["tags", ...],
+  "synonyms": ["synonyms", ...],
+  "suggestions": ["suggestion", ...],
+  "suggest_explore": "explore",
+  "suggest_dimension": "dimension"
+}
+```
+
+
 ## Reference

 | **field**   |                  **type**                  | **required** | **description**                                                                                  |
--- a/docs/en/resources/tools/looker/looker-get-parameters.md
+++ b/docs/en/resources/tools/looker/looker-get-parameters.md
@@ -35,6 +35,24 @@ tools:
          explore_name looked up from get_explores.
 ```

+The response is a json array with the following elements:
+
+```json
+{
+  "name": "field name",
+  "description": "field description",
+  "type": "field type",
+  "label": "field label",
+  "label_short": "field short label",
+  "tags": ["tags", ...],
+  "synonyms": ["synonyms", ...],
+  "suggestions": ["suggestion", ...],
+  "suggest_explore": "explore",
+  "suggest_dimension": "dimension"
+}
+```
+
+
 ## Reference

 | **field**   |                  **type**                  | **required** | **description**                                                                                  |
--- a/docs/en/samples/alloydb/ai-nl/alloydb_ai_nl.ipynb
+++ b/docs/en/samples/alloydb/ai-nl/alloydb_ai_nl.ipynb
@@ -767,7 +767,7 @@
      },
      "outputs": [],
      "source": [
-        "version = \"0.11.0\" # x-release-please-version\n",
+        "version = \"0.14.0\" # x-release-please-version\n",
        "! curl -L -o /content/toolbox https://storage.googleapis.com/genai-toolbox/v{version}/linux/amd64/toolbox\n",
        "\n",
        "# Make the binary executable\n",
--- a/docs/en/samples/alloydb/mcp_quickstart.md
+++ b/docs/en/samples/alloydb/mcp_quickstart.md
@@ -114,7 +114,7 @@ In this section, we will download and install the Toolbox binary.
    <!-- {x-release-please-start-version} -->
    ```bash
    export OS="linux/amd64" # one of linux/amd64, darwin/arm64, darwin/amd64, or windows/amd64
-    export VERSION="0.11.0"
+    export VERSION="0.14.0"
    curl -O https://storage.googleapis.com/genai-toolbox/v$VERSION/$OS/toolbox
    ```
    <!-- {x-release-please-end} -->
--- a/docs/en/samples/bigquery/colab_quickstart_bigquery.ipynb
+++ b/docs/en/samples/bigquery/colab_quickstart_bigquery.ipynb
@@ -220,7 +220,7 @@
      },
      "outputs": [],
      "source": [
-        "version = \"0.12.0\" # x-release-please-version\n",
+        "version = \"0.14.0\" # x-release-please-version\n",
        "! curl -O https://storage.googleapis.com/genai-toolbox/v{version}/linux/amd64/toolbox\n",
        "\n",
        "# Make the binary executable\n",
--- a/docs/en/samples/bigquery/local_quickstart.md
+++ b/docs/en/samples/bigquery/local_quickstart.md
@@ -179,7 +179,7 @@ to use BigQuery, and then run the Toolbox server.
    <!-- {x-release-please-start-version} -->
    ```bash
    export OS="linux/amd64" # one of linux/amd64, darwin/arm64, darwin/amd64, or windows/amd64
-    curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/$OS/toolbox
+    curl -O https://storage.googleapis.com/genai-toolbox/v0.14.0/$OS/toolbox
    ```
    <!-- {x-release-please-end} -->

--- a/docs/en/samples/bigquery/mcp_quickstart/_index.md
+++ b/docs/en/samples/bigquery/mcp_quickstart/_index.md
@@ -98,7 +98,7 @@ In this section, we will download Toolbox, configure our tools in a
    <!-- {x-release-please-start-version} -->
    ```bash
    export OS="linux/amd64" # one of linux/amd64, darwin/arm64, darwin/amd64, or windows/amd64
-    curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/$OS/toolbox
+    curl -O https://storage.googleapis.com/genai-toolbox/v0.14.0/$OS/toolbox
    ```
    <!-- {x-release-please-end} -->

--- a/docs/en/samples/looker/looker_gemini.md
+++ b/docs/en/samples/looker/looker_gemini.md
@@ -34,7 +34,7 @@ In this section, we will download Toolbox and run the Toolbox server.
    <!-- {x-release-please-start-version} -->
    ```bash
    export OS="linux/amd64" # one of linux/amd64, darwin/arm64, darwin/amd64, or windows/amd64
-    curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/$OS/toolbox
+    curl -O https://storage.googleapis.com/genai-toolbox/v0.14.0/$OS/toolbox
    ```
    <!-- {x-release-please-end} -->

--- a/docs/en/samples/looker/looker_gemini_oauth/_index.md
+++ b/docs/en/samples/looker/looker_gemini_oauth/_index.md
@@ -0,0 +1,140 @@
+---
+title: "Gemini-CLI and OAuth"
+type: docs
+weight: 2
+description: >
+  How to connect to Looker from Gemini-CLI with end-user credentials
+---
+
+## Overview
+
+Gemini-CLI can be configured to get an OAuth token from Looker, then send this
+token to MCP Toolbox as part of the request. MCP Toolbox can then use this token
+to authentincate with Looker. This means that there is no need to get a Looker
+Client ID and Client Secret. This also means that MCP Toolbox can be set up as a
+shared resource.
+
+This configuration requires Toolbox v0.14.0 or later.
+
+## Step 1: Register the OAuth App in Looker
+
+You first need to register the OAuth application. Refer to the documentation
+[here](https://cloud.google.com/looker/docs/api-cors#registering_an_oauth_client_application).
+You may need to ask an administrator to do this for you.
+
+1. Go to the API Explorer application, locate "Register OAuth App", and press
+   the "Run It" button.
+1. Set the `client_guid` to "gemini-cli".
+1. Set the `redirect_uri` to "http://localhost:7777/oauth/callback".
+1. The `display_name` and `description` can be "Gemini-CLI" or anything
+   meaningful.
+1. Set `enabled` to "true".
+1. Check the box confirming that you understand this API will change data.
+1. Click the "Run" button.
+
+    ![OAuth Registration](./registration.png)
+
+## Step 2: Install and configure Toolbox
+
+In this section, we will download Toolbox and run the Toolbox server.
+
+1. Download the latest version of Toolbox as a binary:
+
+    {{< notice tip >}}
+   Select the
+   [correct binary](https://github.com/googleapis/genai-toolbox/releases)
+   corresponding to your OS and CPU architecture.
+    {{< /notice >}}
+    <!-- {x-release-please-start-version} -->
+    ```bash
+    export OS="linux/amd64" # one of linux/amd64, darwin/arm64, darwin/amd64, or windows/amd64
+    curl -O https://storage.googleapis.com/genai-toolbox/v0.14.0/$OS/toolbox
+    ```
+    <!-- {x-release-please-end} -->
+
+1. Make the binary executable:
+
+    ```bash
+    chmod +x toolbox
+    ```
+
+1. Create a file `looker_env` with the settings for your
+   Looker instance.
+
+   ```bash
+    export LOOKER_BASE_URL=https://looker.example.com
+    export LOOKER_VERIFY_SSL=true
+   ```
+
+   In some instances you may need to append `:19999` to
+   the LOOKER_BASE_URL.
+
+1. Load the looker_env file into your environment.
+
+   ```bash
+   source looker_env
+   ```
+
+1. Run the Toolbox server using the prebuilt Looker tools.
+
+    ```bash
+    ./toolbox --prebuilt looker
+    ```
+
+    The toolbox server will begin listening on localhost port 5000. Leave it
+    running and continue in another terminal.
+
+    Later, when it is time to shut everything down, you can quit the toolbox
+    server with Ctrl-C in this terminal window.
+
+## Step 3: Configure Gemini-CLI
+
+1. Edit the file `~/.gemini/settings.json`. Add the following, substituting your
+   Looker server host name for `looker.example.com`.
+
+    ```json
+    "mcpServers": {
+        "looker": {
+            "httpUrl": "http://localhost:5000/mcp",
+            "oauth": {
+                "enabled": true,
+                "clientId": "gemini-cli",
+                "authorizationUrl": "https://looker.example.com/auth",
+                "tokenUrl": "https://looker.example.com/api/token",
+                "scopes": ["cors_api"]
+            }
+        }
+    }
+    ```
+
+    The `authorizationUrl` should point to the URL you use to access Looker via the
+    web UI. The `tokenUrl` should point to the URL you use to access Looker via
+    the API. In some cases you will need to use the port number `:19999` after
+    the host name but before the `/api/token` part.
+
+1. Start Gemini-CLI.
+
+1. Authenticate with the command `/mcp auth looker`. Gemini-CLI will open up a
+   browser where you will confirm that you want to access Looker with your
+   account.
+
+   ![Authorizing](./authorize.png)
+
+   ![Authenticated](./authenticated.png)
+
+1. Use Gemini-CLI with your tools.
+
+## Using Toolbox as a Shared Service
+
+Toolbox can be run on another server as a shared service accessed by multiple
+users. We strongly recommend running toolbox behind a web proxy such as `nginx`
+which will provide SSL encryption. Google Cloud Run is another good way to run
+toolbox. You will connect to a service like `https://toolbox.example.com/mcp`.
+The proxy server will handle the SSL encryption and certificates. Then it will
+foward the requests to `http://localhost:5000/mcp` running in that environment.
+The details of the config are beyond the scope of this document, but will be
+familiar to your system administrators.
+
+To use the shared service, just change the `localhost:5000` in the `httpUrl` in
+`~/.gemini/settings.json` to the host name and possibly the port of the shared
+service.
--- a/docs/en/samples/looker/looker_gemini_oauth/authenticated.png
+++ b/docs/en/samples/looker/looker_gemini_oauth/authenticated.png
--- a/docs/en/samples/looker/looker_gemini_oauth/authorize.png
+++ b/docs/en/samples/looker/looker_gemini_oauth/authorize.png
--- a/docs/en/samples/looker/looker_gemini_oauth/registration.png
+++ b/docs/en/samples/looker/looker_gemini_oauth/registration.png
--- a/docs/en/samples/looker/looker_mcp_inspector/_index.md
+++ b/docs/en/samples/looker/looker_mcp_inspector/_index.md
@@ -34,7 +34,7 @@ In this section, we will download Toolbox and run the Toolbox server.
    <!-- {x-release-please-start-version} -->
    ```bash
    export OS="linux/amd64" # one of linux/amd64, darwin/arm64, darwin/amd64, or windows/amd64
-    curl -O https://storage.googleapis.com/genai-toolbox/v0.12.0/$OS/toolbox
+    curl -O https://storage.googleapis.com/genai-toolbox/v0.14.0/$OS/toolbox
    ```
    <!-- {x-release-please-end} -->

--- a/go.mod
+++ b/go.mod
@@ -1,24 +1,25 @@
 module github.com/googleapis/genai-toolbox

-go 1.24
+go 1.24.0

-toolchain go1.25.0
+toolchain go1.25.1

 require (
 	cloud.google.com/go/alloydbconn v1.15.5
 	cloud.google.com/go/bigquery v1.69.0
-	cloud.google.com/go/bigtable v1.38.0
-	cloud.google.com/go/cloudsqlconn v1.18.0
+	cloud.google.com/go/bigtable v1.39.0
+	cloud.google.com/go/cloudsqlconn v1.18.1
 	cloud.google.com/go/dataplex v1.26.0
 	cloud.google.com/go/firestore v1.18.0
 	cloud.google.com/go/spanner v1.84.1
+	github.com/ClickHouse/clickhouse-go/v2 v2.40.1
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.53.0
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/trace v1.29.0
 	github.com/cenkalti/backoff/v5 v5.0.3
-	github.com/couchbase/gocb/v2 v2.10.1
+	github.com/couchbase/gocb/v2 v2.11.0
 	github.com/couchbase/tools-common/http v1.0.9
 	github.com/fsnotify/fsnotify v1.9.0
-	github.com/go-chi/chi/v5 v5.2.2
+	github.com/go-chi/chi/v5 v5.2.3
 	github.com/go-chi/httplog/v2 v2.1.1
 	github.com/go-chi/render v1.0.3
 	github.com/go-goquery/goquery v1.0.1
@@ -30,10 +31,10 @@ require (
 	github.com/jackc/pgx/v5 v5.7.5
 	github.com/json-iterator/go v1.1.12
 	github.com/looker-open-source/sdk-codegen/go v0.25.10
-	github.com/microsoft/go-mssqldb v1.9.2
+	github.com/microsoft/go-mssqldb v1.9.3
 	github.com/nakagami/firebirdsql v0.9.15
-	github.com/neo4j/neo4j-go-driver/v5 v5.28.2
-	github.com/redis/go-redis/v9 v9.12.1
+	github.com/neo4j/neo4j-go-driver/v5 v5.28.3
+	github.com/redis/go-redis/v9 v9.13.0
 	github.com/spf13/cobra v1.9.1
 	github.com/thlib/go-timezone-local v0.0.7
 	github.com/trinodb/trino-go-client v0.328.0
@@ -49,19 +50,27 @@ require (
 	go.opentelemetry.io/otel/trace v1.37.0
 	golang.org/x/oauth2 v0.30.0
 	google.golang.org/api v0.248.0
-	google.golang.org/genproto v0.0.0-20250818200422-3122310a409c
+	google.golang.org/genproto v0.0.0-20250826171959-ef028d996bc1
 	modernc.org/sqlite v1.38.2
 )

 require (
+	github.com/ClickHouse/ch-go v0.67.0 // indirect
+	github.com/andybalholm/brotli v1.2.0 // indirect
 	github.com/andybalholm/cascadia v1.3.3 // indirect
+	github.com/go-faster/city v1.0.1 // indirect
+	github.com/go-faster/errors v0.7.1 // indirect
+	github.com/paulmach/orb v0.11.1 // indirect
+	github.com/segmentio/asm v1.2.0 // indirect
+	github.com/shopspring/decimal v1.4.0 // indirect
 	golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b // indirect
 	gonum.org/v1/gonum v0.16.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

 require (
 	cel.dev/expr v0.24.0 // indirect
-	cloud.google.com/go v0.121.4 // indirect
+	cloud.google.com/go v0.121.6 // indirect
 	cloud.google.com/go/alloydb v1.18.0 // indirect
 	cloud.google.com/go/auth v0.16.5 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
@@ -79,7 +88,7 @@ require (
 	github.com/apache/arrow/go/v15 v15.0.2 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443 // indirect
-	github.com/couchbase/gocbcore/v10 v10.7.1 // indirect
+	github.com/couchbase/gocbcore/v10 v10.8.0 // indirect
 	github.com/couchbase/gocbcoreps v0.1.3 // indirect
 	github.com/couchbase/goprotostellar v1.0.2 // indirect
 	github.com/couchbase/tools-common/errors v1.0.0 // indirect
@@ -132,7 +141,6 @@ require (
 	github.com/pierrec/lz4/v4 v4.1.22 // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
-	github.com/shopspring/decimal v1.2.0 // indirect
 	github.com/spf13/pflag v1.0.6 // indirect
 	github.com/spiffe/go-spiffe/v2 v2.5.0 // indirect
 	github.com/xdg-go/pbkdf2 v1.0.0 // indirect
@@ -145,7 +153,7 @@ require (
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/contrib/detectors/gcp v1.36.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.62.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 // indirect
 	go.opentelemetry.io/contrib/propagators/aws v1.37.0 // indirect
 	go.opentelemetry.io/contrib/propagators/b3 v1.37.0 // indirect
@@ -164,10 +172,10 @@ require (
 	golang.org/x/time v0.12.0 // indirect
 	golang.org/x/tools v0.35.0 // indirect
 	golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20250811230008-5f3141c8851a // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250818200422-3122310a409c // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250818200422-3122310a409c // indirect
 	google.golang.org/grpc v1.74.2 // indirect
-	google.golang.org/protobuf v1.36.7 // indirect
+	google.golang.org/protobuf v1.36.8 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	modernc.org/libc v1.66.3 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
--- a/go.sum
+++ b/go.sum
@@ -38,8 +38,8 @@ cloud.google.com/go v0.104.0/go.mod h1:OO6xxXdJyvuJPcEPBLN9BJPD+jep5G1+2U5B5gkRY
 cloud.google.com/go v0.105.0/go.mod h1:PrLgOJNe5nfE9UMxKxgXj4mD3voiP+YQ6gdt6KMFOKM=
 cloud.google.com/go v0.107.0/go.mod h1:wpc2eNrD7hXUTy8EKS10jkxpZBjASrORK7goS+3YX2I=
 cloud.google.com/go v0.110.0/go.mod h1:SJnCLqQ0FCFGSZMUNUf84MV3Aia54kn7pi8st7tMzaY=
-cloud.google.com/go v0.121.4 h1:cVvUiY0sX0xwyxPwdSU2KsF9knOVmtRyAMt8xou0iTs=
-cloud.google.com/go v0.121.4/go.mod h1:XEBchUiHFJbz4lKBZwYBDHV/rSyfFktk737TLDU089s=
+cloud.google.com/go v0.121.6 h1:waZiuajrI28iAf40cWgycWNgaXPO06dupuS+sgibK6c=
+cloud.google.com/go v0.121.6/go.mod h1:coChdst4Ea5vUpiALcYKXEpR1S9ZgXbhEzzMcMR66vI=
 cloud.google.com/go/accessapproval v1.4.0/go.mod h1:zybIuC3KpDOvotz59lFe5qxRZx6C75OtwbisN56xYB4=
 cloud.google.com/go/accessapproval v1.5.0/go.mod h1:HFy3tuiGvMdcd/u+Cu5b9NkO1pEICJ46IR82PoUdplw=
 cloud.google.com/go/accessapproval v1.6.0/go.mod h1:R0EiYnwV5fsRFiKZkPHr6mwyk2wxUJ30nL4j2pcFY2E=
@@ -139,8 +139,8 @@ cloud.google.com/go/bigquery v1.49.0/go.mod h1:Sv8hMmTFFYBlt/ftw2uN6dFdQPzBlREY9
 cloud.google.com/go/bigquery v1.50.0/go.mod h1:YrleYEh2pSEbgTBZYMJ5SuSr0ML3ypjRB1zgf7pvQLU=
 cloud.google.com/go/bigquery v1.69.0 h1:rZvHnjSUs5sHK3F9awiuFk2PeOaB8suqNuim21GbaTc=
 cloud.google.com/go/bigquery v1.69.0/go.mod h1:TdGLquA3h/mGg+McX+GsqG9afAzTAcldMjqhdjHTLew=
-cloud.google.com/go/bigtable v1.38.0 h1:L/PnUXRtAzFfa7qMULJHt4cXa/O2dqPJEkzYNGA4hfo=
-cloud.google.com/go/bigtable v1.38.0/go.mod h1:o/lntJarF3Y5C0XYLMJLjLYwxaRbcrtM0BiV57ymXbI=
+cloud.google.com/go/bigtable v1.39.0 h1:NF0aaSend+Z5CKND2vWY9fgDwaeZ4bDgzUdgw8rk75Y=
+cloud.google.com/go/bigtable v1.39.0/go.mod h1:zgL2Vxux9Bx+TcARDJDUxVyE+BCUfP2u4Zm9qeHF+g0=
 cloud.google.com/go/billing v1.4.0/go.mod h1:g9IdKBEFlItS8bTtlrZdVLWSSdSyFUZKXNS02zKMOZY=
 cloud.google.com/go/billing v1.5.0/go.mod h1:mztb1tBc3QekhjSgmpf/CV4LzWXLzCArwpLmP2Gm88s=
 cloud.google.com/go/billing v1.6.0/go.mod h1:WoXzguj+BeHXPbKfNWkqVtDdzORazmCjraY+vrxcyvI=
@@ -167,8 +167,8 @@ cloud.google.com/go/cloudbuild v1.9.0/go.mod h1:qK1d7s4QlO0VwfYn5YuClDGg2hfmLZEb
 cloud.google.com/go/clouddms v1.3.0/go.mod h1:oK6XsCDdW4Ib3jCCBugx+gVjevp2TMXFtgxvPSee3OM=
 cloud.google.com/go/clouddms v1.4.0/go.mod h1:Eh7sUGCC+aKry14O1NRljhjyrr0NFC0G2cjwX0cByRk=
 cloud.google.com/go/clouddms v1.5.0/go.mod h1:QSxQnhikCLUw13iAbffF2CZxAER3xDGNHjsTAkQJcQA=
-cloud.google.com/go/cloudsqlconn v1.18.0 h1:mP6TY/7I+nrnIh6vmbWCRJPxpFBZSL6AZhW6HaYC/OI=
-cloud.google.com/go/cloudsqlconn v1.18.0/go.mod h1:58bxZZ17Mz5D83ddMT8x6w56yKpcmVXyaOwGWkzGcMw=
+cloud.google.com/go/cloudsqlconn v1.18.1 h1:IIvs7QJ8eqKUUHSon13Joie9oH7/i7MJwNzBLG+FrhM=
+cloud.google.com/go/cloudsqlconn v1.18.1/go.mod h1:58bxZZ17Mz5D83ddMT8x6w56yKpcmVXyaOwGWkzGcMw=
 cloud.google.com/go/cloudtasks v1.5.0/go.mod h1:fD92REy1x5woxkKEkLdvavGnPJGEn8Uic9nWuLzqCpY=
 cloud.google.com/go/cloudtasks v1.6.0/go.mod h1:C6Io+sxuke9/KNRkbQpihnW93SWDU3uXt92nu85HkYI=
 cloud.google.com/go/cloudtasks v1.7.0/go.mod h1:ImsfdYWwlWNJbdgPIIGJWC+gemEGTBK/SunNQQNCAb4=
@@ -563,8 +563,8 @@ cloud.google.com/go/storage v1.23.0/go.mod h1:vOEEDNFnciUMhBeT6hsJIn3ieU5cFRmzeL
 cloud.google.com/go/storage v1.27.0/go.mod h1:x9DOL8TK/ygDUMieqwfhdpQryTeEkhGKMi80i/iqR2s=
 cloud.google.com/go/storage v1.28.1/go.mod h1:Qnisd4CqDdo6BGs2AD5LLnEsmSQ80wQ5ogcBBKhU86Y=
 cloud.google.com/go/storage v1.29.0/go.mod h1:4puEjyTKnku6gfKoTfNOU/W+a9JyuVNxjpS5GBrB8h4=
-cloud.google.com/go/storage v1.55.0 h1:NESjdAToN9u1tmhVqhXCaCwYBuvEhZLLv0gBr+2znf0=
-cloud.google.com/go/storage v1.55.0/go.mod h1:ztSmTTwzsdXe5syLVS0YsbFxXuvEmEyZj7v7zChEmuY=
+cloud.google.com/go/storage v1.56.0 h1:iixmq2Fse2tqxMbWhLWC9HfBj1qdxqAmiK8/eqtsLxI=
+cloud.google.com/go/storage v1.56.0/go.mod h1:Tpuj6t4NweCLzlNbw9Z9iwxEkrSem20AetIeH/shgVU=
 cloud.google.com/go/storagetransfer v1.5.0/go.mod h1:dxNzUopWy7RQevYFHewchb29POFv3/AaBgnhqzqiK0w=
 cloud.google.com/go/storagetransfer v1.6.0/go.mod h1:y77xm4CQV/ZhFZH75PLEXY0ROiS7Gh6pSKrM8dJyg6I=
 cloud.google.com/go/storagetransfer v1.7.0/go.mod h1:8Giuj1QNb1kfLAiWM1bN6dHzfdlDAVC9rv9abHot2W4=
@@ -632,8 +632,8 @@ cloud.google.com/go/workflows v1.7.0/go.mod h1:JhSrZuVZWuiDfKEFxU0/F1PQjmpnpcoIS
 cloud.google.com/go/workflows v1.8.0/go.mod h1:ysGhmEajwZxGn1OhGOGKsTXc5PyxOc0vfKf5Af+to4M=
 cloud.google.com/go/workflows v1.9.0/go.mod h1:ZGkj1aFIOd9c8Gerkjjq7OW7I5+l6cSvT3ujaO/WwSA=
 cloud.google.com/go/workflows v1.10.0/go.mod h1:fZ8LmRmZQWacon9UCX1r/g/DfAXx5VcPALq2CxzdePw=
-dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk=
-dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
+dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
+dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
@@ -655,6 +655,10 @@ github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 h1:oygO0locgZJ
 github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
+github.com/ClickHouse/ch-go v0.67.0 h1:18MQF6vZHj+4/hTRaK7JbS/TIzn4I55wC+QzO24uiqc=
+github.com/ClickHouse/ch-go v0.67.0/go.mod h1:2MSAeyVmgt+9a2k2SQPPG1b4qbTPzdGDpf1+bcHh+18=
+github.com/ClickHouse/clickhouse-go/v2 v2.40.1 h1:PbwsHBgqXRydU7jKULD1C8CHmifczffvQqmFvltM2W4=
+github.com/ClickHouse/clickhouse-go/v2 v2.40.1/go.mod h1:GDzSBLVhladVm8V01aEB36IoBOVLLICfyeuiIp/8Ezc=
 github.com/GoogleCloudPlatform/grpc-gcp-go/grpcgcp v1.5.3 h1:2afWGsMzkIcN8Qm4mgPJKZWyroE5QBszMiDMYEBrnfw=
 github.com/GoogleCloudPlatform/grpc-gcp-go/grpcgcp v1.5.3/go.mod h1:dppbR7CwXD4pgtV9t3wD1812RaLDcBjtblcDF5f1vI0=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.27.0 h1:ErKg/3iS1AKcTkf3yixlZ54f9U1rljCkQyEXWUnIUxc=
@@ -684,6 +688,8 @@ github.com/ajstarks/deck/generate v0.0.0-20210309230005-c3f852c02e19/go.mod h1:T
 github.com/ajstarks/svgo v0.0.0-20180226025133-644b8db467af/go.mod h1:K08gAheRH3/J6wwsYMMT4xOr94bZjxIelGM0+d/wbFw=
 github.com/ajstarks/svgo v0.0.0-20211024235047-1546f124cd8b/go.mod h1:1KcenG0jGWcpt8ov532z81sp/kMMUG485J2InIOyADM=
