OpenShellUse Providers v2 to keep Microsoft Graph access tokens short lived while sandboxes receive a stable MS_GRAPH_ACCESS_TOKEN placeholder. OpenShell stores the non-injectable refresh material at the gateway, refreshes the Microsoft Graph access token before it expires, updates the provider record, and injects the current credential into newly launched sandbox processes.
After completing this tutorial, you have:
oauth2-refresh-token.curl to read Microsoft Graph mail through provider-owned policy.This tutorial starts after your OAuth client has already completed the initial Microsoft sign-in flow. It does not publish a token bootstrap script. Use the Microsoft identity platform documentation for the device authorization grant flow or authorization code flow, and use any standards-compliant client that returns an access token, refresh token, and expiry.
Mail.Read allows reading the signed-in user’s mailbox; see the Microsoft Graph permissions reference.
OAuth material from your initial Microsoft sign-in flow:MS_GRAPH_ACCESS_TOKEN_EXPIRES_AT can be an RFC3339 timestamp such as 2026-01-01T00:00:00Z or a Unix epoch millisecond timestamp.
Do not commit access tokens, refresh tokens, or local .env files. The commands below pass token material to the gateway; they are not examples of values to store in source control.
Create microsoft-graph-mail.yaml with this profile:
Lint and import the profile:
The profile defines the refresh strategy and Graph network policy. The tenant_id refresh material selects the Microsoft token endpoint during gateway-managed refresh.
Create the provider with the current Microsoft Graph access token:
The current CLI requires an initial credential at provider creation time. Refresh material is configured separately and is not injected into the sandbox.
Configure gateway-managed OAuth2 refresh-token rotation:
--secret-material-key refresh_token names the material key to mark as sensitive. It is not the refresh-token value. If Microsoft returns a rotated refresh token during refresh, OpenShell stores the new refresh_token material and marks it secret automatically.
Force the first refresh immediately:
Check refresh status:
The status output shows refresh state, expiry, next refresh, and last refresh timing. It does not print access-token values or refresh material.
Launch a sandbox with the Microsoft Graph provider attached:
Provider policy allows curl to reach graph.microsoft.com:443. The sandbox process receives MS_GRAPH_ACCESS_TOKEN as an OpenShell placeholder, and the proxy resolves that placeholder to the current gateway-managed access token when curl sends it in the authorization header.
Inside the sandbox, list a small page of mailbox messages:
The request uses the Microsoft Graph list messages API. If the token has delegated mail read permission, Microsoft Graph returns message metadata for the signed-in user’s mailbox.
Provider refresh updates the provider record at the gateway. Running sandboxes poll for provider environment revisions, but already-running processes keep the environment they started with.
If you attach this provider to an existing sandbox or update provider credentials after a process has already started, launch a new process inside the sandbox before expecting MS_GRAPH_ACCESS_TOKEN to appear in that process environment.