eavz

Connections

Manage authenticated credentials for third-party integrations.

Connections

A connection stores authenticated credentials for an integration. Every time you need to interact with a third-party service — executing an action, enabling a trigger, or serving MCP tools — you need a connection.

Authentication Types

Connections support multiple authentication methods depending on the integration:

OAuth2

For services like Slack, GitHub, and Google Sheets. Weavz provides a hosted connect page that handles the full OAuth2 authorization flow, including token exchange and PKCE.

bash
# Step 1: Create a connect token
curl -X POST https://api.weavz.io/api/v1/connect/token \
  -H "Authorization: Bearer wvz_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{
    "integrationName": "slack",
    "connectionName": "My Slack",
    "externalId": "my_slack",
    "workspaceId": "proj_abc123"
  }'

Open the returned connectUrl in a popup or redirect. After the user completes authorization, retrieve the session result:

bash
# Step 2: Retrieve the session result
curl https://api.weavz.io/api/v1/connect/session/cs_abc123 \
  -H "Authorization: Bearer wvz_your_api_key"

The session response includes a status field (pending, completed, or failed) and the resulting connection object when completed. OAuth2 token refresh is handled automatically.

API Key

For services like OpenAI and Twilio. Provide the secret value directly:

bash
curl -X POST https://api.weavz.io/api/v1/connections \
  -H "Authorization: Bearer wvz_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "SECRET_TEXT",
    "integrationName": "openai",
    "externalId": "my_openai",
    "displayName": "Production OpenAI",
    "secretText": "sk-your-openai-key"
  }'

Custom Auth

For integrations requiring multiple fields (e.g., base URL + API key):

bash
curl -X POST https://api.weavz.io/api/v1/connections \
  -H "Authorization: Bearer wvz_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "CUSTOM_AUTH",
    "integrationName": "airtable",
    "externalId": "my_airtable",
    "displayName": "My Airtable",
    "props": {
      "token": "pat_your_airtable_token"
    }
  }'

Encryption

All connection credentials are encrypted at rest using AES-256. Secrets are never stored in plain text and are only decrypted when needed to make API calls to the third-party service.

Connection Status

Connections have two possible statuses:

StatusDescription
ACTIVECredentials are valid and ready to use
ERRORAn error occurred (e.g., OAuth2 token refresh failed)

End User Ownership

Connections can be owned by an end user. When you create a connection through the end user connect portal or pass endUserId when creating a connection, that connection is linked to the end user.

This enables per-user connection management:

  • View connections — get all connections for a specific end user via GET /api/v1/end-users/:id
  • Automatic cleanup — when an end user is deleted, their connections are deleted too
  • Connection resolution — pass endUserId when executing actions or resolving connections, and Weavz finds the right connection based on the workspace's connection strategy

End users are auto-created when a connection is established through the hosted connect flow with an endUserId parameter, if the end user doesn't exist yet.

Multi-Tenant Scoping

Connections can be scoped at three levels:

Organization scope

Available to everyone in the organization. Best for shared service accounts.

json
{
  "integrationName": "slack",
  "displayName": "Team Slack",
  "scope": "ORGANIZATION"
}

Workspace scope

Available only within a specific workspace. Best for environment-specific credentials.

json
{
  "integrationName": "slack",
  "displayName": "Production Slack",
  "scope": "WORKSPACE",
  "workspaceId": "proj_abc123"
}

User scope

Tied to a specific end user. Best for personal accounts or per-user OAuth2 connections where each end user connects their own account.

External IDs

For fine-grained multi-tenancy, tag connections with an externalId that maps to a user in your system:

bash
curl -X POST https://api.weavz.io/api/v1/connections \
  -H "Authorization: Bearer wvz_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "PLATFORM_OAUTH2",
    "integrationName": "slack",
    "externalId": "customer_789",
    "displayName": "Customer 789 Slack",
    "accessToken": "xoxb-..."
  }'

Then resolve a connection by external ID at execution time:

bash
curl -X POST https://api.weavz.io/api/v1/connections/resolve \
  -H "Authorization: Bearer wvz_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{
    "integrationName": "slack",
    "workspaceId": "proj_abc123",
    "externalId": "customer_789"
  }'

Connection Resolution

When you execute an action or enable a trigger, Weavz resolves which connection to use. You can specify a connection explicitly by its external ID, or let Weavz resolve it based on the current context:

Resolution priority:

  1. Explicit connectionExternalId — if provided, find the connection tagged with that external ID
  2. Workspace integration — if a workspaceId is provided, the workspace's integration configuration determines the connection based on its strategy (fixed, per_user, or per_user_with_fallback)
  3. No connection — returns a CONNECTION_REQUIRED error

If you provide workspaceId and/or endUserId, explicit external-ID resolution is validated against that scope. Cross-workspace or cross-user matches are rejected.

Learn more about workspace integrations

Managing Connections

List connections

bash
curl https://api.weavz.io/api/v1/connections \
  -H "Authorization: Bearer wvz_your_api_key"

Filter by integration:

bash
curl "https://api.weavz.io/api/v1/connections?integrationName=slack" \
  -H "Authorization: Bearer wvz_your_api_key"

Delete a connection

bash
curl -X DELETE https://api.weavz.io/api/v1/connections/{connectionId} \
  -H "Authorization: Bearer wvz_your_api_key"

Deleting a connection does not disable triggers or remove MCP tools that use it — those will fail with a CONNECTION_REQUIRED error until a new connection is configured.

Next Steps

Ready to connect? Create your first connection in the dashboard or follow the Setting Up Connections guide.