 github.com/andybalholm/brotli v1.0.4/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
+github.com/andybalholm/brotli v1.2.0 h1:ukwgCxwYrmACq68yiUqwIWnGY0cTPox/M94sVwToPjQ=
+github.com/andybalholm/brotli v1.2.0/go.mod h1:rzTDkvFWvIrjDXZHkuS16NPggd91W3kUSvPlQ1pLaKY=
 github.com/andybalholm/cascadia v1.3.3 h1:AG2YHrzJIm4BZ19iwJ/DAua6Btl3IwJX+VI4kktS1LM=
 github.com/andybalholm/cascadia v1.3.3/go.mod h1:xNd9bqTn98Ln4DwST8/nG+H0yuB8Hmgu1YHNnWw0GeA=
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
@@ -770,10 +776,10 @@ github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443 h1:aQ3y1lwWyqYPiWZThqv
 github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8=
 github.com/containerd/continuity v0.4.3 h1:6HVkalIp+2u1ZLH1J/pYX2oBVXlJZvh1X1A7bEZ9Su8=
 github.com/containerd/continuity v0.4.3/go.mod h1:F6PTNCKepoxEaXLQp3wDAjygEnImnZ/7o4JzpodfroQ=
-github.com/couchbase/gocb/v2 v2.10.1 h1:5r1jngGxw3dTZdtq6Xmjq3pdU6hOwRvynvbVIp58T64=
-github.com/couchbase/gocb/v2 v2.10.1/go.mod h1:GGEJuYjrfnPHCQLcxTcIco+Puy63PS2p8QQd8FRw66I=
-github.com/couchbase/gocbcore/v10 v10.7.1 h1:6jsNDtqyfoQ8Xg6kv99rzccc3CrHbp7FjeY+ahWXTF4=
-github.com/couchbase/gocbcore/v10 v10.7.1/go.mod h1:Q8JWVenMCEOuRgrDQKApHbzzPif38HzefGgRVe9apAI=
+github.com/couchbase/gocb/v2 v2.11.0 h1:OVB+KlVeXlKVtziKx/LWZT7DClLsoQHQFrI4wan5Ijc=
+github.com/couchbase/gocb/v2 v2.11.0/go.mod h1:Y+lODSgyVzDSaf0Sy8sIzIa0RTAw3vlZUsjY6+FUq9Y=
+github.com/couchbase/gocbcore/v10 v10.8.0 h1:zDcJyYqOirFyC8T/aVvNL4N9oj6GI4qtaBuTGGWCDb4=
+github.com/couchbase/gocbcore/v10 v10.8.0/go.mod h1:OWKfU9R5Nm5V3QZBtfdZl5qCfgxtxTqOgXiNr4pn9/c=
 github.com/couchbase/gocbcoreps v0.1.3 h1:fILaKGCjxFIeCgAUG8FGmRDSpdrRggohOMKEgO9CUpg=
 github.com/couchbase/gocbcoreps v0.1.3/go.mod h1:hBFpDNPnRno6HH5cRXExhqXYRmTsFJlFHQx7vztcXPk=
 github.com/couchbase/goprotostellar v1.0.2 h1:yoPbAL9sCtcyZ5e/DcU5PRMOEFaJrF9awXYu3VPfGls=
@@ -796,8 +802,8 @@ github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/r
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
 github.com/docker/cli v26.1.4+incompatible h1:I8PHdc0MtxEADqYJZvhBrW9bo8gawKwwenxRM7/rLu8=
 github.com/docker/cli v26.1.4+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
-github.com/docker/docker v27.1.1+incompatible h1:hO/M4MtV36kzKldqnA37IWhebRA+LnqqcqDja6kVaKY=
-github.com/docker/docker v27.1.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v28.3.3+incompatible h1:Dypm25kh4rmk49v1eiVbsAtpAsYURjYkaKubwuBdxEI=
+github.com/docker/docker v28.3.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
 github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
@@ -840,12 +846,16 @@ github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8
 github.com/gabriel-vasile/mimetype v1.4.8 h1:FfZ3gj38NjllZIeJAmMhr+qKL8Wu+nOoI3GqacKw1NM=
 github.com/gabriel-vasile/mimetype v1.4.8/go.mod h1:ByKUIKGjh1ODkGM1asKUbQZOLGrPjydw3hYPU2YU9t8=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/go-chi/chi/v5 v5.2.2 h1:CMwsvRVTbXVytCk1Wd72Zy1LAsAh9GxMmSNWLHCG618=
-github.com/go-chi/chi/v5 v5.2.2/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
+github.com/go-chi/chi/v5 v5.2.3 h1:WQIt9uxdsAbgIYgid+BpYc+liqQZGMHRaUwp0JUcvdE=
+github.com/go-chi/chi/v5 v5.2.3/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
 github.com/go-chi/httplog/v2 v2.1.1 h1:ojojiu4PIaoeJ/qAO4GWUxJqvYUTobeo7zmuHQJAxRk=
 github.com/go-chi/httplog/v2 v2.1.1/go.mod h1:/XXdxicJsp4BA5fapgIC3VuTD+z0Z/VzukoB3VDc1YE=
 github.com/go-chi/render v1.0.3 h1:AsXqd2a1/INaIfUSKq3G5uA8weYx20FOsM7uSoCyyt4=
 github.com/go-chi/render v1.0.3/go.mod h1:/gr3hVkmYR0YlEy3LxCuVRFzEu9Ruok+gFqbIofjao0=
+github.com/go-faster/city v1.0.1 h1:4WAxSZ3V2Ws4QRDrscLEDcibJY8uf41H6AhXDrNDcGw=
+github.com/go-faster/city v1.0.1/go.mod h1:jKcUJId49qdW3L1qKHH/3wPeUstCVpVSXTM6vO3VcTw=
+github.com/go-faster/errors v0.7.1 h1:MkJTnDoEdi9pDabt1dpWf7AA8/BaSYZqibYyhZ20AYg=
+github.com/go-faster/errors v0.7.1/go.mod h1:5ySTjWFiphBs07IKuiL69nxdfd5+fzh1u7FPGZP2quo=
 github.com/go-fonts/dejavu v0.1.0/go.mod h1:4Wt4I4OU2Nq9asgDCteaAaWZOV24E+0/Pwo0gppep4g=
 github.com/go-fonts/latin-modern v0.2.0/go.mod h1:rQVLdDMK+mK1xscDwsqM5J8U2jrRa3T0ecnM9pNujks=
 github.com/go-fonts/liberation v0.1.1/go.mod h1:K6qoJYypsmfVjWg8KOVDQhLc8UDgIK2HYqyqAO9z7GY=
@@ -933,6 +943,7 @@ github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiu
 github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
+github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/golang/snappy v1.0.0 h1:Oy607GVXHs7RtbggtPBnr2RmDArIsAefDwvrdWvRhGs=
@@ -1088,6 +1099,7 @@ github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:C
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/asmfmt v1.3.2/go.mod h1:AG8TuvYojzulgDAMCnYn50l/5QV3Bs/tp6j0HLHbNSE=
+github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
 github.com/klauspost/compress v1.15.9/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU=
 github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
 github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
@@ -1119,8 +1131,8 @@ github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-sqlite3 v1.14.14/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
-github.com/microsoft/go-mssqldb v1.9.2 h1:nY8TmFMQOHpm2qVWo6y4I2mAmVdZqlGiMGAYt64Ibbs=
-github.com/microsoft/go-mssqldb v1.9.2/go.mod h1:GBbW9ASTiDC+mpgWDGKdm3FnFLTUsLYN3iFL90lQ+PA=
+github.com/microsoft/go-mssqldb v1.9.3 h1:hy4p+LDC8LIGvI3JATnLVmBOLMJbmn5X400mr5j0lPs=
+github.com/microsoft/go-mssqldb v1.9.3/go.mod h1:GBbW9ASTiDC+mpgWDGKdm3FnFLTUsLYN3iFL90lQ+PA=
 github.com/minio/asm2plan9s v0.0.0-20200509001527-cdd76441f9d8/go.mod h1:mC1jAcsrzbxHt8iiaC+zU4b1ylILSosueou12R++wfY=
 github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3/go.mod h1:RagcQ7I8IeTMnF8JTXieKnO4Z6JCsikNEzj0DwauVzE=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
@@ -1134,6 +1146,7 @@ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe/go.mod h1:wL8QJuTMNUDYhXwkmfOly8iTdp5TEcJFWZD2D7SIkUc=
 github.com/montanaflynn/stats v0.7.1 h1:etflOAAHORrCC44V+aR6Ftzort912ZU+YLiSTuV8eaE=
 github.com/montanaflynn/stats v0.7.1/go.mod h1:etXPPgVO6n31NxCd9KQUMvCM+ve0ruNzt6R8Bnaayow=
 github.com/nakagami/chacha20 v0.1.0 h1:2fbf5KeVUw7oRpAe6/A7DqvBJLYYu0ka5WstFbnkEVo=
@@ -1142,19 +1155,22 @@ github.com/nakagami/firebirdsql v0.9.15 h1:Mf05jaFI8+kjy6sBstsAu76zOkJ44AGd6cpAp
 github.com/nakagami/firebirdsql v0.9.15/go.mod h1:bZKRs3rpHAjJgXAoc9YiPobTz3R22i41Zjo+llIS2B0=
 github.com/ncruces/go-strftime v0.1.9 h1:bY0MQC28UADQmHmaF5dgpLmImcShSi2kHU9XLdhx/f4=
 github.com/ncruces/go-strftime v0.1.9/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
-github.com/neo4j/neo4j-go-driver/v5 v5.28.2 h1:uG7nMK0zS/a/iSWMZgCIY40SfYzWBc6uSrMONhiIS0U=
-github.com/neo4j/neo4j-go-driver/v5 v5.28.2/go.mod h1:Vff8OwT7QpLm7L2yYr85XNWe9Rbqlbeb9asNXJTHO4k=
+github.com/neo4j/neo4j-go-driver/v5 v5.28.3 h1:OHP/vzX0oZ2YUY5DnGUp7QY21BIpOzw+Pp+Dga8zYl4=
+github.com/neo4j/neo4j-go-driver/v5 v5.28.3/go.mod h1:Vff8OwT7QpLm7L2yYr85XNWe9Rbqlbeb9asNXJTHO4k=
 github.com/onsi/gomega v1.36.2 h1:koNYke6TVk6ZmnyHrCXba/T/MoLBXFjeC1PtvYgw0A8=
 github.com/onsi/gomega v1.36.2/go.mod h1:DdwyADRjrc825LhMEkD76cHR5+pUnjhUN8GlHlRPHzY=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
-github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
-github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
+github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
+github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
 github.com/opencontainers/runc v1.1.13 h1:98S2srgG9vw0zWcDpFMn5TRrh8kLxa/5OFUstuUhmRs=
 github.com/opencontainers/runc v1.1.13/go.mod h1:R016aXacfp/gwQBYw2FDGa9m+n6atbLWrYY8hNMT/sA=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/ory/dockertest/v3 v3.11.0 h1:OiHcxKAvSDUwsEVh2BjxQQc/5EHz9n0va9awCtNGuyA=
 github.com/ory/dockertest/v3 v3.11.0/go.mod h1:VIPxS1gwT9NpPOrfD3rACs8Y9Z7yhzO4SB194iUDnUI=
+github.com/paulmach/orb v0.11.1 h1:3koVegMC4X/WeiXYz9iswopaTwMem53NzTJuTF20JzU=
+github.com/paulmach/orb v0.11.1/go.mod h1:5mULz1xQfs3bmQm63QEJA6lNGujuRafwA5S/EnuLaLU=
+github.com/paulmach/protoscan v0.2.1/go.mod h1:SpcSwydNLrxUGSDvXvO0P7g7AuhJ7lcKfDlhJCDw2gY=
 github.com/phpdave11/gofpdf v1.4.2/go.mod h1:zpO6xFn9yxo3YLyMvW8HcKWVdbNqgIfOOp2dXMnm1mY=
 github.com/phpdave11/gofpdi v1.0.12/go.mod h1:vBmVV0Do6hSBHC8uKUQ71JGW+ZGQq74llk/7bXwjDoI=
 github.com/phpdave11/gofpdi v1.0.13/go.mod h1:vBmVV0Do6hSBHC8uKUQ71JGW+ZGQq74llk/7bXwjDoI=
@@ -1179,8 +1195,8 @@ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.3.0/go.mod h1:LDGWKZIo7rky3hgvBe+caln+Dr3dPggB5dvjtD7w9+w=
-github.com/redis/go-redis/v9 v9.12.1 h1:k5iquqv27aBtnTm2tIkROUDp8JBXhXZIVu1InSgvovg=
-github.com/redis/go-redis/v9 v9.12.1/go.mod h1:huWgSWd8mW6+m0VPhJjSSQ+d6Nh1VICQ6Q5lHuCH/Iw=
+github.com/redis/go-redis/v9 v9.13.0 h1:PpmlVykE0ODh8P43U0HqC+2NXHXwG+GUtQyz+MPKGRg=
+github.com/redis/go-redis/v9 v9.13.0/go.mod h1:huWgSWd8mW6+m0VPhJjSSQ+d6Nh1VICQ6Q5lHuCH/Iw=
 github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
@@ -1193,8 +1209,10 @@ github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWN
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/ruudk/golang-pdf417 v0.0.0-20181029194003-1af4ab5afa58/go.mod h1:6lfFZQK844Gfx8o5WFuvpxWRwnSoipWe/p622j1v06w=
 github.com/ruudk/golang-pdf417 v0.0.0-20201230142125-a7e3863a1245/go.mod h1:pQAZKsJ8yyVxGRWYNEm9oFB8ieLgKFnamEyDmSA0BRk=
-github.com/shopspring/decimal v1.2.0 h1:abSATXmQEYyShuxI4/vyW3tV1MrKAJzCZ/0zLUXYbsQ=
-github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
+github.com/segmentio/asm v1.2.0 h1:9BQrFxC+YOHJlTlHGkTrFWf59nbL3XnCoFLTwDCI7ys=
+github.com/segmentio/asm v1.2.0/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs=
+github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k=
+github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
@@ -1228,14 +1246,17 @@ github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOf
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/thlib/go-timezone-local v0.0.7 h1:fX8zd3aJydqLlTs/TrROrIIdztzsdFV23OzOQx31jII=
 github.com/thlib/go-timezone-local v0.0.7/go.mod h1:/Tnicc6m/lsJE0irFMA0LfIwTBo4QP7A8IfyIv4zZKI=
+github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
 github.com/trinodb/trino-go-client v0.328.0 h1:X6hrGGysA3nvyVcz8kJbBS98srLNTNsnNYwRkMC1atA=
 github.com/trinodb/trino-go-client v0.328.0/go.mod h1:e/nck9W6hy+9bbyZEpXKFlNsufn3lQGpUgDL1d5f1FI=
 github.com/valkey-io/valkey-go v1.0.64 h1:3u4+b6D6zs9JQs254TLy4LqitCMHHr9XorP9GGk7XY4=
 github.com/valkey-io/valkey-go v1.0.64/go.mod h1:bHmwjIEOrGq/ubOJfh5uMRs7Xj6mV3mQ/ZXUbmqpjqY=
 github.com/xdg-go/pbkdf2 v1.0.0 h1:Su7DPu48wXMwC3bs7MCNG+z4FhcyEuz5dlvchbq0B0c=
 github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=
+github.com/xdg-go/scram v1.1.1/go.mod h1:RaEWvsqvNKKvBPvcKeFjrG2cJqOkHTiyTpzz23ni57g=
 github.com/xdg-go/scram v1.1.2 h1:FHX5I5B4i4hKRVRBCFRxq1iQRej7WO3hhBuJf+UUySY=
 github.com/xdg-go/scram v1.1.2/go.mod h1:RT/sEzTbU5y00aCK8UOx6R7YryM0iF1N2MOmC3kKLN4=
+github.com/xdg-go/stringprep v1.0.3/go.mod h1:W3f5j4i+9rC0kuIEJL0ky1VpHXQU3ocBgklLGvcBnW8=
 github.com/xdg-go/stringprep v1.0.4 h1:XLI/Ng3O1Atzq0oBs3TWm+5ZVgkq2aqdlvP9JtoZ6c8=
 github.com/xdg-go/stringprep v1.0.4/go.mod h1:mPGuuIYwz7CmR2bT9j4GbQqutWS1zV24gijq1dTyGkM=
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo=
@@ -1244,6 +1265,9 @@ github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHo
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
 github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74=
 github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
+github.com/xyproto/randomstring v1.0.5 h1:YtlWPoRdgMu3NZtP45drfy1GKoojuR7hmRcnhZqKjWU=
+github.com/xyproto/randomstring v1.0.5/go.mod h1:rgmS5DeNXLivK7YprL0pY+lTuhNQW3iGxZ18UQApw/E=
+github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d/go.mod h1:rHwXgn7JulP+udvsHwJoVG1YGAP6VLg4y9I5dyZdqmA=
 github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 h1:ilQV1hzziu+LLM3zUTJ0trRztfwgjqKnBWNtSRkbmwM=
 github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78/go.mod h1:aL8wCCfTfSfmXjznFBSZNN13rSJjlIOI1fUNAtF7rmI=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
@@ -1261,6 +1285,7 @@ github.com/zeebo/xxh3 v1.0.2 h1:xZmwmqxHZA8AI603jOQ0tMqmBr9lPeFwGg6d+xy9DC0=
 github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA=
 gitlab.com/nyarla/go-crypt v0.0.0-20160106005555-d9a5dc2b789b h1:7gd+rd8P3bqcn/96gOZa3F5dpJr/vEiDQYlNb/y2uNs=
 gitlab.com/nyarla/go-crypt v0.0.0-20160106005555-d9a5dc2b789b/go.mod h1:T3BPAOm2cqquPa0MKWeNkmOM5RQsRhkrwMWonFMN7fE=
+go.mongodb.org/mongo-driver v1.11.4/go.mod h1:PTSz5yu21bkT/wXpkS7WR5f0ddqw5quethTUn9WM+2g=
 go.mongodb.org/mongo-driver v1.17.4 h1:jUorfmVzljjr0FLzYQsGP8cgN/qzzxlY9Vh0C9KFXVw=
 go.mongodb.org/mongo-driver v1.17.4/go.mod h1:Hy04i7O2kC4RS06ZrhPRqj/u4DTYkFDAAccj+rVKqgQ=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
@@ -1276,8 +1301,8 @@ go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJyS
 go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
 go.opentelemetry.io/contrib/detectors/gcp v1.36.0 h1:F7q2tNlCaHY9nMKHR6XH9/qkp8FktLnIcy6jJNyOCQw=
 go.opentelemetry.io/contrib/detectors/gcp v1.36.0/go.mod h1:IbBN8uAIIx734PTonTPxAxnjc2pQTxWNkwfstZ+6H2k=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 h1:q4XOmH/0opmeuJtPsbFNivyl7bCt7yRBbeEm2sC/XtQ=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0/go.mod h1:snMWehoOh2wsEwnvvwtDyFCxVeDAODenXHtn5vzrKjo=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.62.0 h1:rbRJ8BBoVMsQShESYZ0FkvcITu8X8QNwJogcLUmDNNw=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.62.0/go.mod h1:ru6KHrNtNHxM4nD/vd6QrLVWgKhxPYgblq4VAtNawTQ=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 h1:Hf9xI/XLML9ElpiHVDNwvqI0hIFlzV8dgIr35kV1kRU=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0/go.mod h1:NfchwuyNoMcZ5MLHwPrODwUF1HWCXWrL31s8gSAdIKY=
 go.opentelemetry.io/contrib/propagators/autoprop v0.62.0 h1:1+EHlhAe/tukctfePZRrDruB9vn7MdwyC+rf36nUSPM=
@@ -1330,6 +1355,7 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
@@ -1439,6 +1465,7 @@ golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96b
 golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220325170049-de3da57026de/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
@@ -1936,10 +1963,10 @@ google.golang.org/genproto v0.0.0-20230323212658-478b75c54725/go.mod h1:UUQDJDOl
 google.golang.org/genproto v0.0.0-20230330154414-c0448cd141ea/go.mod h1:UUQDJDOlWu4KYeJZffbWgBkS1YFobzKbLVfK69pe0Ak=
 google.golang.org/genproto v0.0.0-20230331144136-dcfb400f0633/go.mod h1:UUQDJDOlWu4KYeJZffbWgBkS1YFobzKbLVfK69pe0Ak=
 google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1/go.mod h1:nKE/iIaLqn2bQwXBg8f1g2Ylh6r5MN5CmZvuzZCgsCU=
-google.golang.org/genproto v0.0.0-20250818200422-3122310a409c h1:ZERoum3uuqL0PRSc6SXielu26FN96T4BUGaaW0oL+c8=
-google.golang.org/genproto v0.0.0-20250818200422-3122310a409c/go.mod h1:Q8kep885BJnK3Jt6QZXIFeLHSzoAQtlI1CCloQigiyU=
-google.golang.org/genproto/googleapis/api v0.0.0-20250811230008-5f3141c8851a h1:DMCgtIAIQGZqJXMVzJF4MV8BlWoJh2ZuFiRdAleyr58=
-google.golang.org/genproto/googleapis/api v0.0.0-20250811230008-5f3141c8851a/go.mod h1:y2yVLIE/CSMCPXaHnSKXxu1spLPnglFLegmgdY23uuE=
+google.golang.org/genproto v0.0.0-20250826171959-ef028d996bc1 h1:Nm5SEGIguOIBDXs5rhfz2aKwEVWlgwC58UcmEnLDc8Y=
+google.golang.org/genproto v0.0.0-20250826171959-ef028d996bc1/go.mod h1:Jz9LrroM7Mcm+a0QrLh4UpZ1B/WhjIbqwEcUf4y08nQ=
+google.golang.org/genproto/googleapis/api v0.0.0-20250818200422-3122310a409c h1:AtEkQdl5b6zsybXcbz00j1LwNodDuH6hVifIaNqk7NQ=
+google.golang.org/genproto/googleapis/api v0.0.0-20250818200422-3122310a409c/go.mod h1:ea2MjsO70ssTfCjiwHgI0ZFqcw45Ksuk2ckf9G468GA=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20250818200422-3122310a409c h1:qXWI/sQtv5UKboZ/zUk7h+mrf/lXORyI+n9DKDAusdg=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20250818200422-3122310a409c/go.mod h1:gw1tLEfykwDz2ET4a12jcXt4couGAm7IwsVaTy0Sflo=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
@@ -2003,10 +2030,11 @@ google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqw
 google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.29.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.36.7 h1:IgrO7UwFQGJdRNXH/sQux4R1Dj1WAKcLElzeeRaXV2A=
-google.golang.org/protobuf v1.36.7/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
+google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/ini.v1 v1.61.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
--- a/internal/prebuiltconfigs/prebuiltconfigs_test.go
+++ b/internal/prebuiltconfigs/prebuiltconfigs_test.go
@@ -24,6 +24,7 @@ var expectedToolSources = []string{
 	"alloydb-postgres-admin",
 	"alloydb-postgres",
 	"bigquery",
+	"clickhouse",
 	"cloud-sql-mssql",
 	"cloud-sql-mysql",
 	"cloud-sql-postgres",
@@ -85,6 +86,7 @@ func TestGetPrebuiltTool(t *testing.T) {
 	alloydb_admin_config, _ := Get("alloydb-postgres-admin")
 	alloydb_config, _ := Get("alloydb-postgres")
 	bigquery_config, _ := Get("bigquery")
+	clickhouse_config, _ := Get("clickhouse")
 	cloudsqlpg_config, _ := Get("cloud-sql-postgres")
 	cloudsqlmysql_config, _ := Get("cloud-sql-mysql")
 	cloudsqlmssql_config, _ := Get("cloud-sql-mssql")
@@ -105,6 +107,9 @@ func TestGetPrebuiltTool(t *testing.T) {
 	if len(bigquery_config) <= 0 {
 		t.Fatalf("unexpected error: could not fetch bigquery prebuilt tools yaml")
 	}
+	if len(clickhouse_config) <= 0 {
+		t.Fatalf("unexpected error: could not fetch clickhouse prebuilt tools yaml")
+	}
 	if len(cloudsqlpg_config) <= 0 {
 		t.Fatalf("unexpected error: could not fetch cloud sql pg prebuilt tools yaml")
 	}
--- a/internal/prebuiltconfigs/tools/alloydb-postgres.yaml
+++ b/internal/prebuiltconfigs/tools/alloydb-postgres.yaml
@@ -1,3 +1,16 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 sources:
    alloydb-pg-source:
        kind: "alloydb-postgres"
@@ -6,8 +19,9 @@ sources:
        cluster: ${ALLOYDB_POSTGRES_CLUSTER}
        instance: ${ALLOYDB_POSTGRES_INSTANCE}
        database: ${ALLOYDB_POSTGRES_DATABASE}
-        user: ${ALLOYDB_POSTGRES_USER}
-        password: ${ALLOYDB_POSTGRES_PASSWORD}
+        user: ${ALLOYDB_POSTGRES_USER:}
+        password: ${ALLOYDB_POSTGRES_PASSWORD:}
+        ipType: ${ALLOYDB_POSTGRES_IP_TYPE:public}

 tools:
    execute_sql:
@@ -92,7 +106,7 @@ tools:
                        'constraints', COALESCE((SELECT json_agg(json_build_object('constraint_name',cons.constraint_name,'constraint_type',cons.constraint_type,'constraint_definition',cons.constraint_definition,'constraint_columns',cons.constraint_columns,'foreign_key_referenced_table',cons.foreign_key_referenced_table,'foreign_key_referenced_columns',cons.foreign_key_referenced_columns)) FROM constraints_info cons WHERE cons.table_oid = ti.table_oid), '[]'::json),
                        'indexes', COALESCE((SELECT json_agg(json_build_object('index_name',ii.index_name,'index_definition',ii.index_definition,'is_unique',ii.is_unique,'is_primary',ii.is_primary,'index_method',ii.index_method,'index_columns',ii.index_columns)) FROM indexes_info ii WHERE ii.table_oid = ti.table_oid), '[]'::json),
                        'triggers', COALESCE((SELECT json_agg(json_build_object('trigger_name',tri.trigger_name,'trigger_definition',tri.trigger_definition,'trigger_enabled_state',tri.trigger_enabled_state)) FROM triggers_info tri WHERE tri.table_oid = ti.table_oid), '[]'::json)
-                    ) 
+                    )
                END AS object_details
            FROM table_info ti ORDER BY ti.schema_name, ti.table_name;
        parameters:
--- a/internal/prebuiltconfigs/tools/bigquery.yaml
+++ b/internal/prebuiltconfigs/tools/bigquery.yaml
@@ -4,6 +4,14 @@ sources:
    project: ${BIGQUERY_PROJECT}

 tools:
+  ask_data_insights:
+    kind: bigquery-conversational-analytics
+    source: bigquery-source
+    description: |
+      Use this tool to perform data analysis, get insights,
+      or answer complex questions about the contents of specific
+      BigQuery tables.
+
  execute_sql:
    kind: bigquery-execute-sql
    source: bigquery-source
@@ -36,6 +44,7 @@ tools:

 toolsets:
  bigquery-database-tools:
+    - ask_data_insights
    - execute_sql
    - forecast
    - get_dataset_info
--- a/internal/prebuiltconfigs/tools/clickhouse.yaml
+++ b/internal/prebuiltconfigs/tools/clickhouse.yaml
@@ -0,0 +1,19 @@
+sources:
+  clickhouse-source:
+    kind: clickhouse
+    host: ${CLICKHOUSE_HOST}
+    port: ${CLICKHOUSE_PORT}
+    user: ${CLICKHOUSE_USER}
+    password: ${CLICKHOUSE_PASSWORD}
+    database: ${CLICKHOUSE_DATABASE}
+    protocol: ${CLICKHOUSE_PROTOCOL}
+
+tools:
+  execute_sql:
+    kind: clickhouse-execute-sql
+    source: clickhouse-source
+    description: Use this tool to execute SQL.
