What is Open Connector
Learn what Open Connector is and why you'd use it instead of Composio.
The problem: agents need credentials they shouldn't hold
Modern AI agents are built to act — open a GitHub issue, send a Telegram message, push a commit. Every one of those actions requires authenticating against a third-party API. That means credentials: OAuth tokens, API keys, service account secrets.
Giving an agent a raw token is dangerous:
- Tokens leak through logs, model context windows, and tool output
- Long-lived tokens cannot be scoped per agent or per project
- There is no audit trail: you cannot know which agent used a credential or when
- Revoking access means rotating a shared secret that every agent depends on
Managed platforms like Composio solve this by centralizing the credential store — but that store is their infrastructure, not yours.
The solution: a credential broker you own
Open Connector is a credential broker: a small server that sits between your agents and the APIs they call. Agents authenticate with a scoped API key; Open Connector resolves the real OAuth token from an encrypted vault, calls the upstream API on the agent's behalf, and returns the result.
Agent ──(x-api-key)──▶ Open Connector ──(OAuth token)──▶ GitHub / Telegram / …
│
Encrypted vault
(your Postgres)Your raw tokens never leave your infrastructure. The agent only ever sees scoped responses, not credentials.
Key differentiators
Open Source
Full source on GitHub. Audit it, fork it, contribute to it. No black-box credential handling. See LICENSING.md for terms.
Self-hostable
Your Postgres, your OAuth apps, your encryption key. No vendor holds your tokens.
Composio SDK compatible
Change one baseURL — the same Composio SDK code works against your own instance.
Tamper-evident audit trail
Every credential use is written to a SHA-256 hash-chained journal. Any tampered record breaks the chain.
Feature overview
Encrypted credential vault
Credentials are encrypted with AES-256-GCM before being written to Postgres. The encryption key (CONNECTOR_ENCRYPTION_KEY) never leaves your server process. Even with direct database access, credentials are unreadable without the key.
Multi-protocol auth
Open Connector's runtime has three credential protocols. Provider catalogs use those protocols to expose the authorization methods users actually choose:
| Authorization method | Runtime protocol | How it works |
|---|---|---|
| OAuth 2.0 Authorization Code | oauth2 | Redirect-based user consent with PKCE; refresh tokens are managed automatically |
| OAuth 2.0 Client Credentials | oauth2 | Machine-to-machine token exchange using a client ID and client secret |
| API key / API token | api_key | One or more secrets stored in the vault and injected into headers, query parameters, or the request body |
| Bearer token | api_key | A provider token stored as a credential and injected into the Authorization: Bearer … header |
| Basic authentication | basic | Username and password stored encrypted and encoded for the Authorization header at call time |
| No authentication | Tool-level no_auth | Public tools can execute without creating a connected account |
The provider catalog can give these methods provider-specific names and credential fields. Managed OAuth and bring-your-own OAuth apps use the same OAuth protocols; they differ in who supplies the OAuth client credentials.
Agent-native API key auth
Agents authenticate with an x-api-key header. Keys are scoped to a Project and carry metadata (allowed connectors, rate limits) in the key record. A compromised agent key can be rotated without touching any other agent's access.
Hash-chained audit log
Every credential use emits a structured audit event. Each event includes a SHA-256 hash of the previous event — forming a chain. If any record is altered or deleted, every subsequent hash becomes invalid, making tampering immediately detectable.
Comparison with Composio
| Open Connector | Composio | |
|---|---|---|
| Hosting | Self-hosted (your infra) | Managed SaaS |
| Source code | Open source (LICENSING.md) | Closed source |
| Credential storage | Your Postgres, your encryption key | Composio's vault |
| SDK compatibility | Composio SDK compatible | Composio SDK |
| Audit trail | Hash-chained, in your database | Composio dashboard |
| Pricing | Free (infra cost only) | Usage-based |
| OAuth app | Your own registered apps | Composio's shared apps |
Using your own OAuth apps (instead of a shared platform app) means your users authenticate against your application — your branding, your consent screen, your token ownership.
What Open Connector is not
- Not a general-purpose API gateway or reverse proxy
- Not an agent framework (it works with any agent: LangChain, LlamaIndex, Vercel AI SDK, raw HTTP)
- Not a secrets manager (use Vault or AWS Secrets Manager for general secrets; Open Connector is credential-lifecycle-aware)