Documentation menu

Connected Apps

What are connected apps?

Connected apps let your agent interact with external services on your behalf. Connect Gmail and your agent can read and send email. Connect GitHub and it can create PRs. Connect Notion and it can update your docs.

The important thing: your agent never sees your actual credentials. A proxy layer swaps in real credentials at request time — the agent only ever works with placeholders. Your real keys and tokens never enter the agent’s environment.

Connecting an app

The easiest way is to just ask your agent. Tell it “connect my GitHub” or “I want you to be able to read my Google Calendar” and it handles the rest.

If it’s an OAuth integration (most common)

Your agent opens a connection screen, you click through the standard authorization flow (Google, GitHub, etc. will ask you to grant access), and you’re done. The token is encrypted and stored. Takes about 10 seconds.

Gmail, GitHub, Notion, Slack, Google Calendar, Google Drive, Linear, Jira, Figma, Discord, Todoist, and dozens more support OAuth.

If it requires an API key

Some services need an API key instead of OAuth. Your agent will tell you exactly where to go — which settings page, what to click, what permissions to select. When you’re ready, it opens a secure input screen where you paste the key.

Never paste credentials directly in chat. Chat messages are stored in conversation history. Always use the secure input popup that your agent opens for you — it keeps the key out of the conversation entirely.

Manual setup

You can also connect apps yourself through the settings panel. Scroll through the list of OAuth providers and click to connect, or add an API key manually. But honestly, just asking the agent is easier — it knows the setup steps for each service and walks you through it.

Network access

You control what your agent can reach on the internet. There are two modes, configurable in settings:

Open access (default) — Your agent can reach any domain. Connected services get automatic credential injection; everything else passes through without credentials. This is the right default for most people — the agent can browse the web, read docs, hit public APIs.

Connected apps only — Requests must go through a connected app, limited to the permissions you granted. It’s not just a domain allowlist — every request must match a specific credential you’ve configured. Even if GitHub is connected, the agent can only use your token with the scopes you authorized. If you didn’t connect it, the request doesn’t leave the sandbox. Use this when you want tight control over what data leaves your workspace.