+
+toolsets:
+  clickhouse-database-tools:
+    - execute_sql
--- a/internal/prebuiltconfigs/tools/looker.yaml
+++ b/internal/prebuiltconfigs/tools/looker.yaml
@@ -1,11 +1,29 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 sources:
    looker-source:
        kind: looker
        base_url: ${LOOKER_BASE_URL}
-        client_id: ${LOOKER_CLIENT_ID}
-        client_secret: ${LOOKER_CLIENT_SECRET}
-        verify_ssl: ${LOOKER_VERIFY_SSL}
+        client_id: ${LOOKER_CLIENT_ID:}
+        client_secret: ${LOOKER_CLIENT_SECRET:}
+        verify_ssl: ${LOOKER_VERIFY_SSL:true}
        timeout: 600s
+        use_client_oauth: ${LOOKER_USE_CLIENT_OAUTH:false}
+        show_hidden_models: ${LOOKER_SHOW_HIDDEN_MODELS:true}
+        show_hidden_explores: ${LOOKER_SHOW_HIDDEN_EXPLORES:true}
+        show_hidden_fields: ${LOOKER_SHOW_HIDDEN_FIELDS:true}

 tools:
    get_models:
@@ -35,6 +53,11 @@ tools:
          It takes two parameters, the model_name looked up from get_models and the
          explore_name looked up from get_explores.

+          If this returns a suggestions field for a dimension, the contents of suggestions
+          can be used as filters for this field. If this returns a suggest_explore and
+          suggest_dimension, a query against that explore and dimension can be used to find
+          valid filters for this field.
+
    get_measures:
        kind: looker-get-measures
        source: looker-source
@@ -45,6 +68,11 @@ tools:
          It takes two parameters, the model_name looked up from get_models and the
          explore_name looked up from get_explores.

+          If this returns a suggestions field for a measure, the contents of suggestions
+          can be used as filters for this field. If this returns a suggest_explore and
+          suggest_dimension, a query against that explore and dimension can be used to find
+          valid filters for this field.
+
    get_filters:
        kind: looker-get-filters
        source: looker-source
@@ -88,7 +116,8 @@ tools:
          Filters are provided as a map of {"field.id": "condition",
          "field.id2": "condition2", ...}. Do not put the field.id in
          quotes. Filter expressions can be found at
-          https://cloud.google.com/looker/docs/filter-expressions.
+          https://cloud.google.com/looker/docs/filter-expressions. There
+          is one mistake in that, however, Use `not null` instead of `-NULL`.

          Sorts can be specified like [ "field.id desc 0" ].

@@ -215,6 +244,7 @@ tools:

          ### Pie / Donut

+          *   Pie charts must have exactly one dimension and one numerical measure.
          *   `type`: Must be `looker_pie`.
          *   `value_labels`: Where to display values (`'legend'`, `'labels'`).
          *   `label_type`: The format of data labels (`'labPer'`, `'labVal'`, `'lab'`, `'val'`, `'per'`).
--- a/internal/server/api.go
+++ b/internal/server/api.go
@@ -16,8 +16,10 @@ package server

 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"net/http"
+	"strings"

 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/chi/v5/middleware"
@@ -165,6 +167,20 @@ func toolInvokeHandler(s *Server, w http.ResponseWriter, r *http.Request) {
 		return
 	}

+	// Extract OAuth access token from the "Authorization" header (currently for
+	// BigQuery end-user credentials usage only)
+	accessToken := tools.AccessToken(r.Header.Get("Authorization"))
+
+	// Check if this specific tool requires the standard authorization header
+	if tool.RequiresClientAuthorization() {
+		if accessToken == "" {
+			err = fmt.Errorf("tool requires client authorization but access token is missing from the request header")
+			s.logger.DebugContext(ctx, err.Error())
+			_ = render.Render(w, r, newErrResponse(err, http.StatusUnauthorized))
+			return
+		}
+	}
+
 	// Tool authentication
 	// claimsFromAuth maps the name of the authservice to the claims retrieved from it.
 	claimsFromAuth := make(map[string]map[string]any)
@@ -210,6 +226,12 @@ func toolInvokeHandler(s *Server, w http.ResponseWriter, r *http.Request) {

 	params, err := tool.ParseParams(data, claimsFromAuth)
 	if err != nil {
+		// If auth error, return 401
+		if errors.Is(err, tools.ErrUnauthorized) {
+			s.logger.DebugContext(ctx, fmt.Sprintf("error parsing authenticated parameters from ID token: %s", err))
+			_ = render.Render(w, r, newErrResponse(err, http.StatusUnauthorized))
+			return
+		}
 		err = fmt.Errorf("provided parameters were invalid: %w", err)
 		s.logger.DebugContext(ctx, err.Error())
 		_ = render.Render(w, r, newErrResponse(err, http.StatusBadRequest))
@@ -217,12 +239,34 @@ func toolInvokeHandler(s *Server, w http.ResponseWriter, r *http.Request) {
 	}
 	s.logger.DebugContext(ctx, fmt.Sprintf("invocation params: %s", params))

-	// Extract OAuth access token from the "Authorization" header (currently for
-	// BigQuery end-user credentials usage only)
-	accessToken := tools.AccessToken(r.Header.Get("Authorization"))
-
 	res, err := tool.Invoke(ctx, params, accessToken)
+
+	// Determine what error to return to the users.
 	if err != nil {
+		errStr := err.Error()
+		var statusCode int
+
+		// Upstream API auth error propagation
+		switch {
+		case strings.Contains(errStr, "Error 401"):
+			statusCode = http.StatusUnauthorized
+		case strings.Contains(errStr, "Error 403"):
+			statusCode = http.StatusForbidden
+		}
+
+		if statusCode == http.StatusUnauthorized || statusCode == http.StatusForbidden {
+			if tool.RequiresClientAuthorization() {
+				// Propagate the original 401/403 error.
+				s.logger.DebugContext(ctx, fmt.Sprintf("error invoking tool. Client credentials lack authorization to the source: %v", err))
+				_ = render.Render(w, r, newErrResponse(err, statusCode))
+				return
+			}
+			// ADC lacking permission or credentials configuration error.
+			internalErr := fmt.Errorf("unexpected auth error occured during Tool invocation: %w", err)
+			s.logger.ErrorContext(ctx, internalErr.Error())
+			_ = render.Render(w, r, newErrResponse(internalErr, http.StatusInternalServerError))
+			return
+		}
 		err = fmt.Errorf("error while invoking tool: %w", err)
 		s.logger.DebugContext(ctx, err.Error())
 		_ = render.Render(w, r, newErrResponse(err, http.StatusBadRequest))
--- a/internal/server/api_test.go
+++ b/internal/server/api_test.go
@@ -212,7 +212,7 @@ func TestToolGetEndpoint(t *testing.T) {
 }

 func TestToolInvokeEndpoint(t *testing.T) {
-	mockTools := []MockTool{tool1, tool2}
+	mockTools := []MockTool{tool1, tool2, tool4, tool5}
 	toolsMap, toolsets := setUpResources(t, mockTools)
 	r, shutdown := setUpServer(t, "api", toolsMap, toolsets)
 	defer shutdown()
@@ -247,6 +247,20 @@ func TestToolInvokeEndpoint(t *testing.T) {
 			want:        "",
 			isErr:       true,
 		},
+		{
+			name:        "tool4",
+			toolName:    tool4.Name,
+			requestBody: bytes.NewBuffer([]byte(`{}`)),
+			want:        "",
+			isErr:       true,
+		},
+		{
+			name:        "tool5",
+			toolName:    tool5.Name,
+			requestBody: bytes.NewBuffer([]byte(`{}`)),
+			want:        "",
+			isErr:       true,
+		},
 	}

 	for _, tc := range testCases {
--- a/internal/server/common_test.go
+++ b/internal/server/common_test.go
@@ -36,10 +36,12 @@ var _ tools.Tool = &MockTool{}

 // MockTool is used to mock tools in tests
 type MockTool struct {
-	Name        string
-	Description string
-	Params      []tools.Parameter
-	manifest    tools.Manifest
+	Name                         string
+	Description                  string
+	Params                       []tools.Parameter
+	manifest                     tools.Manifest
+	unauthorized                 bool
+	requiresClientAuthrorization bool
 }

 func (t MockTool) Invoke(context.Context, tools.ParamValues, tools.AccessToken) (any, error) {
@@ -59,12 +61,15 @@ func (t MockTool) Manifest() tools.Manifest {
 	}
 	return tools.Manifest{Description: t.Description, Parameters: pMs}
 }
+
 func (t MockTool) Authorized(verifiedAuthServices []string) bool {
-	return true
+	// defaulted to true
+	return !t.unauthorized
 }

 func (t MockTool) RequiresClientAuthorization() bool {
-	return false
+	// defaulted to false
+	return t.requiresClientAuthrorization
 }

 func (t MockTool) McpManifest() tools.McpManifest {
@@ -111,6 +116,18 @@ var tool3 = MockTool{
 	},
 }

+var tool4 = MockTool{
+	Name:         "unauthorized_tool",
+	Params:       []tools.Parameter{},
+	unauthorized: true,
+}
+
+var tool5 = MockTool{
+	Name:                         "require_client_auth_tool",
+	Params:                       []tools.Parameter{},
+	requiresClientAuthrorization: true,
+}
+
 // setUpResources setups resources to test against
 func setUpResources(t *testing.T, mockTools []MockTool) (map[string]tools.Tool, map[string]tools.Toolset) {
 	toolsMap := make(map[string]tools.Tool)
--- a/internal/server/config.go
+++ b/internal/server/config.go
@@ -218,6 +218,11 @@ func (c *ToolConfigs) UnmarshalYAML(ctx context.Context, unmarshal func(interfac
 			return fmt.Errorf("unable to unmarshal %q: %w", name, err)
 		}

+		// `authRequired` and `useClientOAuth` cannot be specified together
+		if v["authRequired"] != nil && v["useClientOAuth"] == true {
+			return fmt.Errorf("`authRequired` and `useClientOAuth` are mutually exclusive. Choose only one authentication method")
+		}
+
 		// Make `authRequired` an empty list instead of nil for Tool manifest
 		if v["authRequired"] == nil {
 			v["authRequired"] = []string{}
--- a/internal/server/mcp.go
+++ b/internal/server/mcp.go
@@ -19,9 +19,11 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
+	"strings"
 	"sync"
 	"time"

@@ -142,7 +144,7 @@ func (s *stdioSession) readInputStream(ctx context.Context) error {
 			}
 			return err
 		}
-		v, res, err := processMcpMessage(ctx, []byte(line), s.server, s.protocol, "", "")
+		v, res, err := processMcpMessage(ctx, []byte(line), s.server, s.protocol, "", nil)
 		if err != nil {
 			// errors during the processing of message will generate a valid MCP Error response.
 			// server can continue to run.
@@ -330,6 +332,8 @@ func methodNotAllowed(s *Server, w http.ResponseWriter, r *http.Request) {

 // httpHandler handles all mcp messages.
 func httpHandler(s *Server, w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+
 	ctx, span := s.instrumentation.Tracer.Start(r.Context(), "toolbox/server/mcp")
 	r = r.WithContext(ctx)
 	ctx = util.WithLogger(r.Context(), s.logger)
@@ -402,9 +406,11 @@ func httpHandler(s *Server, w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	accessToken := tools.AccessToken(r.Header.Get("Authorization"))
+	v, res, err := processMcpMessage(ctx, body, s, protocolVersion, toolsetName, r.Header)
+	if err != nil {
+		s.logger.DebugContext(ctx, fmt.Errorf("error processing message: %w", err).Error())
+	}

-	v, res, err := processMcpMessage(ctx, body, s, protocolVersion, toolsetName, accessToken)
 	// notifications will return empty string
 	if res == nil {
 		// Notifications do not expect a response
@@ -412,9 +418,6 @@ func httpHandler(s *Server, w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusAccepted)
 		return
 	}
-	if err != nil {
-		s.logger.DebugContext(ctx, err.Error())
-	}

 	// for v20250326, add the `Mcp-Session-Id` header
 	if v == v20250326.PROTOCOL_VERSION {
@@ -434,13 +437,29 @@ func httpHandler(s *Server, w http.ResponseWriter, r *http.Request) {
 			s.logger.DebugContext(ctx, "unable to add to event queue")
 		}
 	}
+	if rpcResponse, ok := res.(jsonrpc.JSONRPCError); ok {
+		code := rpcResponse.Error.Code
+		switch code {
+		case jsonrpc.INTERNAL_ERROR:
+			w.WriteHeader(http.StatusInternalServerError)
+		case jsonrpc.INVALID_REQUEST:
+			errStr := err.Error()
+			if errors.Is(err, tools.ErrUnauthorized) {
+				w.WriteHeader(http.StatusUnauthorized)
+			} else if strings.Contains(errStr, "Error 401") {
+				w.WriteHeader(http.StatusUnauthorized)
+			} else if strings.Contains(errStr, "Error 403") {
+				w.WriteHeader(http.StatusForbidden)
+			}
+		}
+	}

 	// send HTTP response
 	render.JSON(w, r, res)
 }

 // processMcpMessage process the messages received from clients
-func processMcpMessage(ctx context.Context, body []byte, s *Server, protocolVersion string, toolsetName string, accessToken tools.AccessToken) (string, any, error) {
+func processMcpMessage(ctx context.Context, body []byte, s *Server, protocolVersion string, toolsetName string, header http.Header) (string, any, error) {
 	logger, err := util.LoggerFromContext(ctx)
 	if err != nil {
 		return "", jsonrpc.NewError("", jsonrpc.INTERNAL_ERROR, err.Error(), nil), err
@@ -495,7 +514,7 @@ func processMcpMessage(ctx context.Context, body []byte, s *Server, protocolVers
 			err = fmt.Errorf("toolset does not exist")
 			return "", jsonrpc.NewError(baseMessage.Id, jsonrpc.INVALID_REQUEST, err.Error(), nil), err
 		}
-		res, err := mcp.ProcessMethod(ctx, protocolVersion, baseMessage.Id, baseMessage.Method, toolset, s.ResourceMgr.GetToolsMap(), body, accessToken)
+		res, err := mcp.ProcessMethod(ctx, protocolVersion, baseMessage.Id, baseMessage.Method, toolset, s.ResourceMgr.GetToolsMap(), s.ResourceMgr.GetAuthServiceMap(), body, header)
 		return "", res, err
 	}
 }
--- a/internal/server/mcp/jsonrpc/jsonrpc_test.go
+++ b/internal/server/mcp/jsonrpc/jsonrpc_test.go
@@ -0,0 +1,39 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package jsonrpc
+
+import (
+	"reflect"
+	"testing"
+)
+
+func TestNewError(t *testing.T) {
+	var id interface{} = "foo"
+	code := 111
+	message := "foo bar"
+	want := JSONRPCError{
+		Jsonrpc: "2.0",
+		Id:      "foo",
+		Error: Error{
+			Code:    111,
+			Message: "foo bar",
+		},
+	}
+
+	got := NewError(id, code, message, nil)
+	if !reflect.DeepEqual(want, got) {
+		t.Fatalf("unexpected error: got %+v, want %+v", got, want)
+	}
+}
--- a/internal/server/mcp/mcp.go
+++ b/internal/server/mcp/mcp.go
@@ -18,8 +18,10 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"net/http"
 	"slices"

+	"github.com/googleapis/genai-toolbox/internal/auth"
 	"github.com/googleapis/genai-toolbox/internal/server/mcp/jsonrpc"
 	mcputil "github.com/googleapis/genai-toolbox/internal/server/mcp/util"
 	v20241105 "github.com/googleapis/genai-toolbox/internal/server/mcp/v20241105"
@@ -93,14 +95,14 @@ func NotificationHandler(ctx context.Context, body []byte) error {

 // ProcessMethod returns a response for the request.
 // This is the Operation phase of the lifecycle for MCP client-server connections.
-func ProcessMethod(ctx context.Context, mcpVersion string, id jsonrpc.RequestId, method string, toolset tools.Toolset, tools map[string]tools.Tool, body []byte, accessToken tools.AccessToken) (any, error) {
+func ProcessMethod(ctx context.Context, mcpVersion string, id jsonrpc.RequestId, method string, toolset tools.Toolset, tools map[string]tools.Tool, authServices map[string]auth.AuthService, body []byte, header http.Header) (any, error) {
 	switch mcpVersion {
 	case v20250618.PROTOCOL_VERSION:
-		return v20250618.ProcessMethod(ctx, id, method, toolset, tools, body, accessToken)
+		return v20250618.ProcessMethod(ctx, id, method, toolset, tools, authServices, body, header)
 	case v20250326.PROTOCOL_VERSION:
-		return v20250326.ProcessMethod(ctx, id, method, toolset, tools, body, accessToken)
+		return v20250326.ProcessMethod(ctx, id, method, toolset, tools, authServices, body, header)
 	default:
-		return v20241105.ProcessMethod(ctx, id, method, toolset, tools, body, accessToken)
+		return v20241105.ProcessMethod(ctx, id, method, toolset, tools, authServices, body, header)
 	}
 }

--- a/internal/server/mcp/util/lifecycle.go
+++ b/internal/server/mcp/util/lifecycle.go
@@ -14,7 +14,9 @@

 package util

-import "github.com/googleapis/genai-toolbox/internal/server/mcp/jsonrpc"
+import (
+	"github.com/googleapis/genai-toolbox/internal/server/mcp/jsonrpc"
+)

 const (
 	// SERVER_NAME is the server name used in Implementation.
--- a/internal/server/mcp/v20241105/method.go
+++ b/internal/server/mcp/v20241105/method.go
@@ -18,22 +18,26 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
+	"net/http"
+	"strings"

+	"github.com/googleapis/genai-toolbox/internal/auth"
 	"github.com/googleapis/genai-toolbox/internal/server/mcp/jsonrpc"
 	"github.com/googleapis/genai-toolbox/internal/tools"
 	"github.com/googleapis/genai-toolbox/internal/util"
 )

 // ProcessMethod returns a response for the request.
-func ProcessMethod(ctx context.Context, id jsonrpc.RequestId, method string, toolset tools.Toolset, tools map[string]tools.Tool, body []byte, accessToken tools.AccessToken) (any, error) {
+func ProcessMethod(ctx context.Context, id jsonrpc.RequestId, method string, toolset tools.Toolset, tools map[string]tools.Tool, authServices map[string]auth.AuthService, body []byte, header http.Header) (any, error) {
 	switch method {
 	case PING:
 		return pingHandler(id)
 	case TOOLS_LIST:
 		return toolsListHandler(id, toolset, body)
 	case TOOLS_CALL:
-		return toolsCallHandler(ctx, id, tools, body, accessToken)
+		return toolsCallHandler(ctx, id, tools, authServices, body, header)
 	default:
 		err := fmt.Errorf("invalid method %s", method)
 		return jsonrpc.NewError(id, jsonrpc.METHOD_NOT_FOUND, err.Error(), nil), err
@@ -67,7 +71,7 @@ func toolsListHandler(id jsonrpc.RequestId, toolset tools.Toolset, body []byte)
 }

 // toolsCallHandler generate a response for tools call.
-func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, tools map[string]tools.Tool, body []byte, accessToken tools.AccessToken) (any, error) {
+func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, toolsMap map[string]tools.Tool, authServices map[string]auth.AuthService, body []byte, header http.Header) (any, error) {
 	// retrieve logger from context
 	logger, err := util.LoggerFromContext(ctx)
 	if err != nil {
@@ -83,12 +87,22 @@ func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, tools map[strin
 	toolName := req.Params.Name
 	toolArgument := req.Params.Arguments
 	logger.DebugContext(ctx, fmt.Sprintf("tool name: %s", toolName))
-	tool, ok := tools[toolName]
+	tool, ok := toolsMap[toolName]
 	if !ok {
 		err = fmt.Errorf("invalid tool name: tool with name %q does not exist", toolName)
 		return jsonrpc.NewError(id, jsonrpc.INVALID_PARAMS, err.Error(), nil), err
 	}

+	// Get access token
+	accessToken := tools.AccessToken(header.Get("Authorization"))
+
+	// Check if this specific tool requires the standard authorization header
+	if tool.RequiresClientAuthorization() {
+		if accessToken == "" {
+			return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, "missing access token in the 'Authorization' header", nil), tools.ErrUnauthorized
+		}
+	}
+
 	// marshal arguments and decode it using decodeJSON instead to prevent loss between floats/int.
 	aMarshal, err := json.Marshal(toolArgument)
 	if err != nil {
@@ -102,10 +116,42 @@ func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, tools map[strin
 		return jsonrpc.NewError(id, jsonrpc.INTERNAL_ERROR, err.Error(), nil), err
 	}

+	// Tool authentication
 	// claimsFromAuth maps the name of the authservice to the claims retrieved from it.
-	// Since MCP doesn't support auth, an empty map will be use every time.
 	claimsFromAuth := make(map[string]map[string]any)

+	// if using stdio, header will be nil and auth will not be supported
+	if header != nil {
+		for _, aS := range authServices {
+			claims, err := aS.GetClaimsFromHeader(ctx, header)
+			if err != nil {
+				logger.DebugContext(ctx, err.Error())
+				continue
+			}
+			if claims == nil {
+				// authService not present in header
+				continue
+			}
+			claimsFromAuth[aS.GetName()] = claims
+		}
+	}
+
+	// Tool authorization check
+	verifiedAuthServices := make([]string, len(claimsFromAuth))
+	i := 0
+	for k := range claimsFromAuth {
+		verifiedAuthServices[i] = k
+		i++
+	}
+
+	// Check if any of the specified auth services is verified
+	isAuthorized := tool.Authorized(verifiedAuthServices)
+	if !isAuthorized {
+		err = fmt.Errorf("unauthorized Tool call: Please make sure your specify correct auth headers: %w", tools.ErrUnauthorized)
+		return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, err.Error(), nil), err
+	}
+	logger.DebugContext(ctx, "tool invocation authorized")
+
 	params, err := tool.ParseParams(data, claimsFromAuth)
 	if err != nil {
 		err = fmt.Errorf("provided parameters were invalid: %w", err)
@@ -113,14 +159,24 @@ func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, tools map[strin
 	}
 	logger.DebugContext(ctx, fmt.Sprintf("invocation params: %s", params))

-	if !tool.Authorized([]string{}) {
-		err = fmt.Errorf("unauthorized Tool call: `authRequired` is set for the target Tool")
-		return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, err.Error(), nil), err
-	}
-
 	// run tool invocation and generate response.
 	results, err := tool.Invoke(ctx, params, accessToken)
 	if err != nil {
+		errStr := err.Error()
+		// Missing authService tokens.
+		if errors.Is(err, tools.ErrUnauthorized) {
+			return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, err.Error(), nil), err
+		}
+		// Upstream auth error
+		if strings.Contains(errStr, "Error 401") || strings.Contains(errStr, "Error 403") {
+			if tool.RequiresClientAuthorization() {
+				// Error with client credentials should pass down to the client
+				return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, err.Error(), nil), err
+			}
+			// Auth error with ADC should raise internal 500 error
+			return jsonrpc.NewError(id, jsonrpc.INTERNAL_ERROR, err.Error(), nil), err
+		}
+
 		text := TextContent{
 			Type: "text",
 			Text: err.Error(),
--- a/internal/server/mcp/v20250326/method.go
+++ b/internal/server/mcp/v20250326/method.go
@@ -18,22 +18,26 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
+	"net/http"
+	"strings"

+	"github.com/googleapis/genai-toolbox/internal/auth"
 	"github.com/googleapis/genai-toolbox/internal/server/mcp/jsonrpc"
 	"github.com/googleapis/genai-toolbox/internal/tools"
 	"github.com/googleapis/genai-toolbox/internal/util"
 )

 // ProcessMethod returns a response for the request.
-func ProcessMethod(ctx context.Context, id jsonrpc.RequestId, method string, toolset tools.Toolset, tools map[string]tools.Tool, body []byte, accessToken tools.AccessToken) (any, error) {
+func ProcessMethod(ctx context.Context, id jsonrpc.RequestId, method string, toolset tools.Toolset, tools map[string]tools.Tool, authServices map[string]auth.AuthService, body []byte, header http.Header) (any, error) {
 	switch method {
 	case PING:
 		return pingHandler(id)
 	case TOOLS_LIST:
 		return toolsListHandler(id, toolset, body)
 	case TOOLS_CALL:
-		return toolsCallHandler(ctx, id, tools, body, accessToken)
+		return toolsCallHandler(ctx, id, tools, authServices, body, header)
 	default:
 		err := fmt.Errorf("invalid method %s", method)
 		return jsonrpc.NewError(id, jsonrpc.METHOD_NOT_FOUND, err.Error(), nil), err
@@ -67,7 +71,7 @@ func toolsListHandler(id jsonrpc.RequestId, toolset tools.Toolset, body []byte)
 }

 // toolsCallHandler generate a response for tools call.
-func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, tools map[string]tools.Tool, body []byte, accessToken tools.AccessToken) (any, error) {
+func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, toolsMap map[string]tools.Tool, authServices map[string]auth.AuthService, body []byte, header http.Header) (any, error) {
 	// retrieve logger from context
 	logger, err := util.LoggerFromContext(ctx)
 	if err != nil {
@@ -83,12 +87,22 @@ func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, tools map[strin
 	toolName := req.Params.Name
 	toolArgument := req.Params.Arguments
 	logger.DebugContext(ctx, fmt.Sprintf("tool name: %s", toolName))
-	tool, ok := tools[toolName]
+	tool, ok := toolsMap[toolName]
 	if !ok {
 		err = fmt.Errorf("invalid tool name: tool with name %q does not exist", toolName)
 		return jsonrpc.NewError(id, jsonrpc.INVALID_PARAMS, err.Error(), nil), err
 	}

+	// Get access token
+	accessToken := tools.AccessToken(header.Get("Authorization"))
+
+	// Check if this specific tool requires the standard authorization header
+	if tool.RequiresClientAuthorization() {
+		if accessToken == "" {
+			return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, "missing access token in the 'Authorization' header", nil), tools.ErrUnauthorized
+		}
+	}
+
 	// marshal arguments and decode it using decodeJSON instead to prevent loss between floats/int.
 	aMarshal, err := json.Marshal(toolArgument)
 	if err != nil {
@@ -102,10 +116,42 @@ func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, tools map[strin
 		return jsonrpc.NewError(id, jsonrpc.INTERNAL_ERROR, err.Error(), nil), err
 	}

+	// Tool authentication
 	// claimsFromAuth maps the name of the authservice to the claims retrieved from it.
-	// Since MCP doesn't support auth, an empty map will be use every time.
 	claimsFromAuth := make(map[string]map[string]any)

+	// if using stdio, header will be nil and auth will not be supported
+	if header != nil {
+		for _, aS := range authServices {
+			claims, err := aS.GetClaimsFromHeader(ctx, header)
+			if err != nil {
+				logger.DebugContext(ctx, err.Error())
+				continue
+			}
+			if claims == nil {
+				// authService not present in header
+				continue
+			}
+			claimsFromAuth[aS.GetName()] = claims
+		}
+	}
+
+	// Tool authorization check
+	verifiedAuthServices := make([]string, len(claimsFromAuth))
+	i := 0
+	for k := range claimsFromAuth {
+		verifiedAuthServices[i] = k
+		i++
+	}
+
+	// Check if any of the specified auth services is verified
+	isAuthorized := tool.Authorized(verifiedAuthServices)
+	if !isAuthorized {
+		err = fmt.Errorf("unauthorized Tool call: Please make sure your specify correct auth headers: %w", tools.ErrUnauthorized)
+		return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, err.Error(), nil), err
+	}
+	logger.DebugContext(ctx, "tool invocation authorized")
+
 	params, err := tool.ParseParams(data, claimsFromAuth)
 	if err != nil {
 		err = fmt.Errorf("provided parameters were invalid: %w", err)
@@ -113,14 +159,23 @@ func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, tools map[strin
 	}
 	logger.DebugContext(ctx, fmt.Sprintf("invocation params: %s", params))

-	if !tool.Authorized([]string{}) {
-		err = fmt.Errorf("unauthorized Tool call: `authRequired` is set for the target Tool")
-		return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, err.Error(), nil), err
-	}
-
 	// run tool invocation and generate response.
 	results, err := tool.Invoke(ctx, params, accessToken)
 	if err != nil {
+		errStr := err.Error()
+		// Missing authService tokens.
