agent.toml is the plain-text configuration file for an agent-intelligence.ai agent. It defines the agent's identity, system prompt, LLM model and provider, token budget, memory settings, toolbox connections, skills, A2A server settings, MCP server settings, and security policies. The entire agent is described in this single file — no code required.

How do I configure which LLM model an agent uses?

Set the [agent.model] section in agent.toml. For Anthropic Claude, set provider = "anthropic" and model = "claude-sonnet-4-6". For OpenAI-compatible APIs, set provider = "openai-compat", model = "gpt-5", and optionally base_url for local models. Add [[agent.model.fallback_chain]] entries to automatically fall back to a cheaper model if the primary exceeds budget.

How do I add tools to an agent?

Add tools via the [agent.toolbox] section in agent.toml. Each [[agent.toolbox.sources]] entry points to an MCP server endpoint. Use 'ai sidecar mcp-toolbox' to start the built-in mcp-toolbox sidecar which provides 48 source kinds including databases, APIs, and file systems. The agent connects automatically when 'ai serve' starts.

Config Reference

All agent configuration lives in a single agent.toml file in the project root. Generate it interactively with ai init, then tune by hand. Sensitive values (API keys) must always use ${ENV_VAR} references — inline secrets are rejected at load time.

Security: Fields agent.model.api_key and any [[agent.model.fallback_chain]] api_key must be ${ENV_VAR} references. Literal secrets are rejected with an error.

[agent]

Top-level agent identity and system prompt.

Field	Type	Default	Description
name	string	—	Required. Human-readable agent name (used in AgentCard and logs)
description	string	""	Short description of the agent's purpose (exposed via A2A AgentCard)
system_prompt	string	""	Base system prompt. Skill fragments are appended at serve time. Bare `$name` is never expanded — use `${VAR}` only for API keys

[agent.model]

Primary model selection and optional fallback chain.

Field	Type	Default	Description
provider	string	—	`"anthropic"` (uses anthropic-sdk-go) or `"openai-compat"` (any OpenAI-compatible endpoint)
model	string	—	Model ID, e.g. `"claude-sonnet-4-6"`, `"gpt-5-mini"`, `"llama3"` (Ollama), `"mistral"` (vLLM/Fireworks)
api_key	string	""	Must be `${ENV_VAR}`. E.g. `${ANTHROPIC_API_KEY}`
base_url	string	""	For `openai-compat`: endpoint URL (e.g. `http://localhost:11434/v1`)
max_response_tokens	int	8192	Maximum tokens per model response

[[agent.model.fallback_chain]]

Ordered list of fallback models. Tried in sequence if the primary model fails or hits the cost circuit breaker.

Field	Type	Default	Description
provider	string	—	`"anthropic"` or `"openai-compat"`
model	string	—	Fallback model ID
base_url	string	""	For `openai-compat` fallbacks
api_key	string	""	Must be `${ENV_VAR}` if set

[[agent.model.fallback_chain]]
provider = "openai-compat"
model    = "llama3"
base_url = "${OLLAMA_URL}"

[[agent.model.fallback_chain]]
provider = "anthropic"
model    = "claude-haiku-4-5-20251001"
api_key  = "${ANTHROPIC_API_KEY}"

[agent.budget]

Resource limits and context pressure thresholds for each session.

Field	Type	Default	Description
max_turns	int	10	Maximum agent turns per session before aborting
max_tokens_per_session	int	0	Max total tokens (input + output) per session. `0` = unlimited
max_usd_per_session	float	0.0	Cost circuit breaker in USD per session. `0.0` = unlimited
context_warn_ratio	float	0.70	Context fill ratio that triggers a warning log (0.0–1.0)
context_compact_ratio	float	0.80	Context fill ratio that triggers automatic compaction
context_abort_ratio	float	0.95	Context fill ratio that triggers session abort to prevent truncation

[agent.memory]

Session persistence and semantic memory backends.

Field	Type	Default	Description
session_store	string	"inmemory"	Session state backend: `"file"`, `"redis"`, or `"inmemory"`
semantic_memory	bool	false	Enable semantic memory sidecar (port 8092) for cross-session recall
trace_graph	bool	false	Write execution traces (turn-by-turn) to the graph DB for replay and evaluation

[agent.toolbox]

MCP tool server connection. Start mcp-toolbox with ai sidecar mcp-toolbox --config toolbox.yaml — it supports 48 database sources out of the box including Neo4j, PostgreSQL, MySQL, MongoDB, Redis, BigQuery, Snowflake, Cassandra, Elasticsearch, and more. See ai sidecar and the toolbox.yaml reference below.

Field	Type	Default	Description
endpoint	string	""	MCP server SSE URL, e.g. `"http://localhost:15001/mcp/sse"`
transport	string	"sse"	`"sse"` for HTTP/SSE (multi-session); `"stdio"` for subprocess / single-client

toolbox.yaml

Separate config file consumed by mcp-toolbox (not agent.toml). Defines database sources and the Cypher / SQL tools the agent can call.

