Open Connector
Start here

What is Open Connector

Learn what Open Connector is and why you'd use it instead of Composio.

The problem: agents need credentials they shouldn't hold

Modern AI agents are built to act — open a GitHub issue, send a Telegram message, push a commit. Every one of those actions requires authenticating against a third-party API. That means credentials: OAuth tokens, API keys, service account secrets.

Giving an agent a raw token is dangerous:

  • Tokens leak through logs, model context windows, and tool output
  • Long-lived tokens cannot be scoped per agent or per project
  • There is no audit trail: you cannot know which agent used a credential or when
  • Revoking access means rotating a shared secret that every agent depends on

Managed platforms like Composio solve this by centralizing the credential store — but that store is their infrastructure, not yours.

The solution: a credential broker you own

Open Connector is a credential broker: a small server that sits between your agents and the APIs they call. Agents authenticate with a scoped API key; Open Connector resolves the real OAuth token from an encrypted vault, calls the upstream API on the agent's behalf, and returns the result.

Agent  ──(x-api-key)──▶  Open Connector  ──(OAuth token)──▶  GitHub / Telegram / …

                         Encrypted vault
                         (your Postgres)

Your raw tokens never leave your infrastructure. The agent only ever sees scoped responses, not credentials.

Key differentiators

Feature overview

Encrypted credential vault

Credentials are encrypted with AES-256-GCM before being written to Postgres. The encryption key (CONNECTOR_ENCRYPTION_KEY) never leaves your server process. Even with direct database access, credentials are unreadable without the key.

Multi-protocol auth

Open Connector's runtime has three credential protocols. Provider catalogs use those protocols to expose the authorization methods users actually choose:

Authorization methodRuntime protocolHow it works
OAuth 2.0 Authorization Codeoauth2Redirect-based user consent with PKCE; refresh tokens are managed automatically
OAuth 2.0 Client Credentialsoauth2Machine-to-machine token exchange using a client ID and client secret
API key / API tokenapi_keyOne or more secrets stored in the vault and injected into headers, query parameters, or the request body
Bearer tokenapi_keyA provider token stored as a credential and injected into the Authorization: Bearer … header
Basic authenticationbasicUsername and password stored encrypted and encoded for the Authorization header at call time
No authenticationTool-level no_authPublic tools can execute without creating a connected account

The provider catalog can give these methods provider-specific names and credential fields. Managed OAuth and bring-your-own OAuth apps use the same OAuth protocols; they differ in who supplies the OAuth client credentials.

Agent-native API key auth

Agents authenticate with an x-api-key header. Keys are scoped to a Project and carry metadata (allowed connectors, rate limits) in the key record. A compromised agent key can be rotated without touching any other agent's access.

Hash-chained audit log

Every credential use emits a structured audit event. Each event includes a SHA-256 hash of the previous event — forming a chain. If any record is altered or deleted, every subsequent hash becomes invalid, making tampering immediately detectable.

Comparison with Composio

Open ConnectorComposio
HostingSelf-hosted (your infra)Managed SaaS
Source codeOpen source (LICENSING.md)Closed source
Credential storageYour Postgres, your encryption keyComposio's vault
SDK compatibilityComposio SDK compatibleComposio SDK
Audit trailHash-chained, in your databaseComposio dashboard
PricingFree (infra cost only)Usage-based
OAuth appYour own registered appsComposio's shared apps

Using your own OAuth apps (instead of a shared platform app) means your users authenticate against your application — your branding, your consent screen, your token ownership.

What Open Connector is not

  • Not a general-purpose API gateway or reverse proxy
  • Not an agent framework (it works with any agent: LangChain, LlamaIndex, Vercel AI SDK, raw HTTP)
  • Not a secrets manager (use Vault or AWS Secrets Manager for general secrets; Open Connector is credential-lifecycle-aware)

On this page