+		if errors.Is(err, tools.ErrUnauthorized) {
+			return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, err.Error(), nil), err
+		}
+		// Upstream auth error
+		if strings.Contains(errStr, "Error 401") || strings.Contains(errStr, "Error 403") {
+			if tool.RequiresClientAuthorization() {
+				// Error with client credentials should pass down to the client
+				return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, err.Error(), nil), err
+			}
+			// Auth error with ADC should raise internal 500 error
+			return jsonrpc.NewError(id, jsonrpc.INTERNAL_ERROR, err.Error(), nil), err
+		}
 		text := TextContent{
 			Type: "text",
 			Text: err.Error(),
--- a/internal/server/mcp/v20250618/method.go
+++ b/internal/server/mcp/v20250618/method.go
@@ -18,22 +18,26 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
+	"net/http"
+	"strings"

+	"github.com/googleapis/genai-toolbox/internal/auth"
 	"github.com/googleapis/genai-toolbox/internal/server/mcp/jsonrpc"
 	"github.com/googleapis/genai-toolbox/internal/tools"
 	"github.com/googleapis/genai-toolbox/internal/util"
 )

 // ProcessMethod returns a response for the request.
-func ProcessMethod(ctx context.Context, id jsonrpc.RequestId, method string, toolset tools.Toolset, tools map[string]tools.Tool, body []byte, accessToken tools.AccessToken) (any, error) {
+func ProcessMethod(ctx context.Context, id jsonrpc.RequestId, method string, toolset tools.Toolset, tools map[string]tools.Tool, authServices map[string]auth.AuthService, body []byte, header http.Header) (any, error) {
 	switch method {
 	case PING:
 		return pingHandler(id)
 	case TOOLS_LIST:
 		return toolsListHandler(id, toolset, body)
 	case TOOLS_CALL:
-		return toolsCallHandler(ctx, id, tools, body, accessToken)
+		return toolsCallHandler(ctx, id, tools, authServices, body, header)
 	default:
 		err := fmt.Errorf("invalid method %s", method)
 		return jsonrpc.NewError(id, jsonrpc.METHOD_NOT_FOUND, err.Error(), nil), err
@@ -67,7 +71,7 @@ func toolsListHandler(id jsonrpc.RequestId, toolset tools.Toolset, body []byte)
 }

 // toolsCallHandler generate a response for tools call.
-func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, tools map[string]tools.Tool, body []byte, accessToken tools.AccessToken) (any, error) {
+func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, toolsMap map[string]tools.Tool, authServices map[string]auth.AuthService, body []byte, header http.Header) (any, error) {
 	// retrieve logger from context
 	logger, err := util.LoggerFromContext(ctx)
 	if err != nil {
@@ -83,12 +87,22 @@ func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, tools map[strin
 	toolName := req.Params.Name
 	toolArgument := req.Params.Arguments
 	logger.DebugContext(ctx, fmt.Sprintf("tool name: %s", toolName))
-	tool, ok := tools[toolName]
+	tool, ok := toolsMap[toolName]
 	if !ok {
 		err = fmt.Errorf("invalid tool name: tool with name %q does not exist", toolName)
 		return jsonrpc.NewError(id, jsonrpc.INVALID_PARAMS, err.Error(), nil), err
 	}

+	// Get access token
+	accessToken := tools.AccessToken(header.Get("Authorization"))
+
+	// Check if this specific tool requires the standard authorization header
+	if tool.RequiresClientAuthorization() {
+		if accessToken == "" {
+			return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, "missing access token in the 'Authorization' header", nil), tools.ErrUnauthorized
+		}
+	}
+
 	// marshal arguments and decode it using decodeJSON instead to prevent loss between floats/int.
 	aMarshal, err := json.Marshal(toolArgument)
 	if err != nil {
@@ -102,10 +116,42 @@ func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, tools map[strin
 		return jsonrpc.NewError(id, jsonrpc.INTERNAL_ERROR, err.Error(), nil), err
 	}

+	// Tool authentication
 	// claimsFromAuth maps the name of the authservice to the claims retrieved from it.
-	// Since MCP doesn't support auth, an empty map will be use every time.
 	claimsFromAuth := make(map[string]map[string]any)

+	// if using stdio, header will be nil and auth will not be supported
+	if header != nil {
+		for _, aS := range authServices {
+			claims, err := aS.GetClaimsFromHeader(ctx, header)
+			if err != nil {
+				logger.DebugContext(ctx, err.Error())
+				continue
+			}
+			if claims == nil {
+				// authService not present in header
+				continue
+			}
+			claimsFromAuth[aS.GetName()] = claims
+		}
+	}
+
+	// Tool authorization check
+	verifiedAuthServices := make([]string, len(claimsFromAuth))
+	i := 0
+	for k := range claimsFromAuth {
+		verifiedAuthServices[i] = k
+		i++
+	}
+
+	// Check if any of the specified auth services is verified
+	isAuthorized := tool.Authorized(verifiedAuthServices)
+	if !isAuthorized {
+		err = fmt.Errorf("unauthorized Tool call: Please make sure your specify correct auth headers: %w", tools.ErrUnauthorized)
+		return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, err.Error(), nil), err
+	}
+	logger.DebugContext(ctx, "tool invocation authorized")
+
 	params, err := tool.ParseParams(data, claimsFromAuth)
 	if err != nil {
 		err = fmt.Errorf("provided parameters were invalid: %w", err)
@@ -113,14 +159,23 @@ func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, tools map[strin
 	}
 	logger.DebugContext(ctx, fmt.Sprintf("invocation params: %s", params))

-	if !tool.Authorized([]string{}) {
-		err = fmt.Errorf("unauthorized Tool call: `authRequired` is set for the target Tool")
-		return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, err.Error(), nil), err
-	}
-
 	// run tool invocation and generate response.
 	results, err := tool.Invoke(ctx, params, accessToken)
 	if err != nil {
+		errStr := err.Error()
+		// Missing authService tokens.
+		if errors.Is(err, tools.ErrUnauthorized) {
+			return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, err.Error(), nil), err
+		}
+		// Upstream auth error
+		if strings.Contains(errStr, "Error 401") || strings.Contains(errStr, "Error 403") {
+			if tool.RequiresClientAuthorization() {
+				// Error with client credentials should pass down to the client
+				return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, err.Error(), nil), err
+			}
+			// Auth error with ADC should raise internal 500 error
+			return jsonrpc.NewError(id, jsonrpc.INTERNAL_ERROR, err.Error(), nil), err
+		}
 		text := TextContent{
 			Type: "text",
 			Text: err.Error(),
--- a/internal/server/mcp_test.go
+++ b/internal/server/mcp_test.go
@@ -39,7 +39,7 @@ const protocolVersion20250326 = "2025-03-26"
 const protocolVersion20250618 = "2025-06-18"
 const serverName = "Toolbox"

-var tool1InputSchema = map[string]any{
+var basicInputSchema = map[string]any{
 	"type":       "object",
 	"properties": map[string]any{},
 	"required":   []any{},
@@ -67,7 +67,7 @@ var tool3InputSchema = map[string]any{
 }

 func TestMcpEndpointWithoutInitialized(t *testing.T) {
-	mockTools := []MockTool{tool1, tool2, tool3}
+	mockTools := []MockTool{tool1, tool2, tool3, tool4, tool5}
 	toolsMap, toolsets := setUpResources(t, mockTools)
 	r, shutdown := setUpServer(t, "mcp", toolsMap, toolsets)
 	defer shutdown()
@@ -116,7 +116,7 @@ func TestMcpEndpointWithoutInitialized(t *testing.T) {
 					"tools": []any{
 						map[string]any{
 							"name":        "no_params",
-							"inputSchema": tool1InputSchema,
+							"inputSchema": basicInputSchema,
 						},
 						map[string]any{
 							"name":        "some_params",
@@ -127,6 +127,14 @@ func TestMcpEndpointWithoutInitialized(t *testing.T) {
 							"description": "some description",
 							"inputSchema": tool3InputSchema,
 						},
+						map[string]any{
+							"name":        "unauthorized_tool",
+							"inputSchema": basicInputSchema,
+						},
+						map[string]any{
+							"name":        "require_client_auth_tool",
+							"inputSchema": basicInputSchema,
+						},
 					},
 				},
 			},
@@ -169,6 +177,76 @@ func TestMcpEndpointWithoutInitialized(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "call tool1 unauthorized tool",
+			url:  "/",
+			body: jsonrpc.JSONRPCRequest{
+				Jsonrpc: jsonrpcVersion,
+				Id:      "tools-call-tool1",
+				Request: jsonrpc.Request{
+					Method: "tools/call",
+				},
+				Params: map[string]any{
+					"name": "no_params",
+				},
+			},
+			want: map[string]any{
+				"jsonrpc": "2.0",
+				"id":      "tools-call-tool1",
+				"result": map[string]any{
+					"content": []any{
+						map[string]any{
+							"type": "text",
+							"text": `"no_params"`,
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "call tool4 unauthorized tool",
+			url:  "/",
+			body: jsonrpc.JSONRPCRequest{
+				Jsonrpc: jsonrpcVersion,
+				Id:      "tools-call-tool4",
+				Request: jsonrpc.Request{
+					Method: "tools/call",
+				},
+				Params: map[string]any{
+					"name": "unauthorized_tool",
+				},
+			},
+			want: map[string]any{
+				"jsonrpc": "2.0",
+				"id":      "tools-call-tool4",
+				"error": map[string]any{
+					"code":    -32600.0,
+					"message": "unauthorized Tool call: Please make sure your specify correct auth headers: unauthorized",
+				},
+			},
+		},
+		{
+			name: "call tool5 unauthorized tool",
+			url:  "/",
+			body: jsonrpc.JSONRPCRequest{
+				Jsonrpc: jsonrpcVersion,
+				Id:      "tools-call-tool5",
+				Request: jsonrpc.Request{
+					Method: "tools/call",
+				},
+				Params: map[string]any{
+					"name": "require_client_auth_tool",
+				},
+			},
+			want: map[string]any{
+				"jsonrpc": "2.0",
+				"id":      "tools-call-tool5",
+				"error": map[string]any{
+					"code":    -32600.0,
+					"message": "missing access token in the 'Authorization' header",
+				},
+			},
+		},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
@@ -258,7 +336,7 @@ func runInitializeLifecycle(t *testing.T, ts *httptest.Server, protocolVersion s
 }

 func TestMcpEndpoint(t *testing.T) {
-	mockTools := []MockTool{tool1, tool2, tool3}
+	mockTools := []MockTool{tool1, tool2, tool3, tool4, tool5}
 	toolsMap, toolsets := setUpResources(t, mockTools)
 	r, shutdown := setUpServer(t, "mcp", toolsMap, toolsets)
 	defer shutdown()
@@ -334,11 +412,12 @@ func TestMcpEndpoint(t *testing.T) {
 			}

 			testCases := []struct {
-				name  string
-				url   string
-				isErr bool
-				body  any
-				want  map[string]any
+				name           string
+				url            string
+				isErr          bool
+				body           any
+				wantStatusCode int
+				want           map[string]any
 			}{
 				{
 					name: "basic notification",
@@ -349,6 +428,7 @@ func TestMcpEndpoint(t *testing.T) {
 							Method: "notification",
 						},
 					},
+					wantStatusCode: http.StatusAccepted,
 				},
 				{
 					name: "ping",
@@ -360,6 +440,7 @@ func TestMcpEndpoint(t *testing.T) {
 							Method: "ping",
 						},
 					},
+					wantStatusCode: http.StatusOK,
 					want: map[string]any{
 						"jsonrpc": "2.0",
 						"id":      "ping-test-123",
@@ -376,6 +457,7 @@ func TestMcpEndpoint(t *testing.T) {
 							Method: "tools/list",
 						},
 					},
+					wantStatusCode: http.StatusOK,
 					want: map[string]any{
 						"jsonrpc": "2.0",
 						"id":      "tools-list",
@@ -383,7 +465,7 @@ func TestMcpEndpoint(t *testing.T) {
 							"tools": []any{
 								map[string]any{
 									"name":        "no_params",
-									"inputSchema": tool1InputSchema,
+									"inputSchema": basicInputSchema,
 								},
 								map[string]any{
 									"name":        "some_params",
@@ -394,6 +476,14 @@ func TestMcpEndpoint(t *testing.T) {
 									"description": "some description",
 									"inputSchema": tool3InputSchema,
 								},
+								map[string]any{
+									"name":        "unauthorized_tool",
+									"inputSchema": basicInputSchema,
+								},
+								map[string]any{
+									"name":        "require_client_auth_tool",
+									"inputSchema": basicInputSchema,
+								},
 							},
 						},
 					},
@@ -408,6 +498,7 @@ func TestMcpEndpoint(t *testing.T) {
 							Method: "tools/list",
 						},
 					},
+					wantStatusCode: http.StatusOK,
 					want: map[string]any{
 						"jsonrpc": "2.0",
 						"id":      "tools-list-tool1",
@@ -415,7 +506,7 @@ func TestMcpEndpoint(t *testing.T) {
 							"tools": []any{
 								map[string]any{
 									"name":        "no_params",
-									"inputSchema": tool1InputSchema,
+									"inputSchema": basicInputSchema,
 								},
 							},
 						},
@@ -432,6 +523,7 @@ func TestMcpEndpoint(t *testing.T) {
 							Method: "tools/list",
 						},
 					},
+					wantStatusCode: http.StatusOK,
 					want: map[string]any{
 						"jsonrpc": "2.0",
 						"id":      "tools-list-invalid-toolset",
@@ -450,6 +542,7 @@ func TestMcpEndpoint(t *testing.T) {
 						Id:      "missing-method",
 						Request: jsonrpc.Request{},
 					},
+					wantStatusCode: http.StatusOK,
 					want: map[string]any{
 						"jsonrpc": "2.0",
 						"id":      "missing-method",
@@ -470,6 +563,7 @@ func TestMcpEndpoint(t *testing.T) {
 							Method: "foo",
 						},
 					},
+					wantStatusCode: http.StatusOK,
 					want: map[string]any{
 						"jsonrpc": "2.0",
 						"id":      "invalid-method",
@@ -490,6 +584,7 @@ func TestMcpEndpoint(t *testing.T) {
 							Method: "foo",
 						},
 					},
+					wantStatusCode: http.StatusOK,
 					want: map[string]any{
 						"jsonrpc": "2.0",
 						"id":      "invalid-jsonrpc-version",
@@ -519,6 +614,7 @@ func TestMcpEndpoint(t *testing.T) {
 							},
 						},
 					},
+					wantStatusCode: http.StatusOK,
 					want: map[string]any{
 						"jsonrpc": "2.0",
 						"error": map[string]any{
@@ -527,6 +623,79 @@ func TestMcpEndpoint(t *testing.T) {
 						},
 					},
 				},
+				{
+					name: "call tool1 unauthorized tool",
+					url:  "/",
+					body: jsonrpc.JSONRPCRequest{
+						Jsonrpc: jsonrpcVersion,
+						Id:      "tools-call-tool1",
+						Request: jsonrpc.Request{
+							Method: "tools/call",
+						},
+						Params: map[string]any{
+							"name": "no_params",
+						},
+					},
+					wantStatusCode: http.StatusOK,
+					want: map[string]any{
+						"jsonrpc": "2.0",
+						"id":      "tools-call-tool1",
+						"result": map[string]any{
+							"content": []any{
+								map[string]any{
+									"type": "text",
+									"text": `"no_params"`,
+								},
+							},
+						},
+					},
+				},
+				{
+					name: "call tool4 unauthorized tool",
+					url:  "/",
+					body: jsonrpc.JSONRPCRequest{
+						Jsonrpc: jsonrpcVersion,
+						Id:      "tools-call-tool4",
+						Request: jsonrpc.Request{
+							Method: "tools/call",
+						},
+						Params: map[string]any{
+							"name": "unauthorized_tool",
+						},
+					},
+					wantStatusCode: http.StatusUnauthorized,
+					want: map[string]any{
+						"jsonrpc": "2.0",
+						"id":      "tools-call-tool4",
+						"error": map[string]any{
+							"code":    -32600.0,
+							"message": "unauthorized Tool call: Please make sure your specify correct auth headers: unauthorized",
+						},
+					},
+				},
+				{
+					name: "call tool5 unauthorized tool",
+					url:  "/",
+					body: jsonrpc.JSONRPCRequest{
+						Jsonrpc: jsonrpcVersion,
+						Id:      "tools-call-tool5",
+						Request: jsonrpc.Request{
+							Method: "tools/call",
+						},
+						Params: map[string]any{
+							"name": "require_client_auth_tool",
+						},
+					},
+					wantStatusCode: http.StatusUnauthorized,
+					want: map[string]any{
+						"jsonrpc": "2.0",
+						"id":      "tools-call-tool5",
+						"error": map[string]any{
+							"code":    -32600.0,
+							"message": "missing access token in the 'Authorization' header",
+						},
+					},
+				},
 			}
 			for _, tc := range testCases {
 				t.Run(tc.name, func(t *testing.T) {
@@ -540,10 +709,15 @@ func TestMcpEndpoint(t *testing.T) {
 					}

 					resp, body, err := runRequest(ts, http.MethodPost, tc.url, bytes.NewBuffer(reqMarshal), header)
+
 					if err != nil {
 						t.Fatalf("unexpected error during request: %s", err)
 					}

+					if resp.StatusCode != tc.wantStatusCode {
+						t.Errorf("StatusCode mismatch: got %d, want %d", resp.StatusCode, tc.wantStatusCode)
+					}
+
 					// Notifications don't expect a response.
 					if tc.want != nil {
 						if contentType := resp.Header.Get("Content-type"); contentType != "application/json" {
--- a/internal/sources/bigquery/bigquery.go
+++ b/internal/sources/bigquery/bigquery.go
@@ -21,8 +21,10 @@ import (
 	bigqueryapi "cloud.google.com/go/bigquery"
 	"github.com/goccy/go-yaml"
 	"github.com/googleapis/genai-toolbox/internal/sources"
+	"github.com/googleapis/genai-toolbox/internal/tools"
 	"github.com/googleapis/genai-toolbox/internal/util"
 	"go.opentelemetry.io/otel/trace"
+	"golang.org/x/oauth2"
 	"golang.org/x/oauth2/google"
 	bigqueryrestapi "google.golang.org/api/bigquery/v2"
 	"google.golang.org/api/option"
@@ -33,6 +35,8 @@ const SourceKind string = "bigquery"
 // validate interface
 var _ sources.SourceConfig = Config{}

+type BigqueryClientCreator func(tokenString tools.AccessToken, wantRestService bool) (*bigqueryapi.Client, *bigqueryrestapi.Service, error)
+
 func init() {
 	if !sources.Register(SourceKind, newConfig) {
 		panic(fmt.Sprintf("source kind %q already registered", SourceKind))
@@ -49,10 +53,11 @@ func newConfig(ctx context.Context, name string, decoder *yaml.Decoder) (sources

 type Config struct {
 	// BigQuery configs
-	Name     string `yaml:"name" validate:"required"`
-	Kind     string `yaml:"kind" validate:"required"`
-	Project  string `yaml:"project" validate:"required"`
-	Location string `yaml:"location"`
+	Name           string `yaml:"name" validate:"required"`
+	Kind           string `yaml:"kind" validate:"required"`
+	Project        string `yaml:"project" validate:"required"`
+	Location       string `yaml:"location"`
+	UseClientOAuth bool   `yaml:"useClientOAuth"`
 }

 func (r Config) SourceConfigKind() string {
@@ -61,18 +66,36 @@ func (r Config) SourceConfigKind() string {
 }

 func (r Config) Initialize(ctx context.Context, tracer trace.Tracer) (sources.Source, error) {
-	// Initializes a BigQuery Google SQL source
-	client, restService, err := initBigQueryConnection(ctx, tracer, r.Name, r.Project, r.Location)
-	if err != nil {
-		return nil, err
+	var client *bigqueryapi.Client
+	var restService *bigqueryrestapi.Service
+	var tokenSource oauth2.TokenSource
+	var clientCreator BigqueryClientCreator
+	var err error
+
+	if r.UseClientOAuth {
+		clientCreator, err = newBigQueryClientCreator(ctx, tracer, r.Project, r.Location, r.Name)
+		if err != nil {
+			return nil, fmt.Errorf("error constructing client creator: %w", err)
+		}
+	} else {
+		// Initializes a BigQuery Google SQL source
+		client, restService, tokenSource, err = initBigQueryConnection(ctx, tracer, r.Name, r.Project, r.Location)
+		if err != nil {
+			return nil, fmt.Errorf("error creating client from ADC: %w", err)
+		}
 	}

 	s := &Source{
-		Name:        r.Name,
-		Kind:        SourceKind,
-		Client:      client,
-		RestService: restService,
-		Location:    r.Location,
+		Name:               r.Name,
+		Kind:               SourceKind,
+		Project:            r.Project,
+		Location:           r.Location,
+		Client:             client,
+		RestService:        restService,
+		TokenSource:        tokenSource,
+		MaxQueryResultRows: 50,
+		ClientCreator:      clientCreator,
+		UseClientOAuth:     r.UseClientOAuth,
 	}
 	return s, nil

@@ -82,11 +105,16 @@ var _ sources.Source = &Source{}

 type Source struct {
 	// BigQuery Google SQL struct with client
-	Name        string `yaml:"name"`
-	Kind        string `yaml:"kind"`
-	Client      *bigqueryapi.Client
-	RestService *bigqueryrestapi.Service
-	Location    string `yaml:"location"`
+	Name               string `yaml:"name"`
+	Kind               string `yaml:"kind"`
+	Project            string
+	Location           string
+	Client             *bigqueryapi.Client
+	RestService        *bigqueryrestapi.Service
+	TokenSource        oauth2.TokenSource
+	MaxQueryResultRows int
+	ClientCreator      BigqueryClientCreator
+	UseClientOAuth     bool
 }

 func (s *Source) SourceKind() string {
@@ -102,38 +130,121 @@ func (s *Source) BigQueryRestService() *bigqueryrestapi.Service {
 	return s.RestService
 }

+func (s *Source) UseClientAuthorization() bool {
+	return s.UseClientOAuth
+}
+
+func (s *Source) BigQueryProject() string {
+	return s.Project
+}
+
+func (s *Source) BigQueryLocation() string {
+	return s.Location
+}
+
+func (s *Source) BigQueryTokenSource() oauth2.TokenSource {
+	return s.TokenSource
+}
+
+func (s *Source) GetMaxQueryResultRows() int {
+	return s.MaxQueryResultRows
+}
+
+func (s *Source) BigQueryClientCreator() BigqueryClientCreator {
+	return s.ClientCreator
+}
+
 func initBigQueryConnection(
 	ctx context.Context,
 	tracer trace.Tracer,
 	name string,
 	project string,
 	location string,
-) (*bigqueryapi.Client, *bigqueryrestapi.Service, error) {
+) (*bigqueryapi.Client, *bigqueryrestapi.Service, oauth2.TokenSource, error) {
 	ctx, span := sources.InitConnectionSpan(ctx, tracer, SourceKind, name)
 	defer span.End()

 	cred, err := google.FindDefaultCredentials(ctx, bigqueryapi.Scope)
 	if err != nil {
-		return nil, nil, fmt.Errorf("failed to find default Google Cloud credentials with scope %q: %w", bigqueryapi.Scope, err)
+		return nil, nil, nil, fmt.Errorf("failed to find default Google Cloud credentials with scope %q: %w", bigqueryapi.Scope, err)
 	}

 	userAgent, err := util.UserAgentFromContext(ctx)
 	if err != nil {
-		return nil, nil, err
+		return nil, nil, nil, err
 	}

 	// Initialize the high-level BigQuery client
 	client, err := bigqueryapi.NewClient(ctx, project, option.WithUserAgent(userAgent), option.WithCredentials(cred))
 	if err != nil {
-		return nil, nil, fmt.Errorf("failed to create BigQuery client for project %q: %w", project, err)
+		return nil, nil, nil, fmt.Errorf("failed to create BigQuery client for project %q: %w", project, err)
 	}
 	client.Location = location

 	// Initialize the low-level BigQuery REST service using the same credentials
 	restService, err := bigqueryrestapi.NewService(ctx, option.WithUserAgent(userAgent), option.WithCredentials(cred))
 	if err != nil {
-		return nil, nil, fmt.Errorf("failed to create BigQuery v2 service: %w", err)
+		return nil, nil, nil, fmt.Errorf("failed to create BigQuery v2 service: %w", err)
 	}

-	return client, restService, nil
+	return client, restService, cred.TokenSource, nil
+}
+
+// initBigQueryConnectionWithOAuthToken initialize a BigQuery client with an
+// OAuth access token.
+func initBigQueryConnectionWithOAuthToken(
+	ctx context.Context,
+	tracer trace.Tracer,
+	project string,
+	location string,
+	name string,
+	userAgent string,
+	tokenString tools.AccessToken,
+	wantRestService bool,
+) (*bigqueryapi.Client, *bigqueryrestapi.Service, error) {
+	ctx, span := sources.InitConnectionSpan(ctx, tracer, SourceKind, name)
+	defer span.End()
+	// Construct token source
+	token := &oauth2.Token{
+		AccessToken: string(tokenString),
+	}
+	ts := oauth2.StaticTokenSource(token)
+
+	// Initialize the BigQuery client with tokenSource
+	client, err := bigqueryapi.NewClient(ctx, project, option.WithUserAgent(userAgent), option.WithTokenSource(ts))
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to create BigQuery client for project %q: %w", project, err)
+	}
+	client.Location = location
+
+	if wantRestService {
+		// Initialize the low-level BigQuery REST service using the same credentials
+		restService, err := bigqueryrestapi.NewService(ctx, option.WithUserAgent(userAgent), option.WithTokenSource(ts))
+		if err != nil {
+			return nil, nil, fmt.Errorf("failed to create BigQuery v2 service: %w", err)
+		}
+		return client, restService, nil
+	}
+
+	return client, nil, nil
+}
+
+// newBigQueryClientCreator sets the project parameters for the init helper
+// function. The returned function takes in an OAuth access token and uses it to
+// create a BQ client.
