Connections

Manage authenticated credentials for third-party integrations.

Connections

A connection stores authenticated credentials for an integration. Use connections when an integration needs access to a third-party account, such as Slack, GitHub, Google Sheets, OpenAI, or another authenticated API.

Some integrations and actions do not require an external account. Utility and built-in integrations such as Datetime, Hash & Encode, Data Transformer, Storage, and KV Store can run without a connection. In those cases, omit connectionId and connectionExternalId; Weavz still scopes the call to your organization, workspace, MCP server, and end user where applicable.

Authentication Types

Connections support multiple authentication methods depending on the integration:

OAuth2

For services like Slack, GitHub, and Google Sheets. Weavz provides a hosted connect page that handles the full OAuth2 authorization flow, including token exchange and PKCE.

bash
# Step 1: Create a connect token
curl -X POST https://api.weavz.io/api/v1/connect/token \
  -H "Authorization: Bearer wvz_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{
    "integrationName": "slack",
    "connectionName": "My Slack",
    "externalId": "my_slack",
    "workspaceId": "550e8400-e29b-41d4-a716-446655440000"
  }'

Open the returned connectUrl in a popup or redirect. After the user completes authorization, retrieve the session result:

bash
# Step 2: Retrieve the session result
curl -X POST https://api.weavz.io/api/v1/connect/session/poll \
  -H "Content-Type: application/json" \
  -d '{"token":"cst_your_connect_token"}'

The session response includes a status field (PENDING, CONNECTING, COMPLETED, or FAILED) and the resulting connectionId when completed. OAuth2 token refresh is handled automatically.

API Key

For services like OpenAI and Twilio. Provide the secret value directly:

bash
curl -X POST https://api.weavz.io/api/v1/connections \
  -H "Authorization: Bearer wvz_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "SECRET_TEXT",
    "integrationName": "openai",
    "externalId": "my_openai",
    "displayName": "Production OpenAI",
    "secretText": "sk-your-openai-key"
  }'

Custom Auth

For integrations requiring multiple fields (e.g., base URL + API key):

bash
curl -X POST https://api.weavz.io/api/v1/connections \
  -H "Authorization: Bearer wvz_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "CUSTOM_AUTH",
    "integrationName": "airtable",
    "externalId": "my_airtable",
    "displayName": "My Airtable",
    "props": {
      "token": "pat_your_airtable_token"
    }
  }'

Encryption

All connection credentials are encrypted at rest using AES-256. Secrets are never stored in plain text and are only decrypted when needed to make API calls to the third-party service.

Connection Status

Connections have two possible statuses:

StatusDescription
ACTIVECredentials are valid and ready to use
ERRORAn error occurred (e.g., OAuth2 token refresh failed)

End User Ownership

Connections can be owned by an end user. When you create a connection through the end user connect portal or pass endUserId when creating a connection, that connection is linked to the end user.

This enables per-user connection management:

  • View connections — get all connections for a specific end user via GET /api/v1/end-users/:id
  • Automatic cleanup — when an end user is deleted, their connections are deleted too
  • Connection resolution — pass endUserId when executing actions or resolving connections, and Weavz finds the right connection based on the workspace's connection strategy

End users are auto-created when a connection is established through the hosted connect flow with an endUserId parameter, if the end user doesn't exist yet.

Multi-Tenant Scoping

Connections can be scoped at three levels:

Organization scope

Available to everyone in the organization. Best for shared service accounts.

json
{
  "integrationName": "slack",
  "displayName": "Team Slack",
  "scope": "ORGANIZATION"
}

Workspace scope

Available only within a specific workspace. Best for environment-specific credentials.

json
{
  "integrationName": "slack",
  "displayName": "Production Slack",
  "scope": "WORKSPACE",
  "workspaceId": "550e8400-e29b-41d4-a716-446655440000"
}

User scope

Tied to a specific end user. Best for personal accounts or per-user OAuth2 connections where each end user connects their own account.

Connection External IDs

Every connection has a Weavz UUID, and every connection you create also has an externalId. Use the connection externalId as a stable selector for that specific credential set, such as a shared customer Slack workspace or a project API key.

Connection externalId is not the default per-user identity model. For per-user OAuth and per-user credential routing, create end users and pass endUserId during execution.

bash
curl -X POST https://api.weavz.io/api/v1/connections \
  -H "Authorization: Bearer wvz_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "PLATFORM_OAUTH2",
    "integrationName": "slack",
    "workspaceId": "550e8400-e29b-41d4-a716-446655440000",
    "externalId": "conn_customer_789_slack",
    "displayName": "Customer 789 Shared Slack",
    "accessToken": "xoxb-..."
  }'

Then resolve that connection by external ID when you need the connection record:

bash
curl -X POST https://api.weavz.io/api/v1/connections/resolve \
  -H "Authorization: Bearer wvz_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{
    "integrationName": "slack",
    "workspaceId": "550e8400-e29b-41d4-a716-446655440000",
    "externalId": "conn_customer_789_slack"
  }'

Connection Resolution

When you execute an action or enable a trigger, Weavz resolves which connection to use. You can specify a connection explicitly by passing the connection's externalId as connectionExternalId, or let Weavz resolve it based on the current workspace integration context:

Resolution priority:

  1. Explicit connectionExternalId — if provided, find the connection with that connection.externalId
  2. Workspace integration — if workspaceId is provided, the workspace's integration configuration determines the connection based on its strategy (fixed, per_user, or per_user_with_fallback)
  3. End-user context — if the strategy is per-user, pass endUserId so Weavz can resolve credentials linked to that end user
  4. No connection — returns a CONNECTION_REQUIRED error

If you provide workspaceId and/or endUserId, explicit external-ID resolution is validated against that scope. Cross-workspace or cross-user matches are rejected.

Learn more about workspace integrations

Managing Connections

List connections

bash
curl https://api.weavz.io/api/v1/connections \
  -H "Authorization: Bearer wvz_your_api_key"

Filter by integration:

bash
curl "https://api.weavz.io/api/v1/connections?integrationName=slack" \
  -H "Authorization: Bearer wvz_your_api_key"

Delete a connection

bash
curl -X DELETE https://api.weavz.io/api/v1/connections/{connectionId} \
  -H "Authorization: Bearer wvz_your_api_key"

Deleting a connection does not disable triggers or remove MCP tools that use it — those will fail with a CONNECTION_REQUIRED error until a new connection is configured.

Next Steps

Ready to connect? Create your first connection in the dashboard or follow the Setting Up Connections guide.