Supported source kinds (48 total)

Category	Sources
Graph	`neo4j`, `dgraph`
Document	`mongodb`, `firestore`, `couchbase`, `elasticsearch`
Relational	`postgres`, `mysql`, `mariadb`, `mssql`, `oracle`, `sqlite`, `cockroachdb`, `tidb`, `yugabytedb`, `clickhouse`, `trino`, `singlestore`, `oceanbase`, `firebird`, `mindsdb`
Key-value / Cache	`redis`, `valkey`, `cassandra`, `bigtable`
Cloud analytics	`bigquery`, `spanner`, `snowflake`, `looker`, `cloud-gda`, `dataplex`, `dataproc`
Google Cloud SQL	`alloydb-pg`, `cloud-sql-mysql`, `cloud-sql-pg`, `cloud-sql-mssql`
Other	`cloud-healthcare`, `cloud-logging-admin`, `cloud-monitoring`, `http`

Minimal Neo4j example

sources:
  my_graph:
    kind: neo4j
    uri:      "${NEO4J_URI}"
    username: "${NEO4J_USERNAME}"
    password: "${NEO4J_PASSWORD}"
    database: "${NEO4J_DATABASE}"

tools:
  search_companies:
    source:      my_graph
    description: "Find companies by name (case-insensitive partial match)"
    parameters:
      - name: query
        type: string
        description: "Company name fragment"
    statement: |
      MATCH (c:Company)
      WHERE toLower(c.name) CONTAINS toLower($query)
      RETURN c.name AS name LIMIT 10

toolsets:
  default:
    - search_companies

Minimal PostgreSQL example

sources:
  my_db:
    kind: postgres
    host:     "${PG_HOST}"
    port:     5432
    database: "${PG_DATABASE}"
    user:     "${PG_USER}"
    password: "${PG_PASSWORD}"

tools:
  list_orders:
    source:      my_db
    description: "List recent orders for a customer"
    parameters:
      - name: customer_id
        type: integer
        description: "Customer ID"
    statement: |
      SELECT id, status, total FROM orders
      WHERE customer_id = $customer_id
      ORDER BY created_at DESC LIMIT 20

Start the server: ai sidecar mcp-toolbox --config toolbox.yaml --port 15001

Connect the agent: set [agent.toolbox] endpoint = "http://localhost:15001/mcp/sse"

[[agent.tools]]

Explicit tool entries that supplement toolbox-discovered tools. Repeated table.

Field	Type	Default	Description
name	string	—	Tool name (must match a tool registered in the tool registry)
description	string	""	Optional override for the tool's description shown to the model

[agent.skills]

List of skills to load at serve time. Each skill contributes system prompt fragments and tool requirements.

Field	Type	Default	Description
skills	[]string	[]	Skill names or GitHub refs, e.g. `["graph-search", "memory-recall"]`

[agent.a2a]

Inbound Agent-to-Agent (A2A) protocol server configuration.

Field	Type	Default	Description
enabled	bool	true	Enable the inbound A2A HTTP server
port	int	8080	Port for the A2A server to listen on
endpoint	string	""	Outbound URL for task handoff to another agent (used by `StepHandoff`)

[agent.mcp_server]

Outward-facing MCP server surface — exposes agent skills as MCP prompts to Claude Desktop, Cursor, and other MCP hosts.

Field	Type	Default	Description
enabled	bool	false	Enable the outward MCP server
transport	string	"http"	`"stdio"` (single host, e.g. Claude Desktop) or `"http"` (multi-client SSE)
port	int	8081	Port for the MCP HTTP server

[agent.security]

Authentication and prompt injection protection.

Field	Type	Default	Description
require_auth	bool	false	Require Bearer token auth on all A2A endpoints
injection_detection	bool	false	Scan incoming messages and tool results for prompt injection patterns

When require_auth = true, all A2A requests must include Authorization: Bearer <token>. Task ownership is enforced — clients can only access tasks they created.

Full Example

A complete annotated agent.toml:

# agent.toml — complete example

[agent]
name         = "companies-researcher"
description  = "Research companies using the knowledge graph"
system_prompt = """
You are a research agent. Use available tools to answer questions about companies.
Prefer targeted lookups over broad queries. Cite your sources.
"""

[agent.model]
provider            = "anthropic"
model               = "claude-sonnet-4-6"
api_key             = "${ANTHROPIC_API_KEY}"
max_response_tokens = 8192

[[agent.model.fallback_chain]]
provider = "openai-compat"
model    = "llama3"
base_url = "${OLLAMA_URL}"

[agent.budget]
max_turns              = 15
max_tokens_per_session = 0        # 0 = unlimited
max_usd_per_session    = 0.50
context_warn_ratio     = 0.70
context_compact_ratio  = 0.80
context_abort_ratio    = 0.95

[agent.memory]
session_store   = "file"     # file | redis | inmemory
semantic_memory = true
trace_graph     = true       # write execution traces to graph DB

[agent.toolbox]
endpoint  = "http://localhost:15000/mcp/sse"
transport = "http"         # stdio | http

[agent.skills]
skills = ["graph-search", "memory-recall"]

[agent.a2a]
enabled = true
port    = 8080

[agent.mcp_server]
enabled    = true
transport  = "http"       # stdio | http
port       = 8081

[agent.security]
require_auth        = true
injection_detection = true