+func newBigQueryClientCreator(
+	ctx context.Context,
+	tracer trace.Tracer,
+	project string,
+	location string,
+	name string,
+) (func(tools.AccessToken, bool) (*bigqueryapi.Client, *bigqueryrestapi.Service, error), error) {
+	userAgent, err := util.UserAgentFromContext(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	return func(tokenString tools.AccessToken, wantRestService bool) (*bigqueryapi.Client, *bigqueryrestapi.Service, error) {
+		return initBigQueryConnectionWithOAuthToken(ctx, tracer, project, location, name, userAgent, tokenString, wantRestService)
+	}, nil
 }
--- a/internal/sources/bigquery/bigquery_test.go
+++ b/internal/sources/bigquery/bigquery_test.go
@@ -41,10 +41,31 @@ func TestParseFromYamlBigQuery(t *testing.T) {
 			`,
 			want: server.SourceConfigs{
 				"my-instance": bigquery.Config{
-					Name:     "my-instance",
-					Kind:     bigquery.SourceKind,
-					Project:  "my-project",
-					Location: "us",
+					Name:           "my-instance",
+					Kind:           bigquery.SourceKind,
+					Project:        "my-project",
+					Location:       "us",
+					UseClientOAuth: false,
+				},
+			},
+		},
+		{
+			desc: "use client auth example",
+			in: `
+			sources:
+				my-instance:
+					kind: bigquery
+					project: my-project
+					location: us
+					useClientOAuth: true
+			`,
+			want: server.SourceConfigs{
+				"my-instance": bigquery.Config{
+					Name:           "my-instance",
+					Kind:           bigquery.SourceKind,
+					Project:        "my-project",
+					Location:       "us",
+					UseClientOAuth: true,
 				},
 			},
 		},
--- a/internal/sources/clickhouse/clickhouse.go
+++ b/internal/sources/clickhouse/clickhouse.go
@@ -0,0 +1,145 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package clickhouse
+
+import (
+	"context"
+	"database/sql"
+	"fmt"
+	"net/url"
+	"time"
+
+	_ "github.com/ClickHouse/clickhouse-go/v2"
+	"github.com/goccy/go-yaml"
+	"github.com/googleapis/genai-toolbox/internal/sources"
+	"go.opentelemetry.io/otel/trace"
+)
+
+const SourceKind string = "clickhouse"
+
+// validate interface
+var _ sources.SourceConfig = Config{}
+
+func init() {
+	if !sources.Register(SourceKind, newConfig) {
+		panic(fmt.Sprintf("source kind %q already registered", SourceKind))
+	}
+}
+
+func newConfig(ctx context.Context, name string, decoder *yaml.Decoder) (sources.SourceConfig, error) {
+	actual := Config{Name: name}
+	if err := decoder.DecodeContext(ctx, &actual); err != nil {
+		return nil, err
+	}
+	return actual, nil
+}
+
+type Config struct {
+	Name     string `yaml:"name" validate:"required"`
+	Kind     string `yaml:"kind" validate:"required"`
+	Host     string `yaml:"host" validate:"required"`
+	Port     string `yaml:"port" validate:"required"`
+	Database string `yaml:"database" validate:"required"`
+	User     string `yaml:"user" validate:"required"`
+	Password string `yaml:"password"`
+	Protocol string `yaml:"protocol"`
+	Secure   bool   `yaml:"secure"`
+}
+
+func (r Config) SourceConfigKind() string {
+	return SourceKind
+}
+
+func (r Config) Initialize(ctx context.Context, tracer trace.Tracer) (sources.Source, error) {
+	pool, err := initClickHouseConnectionPool(ctx, tracer, r.Name, r.Host, r.Port, r.User, r.Password, r.Database, r.Protocol, r.Secure)
+	if err != nil {
+		return nil, fmt.Errorf("unable to create pool: %w", err)
+	}
+
+	err = pool.PingContext(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("unable to connect successfully: %w", err)
+	}
+
+	s := &Source{
+		Name: r.Name,
+		Kind: SourceKind,
+		Pool: pool,
+	}
+	return s, nil
+}
+
+var _ sources.Source = &Source{}
+
+type Source struct {
+	Name string `yaml:"name"`
+	Kind string `yaml:"kind"`
+	Pool *sql.DB
+}
+
+func (s *Source) SourceKind() string {
+	return SourceKind
+}
+
+func (s *Source) ClickHousePool() *sql.DB {
+	return s.Pool
+}
+
+func validateConfig(protocol string) error {
+	validProtocols := map[string]bool{"http": true, "https": true}
+
+	if protocol != "" && !validProtocols[protocol] {
+		return fmt.Errorf("invalid protocol: %s, must be one of: http, https", protocol)
+	}
+	return nil
+}
+
+func initClickHouseConnectionPool(ctx context.Context, tracer trace.Tracer, name, host, port, user, pass, dbname, protocol string, secure bool) (*sql.DB, error) {
+	//nolint:all // Reassigned ctx
+	ctx, span := sources.InitConnectionSpan(ctx, tracer, SourceKind, name)
+	defer span.End()
+
+	if protocol == "" {
+		protocol = "https"
+	}
+
+	if err := validateConfig(protocol); err != nil {
+		return nil, err
+	}
+
+	encodedUser := url.QueryEscape(user)
+	encodedPass := url.QueryEscape(pass)
+
+	var dsn string
+	scheme := protocol
+	if protocol == "http" && secure {
+		scheme = "https"
+	}
+	dsn = fmt.Sprintf("%s://%s:%s@%s:%s/%s", scheme, encodedUser, encodedPass, host, port, dbname)
+	if scheme == "https" {
+		dsn += "?secure=true&skip_verify=false"
+	}
+
+	pool, err := sql.Open("clickhouse", dsn)
+	if err != nil {
+		return nil, fmt.Errorf("sql.Open: %w", err)
+	}
+
+	pool.SetMaxOpenConns(25)
+	pool.SetMaxIdleConns(5)
+	pool.SetConnMaxLifetime(5 * time.Minute)
+
+	return pool, nil
+}
--- a/internal/sources/clickhouse/clickhouse_test.go
+++ b/internal/sources/clickhouse/clickhouse_test.go
@@ -0,0 +1,348 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package clickhouse
+
+import (
+	"context"
+	"strings"
+	"testing"
+
+	"github.com/goccy/go-yaml"
+	"github.com/google/go-cmp/cmp"
+	"github.com/googleapis/genai-toolbox/internal/testutils"
+	"go.opentelemetry.io/otel"
+)
+
+func TestConfigSourceConfigKind(t *testing.T) {
+	config := Config{}
+	if config.SourceConfigKind() != SourceKind {
+		t.Errorf("Expected %s, got %s", SourceKind, config.SourceConfigKind())
+	}
+}
+
+func TestNewConfig(t *testing.T) {
+	tests := []struct {
+		name     string
+		yaml     string
+		expected Config
+	}{
+		{
+			name: "all fields specified",
+			yaml: `
+				name: test-clickhouse
+				kind: clickhouse
+				host: localhost
+				port: "8443"
+				user: default
+				password: "mypass"
+				database: mydb
+				protocol: https
+				secure: true
+			`,
+			expected: Config{
+				Name:     "test-clickhouse",
+				Kind:     "clickhouse",
+				Host:     "localhost",
+				Port:     "8443",
+				User:     "default",
+				Password: "mypass",
+				Database: "mydb",
+				Protocol: "https",
+				Secure:   true,
+			},
+		},
+		{
+			name: "minimal configuration with defaults",
+			yaml: `
+				name: minimal-clickhouse
+				kind: clickhouse
+				host: 127.0.0.1
+				port: "8123"
+				user: testuser
+				database: testdb
+			`,
+			expected: Config{
+				Name:     "minimal-clickhouse",
+				Kind:     "clickhouse",
+				Host:     "127.0.0.1",
+				Port:     "8123",
+				User:     "testuser",
+				Password: "",
+				Database: "testdb",
+				Protocol: "",
+				Secure:   false,
+			},
+		},
+		{
+			name: "http protocol",
+			yaml: `
+				name: http-clickhouse
+				kind: clickhouse
+				host: clickhouse.example.com
+				port: "8123"
+				user: analytics
+				password: "securepass"
+				database: analytics_db
+				protocol: http
+				secure: false
+			`,
+			expected: Config{
+				Name:     "http-clickhouse",
+				Kind:     "clickhouse",
+				Host:     "clickhouse.example.com",
+				Port:     "8123",
+				User:     "analytics",
+				Password: "securepass",
+				Database: "analytics_db",
+				Protocol: "http",
+				Secure:   false,
+			},
+		},
+		{
+			name: "https with secure connection",
+			yaml: `
+				name: secure-clickhouse
+				kind: clickhouse
+				host: secure.clickhouse.io
+				port: "8443"
+				user: secureuser
+				password: "verysecure"
+				database: production
+				protocol: https
+				secure: true
+			`,
+			expected: Config{
+				Name:     "secure-clickhouse",
+				Kind:     "clickhouse",
+				Host:     "secure.clickhouse.io",
+				Port:     "8443",
+				User:     "secureuser",
+				Password: "verysecure",
+				Database: "production",
+				Protocol: "https",
+				Secure:   true,
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			decoder := yaml.NewDecoder(strings.NewReader(string(testutils.FormatYaml(tt.yaml))))
+			config, err := newConfig(context.Background(), tt.expected.Name, decoder)
+			if err != nil {
+				t.Fatalf("Failed to create config: %v", err)
+			}
+
+			clickhouseConfig, ok := config.(Config)
+			if !ok {
+				t.Fatalf("Expected Config type, got %T", config)
+			}
+
+			if diff := cmp.Diff(tt.expected, clickhouseConfig); diff != "" {
+				t.Errorf("Config mismatch (-want +got):\n%s", diff)
+			}
+		})
+	}
+}
+
+func TestNewConfigInvalidYAML(t *testing.T) {
+	tests := []struct {
+		name        string
+		yaml        string
+		expectError bool
+	}{
+		{
+			name: "invalid yaml syntax",
+			yaml: `
+				name: test-clickhouse
+				kind: clickhouse
+				host: [invalid
+			`,
+			expectError: true,
+		},
+		{
+			name: "missing required fields",
+			yaml: `
+				name: test-clickhouse
+				kind: clickhouse
+			`,
+			expectError: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			decoder := yaml.NewDecoder(strings.NewReader(string(testutils.FormatYaml(tt.yaml))))
+			_, err := newConfig(context.Background(), "test-clickhouse", decoder)
+			if tt.expectError && err == nil {
+				t.Errorf("Expected error but got none")
+			}
+			if !tt.expectError && err != nil {
+				t.Errorf("Expected no error but got: %v", err)
+			}
+		})
+	}
+}
+
+func TestSource_SourceKind(t *testing.T) {
+	source := &Source{}
+	if source.SourceKind() != SourceKind {
+		t.Errorf("Expected %s, got %s", SourceKind, source.SourceKind())
+	}
+}
+
+func TestValidateConfig(t *testing.T) {
+	tests := []struct {
+		name        string
+		protocol    string
+		expectError bool
+	}{
+		{
+			name:        "valid https protocol",
+			protocol:    "https",
+			expectError: false,
+		},
+		{
+			name:        "valid http protocol",
+			protocol:    "http",
+			expectError: false,
+		},
+		{
+			name:        "invalid protocol",
+			protocol:    "invalid",
+			expectError: true,
+		},
+		{
+			name:        "invalid protocol - native not supported",
+			protocol:    "native",
+			expectError: true,
+		},
+		{
+			name:        "empty values use defaults",
+			protocol:    "",
+			expectError: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := validateConfig(tt.protocol)
+			if tt.expectError && err == nil {
+				t.Errorf("Expected error but got none")
+			}
+			if !tt.expectError && err != nil {
+				t.Errorf("Expected no error but got: %v", err)
+			}
+		})
+	}
+}
+
+func TestInitClickHouseConnectionPoolDSNGeneration(t *testing.T) {
+	tracer := otel.Tracer("test")
+	ctx := context.Background()
+
+	tests := []struct {
+		name      string
+		host      string
+		port      string
+		user      string
+		pass      string
+		dbname    string
+		protocol  string
+		secure    bool
+		shouldErr bool
+	}{
+		{
+			name:      "http protocol with defaults",
+			host:      "localhost",
+			port:      "8123",
+			user:      "default",
+			pass:      "",
+			dbname:    "default",
+			protocol:  "http",
+			secure:    false,
+			shouldErr: true,
+		},
+		{
+			name:      "https protocol with secure",
+			host:      "localhost",
+			port:      "8443",
+			user:      "default",
+			pass:      "",
+			dbname:    "default",
+			protocol:  "https",
+			secure:    true,
+			shouldErr: true,
+		},
+		{
+			name:      "special characters in password",
+			host:      "localhost",
+			port:      "8443",
+			user:      "test@user",
+			pass:      "pass@word:with/special&chars",
+			dbname:    "default",
+			protocol:  "https",
+			secure:    true,
+			shouldErr: true,
+		},
+		{
+			name:      "invalid protocol should fail",
+			host:      "localhost",
+			port:      "9000",
+			user:      "default",
+			pass:      "",
+			dbname:    "default",
+			protocol:  "invalid",
+			secure:    false,
+			shouldErr: true,
+		},
+		{
+			name:      "empty protocol defaults to https",
+			host:      "localhost",
+			port:      "8443",
+			user:      "user",
+			pass:      "pass",
+			dbname:    "testdb",
+			protocol:  "",
+			secure:    true,
+			shouldErr: true,
+		},
+		{
+			name:      "http with secure flag should upgrade to https",
+			host:      "example.com",
+			port:      "8443",
+			user:      "user",
+			pass:      "pass",
+			dbname:    "db",
+			protocol:  "http",
+			secure:    true,
+			shouldErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			pool, err := initClickHouseConnectionPool(ctx, tracer, "test", tt.host, tt.port, tt.user, tt.pass, tt.dbname, tt.protocol, tt.secure)
+
+			if !tt.shouldErr && err != nil {
+				t.Errorf("Expected no error, got: %v", err)
+			}
+
+			if pool != nil {
+				pool.Close()
+			}
+		})
+	}
+}
--- a/internal/sources/looker/looker.go
+++ b/internal/sources/looker/looker.go
@@ -39,7 +39,15 @@ func init() {
 }

 func newConfig(ctx context.Context, name string, decoder *yaml.Decoder) (sources.SourceConfig, error) {
-	actual := Config{Name: name, SslVerification: "true", Timeout: "600s"} // Default Ssl,timeout
+	actual := Config{
+		Name:               name,
+		SslVerification:    true,
+		Timeout:            "600s",
+		UseClientOAuth:     false,
+		ShowHiddenModels:   true,
+		ShowHiddenExplores: true,
+		ShowHiddenFields:   true,
+	} // Default Ssl,timeout, ShowHidden
 	if err := decoder.DecodeContext(ctx, &actual); err != nil {
 		return nil, err
 	}
@@ -47,13 +55,17 @@ func newConfig(ctx context.Context, name string, decoder *yaml.Decoder) (sources
 }

 type Config struct {
-	Name            string `yaml:"name" validate:"required"`
-	Kind            string `yaml:"kind" validate:"required"`
-	BaseURL         string `yaml:"base_url" validate:"required"`
-	ClientId        string `yaml:"client_id" validate:"required"`
-	ClientSecret    string `yaml:"client_secret" validate:"required"`
-	SslVerification string `yaml:"verify_ssl"`
-	Timeout         string `yaml:"timeout"`
+	Name               string `yaml:"name" validate:"required"`
+	Kind               string `yaml:"kind" validate:"required"`
+	BaseURL            string `yaml:"base_url" validate:"required"`
+	ClientId           string `yaml:"client_id" validate:"required"`
+	ClientSecret       string `yaml:"client_secret" validate:"required"`
+	SslVerification    bool   `yaml:"verify_ssl"`
+	UseClientOAuth     bool   `yaml:"use_client_oauth"`
+	Timeout            string `yaml:"timeout"`
+	ShowHiddenModels   bool   `yaml:"show_hidden_models"`
+	ShowHiddenExplores bool   `yaml:"show_hidden_explores"`
+	ShowHiddenFields   bool   `yaml:"show_hidden_fields"`
 }

 func (r Config) SourceConfigKind() string {
@@ -77,33 +89,42 @@ func (r Config) Initialize(ctx context.Context, tracer trace.Tracer) (sources.So
 		return nil, fmt.Errorf("unable to parse Timeout string as time.Duration: %s", err)
 	}

-	if r.SslVerification != "true" {
+	if !r.SslVerification {
 		logger.WarnContext(ctx, "Insecure HTTP is enabled for Looker source %s. TLS certificate verification is skipped.\n", r.Name)
 	}
 	cfg := rtl.ApiSettings{
 		AgentTag:     userAgent,
 		BaseUrl:      r.BaseURL,
 		ApiVersion:   "4.0",
-		VerifySsl:    (r.SslVerification == "true"),
+		VerifySsl:    r.SslVerification,
 		Timeout:      int32(duration.Seconds()),
 		ClientId:     r.ClientId,
 		ClientSecret: r.ClientSecret,
 	}

-	sdk := v4.NewLookerSDK(rtl.NewAuthSession(cfg))
-	me, err := sdk.Me("", &cfg)
-	if err != nil {
-		return nil, fmt.Errorf("unable to log in: %s", err)
-	}
-	logger.DebugContext(ctx, fmt.Sprintf("logged in as user %v %v.\n", *me.FirstName, *me.LastName))
-
 	s := &Source{
-		Name:        r.Name,
-		Kind:        SourceKind,
-		Timeout:     r.Timeout,
-		Client:      sdk,
-		ApiSettings: &cfg,
+		Name:               r.Name,
+		Kind:               SourceKind,
+		Timeout:            r.Timeout,
+		UseClientOAuth:     r.UseClientOAuth,
+		ApiSettings:        &cfg,
+		ShowHiddenModels:   r.ShowHiddenModels,
+		ShowHiddenExplores: r.ShowHiddenExplores,
+		ShowHiddenFields:   r.ShowHiddenFields,
 	}
+
+	if !r.UseClientOAuth {
+		if r.ClientId == "" || r.ClientSecret == "" {
+			return nil, fmt.Errorf("client_id and client_secret need to be specified")
+		}
+		s.Client = v4.NewLookerSDK(rtl.NewAuthSession(cfg))
+		resp, err := s.Client.Me("", s.ApiSettings)
+		if err != nil {
+			return nil, fmt.Errorf("incorrect settings: %w", err)
+		}
+		logger.DebugContext(ctx, fmt.Sprintf("logged in as %s %s", *resp.FirstName, *resp.LastName))
+	}
+
 	return s, nil

 }
@@ -111,11 +132,15 @@ func (r Config) Initialize(ctx context.Context, tracer trace.Tracer) (sources.So
 var _ sources.Source = &Source{}

 type Source struct {
-	Name        string `yaml:"name"`
-	Kind        string `yaml:"kind"`
-	Timeout     string `yaml:"timeout"`
-	Client      *v4.LookerSDK
-	ApiSettings *rtl.ApiSettings
+	Name               string `yaml:"name"`
+	Kind               string `yaml:"kind"`
+	Timeout            string `yaml:"timeout"`
+	Client             *v4.LookerSDK
+	ApiSettings        *rtl.ApiSettings
+	UseClientOAuth     bool `yaml:"use_client_oauth"`
+	ShowHiddenModels   bool `yaml:"show_hidden_models"`
+	ShowHiddenExplores bool `yaml:"show_hidden_explores"`
+	ShowHiddenFields   bool `yaml:"show_hidden_fields"`
 }

 func (s *Source) SourceKind() string {
--- a/internal/sources/looker/looker_test.go
+++ b/internal/sources/looker/looker_test.go
@@ -43,13 +43,17 @@ func TestParseFromYamlLooker(t *testing.T) {
 			`,
 			want: map[string]sources.SourceConfig{
 				"my-looker-instance": looker.Config{
-					Name:            "my-looker-instance",
-					Kind:            looker.SourceKind,
-					BaseURL:         "http://example.looker.com/",
-					ClientId:        "jasdl;k;tjl",
-					ClientSecret:    "sdakl;jgflkasdfkfg",
-					Timeout:         "600s",
-					SslVerification: "true",
+					Name:               "my-looker-instance",
+					Kind:               looker.SourceKind,
+					BaseURL:            "http://example.looker.com/",
+					ClientId:           "jasdl;k;tjl",
+					ClientSecret:       "sdakl;jgflkasdfkfg",
+					Timeout:            "600s",
+					SslVerification:    true,
+					UseClientOAuth:     false,
+					ShowHiddenModels:   true,
+					ShowHiddenExplores: true,
+					ShowHiddenFields:   true,
 				},
 			},
 		},
--- a/internal/sources/mysql/mysql.go
+++ b/internal/sources/mysql/mysql.go
@@ -18,6 +18,7 @@ import (
 	"context"
 	"database/sql"
 	"fmt"
+	"net/url"
 	"time"

 	_ "github.com/go-sql-driver/mysql"
@@ -46,14 +47,15 @@ func newConfig(ctx context.Context, name string, decoder *yaml.Decoder) (sources
 }

 type Config struct {
-	Name         string `yaml:"name" validate:"required"`
-	Kind         string `yaml:"kind" validate:"required"`
-	Host         string `yaml:"host" validate:"required"`
-	Port         string `yaml:"port" validate:"required"`
-	User         string `yaml:"user" validate:"required"`
-	Password     string `yaml:"password" validate:"required"`
-	Database     string `yaml:"database" validate:"required"`
-	QueryTimeout string `yaml:"queryTimeout"`
+	Name         string            `yaml:"name" validate:"required"`
+	Kind         string            `yaml:"kind" validate:"required"`
+	Host         string            `yaml:"host" validate:"required"`
+	Port         string            `yaml:"port" validate:"required"`
+	User         string            `yaml:"user" validate:"required"`
+	Password     string            `yaml:"password" validate:"required"`
+	Database     string            `yaml:"database" validate:"required"`
+	QueryTimeout string            `yaml:"queryTimeout"`
+	QueryParams  map[string]string `yaml:"queryParams"`
 }

 func (r Config) SourceConfigKind() string {
@@ -61,7 +63,7 @@ func (r Config) SourceConfigKind() string {
 }

 func (r Config) Initialize(ctx context.Context, tracer trace.Tracer) (sources.Source, error) {
-	pool, err := initMySQLConnectionPool(ctx, tracer, r.Name, r.Host, r.Port, r.User, r.Password, r.Database, r.QueryTimeout)
+	pool, err := initMySQLConnectionPool(ctx, tracer, r.Name, r.Host, r.Port, r.User, r.Password, r.Database, r.QueryTimeout, r.QueryParams)
 	if err != nil {
 		return nil, fmt.Errorf("unable to create pool: %w", err)
 	}
@@ -95,21 +97,34 @@ func (s *Source) MySQLPool() *sql.DB {
 	return s.Pool
 }

-func initMySQLConnectionPool(ctx context.Context, tracer trace.Tracer, name, host, port, user, pass, dbname, queryTimeout string) (*sql.DB, error) {
+func initMySQLConnectionPool(ctx context.Context, tracer trace.Tracer, name, host, port, user, pass, dbname, queryTimeout string, queryParams map[string]string) (*sql.DB, error) {
 	//nolint:all // Reassigned ctx
 	ctx, span := sources.InitConnectionSpan(ctx, tracer, SourceKind, name)
 	defer span.End()

-	// Configure the driver to connect to the database
-	dsn := fmt.Sprintf("%s:%s@tcp(%s:%s)/%s?parseTime=true", user, pass, host, port, dbname)
+	// Build query parameters via url.Values for deterministic order and proper escaping.
+	values := url.Values{}

-	// Add query timeout to DSN if specified
+	// Derive readTimeout from queryTimeout when provided.
 	if queryTimeout != "" {
 		timeout, err := time.ParseDuration(queryTimeout)
 		if err != nil {
 			return nil, fmt.Errorf("invalid queryTimeout %q: %w", queryTimeout, err)
 		}
-		dsn += "&readTimeout=" + timeout.String()
+		values.Set("readTimeout", timeout.String())
+	}
+
+	// Custom user parameters
+	for k, v := range queryParams {
+		if v == "" {
+			continue // skip empty values
+		}
+		values.Set(k, v)
+	}
+
+	dsn := fmt.Sprintf("%s:%s@tcp(%s:%s)/%s?parseTime=true", user, pass, host, port, dbname)
+	if enc := values.Encode(); enc != "" {
+		dsn += "&" + enc
 	}

 	// Interact with the driver directly as you normally would
--- a/internal/sources/mysql/mysql_test.go
+++ b/internal/sources/mysql/mysql_test.go
@@ -15,10 +15,15 @@
 package mysql_test

 import (
+	"context"
+	"strings"
 	"testing"

 	yaml "github.com/goccy/go-yaml"
 	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
+	"go.opentelemetry.io/otel/trace/noop"
+
 	"github.com/googleapis/genai-toolbox/internal/server"
 	"github.com/googleapis/genai-toolbox/internal/sources/mysql"
 	"github.com/googleapis/genai-toolbox/internal/testutils"
@@ -80,9 +85,41 @@ func TestParseFromYamlCloudSQLMySQL(t *testing.T) {
 				},
 			},
 		},
+		{
+			desc: "with query params",
+			in: `
+			sources:
+				my-mysql-instance:
+					kind: mysql
+					host: 0.0.0.0
+					port: my-port
+					database: my_db
+					user: my_user
+					password: my_pass
+					queryParams:
+						tls: preferred
+						charset: utf8mb4
+			`,
+			want: server.SourceConfigs{
+				"my-mysql-instance": mysql.Config{
+					Name:     "my-mysql-instance",
+					Kind:     mysql.SourceKind,
+					Host:     "0.0.0.0",
+					Port:     "my-port",
+					Database: "my_db",
+					User:     "my_user",
+					Password: "my_pass",
+					QueryParams: map[string]string{
+						"tls":     "preferred",
+						"charset": "utf8mb4",
+					},
+				},
+			},
+		},
 	}
 	for _, tc := range tcs {
 		t.Run(tc.desc, func(t *testing.T) {
+			t.Parallel()
 			got := struct {
 				Sources server.SourceConfigs `yaml:"sources"`
 			}{}
@@ -91,8 +128,8 @@ func TestParseFromYamlCloudSQLMySQL(t *testing.T) {
 			if err != nil {
 				t.Fatalf("unable to unmarshal: %s", err)
 			}
-			if !cmp.Equal(tc.want, got.Sources) {
-				t.Fatalf("incorrect parse: want %v, got %v", tc.want, got.Sources)
+			if diff := cmp.Diff(tc.want, got.Sources, cmpopts.EquateEmpty()); diff != "" {
+				t.Fatalf("mismatch (-want +got):\n%s", diff)
 			}
 		})
 	}
@@ -118,7 +155,7 @@ func TestFailParseFromYaml(t *testing.T) {
 					password: my_pass
 					foo: bar
 			`,
-			err: "unable to parse source \"my-mysql-instance\" as \"mysql\": [2:1] unknown field \"foo\"\n   1 | database: my_db\n>  2 | foo: bar\n       ^\n   3 | host: 0.0.0.0\n   4 | kind: mysql\n   5 | password: my_pass\n   6 | ",
+			err: "unknown field \"foo\"",
 		},
 		{
 			desc: "missing required field",
@@ -131,11 +168,27 @@ func TestFailParseFromYaml(t *testing.T) {
 					user: my_user
 					password: my_pass
 			`,
-			err: "unable to parse source \"my-mysql-instance\" as \"mysql\": Key: 'Config.Host' Error:Field validation for 'Host' failed on the 'required' tag",
+			err: "Field validation for 'Host' failed",
+		},
+		{
+			desc: "invalid query params type",
+			in: `
+			sources:
+				my-mysql-instance:
+					kind: mysql
+					host: 0.0.0.0
+					port: 3306
+					database: my_db
+					user: my_user
+					password: my_pass
+					queryParams: not-a-map
+			`,
+			err: "string was used where mapping is expected",
 		},
 	}
 	for _, tc := range tcs {
 		t.Run(tc.desc, func(t *testing.T) {
+			t.Parallel()
 			got := struct {
 				Sources server.SourceConfigs `yaml:"sources"`
 			}{}
@@ -145,9 +198,32 @@ func TestFailParseFromYaml(t *testing.T) {
 				t.Fatalf("expect parsing to fail")
 			}
 			errStr := err.Error()
-			if errStr != tc.err {
-				t.Fatalf("unexpected error: got %q, want %q", errStr, tc.err)
+			if !strings.Contains(errStr, tc.err) {
+				t.Fatalf("unexpected error: got %q, want substring %q", errStr, tc.err)
 			}
 		})
 	}
 }
+
+// TestFailInitialization test error during initialization without attempting a DB connection.
