
feat: add support for HTTPS/TLS listener #3126

Merged: Yuan325 merged 1 commit into main from https on Apr 24, 2026

Conversation

@Yuan325

@Yuan325 Yuan325 commented Apr 24, 2026

This PR introduces the ability to run the Toolbox server over HTTPS. While the server still defaults to HTTP for local development, users can now enable TLS encryption via command-line flags. This is essential for secure communication when the Toolbox is exposed over a network or used in production-like environments.

New Flags:

  • --tls: Boolean flag to enable HTTPS.
  • --tls-cert: String flag specifying the path to the PEM-encoded certificate file.
  • --tls-key: String flag specifying the path to the PEM-encoded private key file.

Use Case: How the Server Obtains .pem Files
In a typical deployment, the server does not generate these files itself; it expects them to be provided by the environment.

  1. Local Development: Users can use tools like mkcert to generate a locally-trusted cert.pem and key.pem.

  2. Production (Manual): Users obtain certificates from a Certificate Authority (CA) like Let's Encrypt via Certbot. Certbot handles the domain validation and saves the .pem files to a specific directory (e.g., /etc/letsencrypt/live/).

  3. Execution: The user starts the Toolbox and points it to those specific paths:

    ./toolbox --tls --tls-cert=cert.pem --tls-key=key.pem
    
  4. Loading: The server uses tls.LoadX509KeyPair to read these files from the disk and injects them into the listener before the HTTP server starts processing requests.

🛠️ Related #3113
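As an added illustration of the four steps above (example code written for this page, not code from the Toolbox repository): a Go program that reads the PEM pair with tls.LoadX509KeyPair, pins MinVersion at TLS 1.2 as the automated review below recommends, wraps a plain listener in TLS before the HTTP server sees any request, and then checks the result from the client side, once with an ordinary TLS 1.2+ client and once with a client that will only speak TLS 1.0/1.1, which the server must refuse. The function names (newTLSConfig, startServer, probe, writeSelfSignedPEM) are this example's own, the cert.pem/key.pem files are a constructed self-signed fixture standing in for mkcert or Certbot output, and the --tls flags themselves are not parsed here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"os"
	"path/filepath"
	"time"
)

// newTLSConfig is the start-up path behind a --tls flag: the pair is read from
// disk with tls.LoadX509KeyPair and the protocol floor is pinned at TLS 1.2.
func newTLSConfig(certPath, keyPath string) (*tls.Config, error) {
	cert, err := tls.LoadX509KeyPair(certPath, keyPath)
	if err != nil {
		return nil, fmt.Errorf("load key pair: %w", err)
	}
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}, nil
}

// startServer wraps a plain loopback listener in TLS before the HTTP server accepts
// anything (the PR's "inject into the listener" step); the handler is irrelevant here.
func startServer(cfg *tls.Config) (net.Listener, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, err
	}
	go http.Serve(tls.NewListener(ln, cfg), http.NotFoundHandler())
	return ln, nil
}

// probe connects as a client that trusts certPath and speaks only the [minV, maxV]
// protocol range; it returns the negotiated version or the handshake error.
func probe(addr, certPath string, minV, maxV uint16) (uint16, error) {
	pemBytes, err := os.ReadFile(certPath)
	pool := x509.NewCertPool()
	if err != nil || !pool.AppendCertsFromPEM(pemBytes) {
		return 0, fmt.Errorf("no usable certificate in %s: %v", certPath, err)
	}
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: pool, MinVersion: minV, MaxVersion: maxV})
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().Version, nil
}

// writeSelfSignedPEM is scaffolding standing in for mkcert/Certbot so the example runs
// offline: a throwaway ECDSA P-256 cert for 127.0.0.1, written as cert.pem and key.pem.
func writeSelfSignedPEM(dir string) (certPath, keyPath string) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	must(err)
	keyDER, err := x509.MarshalECPrivateKey(priv)
	must(err)
	certPath, keyPath = filepath.Join(dir, "cert.pem"), filepath.Join(dir, "key.pem")
	must(os.WriteFile(certPath, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o644))
	// The key is written 0600: anyone who can read it can impersonate the server.
	must(os.WriteFile(keyPath, pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), 0o600))
	return certPath, keyPath
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	dir, err := os.MkdirTemp("", "toolbox-tls")
	must(err)
	defer os.RemoveAll(dir)
	certPath, keyPath := writeSelfSignedPEM(dir)
	cfg, err := newTLSConfig(certPath, keyPath)
	must(err)
	ln, err := startServer(cfg)
	must(err)
	defer ln.Close()
	v, err := probe(ln.Addr().String(), certPath, tls.VersionTLS12, tls.VersionTLS13)
	_, legacyErr := probe(ln.Addr().String(), certPath, tls.VersionTLS10, tls.VersionTLS11)
	fmt.Printf("TLS 1.2+ client: version=%#x err=%v\nTLS 1.0/1.1 client: err=%v\n", v, err, legacyErr)
}
```

Run it with go run; the first output line reports a negotiated version of 0x303 or 0x304 and the second a handshake error saying the protocol version is not supported. Two caveats follow from this design. tls.LoadX509KeyPair reads the files once at start-up, so a certificate renewed by Certbot under /etc/letsencrypt/live/ is not served until the process restarts (or the tls.Config is given a GetCertificate callback that reloads it). And an empty --tls-cert or --tls-key path fails only at load time with a file-not-found error, which is why the review below asks for the flags to have no defaults, so that the mistake is visible at the command line rather than buried in a startup log.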

@Yuan325 Yuan325 requested a review from a team as a code owner April 24, 2026 20:25

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request implements TLS support for the toolbox server, adding CLI flags for HTTPS configuration and updating the server listener to handle encrypted connections. The changes include comprehensive test coverage for both HTTP and HTTPS modes and updated documentation. Review feedback recommends enforcing TLS 1.2 as the minimum version for better security and removing default values for certificate and key flags to prevent user confusion when TLS is enabled.

Review threads (now outdated): internal/server/server.go; cmd/internal/flags.go (3 threads)
@Yuan325 Yuan325 force-pushed the https branch 3 times, most recently from cbf887a to daaeaf9 on April 24, 2026 20:53
@Yuan325 Yuan325 added the docs: deploy-preview Label to trigger Github Action docs preview. label Apr 24, 2026
@github-actions github-actions Bot removed the docs: deploy-preview Label to trigger Github Action docs preview. label Apr 24, 2026
@github-actions

🚀 Cloudflare Preview Ready!

🔎 View Preview: https://pr-3126.toolbox-docs-6xc.pages.dev

(Note: Subsequent pushes to this PR will automatically update the preview at this same URL)

@Yuan325 Yuan325 enabled auto-merge (squash) April 24, 2026 21:14
@Yuan325 Yuan325 merged commit 8bc385d into main Apr 24, 2026
31 checks passed
@Yuan325 Yuan325 deleted the https branch April 24, 2026 23:20
@github-actions

🧨 Preview deployments removed.

Cloudflare Pages environments for pr-3126 have been deleted.

github-actions Bot pushed a commit that referenced this pull request Apr 24, 2026
github-actions Bot pushed a commit to renovate-bot/googleapis-_-genai-toolbox that referenced this pull request Apr 24, 2026
github-actions Bot pushed a commit to pepe57/genai-toolbox that referenced this pull request Apr 25, 2026
github-actions Bot pushed a commit to Jaleel-zhu/genai-toolbox that referenced this pull request Apr 25, 2026
Yuan325 added a commit that referenced this pull request May 7, 2026
🤖 I have created a release *beep* *boop*
---


## [1.2.0](v1.1.0...v1.2.0) (2026-05-07)


### Features

* Add support for HTTPS/TLS listener
([#3126](#3126))
([8bc385d](8bc385d))
* **source/bigquery:** Add maximumBytesBilled source config
([#2724](#2724))
([42f2d07](42f2d07))
* **source/cloud-storage:** Add bucket and object management tools
([#3129](#3129))
([8de9bcf](8de9bcf))
* **source/cloud-storage:** Add Cloud Storage source with list_objects
and read_object tools
([#3081](#3081))
([da27b37](da27b37))
* **source/cloud-storage:** Add write/copy/move/delete object tools
([#3139](#3139))
([b225fc4](b225fc4))
* **tools/knowledge-catalog:** Search Data Quality Scans
([#2444](#2444))
([1c63551](1c63551))


### Bug Fixes

* Allow converting string literal block with list
([#3050](#3050))
([36ab2a9](36ab2a9)),
closes [#3023](#3023)
* **mcp:** Implement router-level logger injection for MCP auth
([#3067](#3067))
([ccc7cf5](ccc7cf5))
* Prevent test.db from being created during unit tests
([#3042](#3042))
([d10d2ca](d10d2ca))
* Remove hardcoded * allowed origin for sse
([#3054](#3054))
([c4c7bd9](c4c7bd9))
* **sources/postgres:** Apply URL encoding to query string params
([#3020](#3020))
([6b860f4](6b860f4))
* **tool/looker-conversational-analytics:** OAuth token in GDA payload
fix ([#3058](#3058))
([6632d96](6632d96))
* **tools/bigquery-execute-sql:** Avoid surfacing invalid queries as MCP
500s ([#3056](#3056))
([7ed92c8](7ed92c8))
* **tools/looker:** Fix OAuth for Conversational Analytics
([#3044](#3044))
([f9e3e55](f9e3e55))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

---------

Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
Co-authored-by: Yuan Teoh <[email protected]>
pavankrishna13 pushed a commit to pavankrishna13/genai-toolbox that referenced this pull request May 19, 2026