Open Connector
Connectors & Tools

Connectors

How the current provider catalog, authentication methods, and toolkits fit together.

Open Connector separates authentication providers from toolkits. This matters: a provider defines how credentials are collected, stored, refreshed, and injected; a toolkit defines the executable tools an agent can call. They often share a slug, but neither is a synonym for the other.

The current catalog model

Catalog objectOwnsRuntime representation
Authentication providerOAuth/API-key/basic methods, connection fields, outbound proxy rules, credential verification, and provider metadata.A ProviderConfig is validated and seeded into provider_config.
ToolkitAgent-facing tool metadata and executable operations. A toolkit can refer to an auth provider, a different auth provider, or no auth provider yet.Registry and official toolkit artifacts are published to the toolkit catalog.
ConnectionOne user's encrypted credential set for one selected provider authentication method and project scope.Stored separately from both catalog objects.

The runtime catalog is not limited to GitHub and Telegram. It contains a generated provider catalog plus official and generated toolkits. Use the authenticated toolkit discovery endpoint or the live API reference to see the deployment you are calling.

The old flattened connector shape—one top-level authMode, authorizationUrl, tokenUrl, and credentials—is obsolete. Authentication is now an authMethods array, so one provider can offer OAuth and personal-token flows side by side.

Authentication methods

Each entry in authMethods has a namespaced id such as github.oauth2 and is either available or explicitly unavailable with a reason. Available methods use one of these kinds:

KindWhat the user suppliesWhat the broker does
oauth2Browser consent, or client credentials when configured.Builds the authorization URL, exchanges and refreshes tokens, then stores them encrypted.
api_keyA long-lived key or token.Encrypts the supplied fields and injects them into the configured request.
basicUsername/password or equivalent key/secret pair.Encrypts both values and injects basic-auth credentials or configured request fields.

An unavailable method remains visible to describe catalog coverage, but cannot be used until its required runtime adapter is implemented.

Provider configuration

ProviderConfig remains the internal type for an authentication provider; its current shape is below. The required fields are slug, displayName, authMethods, and proxy.baseUrl.

FieldPurpose
authMethodsOne or more named methods. OAuth options belong under method.oauth2; API-key/basic fields belong under method.credentials.
connectionConfigNon-default per-connection fields, such as a tenant hostname or account ID. Sensitive fields can be marked secret.
proxyProvider-wide base URL, allowlist, request templates, and optional credential verification request. A method may add its own header/query/body templates.
description, logoDomain, appUrl, authGuideUrl, documentationUrlCatalog metadata shown to users and agents.
version, deprecated, categories, changelogLifecycle and discovery metadata.

OAuth provider example

import type { ProviderConfig } from "@open-connector/catalog";

export const myCrm = {
  slug: "my-crm",
  displayName: "My CRM",
  authMethods: [
    {
      id: "my-crm.oauth2",
      displayName: "My CRM OAuth",
      kind: "oauth2",
      status: "available",
      oauth2: {
        authorizationUrl: "https://app.mycrm.com/oauth/authorize",
        tokenUrl: "https://app.mycrm.com/oauth/token",
        defaultScopes: ["contacts:read", "contacts:write"],
        scopeSeparator: " ",
      },
    },
  ],
  proxy: {
    baseUrl: "https://api.mycrm.com/v2",
    headers: { authorization: "Bearer ${accessToken}" },
  },
  documentationUrl: "https://developers.mycrm.com/api",
  categories: ["crm"],
} satisfies ProviderConfig;

API-key provider example

Credential fields are nested under the method, not at the provider root. Method-level templates let different methods inject their credentials differently while sharing the same provider base URL.

export const myApi = {
  slug: "my-api",
  displayName: "My API",
  authMethods: [
    {
      id: "my-api.api_key",
      displayName: "API key",
      kind: "api_key",
      status: "available",
      credentials: {
        apiKey: {
          type: "string",
          title: "API key",
          description: "Key from account settings",
          secret: true,
        },
      },
      proxy: { headers: { authorization: "Bearer ${apiKey}" } },
    },
  ],
  proxy: {
    baseUrl: "https://api.example.com/v1",
    verification: { method: "GET", endpoints: ["/me"] },
  },
} satisfies ProviderConfig;

Working with the deployed catalog

Create and maintain provider catalog entries as source-controlled catalog data; server startup validates and idempotently seeds authentication providers. Toolkits are maintained as registry artifacts and published independently. Do not create a toolkit merely to model authentication, and do not assume a provider automatically provides executable tools.

For an agent or integration, the normal sequence is:

  1. Discover the toolkit and its supported authentication methods.
  2. Create or choose an auth configuration for the selected method.
  3. Create a connection for the user and project scope.
  4. Invoke a tool through that connection.

See API reference for the exact deployed discovery and execution routes, and Connected accounts for the credential lifecycle.

On this page