+func TestFailInitialization(t *testing.T) {
+	t.Parallel()
+
+	cfg := mysql.Config{
+		Name:         "instance",
+		Kind:         "mysql",
+		Host:         "localhost",
+		Port:         "3306",
+		Database:     "db",
+		User:         "user",
+		Password:     "pass",
+		QueryTimeout: "abc", // invalid duration
+	}
+	_, err := cfg.Initialize(context.Background(), noop.NewTracerProvider().Tracer("test"))
+	if err == nil {
+		t.Fatalf("expected error for invalid queryTimeout, got nil")
+	}
+	if !strings.Contains(err.Error(), "invalid queryTimeout") {
+		t.Fatalf("unexpected error: %v", err)
+	}
+}
--- a/internal/tools/bigquery/bigqueryconversationalanalytics/bigqueryconversationalanalytics.go
+++ b/internal/tools/bigquery/bigqueryconversationalanalytics/bigqueryconversationalanalytics.go
@@ -0,0 +1,544 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package bigqueryconversationalanalytics
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+
+	bigqueryapi "cloud.google.com/go/bigquery"
+	yaml "github.com/goccy/go-yaml"
+	"github.com/googleapis/genai-toolbox/internal/sources"
+	bigqueryds "github.com/googleapis/genai-toolbox/internal/sources/bigquery"
+	"github.com/googleapis/genai-toolbox/internal/tools"
+	"golang.org/x/oauth2"
+)
+
+const kind string = "bigquery-conversational-analytics"
+
+const instructions = `**INSTRUCTIONS - FOLLOW THESE RULES:**
+1. **CONTENT:** Your answer should present the supporting data and then provide a conclusion based on that data.
+2. **OUTPUT FORMAT:** Your entire response MUST be in plain text format ONLY.
+3. **NO CHARTS:** You are STRICTLY FORBIDDEN from generating any charts, graphs, images, or any other form of visualization.`
+
+func init() {
+	if !tools.Register(kind, newConfig) {
+		panic(fmt.Sprintf("tool kind %q already registered", kind))
+	}
+}
+
+func newConfig(ctx context.Context, name string, decoder *yaml.Decoder) (tools.ToolConfig, error) {
+	actual := Config{Name: name}
+	if err := decoder.DecodeContext(ctx, &actual); err != nil {
+		return nil, err
+	}
+	return actual, nil
+}
+
+type compatibleSource interface {
+	BigQueryClient() *bigqueryapi.Client
+	BigQueryTokenSource() oauth2.TokenSource
+	BigQueryProject() string
+	BigQueryLocation() string
+	GetMaxQueryResultRows() int
+	UseClientAuthorization() bool
+}
+
+type BQTableReference struct {
+	ProjectID string `json:"projectId"`
+	DatasetID string `json:"datasetId"`
+	TableID   string `json:"tableId"`
+}
+
+// Structs for building the JSON payload
+type UserMessage struct {
+	Text string `json:"text"`
+}
+type Message struct {
+	UserMessage UserMessage `json:"userMessage"`
+}
+type BQDatasource struct {
+	TableReferences []BQTableReference `json:"tableReferences"`
+}
+type DatasourceReferences struct {
+	BQ BQDatasource `json:"bq"`
+}
+type ImageOptions struct {
+	NoImage map[string]any `json:"noImage"`
+}
+type ChartOptions struct {
+	Image ImageOptions `json:"image"`
+}
+type Options struct {
+	Chart ChartOptions `json:"chart"`
+}
+type InlineContext struct {
+	DatasourceReferences DatasourceReferences `json:"datasourceReferences"`
+	Options              Options              `json:"options"`
+}
+
+type CAPayload struct {
+	Project       string        `json:"project"`
+	Messages      []Message     `json:"messages"`
+	InlineContext InlineContext `json:"inlineContext"`
+}
+
+// validate compatible sources are still compatible
+var _ compatibleSource = &bigqueryds.Source{}
+
+var compatibleSources = [...]string{bigqueryds.SourceKind}
+
+type Config struct {
+	Name         string   `yaml:"name" validate:"required"`
+	Kind         string   `yaml:"kind" validate:"required"`
+	Source       string   `yaml:"source" validate:"required"`
+	Description  string   `yaml:"description" validate:"required"`
+	AuthRequired []string `yaml:"authRequired"`
+}
+
+// validate interface
+var _ tools.ToolConfig = Config{}
+
+func (cfg Config) ToolConfigKind() string {
+	return kind
+}
+
+func (cfg Config) Initialize(srcs map[string]sources.Source) (tools.Tool, error) {
+	// verify source exists
+	rawS, ok := srcs[cfg.Source]
+	if !ok {
+		return nil, fmt.Errorf("no source named %q configured", cfg.Source)
+	}
+
+	// verify the source is compatible
+	s, ok := rawS.(compatibleSource)
+	if !ok {
+		return nil, fmt.Errorf("invalid source for %q tool: source kind must be one of %q", kind, compatibleSources)
+	}
+
+	userQueryParameter := tools.NewStringParameter("user_query_with_context", "The user's question, potentially including conversation history and system instructions for context.")
+	tableRefsParameter := tools.NewStringParameter("table_references", `A JSON string of a list of BigQuery tables to use as context. Each object in the list must contain 'projectId', 'datasetId', and 'tableId'. Example: '[{"projectId": "my-gcp-project", "datasetId": "my_dataset", "tableId": "my_table"}]'`)
+
+	parameters := tools.Parameters{userQueryParameter, tableRefsParameter}
+
+	mcpManifest := tools.McpManifest{
+		Name:        cfg.Name,
+		Description: cfg.Description,
+		InputSchema: parameters.McpManifest(),
+	}
+
+	// finish tool setup
+	t := Tool{
+		Name:               cfg.Name,
+		Kind:               kind,
+		Project:            s.BigQueryProject(),
+		Location:           s.BigQueryLocation(),
+		Parameters:         parameters,
+		AuthRequired:       cfg.AuthRequired,
+		Client:             s.BigQueryClient(),
+		UseClientOAuth:     s.UseClientAuthorization(),
+		TokenSource:        s.BigQueryTokenSource(),
+		manifest:           tools.Manifest{Description: cfg.Description, Parameters: parameters.Manifest(), AuthRequired: cfg.AuthRequired},
+		mcpManifest:        mcpManifest,
+		MaxQueryResultRows: s.GetMaxQueryResultRows(),
+	}
+	return t, nil
+}
+
+// validate interface
+var _ tools.Tool = Tool{}
+
+type Tool struct {
+	Name           string           `yaml:"name"`
+	Kind           string           `yaml:"kind"`
+	AuthRequired   []string         `yaml:"authRequired"`
+	UseClientOAuth bool             `yaml:"useClientOAuth"`
+	Parameters     tools.Parameters `yaml:"parameters"`
+
+	Project            string
+	Location           string
+	Client             *bigqueryapi.Client
+	TokenSource        oauth2.TokenSource
+	manifest           tools.Manifest
+	mcpManifest        tools.McpManifest
+	MaxQueryResultRows int
+}
+
+func (t Tool) Invoke(ctx context.Context, params tools.ParamValues, accessToken tools.AccessToken) (any, error) {
+	var tokenStr string
+
+	// Get credentials for the API call
+	if t.UseClientOAuth {
+		// Use client-side access token
+		if accessToken == "" {
+			return nil, fmt.Errorf("tool is configured for client OAuth but no token was provided in the request header")
+		}
+		tokenStr = string(accessToken)
+	} else {
+		// Use ADC
+		if t.TokenSource == nil {
+			return nil, fmt.Errorf("ADC is missing a valid token source")
+		}
+		token, err := t.TokenSource.Token()
+		if err != nil {
+			return nil, fmt.Errorf("failed to get token from ADC: %w", err)
+		}
+		tokenStr = token.AccessToken
+	}
+
+	// Extract parameters from the map
+	mapParams := params.AsMap()
+	userQuery, _ := mapParams["user_query_with_context"].(string)
+
+	finalQueryText := fmt.Sprintf("%s\n**User Query and Context:**\n%s", instructions, userQuery)
+
+	tableRefsJSON, _ := mapParams["table_references"].(string)
+	var tableRefs []BQTableReference
+	if tableRefsJSON != "" {
+		if err := json.Unmarshal([]byte(tableRefsJSON), &tableRefs); err != nil {
+			return nil, fmt.Errorf("failed to parse 'table_references' JSON string: %w", err)
+		}
+	}
+
+	// Construct URL, headers, and payload
+	projectID := t.Project
+	location := t.Location
+	if location == "" {
+		location = "us"
+	}
+	caURL := fmt.Sprintf("https://geminidataanalytics.googleapis.com/v1alpha/projects/%s/locations/%s:chat", projectID, location)
+
+	headers := map[string]string{
+		"Authorization": fmt.Sprintf("Bearer %s", tokenStr),
+		"Content-Type":  "application/json",
+	}
+
+	payload := CAPayload{
+		Project:  fmt.Sprintf("projects/%s", projectID),
+		Messages: []Message{{UserMessage: UserMessage{Text: finalQueryText}}},
+		InlineContext: InlineContext{
+			DatasourceReferences: DatasourceReferences{
+				BQ: BQDatasource{TableReferences: tableRefs},
+			},
+			Options: Options{Chart: ChartOptions{Image: ImageOptions{NoImage: map[string]any{}}}},
+		},
+	}
+
+	// Call the streaming API
+	response, err := getStream(caURL, payload, headers, t.MaxQueryResultRows)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get response from conversational analytics API: %w", err)
+	}
+
+	return response, nil
+}
+
+func (t Tool) ParseParams(data map[string]any, claims map[string]map[string]any) (tools.ParamValues, error) {
+	return tools.ParseParams(t.Parameters, data, claims)
+}
+
+func (t Tool) Manifest() tools.Manifest {
+	return t.manifest
+}
+
+func (t Tool) McpManifest() tools.McpManifest {
+	return t.mcpManifest
+}
+
+func (t Tool) Authorized(verifiedAuthServices []string) bool {
+	return tools.IsAuthorized(t.AuthRequired, verifiedAuthServices)
+}
+
+func (t Tool) RequiresClientAuthorization() bool {
+	return t.UseClientOAuth
+}
+
+// StreamMessage represents a single message object from the streaming API response.
+type StreamMessage struct {
+	SystemMessage *SystemMessage `json:"systemMessage,omitempty"`
+	Error         *ErrorResponse `json:"error,omitempty"`
+}
+
+// SystemMessage contains different types of system-generated content.
+type SystemMessage struct {
+	Text   *TextResponse   `json:"text,omitempty"`
+	Schema *SchemaResponse `json:"schema,omitempty"`
+	Data   *DataResponse   `json:"data,omitempty"`
+}
+
+// TextResponse contains textual parts of a message.
+type TextResponse struct {
+	Parts []string `json:"parts"`
+}
+
+// SchemaResponse contains schema-related information.
+type SchemaResponse struct {
+	Query  *SchemaQuery  `json:"query,omitempty"`
+	Result *SchemaResult `json:"result,omitempty"`
+}
+
+// SchemaQuery holds the question that prompted a schema lookup.
+type SchemaQuery struct {
+	Question string `json:"question"`
+}
+
+// SchemaResult contains the datasources with their schemas.
+type SchemaResult struct {
+	Datasources []Datasource `json:"datasources"`
+}
+
+// Datasource represents a data source with its reference and schema.
+type Datasource struct {
+	BigQueryTableReference *BQTableReference `json:"bigqueryTableReference,omitempty"`
+	Schema                 *BQSchema         `json:"schema,omitempty"`
+}
+
+// BQSchema defines the structure of a BigQuery table.
+type BQSchema struct {
+	Fields []BQField `json:"fields"`
+}
+
+// BQField describes a single column in a BigQuery table.
+type BQField struct {
+	Name        string `json:"name"`
+	Type        string `json:"type"`
+	Description string `json:"description"`
+	Mode        string `json:"mode"`
+}
+
+// DataResponse contains data-related information, like queries and results.
+type DataResponse struct {
+	Query        *DataQuery  `json:"query,omitempty"`
+	GeneratedSQL string      `json:"generatedSql,omitempty"`
+	Result       *DataResult `json:"result,omitempty"`
+}
+
+// DataQuery holds information about a data retrieval query.
+type DataQuery struct {
+	Name     string `json:"name"`
+	Question string `json:"question"`
+}
+
+// DataResult contains the schema and rows of a query result.
+type DataResult struct {
+	Schema BQSchema         `json:"schema"`
+	Data   []map[string]any `json:"data"`
+}
+
+// ErrorResponse represents an error message from the API.
+type ErrorResponse struct {
+	Code    float64 `json:"code"` // JSON numbers are float64 by default
+	Message string  `json:"message"`
+}
+
+func getStream(url string, payload CAPayload, headers map[string]string, maxRows int) (string, error) {
+	payloadBytes, err := json.Marshal(payload)
+	if err != nil {
+		return "", fmt.Errorf("failed to marshal payload: %w", err)
+	}
+
+	req, err := http.NewRequest("POST", url, bytes.NewBuffer(payloadBytes))
+	if err != nil {
+		return "", fmt.Errorf("failed to create request: %w", err)
+	}
+	for k, v := range headers {
+		req.Header.Set(k, v)
+	}
+
+	client := &http.Client{}
+	resp, err := client.Do(req)
+	if err != nil {
+		return "", fmt.Errorf("failed to send request: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		body, _ := io.ReadAll(resp.Body)
+		return "", fmt.Errorf("API returned non-200 status: %d %s", resp.StatusCode, string(body))
+	}
+
+	var messages []map[string]any
+	decoder := json.NewDecoder(resp.Body)
+
+	// The response is a JSON array, so we read the opening bracket.
+	if _, err := decoder.Token(); err != nil {
+		if err == io.EOF {
+			return "", nil // Empty response is valid
+		}
+		return "", fmt.Errorf("error reading start of json array: %w", err)
+	}
+
+	for decoder.More() {
+		var msg StreamMessage
+		if err := decoder.Decode(&msg); err != nil {
+			if err == io.EOF {
+				break
+			}
+			return "", fmt.Errorf("error decoding stream message: %w", err)
+		}
+
+		var newMessage map[string]any
+		if msg.SystemMessage != nil {
+			if msg.SystemMessage.Text != nil {
+				newMessage = handleTextResponse(msg.SystemMessage.Text)
+			} else if msg.SystemMessage.Schema != nil {
+				newMessage = handleSchemaResponse(msg.SystemMessage.Schema)
+			} else if msg.SystemMessage.Data != nil {
+				newMessage = handleDataResponse(msg.SystemMessage.Data, maxRows)
+			}
+		} else if msg.Error != nil {
+			newMessage = handleError(msg.Error)
+		}
+		messages = appendMessage(messages, newMessage)
+	}
+
+	var acc strings.Builder
+	for i, msg := range messages {
+		jsonBytes, err := json.MarshalIndent(msg, "", "  ")
+		if err != nil {
+			return "", fmt.Errorf("error marshalling message: %w", err)
+		}
+		acc.Write(jsonBytes)
+		if i < len(messages)-1 {
+			acc.WriteString("\n")
+		}
+	}
+
+	return acc.String(), nil
+}
+
+func formatBqTableRef(tableRef *BQTableReference) string {
+	return fmt.Sprintf("%s.%s.%s", tableRef.ProjectID, tableRef.DatasetID, tableRef.TableID)
+}
+
+func formatSchemaAsDict(data *BQSchema) map[string]any {
+	headers := []string{"Column", "Type", "Description", "Mode"}
+	if data == nil {
+		return map[string]any{"headers": headers, "rows": []any{}}
+	}
+
+	var rows [][]any
+	for _, field := range data.Fields {
+		rows = append(rows, []any{field.Name, field.Type, field.Description, field.Mode})
+	}
+	return map[string]any{"headers": headers, "rows": rows}
+}
+
+func formatDatasourceAsDict(datasource *Datasource) map[string]any {
+	var sourceName string
+	if datasource.BigQueryTableReference != nil {
+		sourceName = formatBqTableRef(datasource.BigQueryTableReference)
+	}
+
+	var schema map[string]any
+	if datasource.Schema != nil {
+		schema = formatSchemaAsDict(datasource.Schema)
+	}
+
+	return map[string]any{"source_name": sourceName, "schema": schema}
+}
+
+func handleTextResponse(resp *TextResponse) map[string]any {
+	return map[string]any{"Answer": strings.Join(resp.Parts, "")}
+}
+
+func handleSchemaResponse(resp *SchemaResponse) map[string]any {
+	if resp.Query != nil {
+		return map[string]any{"Question": resp.Query.Question}
+	}
+	if resp.Result != nil {
+		var formattedSources []map[string]any
+		for _, ds := range resp.Result.Datasources {
+			formattedSources = append(formattedSources, formatDatasourceAsDict(&ds))
+		}
+		return map[string]any{"Schema Resolved": formattedSources}
+	}
+	return nil
+}
+
+func handleDataResponse(resp *DataResponse, maxRows int) map[string]any {
+	if resp.Query != nil {
+		return map[string]any{
+			"Retrieval Query": map[string]any{
+				"Query Name": resp.Query.Name,
+				"Question":   resp.Query.Question,
+			},
+		}
+	}
+	if resp.GeneratedSQL != "" {
+		return map[string]any{"SQL Generated": resp.GeneratedSQL}
+	}
+	if resp.Result != nil {
+		var headers []string
+		for _, f := range resp.Result.Schema.Fields {
+			headers = append(headers, f.Name)
+		}
+
+		totalRows := len(resp.Result.Data)
+		var compactRows [][]any
+		numRowsToDisplay := totalRows
+		if numRowsToDisplay > maxRows {
+			numRowsToDisplay = maxRows
+		}
+
+		for _, rowVal := range resp.Result.Data[:numRowsToDisplay] {
+			var rowValues []any
+			for _, header := range headers {
+				rowValues = append(rowValues, rowVal[header])
+			}
+			compactRows = append(compactRows, rowValues)
+		}
+
+		summary := fmt.Sprintf("Showing all %d rows.", totalRows)
+		if totalRows > maxRows {
+			summary = fmt.Sprintf("Showing the first %d of %d total rows.", numRowsToDisplay, totalRows)
+		}
+
+		return map[string]any{
+			"Data Retrieved": map[string]any{
+				"headers": headers,
+				"rows":    compactRows,
+				"summary": summary,
+			},
+		}
+	}
+	return nil
+}
+
+func handleError(resp *ErrorResponse) map[string]any {
+	return map[string]any{
+		"Error": map[string]any{
+			"Code":    int(resp.Code),
+			"Message": resp.Message,
+		},
+	}
+}
+
+func appendMessage(messages []map[string]any, newMessage map[string]any) []map[string]any {
+	if newMessage == nil {
+		return messages
+	}
+	if len(messages) > 0 {
+		if _, ok := messages[len(messages)-1]["Data Retrieved"]; ok {
+			messages = messages[:len(messages)-1]
+		}
+	}
+	return append(messages, newMessage)
+}
--- a/internal/tools/bigquery/bigqueryconversationalanalytics/bigqueryconversationalanalytics_test.go
+++ b/internal/tools/bigquery/bigqueryconversationalanalytics/bigqueryconversationalanalytics_test.go
@@ -0,0 +1,72 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package bigqueryconversationalanalytics_test
+
+import (
+	"testing"
+
+	yaml "github.com/goccy/go-yaml"
+	"github.com/google/go-cmp/cmp"
+	"github.com/googleapis/genai-toolbox/internal/server"
+	"github.com/googleapis/genai-toolbox/internal/testutils"
+	"github.com/googleapis/genai-toolbox/internal/tools/bigquery/bigqueryconversationalanalytics"
+)
+
+func TestParseFromYamlBigQueryConversationalAnalytics(t *testing.T) {
+	ctx, err := testutils.ContextWithNewLogger()
+	if err != nil {
+		t.Fatalf("unexpected error: %s", err)
+	}
+	tcs := []struct {
+		desc string
+		in   string
+		want server.ToolConfigs
+	}{
+		{
+			desc: "basic example",
+			in: `
+			tools:
+				example_tool:
+					kind: bigquery-conversational-analytics
+					source: my-instance
+					description: some description
+			`,
+			want: server.ToolConfigs{
+				"example_tool": bigqueryconversationalanalytics.Config{
+					Name:         "example_tool",
+					Kind:         "bigquery-conversational-analytics",
+					Source:       "my-instance",
+					Description:  "some description",
+					AuthRequired: []string{},
+				},
+			},
+		},
+	}
+	for _, tc := range tcs {
+		t.Run(tc.desc, func(t *testing.T) {
+			got := struct {
+				Tools server.ToolConfigs `yaml:"tools"`
+			}{}
+			// Parse contents
+			err := yaml.UnmarshalContext(ctx, testutils.FormatYaml(tc.in), &got)
+			if err != nil {
+				t.Fatalf("unable to unmarshal: %s", err)
+			}
+			if diff := cmp.Diff(tc.want, got.Tools); diff != "" {
+				t.Fatalf("incorrect parse: diff %v", diff)
+			}
+		})
+	}
+}
--- a/internal/tools/bigquery/bigqueryexecutesql/bigqueryexecutesql.go
+++ b/internal/tools/bigquery/bigqueryexecutesql/bigqueryexecutesql.go
@@ -48,6 +48,8 @@ func newConfig(ctx context.Context, name string, decoder *yaml.Decoder) (tools.T
 type compatibleSource interface {
 	BigQueryClient() *bigqueryapi.Client
 	BigQueryRestService() *bigqueryrestapi.Service
+	BigQueryClientCreator() bigqueryds.BigqueryClientCreator
+	UseClientAuthorization() bool
 }

 // validate compatible sources are still compatible
@@ -100,14 +102,16 @@ func (cfg Config) Initialize(srcs map[string]sources.Source) (tools.Tool, error)

 	// finish tool setup
 	t := Tool{
-		Name:         cfg.Name,
-		Kind:         kind,
-		Parameters:   parameters,
-		AuthRequired: cfg.AuthRequired,
-		Client:       s.BigQueryClient(),
-		RestService:  s.BigQueryRestService(),
-		manifest:     tools.Manifest{Description: cfg.Description, Parameters: parameters.Manifest(), AuthRequired: cfg.AuthRequired},
-		mcpManifest:  mcpManifest,
+		Name:           cfg.Name,
+		Kind:           kind,
+		Parameters:     parameters,
+		AuthRequired:   cfg.AuthRequired,
+		UseClientOAuth: s.UseClientAuthorization(),
+		ClientCreator:  s.BigQueryClientCreator(),
+		Client:         s.BigQueryClient(),
+		RestService:    s.BigQueryRestService(),
+		manifest:       tools.Manifest{Description: cfg.Description, Parameters: parameters.Manifest(), AuthRequired: cfg.AuthRequired},
+		mcpManifest:    mcpManifest,
 	}
 	return t, nil
 }
@@ -116,14 +120,17 @@ func (cfg Config) Initialize(srcs map[string]sources.Source) (tools.Tool, error)
 var _ tools.Tool = Tool{}

 type Tool struct {
-	Name         string           `yaml:"name"`
-	Kind         string           `yaml:"kind"`
-	AuthRequired []string         `yaml:"authRequired"`
-	Parameters   tools.Parameters `yaml:"parameters"`
-	Client       *bigqueryapi.Client
-	RestService  *bigqueryrestapi.Service
-	manifest     tools.Manifest
-	mcpManifest  tools.McpManifest
+	Name           string           `yaml:"name"`
+	Kind           string           `yaml:"kind"`
+	AuthRequired   []string         `yaml:"authRequired"`
+	UseClientOAuth bool             `yaml:"useClientOAuth"`
+	Parameters     tools.Parameters `yaml:"parameters"`
+
+	Client        *bigqueryapi.Client
+	RestService   *bigqueryrestapi.Service
+	ClientCreator bigqueryds.BigqueryClientCreator
+	manifest      tools.Manifest
+	mcpManifest   tools.McpManifest
 }

 func (t Tool) Invoke(ctx context.Context, params tools.ParamValues, accessToken tools.AccessToken) (any, error) {
@@ -137,7 +144,19 @@ func (t Tool) Invoke(ctx context.Context, params tools.ParamValues, accessToken
 		return nil, fmt.Errorf("unable to cast dry_run parameter %s", paramsMap["dry_run"])
 	}

-	dryRunJob, err := dryRunQuery(ctx, t.RestService, t.Client.Project(), t.Client.Location, sql)
+	bqClient := t.Client
+	restService := t.RestService
+
+	var err error
+	// Initialize new client if using user OAuth token
+	if t.UseClientOAuth {
+		bqClient, restService, err = t.ClientCreator(accessToken, true)
+		if err != nil {
+			return nil, fmt.Errorf("error creating client from OAuth access token: %w", err)
+		}
+	}
+
+	dryRunJob, err := dryRunQuery(ctx, restService, bqClient.Project(), bqClient.Location, sql)
 	if err != nil {
 		return nil, fmt.Errorf("query validation failed during dry run: %w", err)
 	}
@@ -156,8 +175,8 @@ func (t Tool) Invoke(ctx context.Context, params tools.ParamValues, accessToken

 	statementType := dryRunJob.Statistics.Query.StatementType
 	// JobStatistics.QueryStatistics.StatementType
-	query := t.Client.Query(sql)
-	query.Location = t.Client.Location
+	query := bqClient.Query(sql)
+	query.Location = bqClient.Location

 	// Log the query executed for debugging.
 	logger, err := util.LoggerFromContext(ctx)
@@ -223,7 +242,7 @@ func (t Tool) Authorized(verifiedAuthServices []string) bool {
 }

 func (t Tool) RequiresClientAuthorization() bool {
-	return false
+	return t.UseClientOAuth
 }

 // dryRunQuery performs a dry run of the SQL query to validate it and get metadata.
