> ## Documentation Index > Fetch the complete documentation index at: https://onecli.sh/docs/llms.txt > Use this file to discover all available pages before exploring further. # Vertex AI Credential Stubs > Set up Vertex AI credential stubs so MCP servers that need Google Cloud service account keys can start without manual setup. ## Applies to Any SDK or MCP server that reads Google Cloud Application Default Credentials (ADC): | SDK / Tool | Credential file | | ------------------------------ | ------------------------------------------------------- | | Anthropic Python SDK (Vertex) | `~/.config/gcloud/application_default_credentials.json` | | `google-cloud-aiplatform` | `~/.config/gcloud/application_default_credentials.json` | | Any `google-auth` based client | `~/.config/gcloud/application_default_credentials.json` | ## Create the stub Create the directory if it doesn't exist: `mkdir -p ~/.config/gcloud` ### `~/.config/gcloud/application_default_credentials.json` ```json theme={null} { "account": "onecli-managed", "client_id": "onecli-managed", "client_secret": "onecli-managed", "quota_project_id": "onecli-managed", "refresh_token": "onecli-managed", "type": "authorized_user", "universe_domain": "googleapis.com" } ``` ## Rules * **Never overwrite** existing files that don't contain `onecli-managed` values. The user likely has real gcloud credentials at this path. * All sentinel values use the string `onecli-managed` so they're easy to detect programmatically. * `type` must be `"authorized_user"` for the SDK to attempt the OAuth refresh flow. ## How it works The SDK reads the stub and sees dummy credentials. When it tries to exchange the refresh token at `oauth2.googleapis.com/token`, the OneCLI gateway intercepts the request and returns a real access token from the Vertex AI app connection you registered. The SDK then uses that token for requests to `{region}-aiplatform.googleapis.com`. The gateway also injects the `x-goog-user-project` header for quota and billing.