--- a/internal/tools/bigquery/bigqueryforecast/bigqueryforecast.go
+++ b/internal/tools/bigquery/bigqueryforecast/bigqueryforecast.go
@@ -48,6 +48,8 @@ func newConfig(ctx context.Context, name string, decoder *yaml.Decoder) (tools.T
 type compatibleSource interface {
 	BigQueryClient() *bigqueryapi.Client
 	BigQueryRestService() *bigqueryrestapi.Service
+	BigQueryClientCreator() bigqueryds.BigqueryClientCreator
+	UseClientAuthorization() bool
 }

 // validate compatible sources are still compatible
@@ -104,14 +106,16 @@ func (cfg Config) Initialize(srcs map[string]sources.Source) (tools.Tool, error)

 	// finish tool setup
 	t := Tool{
-		Name:         cfg.Name,
-		Kind:         kind,
-		Parameters:   parameters,
-		AuthRequired: cfg.AuthRequired,
-		Client:       s.BigQueryClient(),
-		RestService:  s.BigQueryRestService(),
-		manifest:     tools.Manifest{Description: cfg.Description, Parameters: parameters.Manifest(), AuthRequired: cfg.AuthRequired},
-		mcpManifest:  mcpManifest,
+		Name:           cfg.Name,
+		Kind:           kind,
+		Parameters:     parameters,
+		AuthRequired:   cfg.AuthRequired,
+		UseClientOAuth: s.UseClientAuthorization(),
+		ClientCreator:  s.BigQueryClientCreator(),
+		Client:         s.BigQueryClient(),
+		RestService:    s.BigQueryRestService(),
+		manifest:       tools.Manifest{Description: cfg.Description, Parameters: parameters.Manifest(), AuthRequired: cfg.AuthRequired},
+		mcpManifest:    mcpManifest,
 	}
 	return t, nil
 }
@@ -120,14 +124,17 @@ func (cfg Config) Initialize(srcs map[string]sources.Source) (tools.Tool, error)
 var _ tools.Tool = Tool{}

 type Tool struct {
-	Name         string           `yaml:"name"`
-	Kind         string           `yaml:"kind"`
-	AuthRequired []string         `yaml:"authRequired"`
-	Parameters   tools.Parameters `yaml:"parameters"`
-	Client       *bigqueryapi.Client
-	RestService  *bigqueryrestapi.Service
-	manifest     tools.Manifest
-	mcpManifest  tools.McpManifest
+	Name           string           `yaml:"name"`
+	Kind           string           `yaml:"kind"`
+	AuthRequired   []string         `yaml:"authRequired"`
+	UseClientOAuth bool             `yaml:"useClientOAuth"`
+	Parameters     tools.Parameters `yaml:"parameters"`
+
+	Client        *bigqueryapi.Client
+	RestService   *bigqueryrestapi.Service
+	ClientCreator bigqueryds.BigqueryClientCreator
+	manifest      tools.Manifest
+	mcpManifest   tools.McpManifest
 }

 func (t Tool) Invoke(ctx context.Context, params tools.ParamValues, accessToken tools.AccessToken) (any, error) {
@@ -187,9 +194,20 @@ func (t Tool) Invoke(ctx context.Context, params tools.ParamValues, accessToken
 			horizon => %d%s)`,
 		historyDataSource, dataCol, timestampCol, horizon, idColsArg)

+	bqClient := t.Client
+	var err error
+
+	// Initialize new client if using user OAuth token
+	if t.UseClientOAuth {
+		bqClient, _, err = t.ClientCreator(accessToken, false)
+		if err != nil {
+			return nil, fmt.Errorf("error creating client from OAuth access token: %w", err)
+		}
+	}
+
 	// JobStatistics.QueryStatistics.StatementType
-	query := t.Client.Query(sql)
-	query.Location = t.Client.Location
+	query := bqClient.Query(sql)
+	query.Location = bqClient.Location

 	// Log the query executed for debugging.
 	logger, err := util.LoggerFromContext(ctx)
@@ -247,5 +265,5 @@ func (t Tool) Authorized(verifiedAuthServices []string) bool {
 }

 func (t Tool) RequiresClientAuthorization() bool {
-	return false
+	return t.UseClientOAuth
 }
--- a/internal/tools/bigquery/bigquerygetdatasetinfo/bigquerygetdatasetinfo.go
+++ b/internal/tools/bigquery/bigquerygetdatasetinfo/bigquerygetdatasetinfo.go
@@ -44,7 +44,10 @@ func newConfig(ctx context.Context, name string, decoder *yaml.Decoder) (tools.T
 }

 type compatibleSource interface {
+	BigQueryProject() string
 	BigQueryClient() *bigqueryapi.Client
+	BigQueryClientCreator() bigqueryds.BigqueryClientCreator
+	UseClientAuthorization() bool
 }

 // validate compatible sources are still compatible
@@ -80,7 +83,7 @@ func (cfg Config) Initialize(srcs map[string]sources.Source) (tools.Tool, error)
 		return nil, fmt.Errorf("invalid source for %q tool: source kind must be one of %q", kind, compatibleSources)
 	}

-	projectParameter := tools.NewStringParameterWithDefault(projectKey, s.BigQueryClient().Project(), "The Google Cloud project ID containing the dataset.")
+	projectParameter := tools.NewStringParameterWithDefault(projectKey, s.BigQueryProject(), "The Google Cloud project ID containing the dataset.")
 	datasetParameter := tools.NewStringParameter(datasetKey, "The dataset to get metadata information.")
 	parameters := tools.Parameters{projectParameter, datasetParameter}

@@ -92,13 +95,15 @@ func (cfg Config) Initialize(srcs map[string]sources.Source) (tools.Tool, error)

 	// finish tool setup
 	t := Tool{
-		Name:         cfg.Name,
-		Kind:         kind,
-		Parameters:   parameters,
-		AuthRequired: cfg.AuthRequired,
-		Client:       s.BigQueryClient(),
-		manifest:     tools.Manifest{Description: cfg.Description, Parameters: parameters.Manifest(), AuthRequired: cfg.AuthRequired},
-		mcpManifest:  mcpManifest,
+		Name:           cfg.Name,
+		Kind:           kind,
+		Parameters:     parameters,
+		AuthRequired:   cfg.AuthRequired,
+		UseClientOAuth: s.UseClientAuthorization(),
+		ClientCreator:  s.BigQueryClientCreator(),
+		Client:         s.BigQueryClient(),
+		manifest:       tools.Manifest{Description: cfg.Description, Parameters: parameters.Manifest(), AuthRequired: cfg.AuthRequired},
+		mcpManifest:    mcpManifest,
 	}
 	return t, nil
 }
@@ -107,15 +112,17 @@ func (cfg Config) Initialize(srcs map[string]sources.Source) (tools.Tool, error)
 var _ tools.Tool = Tool{}

 type Tool struct {
-	Name         string           `yaml:"name"`
-	Kind         string           `yaml:"kind"`
-	AuthRequired []string         `yaml:"authRequired"`
-	Parameters   tools.Parameters `yaml:"parameters"`
+	Name           string           `yaml:"name"`
+	Kind           string           `yaml:"kind"`
+	AuthRequired   []string         `yaml:"authRequired"`
+	UseClientOAuth bool             `yaml:"useClientOAuth"`
+	Parameters     tools.Parameters `yaml:"parameters"`

-	Client      *bigqueryapi.Client
-	Statement   string
-	manifest    tools.Manifest
-	mcpManifest tools.McpManifest
+	Client        *bigqueryapi.Client
+	ClientCreator bigqueryds.BigqueryClientCreator
+	Statement     string
+	manifest      tools.Manifest
+	mcpManifest   tools.McpManifest
 }

 func (t Tool) Invoke(ctx context.Context, params tools.ParamValues, accessToken tools.AccessToken) (any, error) {
@@ -130,11 +137,21 @@ func (t Tool) Invoke(ctx context.Context, params tools.ParamValues, accessToken
 		return nil, fmt.Errorf("invalid or missing '%s' parameter; expected a string", datasetKey)
 	}

-	dsHandle := t.Client.DatasetInProject(projectId, datasetId)
+	bqClient := t.Client
+	var err error
+
+	// Initialize new client if using user OAuth token
+	if t.UseClientOAuth {
+		bqClient, _, err = t.ClientCreator(accessToken, false)
+		if err != nil {
+			return nil, fmt.Errorf("error creating client from OAuth access token: %w", err)
+		}
+	}
+	dsHandle := bqClient.DatasetInProject(projectId, datasetId)

 	metadata, err := dsHandle.Metadata(ctx)
 	if err != nil {
-		return nil, fmt.Errorf("failed to get metadata for dataset %s (in project %s): %w", datasetId, t.Client.Project(), err)
+		return nil, fmt.Errorf("failed to get metadata for dataset %s (in project %s): %w", datasetId, bqClient.Project(), err)
 	}

 	return metadata, nil
@@ -157,5 +174,5 @@ func (t Tool) Authorized(verifiedAuthServices []string) bool {
 }

 func (t Tool) RequiresClientAuthorization() bool {
-	return false
+	return t.UseClientOAuth
 }
--- a/internal/tools/bigquery/bigquerygettableinfo/bigquerygettableinfo.go
+++ b/internal/tools/bigquery/bigquerygettableinfo/bigquerygettableinfo.go
@@ -45,7 +45,10 @@ func newConfig(ctx context.Context, name string, decoder *yaml.Decoder) (tools.T
 }

 type compatibleSource interface {
+	BigQueryProject() string
 	BigQueryClient() *bigqueryapi.Client
+	BigQueryClientCreator() bigqueryds.BigqueryClientCreator
+	UseClientAuthorization() bool
 }

 // validate compatible sources are still compatible
@@ -81,7 +84,7 @@ func (cfg Config) Initialize(srcs map[string]sources.Source) (tools.Tool, error)
 		return nil, fmt.Errorf("invalid source for %q tool: source kind must be one of %q", kind, compatibleSources)
 	}

-	projectParameter := tools.NewStringParameterWithDefault(projectKey, s.BigQueryClient().Project(), "The Google Cloud project ID containing the dataset and table.")
+	projectParameter := tools.NewStringParameterWithDefault(projectKey, s.BigQueryProject(), "The Google Cloud project ID containing the dataset and table.")
 	datasetParameter := tools.NewStringParameter(datasetKey, "The table's parent dataset.")
 	tableParameter := tools.NewStringParameter(tableKey, "The table to get metadata information.")
 	parameters := tools.Parameters{projectParameter, datasetParameter, tableParameter}
@@ -94,13 +97,15 @@ func (cfg Config) Initialize(srcs map[string]sources.Source) (tools.Tool, error)

 	// finish tool setup
 	t := Tool{
-		Name:         cfg.Name,
-		Kind:         kind,
-		Parameters:   parameters,
-		AuthRequired: cfg.AuthRequired,
-		Client:       s.BigQueryClient(),
-		manifest:     tools.Manifest{Description: cfg.Description, Parameters: parameters.Manifest(), AuthRequired: cfg.AuthRequired},
-		mcpManifest:  mcpManifest,
+		Name:           cfg.Name,
+		Kind:           kind,
+		Parameters:     parameters,
+		AuthRequired:   cfg.AuthRequired,
+		UseClientOAuth: s.UseClientAuthorization(),
+		ClientCreator:  s.BigQueryClientCreator(),
+		Client:         s.BigQueryClient(),
+		manifest:       tools.Manifest{Description: cfg.Description, Parameters: parameters.Manifest(), AuthRequired: cfg.AuthRequired},
+		mcpManifest:    mcpManifest,
 	}
 	return t, nil
 }
@@ -109,15 +114,17 @@ func (cfg Config) Initialize(srcs map[string]sources.Source) (tools.Tool, error)
 var _ tools.Tool = Tool{}

 type Tool struct {
-	Name         string           `yaml:"name"`
-	Kind         string           `yaml:"kind"`
-	AuthRequired []string         `yaml:"authRequired"`
-	Parameters   tools.Parameters `yaml:"parameters"`
+	Name           string           `yaml:"name"`
+	Kind           string           `yaml:"kind"`
+	AuthRequired   []string         `yaml:"authRequired"`
+	UseClientOAuth bool             `yaml:"useClientOAuth"`
+	Parameters     tools.Parameters `yaml:"parameters"`

-	Client      *bigqueryapi.Client
-	Statement   string
-	manifest    tools.Manifest
-	mcpManifest tools.McpManifest
+	Client        *bigqueryapi.Client
+	ClientCreator bigqueryds.BigqueryClientCreator
+	Statement     string
+	manifest      tools.Manifest
+	mcpManifest   tools.McpManifest
 }

 func (t Tool) Invoke(ctx context.Context, params tools.ParamValues, accessToken tools.AccessToken) (any, error) {
@@ -137,7 +144,18 @@ func (t Tool) Invoke(ctx context.Context, params tools.ParamValues, accessToken
 		return nil, fmt.Errorf("invalid or missing '%s' parameter; expected a string", tableKey)
 	}

-	dsHandle := t.Client.DatasetInProject(projectId, datasetId)
+	bqClient := t.Client
+
+	var err error
+	// Initialize new client if using user OAuth token
+	if t.UseClientOAuth {
+		bqClient, _, err = t.ClientCreator(accessToken, false)
+		if err != nil {
+			return nil, fmt.Errorf("error creating client from OAuth access token: %w", err)
+		}
+	}
+
+	dsHandle := bqClient.DatasetInProject(projectId, datasetId)
 	tableHandle := dsHandle.Table(tableId)

 	metadata, err := tableHandle.Metadata(ctx)
@@ -165,5 +183,5 @@ func (t Tool) Authorized(verifiedAuthServices []string) bool {
 }

 func (t Tool) RequiresClientAuthorization() bool {
-	return false
+	return t.UseClientOAuth
 }
--- a/internal/tools/bigquery/bigquerylistdatasetids/bigquerylistdatasetids.go
+++ b/internal/tools/bigquery/bigquerylistdatasetids/bigquerylistdatasetids.go
@@ -44,7 +44,10 @@ func newConfig(ctx context.Context, name string, decoder *yaml.Decoder) (tools.T
 }

 type compatibleSource interface {
+	BigQueryProject() string
 	BigQueryClient() *bigqueryapi.Client
+	BigQueryClientCreator() bigqueryds.BigqueryClientCreator
+	UseClientAuthorization() bool
 }

 // validate compatible sources are still compatible
@@ -80,7 +83,7 @@ func (cfg Config) Initialize(srcs map[string]sources.Source) (tools.Tool, error)
 		return nil, fmt.Errorf("invalid source for %q tool: source kind must be one of %q", kind, compatibleSources)
 	}

-	projectParameter := tools.NewStringParameterWithDefault(projectKey, s.BigQueryClient().Project(), "The Google Cloud project to list dataset ids.")
+	projectParameter := tools.NewStringParameterWithDefault(projectKey, s.BigQueryProject(), "The Google Cloud project to list dataset ids.")

 	parameters := tools.Parameters{projectParameter}

@@ -92,13 +95,15 @@ func (cfg Config) Initialize(srcs map[string]sources.Source) (tools.Tool, error)

 	// finish tool setup
 	t := Tool{
-		Name:         cfg.Name,
-		Kind:         kind,
-		Parameters:   parameters,
-		AuthRequired: cfg.AuthRequired,
-		Client:       s.BigQueryClient(),
-		manifest:     tools.Manifest{Description: cfg.Description, Parameters: parameters.Manifest(), AuthRequired: cfg.AuthRequired},
-		mcpManifest:  mcpManifest,
+		Name:           cfg.Name,
+		Kind:           kind,
+		Parameters:     parameters,
+		AuthRequired:   cfg.AuthRequired,
+		UseClientOAuth: s.UseClientAuthorization(),
+		ClientCreator:  s.BigQueryClientCreator(),
+		Client:         s.BigQueryClient(),
+		manifest:       tools.Manifest{Description: cfg.Description, Parameters: parameters.Manifest(), AuthRequired: cfg.AuthRequired},
+		mcpManifest:    mcpManifest,
 	}
 	return t, nil
 }
@@ -107,15 +112,17 @@ func (cfg Config) Initialize(srcs map[string]sources.Source) (tools.Tool, error)
 var _ tools.Tool = Tool{}

 type Tool struct {
-	Name         string           `yaml:"name"`
-	Kind         string           `yaml:"kind"`
-	AuthRequired []string         `yaml:"authRequired"`
-	Parameters   tools.Parameters `yaml:"parameters"`
+	Name           string           `yaml:"name"`
+	Kind           string           `yaml:"kind"`
+	AuthRequired   []string         `yaml:"authRequired"`
+	UseClientOAuth bool             `yaml:"useClientOAuth"`
+	Parameters     tools.Parameters `yaml:"parameters"`

-	Client      *bigqueryapi.Client
-	Statement   string
-	manifest    tools.Manifest
-	mcpManifest tools.McpManifest
+	Client        *bigqueryapi.Client
+	ClientCreator bigqueryds.BigqueryClientCreator
+	Statement     string
+	manifest      tools.Manifest
+	mcpManifest   tools.McpManifest
 }

 func (t Tool) Invoke(ctx context.Context, params tools.ParamValues, accessToken tools.AccessToken) (any, error) {
@@ -124,7 +131,17 @@ func (t Tool) Invoke(ctx context.Context, params tools.ParamValues, accessToken
 	if !ok {
 		return nil, fmt.Errorf("invalid or missing '%s' parameter; expected a string", projectKey)
 	}
-	datasetIterator := t.Client.Datasets(ctx)
+
+	bqClient := t.Client
+	var err error
+	// Initialize new client if using user OAuth token
+	if t.UseClientOAuth {
+		bqClient, _, err = t.ClientCreator(accessToken, false)
+		if err != nil {
+			return nil, fmt.Errorf("error creating client from OAuth access token: %w", err)
+		}
+	}
+	datasetIterator := bqClient.Datasets(ctx)
 	datasetIterator.ProjectID = projectId

 	var datasetIds []any
@@ -165,5 +182,5 @@ func (t Tool) Authorized(verifiedAuthServices []string) bool {
 }

 func (t Tool) RequiresClientAuthorization() bool {
-	return false
+	return t.UseClientOAuth
 }
--- a/internal/tools/bigquery/bigquerylisttableids/bigquerylisttableids.go
+++ b/internal/tools/bigquery/bigquerylisttableids/bigquerylisttableids.go
@@ -46,6 +46,9 @@ func newConfig(ctx context.Context, name string, decoder *yaml.Decoder) (tools.T

 type compatibleSource interface {
 	BigQueryClient() *bigqueryapi.Client
+	BigQueryClientCreator() bigqueryds.BigqueryClientCreator
+	BigQueryProject() string
+	UseClientAuthorization() bool
 }

 // validate compatible sources are still compatible
@@ -81,7 +84,7 @@ func (cfg Config) Initialize(srcs map[string]sources.Source) (tools.Tool, error)
 		return nil, fmt.Errorf("invalid source for %q tool: source kind must be one of %q", kind, compatibleSources)
 	}

-	projectParameter := tools.NewStringParameterWithDefault(projectKey, s.BigQueryClient().Project(), "The Google Cloud project ID containing the dataset.")
+	projectParameter := tools.NewStringParameterWithDefault(projectKey, s.BigQueryProject(), "The Google Cloud project ID containing the dataset.")
 	datasetParameter := tools.NewStringParameter(datasetKey, "The dataset to list table ids.")
 	parameters := tools.Parameters{projectParameter, datasetParameter}

@@ -93,13 +96,15 @@ func (cfg Config) Initialize(srcs map[string]sources.Source) (tools.Tool, error)

 	// finish tool setup
 	t := Tool{
-		Name:         cfg.Name,
-		Kind:         kind,
-		Parameters:   parameters,
-		AuthRequired: cfg.AuthRequired,
-		Client:       s.BigQueryClient(),
-		manifest:     tools.Manifest{Description: cfg.Description, Parameters: parameters.Manifest(), AuthRequired: cfg.AuthRequired},
-		mcpManifest:  mcpManifest,
+		Name:           cfg.Name,
+		Kind:           kind,
+		Parameters:     parameters,
+		AuthRequired:   cfg.AuthRequired,
+		UseClientOAuth: s.UseClientAuthorization(),
+		ClientCreator:  s.BigQueryClientCreator(),
+		Client:         s.BigQueryClient(),
+		manifest:       tools.Manifest{Description: cfg.Description, Parameters: parameters.Manifest(), AuthRequired: cfg.AuthRequired},
+		mcpManifest:    mcpManifest,
 	}
 	return t, nil
 }
@@ -108,15 +113,17 @@ func (cfg Config) Initialize(srcs map[string]sources.Source) (tools.Tool, error)
 var _ tools.Tool = Tool{}

 type Tool struct {
-	Name         string           `yaml:"name"`
-	Kind         string           `yaml:"kind"`
-	AuthRequired []string         `yaml:"authRequired"`
-	Parameters   tools.Parameters `yaml:"parameters"`
+	Name           string           `yaml:"name"`
+	Kind           string           `yaml:"kind"`
+	AuthRequired   []string         `yaml:"authRequired"`
+	UseClientOAuth bool             `yaml:"useClientOAuth"`
+	Parameters     tools.Parameters `yaml:"parameters"`

-	Client      *bigqueryapi.Client
-	Statement   string
-	manifest    tools.Manifest
-	mcpManifest tools.McpManifest
+	Client        *bigqueryapi.Client
+	ClientCreator bigqueryds.BigqueryClientCreator
+	Statement     string
+	manifest      tools.Manifest
+	mcpManifest   tools.McpManifest
 }

 func (t Tool) Invoke(ctx context.Context, params tools.ParamValues, accessToken tools.AccessToken) (any, error) {
@@ -131,7 +138,17 @@ func (t Tool) Invoke(ctx context.Context, params tools.ParamValues, accessToken
 		return nil, fmt.Errorf("invalid or missing '%s' parameter; expected a string", datasetKey)
 	}

-	dsHandle := t.Client.DatasetInProject(projectId, datasetId)
+	bqClient := t.Client
+	var err error
+	// Initialize new client if using user OAuth token
+	if t.UseClientOAuth {
+		bqClient, _, err = t.ClientCreator(accessToken, false)
+		if err != nil {
+			return nil, fmt.Errorf("error creating client from OAuth access token: %w", err)
+		}
+	}
+
+	dsHandle := bqClient.DatasetInProject(projectId, datasetId)

 	var tableIds []any
 	tableIterator := dsHandle.Tables(ctx)
@@ -141,7 +158,7 @@ func (t Tool) Invoke(ctx context.Context, params tools.ParamValues, accessToken
 			break
 		}
 		if err != nil {
-			return nil, fmt.Errorf("failed to iterate through tables in dataset %s.%s: %w", t.Client.Project(), datasetId, err)
+			return nil, fmt.Errorf("failed to iterate through tables in dataset %s.%s: %w", bqClient.Project(), datasetId, err)
 		}

 		// Remove leading and trailing quotes
@@ -172,5 +189,5 @@ func (t Tool) Authorized(verifiedAuthServices []string) bool {
 }

 func (t Tool) RequiresClientAuthorization() bool {
-	return false
+	return t.UseClientOAuth
 }
--- a/internal/tools/bigquery/bigquerysql/bigquerysql.go
+++ b/internal/tools/bigquery/bigquerysql/bigquerysql.go
@@ -23,6 +23,7 @@ import (
 	bigqueryapi "cloud.google.com/go/bigquery"
 	yaml "github.com/goccy/go-yaml"
 	"github.com/googleapis/genai-toolbox/internal/sources"
+
 	bigqueryds "github.com/googleapis/genai-toolbox/internal/sources/bigquery"
 	"github.com/googleapis/genai-toolbox/internal/tools"
 	bigqueryrestapi "google.golang.org/api/bigquery/v2"
@@ -48,6 +49,8 @@ func newConfig(ctx context.Context, name string, decoder *yaml.Decoder) (tools.T
 type compatibleSource interface {
 	BigQueryClient() *bigqueryapi.Client
 	BigQueryRestService() *bigqueryrestapi.Service
+	BigQueryClientCreator() bigqueryds.BigqueryClientCreator
+	UseClientAuthorization() bool
 }

 // validate compatible sources are still compatible
@@ -101,15 +104,18 @@ func (cfg Config) Initialize(srcs map[string]sources.Source) (tools.Tool, error)
 	t := Tool{
 		Name:               cfg.Name,
 		Kind:               kind,
+		AuthRequired:       cfg.AuthRequired,
 		Parameters:         cfg.Parameters,
 		TemplateParameters: cfg.TemplateParameters,
 		AllParams:          allParameters,
-		Statement:          cfg.Statement,
-		AuthRequired:       cfg.AuthRequired,
-		Client:             s.BigQueryClient(),
-		RestService:        s.BigQueryRestService(),
-		manifest:           tools.Manifest{Description: cfg.Description, Parameters: paramManifest, AuthRequired: cfg.AuthRequired},
-		mcpManifest:        mcpManifest,
+
+		Statement:      cfg.Statement,
+		UseClientOAuth: s.UseClientAuthorization(),
+		Client:         s.BigQueryClient(),
+		RestService:    s.BigQueryRestService(),
+		ClientCreator:  s.BigQueryClientCreator(),
+		manifest:       tools.Manifest{Description: cfg.Description, Parameters: paramManifest, AuthRequired: cfg.AuthRequired},
+		mcpManifest:    mcpManifest,
 	}
 	return t, nil
 }
@@ -121,14 +127,17 @@ type Tool struct {
 	Name               string           `yaml:"name"`
 	Kind               string           `yaml:"kind"`
 	AuthRequired       []string         `yaml:"authRequired"`
+	UseClientOAuth     bool             `yaml:"useClientOAuth"`
 	Parameters         tools.Parameters `yaml:"parameters"`
 	TemplateParameters tools.Parameters `yaml:"templateParameters"`
 	AllParams          tools.Parameters `yaml:"allParams"`
-	Statement          string
-	Client             *bigqueryapi.Client
-	RestService        *bigqueryrestapi.Service
-	manifest           tools.Manifest
-	mcpManifest        tools.McpManifest
+
+	Statement     string
+	Client        *bigqueryapi.Client
+	RestService   *bigqueryrestapi.Service
+	ClientCreator bigqueryds.BigqueryClientCreator
+	manifest      tools.Manifest
+	mcpManifest   tools.McpManifest
 }

 func (t Tool) Invoke(ctx context.Context, params tools.ParamValues, accessToken tools.AccessToken) (any, error) {
@@ -208,11 +217,22 @@ func (t Tool) Invoke(ctx context.Context, params tools.ParamValues, accessToken
 		lowLevelParams = append(lowLevelParams, lowLevelParam)
 	}

-	query := t.Client.Query(newStatement)
-	query.Parameters = highLevelParams
-	query.Location = t.Client.Location
+	bqClient := t.Client
+	restService := t.RestService

-	dryRunJob, err := dryRunQuery(ctx, t.RestService, t.Client.Project(), t.Client.Location, newStatement, lowLevelParams, query.ConnectionProperties)
+	// Initialize new client if using user OAuth token
+	if t.UseClientOAuth {
+		bqClient, restService, err = t.ClientCreator(accessToken, true)
+		if err != nil {
+			return nil, fmt.Errorf("error creating client from OAuth access token: %w", err)
+		}
+	}
+
+	query := bqClient.Query(newStatement)
+	query.Parameters = highLevelParams
+	query.Location = bqClient.Location
+
+	dryRunJob, err := dryRunQuery(ctx, restService, bqClient.Project(), bqClient.Location, newStatement, lowLevelParams, query.ConnectionProperties)
 	if err != nil {
 		// This is a fallback check in case the switch logic was bypassed.
 		return nil, fmt.Errorf("final query validation failed: %w", err)
@@ -277,8 +297,9 @@ func (t Tool) Authorized(verifiedAuthServices []string) bool {
 }

 func (t Tool) RequiresClientAuthorization() bool {
-	return false
+	return t.UseClientOAuth
 }
+
 func BQTypeStringFromToolType(toolType string) (string, error) {
 	switch toolType {
 	case "string":
--- a/internal/tools/clickhouse/clickhouseexecutesql/clickhouseexecutesql.go
+++ b/internal/tools/clickhouse/clickhouseexecutesql/clickhouseexecutesql.go
@@ -0,0 +1,191 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package clickhouse
+
+import (
+	"context"
+	"database/sql"
+	"fmt"
+
+	yaml "github.com/goccy/go-yaml"
+	"github.com/googleapis/genai-toolbox/internal/sources"
+	"github.com/googleapis/genai-toolbox/internal/tools"
+)
+
+type compatibleSource interface {
+	ClickHousePool() *sql.DB
+}
+
+var compatibleSources = []string{"clickhouse"}
+
+const executeSQLKind string = "clickhouse-execute-sql"
+
+func init() {
+	if !tools.Register(executeSQLKind, newExecuteSQLConfig) {
+		panic(fmt.Sprintf("tool kind %q already registered", executeSQLKind))
+	}
+}
+
+func newExecuteSQLConfig(ctx context.Context, name string, decoder *yaml.Decoder) (tools.ToolConfig, error) {
+	actual := Config{Name: name}
+	if err := decoder.DecodeContext(ctx, &actual); err != nil {
+		return nil, err
+	}
+	return actual, nil
+}
+
+type Config struct {
+	Name         string   `yaml:"name" validate:"required"`
+	Kind         string   `yaml:"kind" validate:"required"`
+	Source       string   `yaml:"source" validate:"required"`
+	Description  string   `yaml:"description" validate:"required"`
+	AuthRequired []string `yaml:"authRequired"`
+}
+
+var _ tools.ToolConfig = Config{}
+
+func (cfg Config) ToolConfigKind() string {
+	return executeSQLKind
+}
+
+func (cfg Config) Initialize(srcs map[string]sources.Source) (tools.Tool, error) {
+	rawS, ok := srcs[cfg.Source]
+	if !ok {
+		return nil, fmt.Errorf("no source named %q configured", cfg.Source)
+	}
+
+	s, ok := rawS.(compatibleSource)
+	if !ok {
+		return nil, fmt.Errorf("invalid source for %q tool: source kind must be one of %q", executeSQLKind, compatibleSources)
+	}
+
+	sqlParameter := tools.NewStringParameter("sql", "The SQL statement to execute.")
+	parameters := tools.Parameters{sqlParameter}
+
+	mcpManifest := tools.McpManifest{
+		Name:        cfg.Name,
+		Description: cfg.Description,
+		InputSchema: parameters.McpManifest(),
+	}
+
+	t := ExecuteSQLTool{
+		Name:         cfg.Name,
+		Kind:         executeSQLKind,
+		Parameters:   parameters,
+		AuthRequired: cfg.AuthRequired,
+		Pool:         s.ClickHousePool(),
+		manifest:     tools.Manifest{Description: cfg.Description, Parameters: parameters.Manifest(), AuthRequired: cfg.AuthRequired},
+		mcpManifest:  mcpManifest,
+	}
+	return t, nil
+}
+
+var _ tools.Tool = ExecuteSQLTool{}
+
+type ExecuteSQLTool struct {
+	Name         string           `yaml:"name"`
+	Kind         string           `yaml:"kind"`
+	AuthRequired []string         `yaml:"authRequired"`
+	Parameters   tools.Parameters `yaml:"parameters"`
+
+	Pool        *sql.DB
+	manifest    tools.Manifest
+	mcpManifest tools.McpManifest
+}
+
+func (t ExecuteSQLTool) Invoke(ctx context.Context, params tools.ParamValues, token tools.AccessToken) (any, error) {
+	paramsMap := params.AsMap()
+	sql, ok := paramsMap["sql"].(string)
+	if !ok {
+		return nil, fmt.Errorf("unable to cast sql parameter %s", paramsMap["sql"])
+	}
+
+	results, err := t.Pool.QueryContext(ctx, sql)
+	if err != nil {
+		return nil, fmt.Errorf("unable to execute query: %w", err)
+	}
+	defer results.Close()
+
+	cols, err := results.Columns()
+	if err != nil {
+		return nil, fmt.Errorf("unable to retrieve rows column name: %w", err)
+	}
+
+	// create an array of values for each column, which can be re-used to scan each row
+	rawValues := make([]any, len(cols))
+	values := make([]any, len(cols))
+	for i := range rawValues {
+		values[i] = &rawValues[i]
+	}
+
+	colTypes, err := results.ColumnTypes()
+	if err != nil {
+		return nil, fmt.Errorf("unable to get column types: %w", err)
+	}
+
+	var out []any
+	for results.Next() {
+		err := results.Scan(values...)
+		if err != nil {
+			return nil, fmt.Errorf("unable to parse row: %w", err)
+		}
+		vMap := make(map[string]any)
+		for i, name := range cols {
+			// ClickHouse driver may return specific types that need handling
+			switch colTypes[i].DatabaseTypeName() {
+			case "String", "FixedString":
+				if rawValues[i] != nil {
+					// Handle potential []byte to string conversion if needed
+					if b, ok := rawValues[i].([]byte); ok {
+						vMap[name] = string(b)
+					} else {
+						vMap[name] = rawValues[i]
+					}
+				} else {
+					vMap[name] = nil
+				}
+			default:
+				vMap[name] = rawValues[i]
+			}
+		}
+		out = append(out, vMap)
+	}
+
+	if err := results.Err(); err != nil {
+		return nil, fmt.Errorf("errors encountered by results.Scan: %w", err)
+	}
+
+	return out, nil
+}
+
+func (t ExecuteSQLTool) ParseParams(data map[string]any, claims map[string]map[string]any) (tools.ParamValues, error) {
+	return tools.ParseParams(t.Parameters, data, claims)
+}
+
+func (t ExecuteSQLTool) Manifest() tools.Manifest {
+	return t.manifest
+}
+
+func (t ExecuteSQLTool) McpManifest() tools.McpManifest {
+	return t.mcpManifest
+}
+
+func (t ExecuteSQLTool) Authorized(verifiedAuthServices []string) bool {
+	return tools.IsAuthorized(t.AuthRequired, verifiedAuthServices)
+}
+
+func (t ExecuteSQLTool) RequiresClientAuthorization() bool {
+	return false
+}
--- a/internal/tools/clickhouse/clickhouseexecutesql/clickhouseexecutesql_test.go
+++ b/internal/tools/clickhouse/clickhouseexecutesql/clickhouseexecutesql_test.go
@@ -0,0 +1,70 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package clickhouse
+
+import (
+	"testing"
+
+	yaml "github.com/goccy/go-yaml"
+	"github.com/google/go-cmp/cmp"
+	"github.com/googleapis/genai-toolbox/internal/server"
+	"github.com/googleapis/genai-toolbox/internal/testutils"
+)
+
+func TestParseFromYamlClickHouseExecuteSQL(t *testing.T) {
+	ctx, err := testutils.ContextWithNewLogger()
+	if err != nil {
+		t.Fatalf("unexpected error: %s", err)
+	}
+	tcs := []struct {
+		desc string
+		in   string
+		want server.ToolConfigs
+	}{
+		{
+			desc: "basic example",
+			in: `
+			tools:
+				example_tool:
+					kind: clickhouse-execute-sql
+					source: my-instance
+					description: some description
+			`,
+			want: server.ToolConfigs{
+				"example_tool": Config{
+					Name:         "example_tool",
+					Kind:         "clickhouse-execute-sql",
+					Source:       "my-instance",
+					Description:  "some description",
+					AuthRequired: []string{},
+				},
+			},
+		},
+	}
+	for _, tc := range tcs {
+		t.Run(tc.desc, func(t *testing.T) {
+			got := struct {
+				Tools server.ToolConfigs `yaml:"tools"`
+			}{}
+			err := yaml.UnmarshalContext(ctx, testutils.FormatYaml(tc.in), &got)
+			if err != nil {
+				t.Fatalf("unable to unmarshal: %s", err)
+			}
+			if diff := cmp.Diff(tc.want, got.Tools); diff != "" {
+				t.Fatalf("incorrect parse: diff %v", diff)
+			}
+		})
+	}
+}
--- a/internal/tools/clickhouse/clickhousesql/clickhousesql.go
+++ b/internal/tools/clickhouse/clickhousesql/clickhousesql.go
@@ -0,0 +1,207 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package clickhouse
+
+import (
+	"context"
+	"database/sql"
+	"fmt"
+
+	yaml "github.com/goccy/go-yaml"
+	"github.com/googleapis/genai-toolbox/internal/sources"
+	"github.com/googleapis/genai-toolbox/internal/tools"
+)
+
+type compatibleSource interface {
+	ClickHousePool() *sql.DB
+}
+
+var compatibleSources = []string{"clickhouse"}
+
+const sqlKind string = "clickhouse-sql"
+
+func init() {
+	if !tools.Register(sqlKind, newSQLConfig) {
+		panic(fmt.Sprintf("tool kind %q already registered", sqlKind))
+	}
+}
+
+func newSQLConfig(ctx context.Context, name string, decoder *yaml.Decoder) (tools.ToolConfig, error) {
+	actual := Config{Name: name}
+	if err := decoder.DecodeContext(ctx, &actual); err != nil {
+		return nil, err
+	}
+	return actual, nil
+}
+
+type Config struct {
+	Name               string           `yaml:"name" validate:"required"`
+	Kind               string           `yaml:"kind" validate:"required"`
+	Source             string           `yaml:"source" validate:"required"`
+	Description        string           `yaml:"description" validate:"required"`
+	Statement          string           `yaml:"statement" validate:"required"`
+	AuthRequired       []string         `yaml:"authRequired"`
+	Parameters         tools.Parameters `yaml:"parameters"`
+	TemplateParameters tools.Parameters `yaml:"templateParameters"`
+}
+
+var _ tools.ToolConfig = Config{}
+
+func (cfg Config) ToolConfigKind() string {
+	return sqlKind
+}
+
+func (cfg Config) Initialize(srcs map[string]sources.Source) (tools.Tool, error) {
+	rawS, ok := srcs[cfg.Source]
+	if !ok {
+		return nil, fmt.Errorf("no source named %q configured", cfg.Source)
+	}
+
+	s, ok := rawS.(compatibleSource)
+	if !ok {
+		return nil, fmt.Errorf("invalid source for %q tool: source kind must be one of %q", sqlKind, compatibleSources)
+	}
+
+	allParameters, paramManifest, paramMcpManifest, _ := tools.ProcessParameters(cfg.TemplateParameters, cfg.Parameters)
+
+	mcpManifest := tools.McpManifest{
+		Name:        cfg.Name,
+		Description: cfg.Description,
+		InputSchema: paramMcpManifest,
+	}
+
+	t := Tool{
+		Name:               cfg.Name,
+		Kind:               sqlKind,
+		Parameters:         cfg.Parameters,
+		TemplateParameters: cfg.TemplateParameters,
+		AllParams:          allParameters,
+		Statement:          cfg.Statement,
+		AuthRequired:       cfg.AuthRequired,
+		Pool:               s.ClickHousePool(),
+		manifest:           tools.Manifest{Description: cfg.Description, Parameters: paramManifest, AuthRequired: cfg.AuthRequired},
+		mcpManifest:        mcpManifest,
+	}
+	return t, nil
+}
+
+var _ tools.Tool = Tool{}
+
+type Tool struct {
+	Name               string           `yaml:"name"`
+	Kind               string           `yaml:"kind"`
+	AuthRequired       []string         `yaml:"authRequired"`
+	Parameters         tools.Parameters `yaml:"parameters"`
+	TemplateParameters tools.Parameters `yaml:"templateParameters"`
+	AllParams          tools.Parameters `yaml:"allParams"`
+
+	Pool        *sql.DB
+	Statement   string
+	manifest    tools.Manifest
+	mcpManifest tools.McpManifest
+}
+
+func (t Tool) Invoke(ctx context.Context, params tools.ParamValues, token tools.AccessToken) (any, error) {
+	paramsMap := params.AsMap()
+	newStatement, err := tools.ResolveTemplateParams(t.TemplateParameters, t.Statement, paramsMap)
+	if err != nil {
+		return nil, fmt.Errorf("unable to extract template params: %w", err)
+	}
+
+	newParams, err := tools.GetParams(t.Parameters, paramsMap)
+	if err != nil {
+		return nil, fmt.Errorf("unable to extract standard params: %w", err)
+	}
+
+	sliceParams := newParams.AsSlice()
+	results, err := t.Pool.QueryContext(ctx, newStatement, sliceParams...)
+	if err != nil {
+		return nil, fmt.Errorf("unable to execute query: %w", err)
+	}
+
+	cols, err := results.Columns()
+	if err != nil {
+		return nil, fmt.Errorf("unable to retrieve rows column name: %w", err)
+	}
+
+	rawValues := make([]any, len(cols))
+	values := make([]any, len(cols))
+	for i := range rawValues {
+		values[i] = &rawValues[i]
+	}
+
+	colTypes, err := results.ColumnTypes()
+	if err != nil {
+		return nil, fmt.Errorf("unable to get column types: %w", err)
+	}
+
+	var out []any
+	for results.Next() {
+		err := results.Scan(values...)
+		if err != nil {
+			return nil, fmt.Errorf("unable to parse row: %w", err)
+		}
+		vMap := make(map[string]any)
+		for i, name := range cols {
+			switch colTypes[i].DatabaseTypeName() {
+			case "String", "FixedString":
+				if rawValues[i] != nil {
+					// Handle potential []byte to string conversion if needed
+					if b, ok := rawValues[i].([]byte); ok {
+						vMap[name] = string(b)
+					} else {
+						vMap[name] = rawValues[i]
+					}
+				} else {
+					vMap[name] = nil
+				}
+			default:
+				vMap[name] = rawValues[i]
+			}
+		}
+		out = append(out, vMap)
+	}
+
+	err = results.Close()
+	if err != nil {
+		return nil, fmt.Errorf("unable to close rows: %w", err)
+	}
+
+	if err := results.Err(); err != nil {
+		return nil, fmt.Errorf("errors encountered by results.Scan: %w", err)
+	}
+
+	return out, nil
+}
+
+func (t Tool) ParseParams(data map[string]any, claims map[string]map[string]any) (tools.ParamValues, error) {
+	return tools.ParseParams(t.AllParams, data, claims)
+}
+
+func (t Tool) Manifest() tools.Manifest {
+	return t.manifest
+}
+
+func (t Tool) McpManifest() tools.McpManifest {
+	return t.mcpManifest
+}
+
+func (t Tool) Authorized(verifiedAuthServices []string) bool {
+	return tools.IsAuthorized(t.AuthRequired, verifiedAuthServices)
+}
+
+func (t Tool) RequiresClientAuthorization() bool {
+	return false
+}
--- a/internal/tools/clickhouse/clickhousesql/clickhousesql_test.go
+++ b/internal/tools/clickhouse/clickhousesql/clickhousesql_test.go
@@ -0,0 +1,276 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package clickhouse
+
+import (
+	"testing"
+
+	"github.com/goccy/go-yaml"
+	"github.com/google/go-cmp/cmp"
+	"github.com/googleapis/genai-toolbox/internal/server"
+	"github.com/googleapis/genai-toolbox/internal/sources"
+	"github.com/googleapis/genai-toolbox/internal/sources/clickhouse"
+	"github.com/googleapis/genai-toolbox/internal/testutils"
+	"github.com/googleapis/genai-toolbox/internal/tools"
+)
+
+func TestConfigToolConfigKind(t *testing.T) {
+	config := Config{}
+	if config.ToolConfigKind() != sqlKind {
+		t.Errorf("Expected %s, got %s", sqlKind, config.ToolConfigKind())
+	}
+}
+
+func TestParseFromYamlClickHouseSQL(t *testing.T) {
+	ctx, err := testutils.ContextWithNewLogger()
+	if err != nil {
+		t.Fatalf("unexpected error: %s", err)
+	}
+	tcs := []struct {
+		desc string
+		in   string
+		want server.ToolConfigs
+	}{
+		{
+			desc: "basic example",
+			in: `
+			tools:
+				example_tool:
+					kind: clickhouse-sql
+					source: my-instance
+					description: some description
+					statement: SELECT 1
+			`,
+			want: server.ToolConfigs{
+				"example_tool": Config{
+					Name:         "example_tool",
+					Kind:         "clickhouse-sql",
+					Source:       "my-instance",
+					Description:  "some description",
+					Statement:    "SELECT 1",
+					AuthRequired: []string{},
+				},
+			},
+		},
+		{
+			desc: "with parameters",
+			in: `
+			tools:
+				param_tool:
+					kind: clickhouse-sql
+					source: test-source
+					description: Test ClickHouse tool
+					statement: SELECT * FROM test_table WHERE id = $1
+					parameters:
+					  - name: id
+					    type: string
+					    description: Test ID
+			`,
+			want: server.ToolConfigs{
+				"param_tool": Config{
+					Name:        "param_tool",
+					Kind:        "clickhouse-sql",
+					Source:      "test-source",
+					Description: "Test ClickHouse tool",
+					Statement:   "SELECT * FROM test_table WHERE id = $1",
+					Parameters: tools.Parameters{
+						tools.NewStringParameter("id", "Test ID"),
+					},
+					AuthRequired: []string{},
+				},
+			},
+		},
+	}
+	for _, tc := range tcs {
+		t.Run(tc.desc, func(t *testing.T) {
+			got := struct {
+				Tools server.ToolConfigs `yaml:"tools"`
+			}{}
+			err := yaml.UnmarshalContext(ctx, testutils.FormatYaml(tc.in), &got)
+			if err != nil {
+				t.Fatalf("unable to unmarshal: %s", err)
+			}
+			if diff := cmp.Diff(tc.want, got.Tools); diff != "" {
+				t.Fatalf("incorrect parse: diff %v", diff)
+			}
+		})
+	}
+}
+
+func TestSQLConfigInitializeValidSource(t *testing.T) {
+	config := Config{
+		Name:        "test-tool",
+		Kind:        sqlKind,
+		Source:      "test-clickhouse",
+		Description: "Test tool",
+		Statement:   "SELECT 1",
+		Parameters:  tools.Parameters{},
+	}
+
+	// Create a mock ClickHouse source
+	mockSource := &clickhouse.Source{}
+
+	sources := map[string]sources.Source{
+		"test-clickhouse": mockSource,
+	}
+
+	tool, err := config.Initialize(sources)
+	if err != nil {
+		t.Fatalf("Expected no error, got: %v", err)
+	}
+
+	clickhouseTool, ok := tool.(Tool)
+	if !ok {
+		t.Fatalf("Expected Tool type, got %T", tool)
+	}
+
+	if clickhouseTool.Name != "test-tool" {
+		t.Errorf("Expected name 'test-tool', got %s", clickhouseTool.Name)
+	}
+}
+
+func TestSQLConfigInitializeMissingSource(t *testing.T) {
+	config := Config{
+		Name:        "test-tool",
+		Kind:        sqlKind,
+		Source:      "missing-source",
+		Description: "Test tool",
+		Statement:   "SELECT 1",
+		Parameters:  tools.Parameters{},
+	}
+
+	sources := map[string]sources.Source{}
+
+	_, err := config.Initialize(sources)
+	if err == nil {
+		t.Fatal("Expected error for missing source, got nil")
+	}
+
+	expectedErr := `no source named "missing-source" configured`
+	if err.Error() != expectedErr {
+		t.Errorf("Expected error %q, got %q", expectedErr, err.Error())
+	}
+}
+
+// mockIncompatibleSource is a mock source that doesn't implement the compatibleSource interface
+type mockIncompatibleSource struct{}
+
+func (m *mockIncompatibleSource) SourceKind() string {
+	return "mock"
+}
+
+func TestSQLConfigInitializeIncompatibleSource(t *testing.T) {
+	config := Config{
+		Name:        "test-tool",
+		Kind:        sqlKind,
+		Source:      "incompatible-source",
+		Description: "Test tool",
+		Statement:   "SELECT 1",
+		Parameters:  tools.Parameters{},
+	}
+
+	mockSource := &mockIncompatibleSource{}
+
+	sources := map[string]sources.Source{
+		"incompatible-source": mockSource,
+	}
+
+	_, err := config.Initialize(sources)
+	if err == nil {
+		t.Fatal("Expected error for incompatible source, got nil")
+	}
+
+	if err.Error() == "" {
+		t.Error("Expected non-empty error message")
+	}
+}
+
+func TestToolManifest(t *testing.T) {
+	tool := Tool{
+		manifest: tools.Manifest{
+			Description: "Test description",
+			Parameters:  []tools.ParameterManifest{},
+		},
+	}
+
+	manifest := tool.Manifest()
+	if manifest.Description != "Test description" {
+		t.Errorf("Expected description 'Test description', got %s", manifest.Description)
+	}
+}
+
+func TestToolMcpManifest(t *testing.T) {
+	tool := Tool{
+		mcpManifest: tools.McpManifest{
+			Name:        "test-tool",
+			Description: "Test description",
+		},
+	}
+
+	manifest := tool.McpManifest()
+	if manifest.Name != "test-tool" {
+		t.Errorf("Expected name 'test-tool', got %s", manifest.Name)
+	}
+	if manifest.Description != "Test description" {
+		t.Errorf("Expected description 'Test description', got %s", manifest.Description)
+	}
+}
+
+func TestToolAuthorized(t *testing.T) {
+	tests := []struct {
+		name                 string
+		authRequired         []string
+		verifiedAuthServices []string
+		expectedAuthorized   bool
+	}{
+		{
+			name:                 "no auth required",
+			authRequired:         []string{},
+			verifiedAuthServices: []string{},
+			expectedAuthorized:   true,
+		},
+		{
+			name:                 "auth required and verified",
+			authRequired:         []string{"google"},
+			verifiedAuthServices: []string{"google"},
+			expectedAuthorized:   true,
+		},
+		{
+			name:                 "auth required but not verified",
+			authRequired:         []string{"google"},
+			verifiedAuthServices: []string{},
+			expectedAuthorized:   false,
+		},
+		{
+			name:                 "auth required but different service verified",
+			authRequired:         []string{"google"},
+			verifiedAuthServices: []string{"aws"},
+			expectedAuthorized:   false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			tool := Tool{
+				AuthRequired: tt.authRequired,
+			}
+
+			authorized := tool.Authorized(tt.verifiedAuthServices)
+			if authorized != tt.expectedAuthorized {
+				t.Errorf("Expected authorized %t, got %t", tt.expectedAuthorized, authorized)
+			}
+		})
+	}
+}
--- a/internal/tools/firestore/firestoreadddocuments/firestoreadddocuments.go
+++ b/internal/tools/firestore/firestoreadddocuments/firestoreadddocuments.go
@@ -85,7 +85,7 @@ func (cfg Config) Initialize(srcs map[string]sources.Source) (tools.Tool, error)
 	// Create parameters
 	collectionPathParameter := tools.NewStringParameter(
 		collectionPathKey,
-		"The path of the collection where the document will be added to",
+		"The relative path of the collection where the document will be added to (e.g., 'users' or 'users/userId/posts'). Note: This is a relative path, NOT an absolute path like 'projects/{project_id}/databases/{database_id}/documents/...'",
 	)

 	documentDataParameter := tools.NewMapParameter(
@@ -159,6 +159,11 @@ func (t Tool) Invoke(ctx context.Context, params tools.ParamValues, accessToken
 		return nil, fmt.Errorf("invalid or missing '%s' parameter", collectionPathKey)
 	}

+	// Validate collection path
+	if err := util.ValidateCollectionPath(collectionPath); err != nil {
+		return nil, fmt.Errorf("invalid collection path: %w", err)
+	}
+
 	// Get document data
 	documentDataRaw, ok := mapParams[documentDataKey]
 	if !ok {
--- a/internal/tools/firestore/firestoredeletedocuments/firestoredeletedocuments.go
+++ b/internal/tools/firestore/firestoredeletedocuments/firestoredeletedocuments.go
@@ -23,6 +23,7 @@ import (
 	"github.com/googleapis/genai-toolbox/internal/sources"
 	firestoreds "github.com/googleapis/genai-toolbox/internal/sources/firestore"
 	"github.com/googleapis/genai-toolbox/internal/tools"
+	"github.com/googleapis/genai-toolbox/internal/tools/firestore/util"
 )

 const kind string = "firestore-delete-documents"
@@ -79,7 +80,7 @@ func (cfg Config) Initialize(srcs map[string]sources.Source) (tools.Tool, error)
 		return nil, fmt.Errorf("invalid source for %q tool: source kind must be one of %q", kind, compatibleSources)
 	}

-	documentPathsParameter := tools.NewArrayParameter(documentPathsKey, "Array of document paths to delete from Firestore.", tools.NewStringParameter("item", "Document path"))
+	documentPathsParameter := tools.NewArrayParameter(documentPathsKey, "Array of relative document paths to delete from Firestore (e.g., 'users/userId' or 'users/userId/posts/postId'). Note: These are relative paths, NOT absolute paths like 'projects/{project_id}/databases/{database_id}/documents/...'", tools.NewStringParameter("item", "Relative document path"))
 	parameters := tools.Parameters{documentPathsParameter}

 	mcpManifest := tools.McpManifest{
@@ -137,6 +138,13 @@ func (t Tool) Invoke(ctx context.Context, params tools.ParamValues, accessToken
 		return nil, fmt.Errorf("unexpected type conversion error for document paths")
 	}

+	// Validate each document path
+	for i, path := range documentPaths {
+		if err := util.ValidateDocumentPath(path); err != nil {
+			return nil, fmt.Errorf("invalid document path at index %d: %w", i, err)
+		}
+	}
+
 	// Create a BulkWriter to handle multiple deletions efficiently
 	bulkWriter := t.Client.BulkWriter(ctx)

--- a/internal/tools/firestore/firestoregetdocuments/firestoregetdocuments.go
+++ b/internal/tools/firestore/firestoregetdocuments/firestoregetdocuments.go
@@ -23,6 +23,7 @@ import (
 	"github.com/googleapis/genai-toolbox/internal/sources"
 	firestoreds "github.com/googleapis/genai-toolbox/internal/sources/firestore"
 	"github.com/googleapis/genai-toolbox/internal/tools"
+	"github.com/googleapis/genai-toolbox/internal/tools/firestore/util"
 )

 const kind string = "firestore-get-documents"
@@ -79,7 +80,7 @@ func (cfg Config) Initialize(srcs map[string]sources.Source) (tools.Tool, error)
 		return nil, fmt.Errorf("invalid source for %q tool: source kind must be one of %q", kind, compatibleSources)
 	}

-	documentPathsParameter := tools.NewArrayParameter(documentPathsKey, "Array of document paths to retrieve from Firestore.", tools.NewStringParameter("item", "Document path"))
+	documentPathsParameter := tools.NewArrayParameter(documentPathsKey, "Array of relative document paths to retrieve from Firestore (e.g., 'users/userId' or 'users/userId/posts/postId'). Note: These are relative paths, NOT absolute paths like 'projects/{project_id}/databases/{database_id}/documents/...'", tools.NewStringParameter("item", "Relative document path"))
 	parameters := tools.Parameters{documentPathsParameter}

 	mcpManifest := tools.McpManifest{
@@ -137,6 +138,13 @@ func (t Tool) Invoke(ctx context.Context, params tools.ParamValues, accessToken
 		return nil, fmt.Errorf("unexpected type conversion error for document paths")
 	}

+	// Validate each document path
+	for i, path := range documentPaths {
+		if err := util.ValidateDocumentPath(path); err != nil {
+			return nil, fmt.Errorf("invalid document path at index %d: %w", i, err)
+		}
+	}
+
 	// Create document references from paths
 	docRefs := make([]*firestoreapi.DocumentRef, len(documentPaths))
 	for i, path := range documentPaths {
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .12.0
 .14.0