Connect
OAuth connect flow.
OAuth agents let users connect their provider account from chat. Orchet stores user-scoped tokens and attaches them only to approved tool calls for that agent.
Credential boundary.
Your manifest declares OAuth endpoints and environment variable names. Your submission never carries client secrets, and your frontend never receives provider access tokens.
```ts
connect: {
  model: "oauth2",
  authorize_url: "https://provider.example.com/oauth/authorize",
  token_url: "https://provider.example.com/oauth/token",
  revocation_url: "https://provider.example.com/oauth/revoke",
  scopes: [
    {
      name: "groups:read",
      description: "View groups, members, and balances.",
      required: true,
    },
  ],
  client_id_env: "ORCHET_SPLITWISE_CLIENT_ID",
  client_secret_env: "ORCHET_SPLITWISE_CLIENT_SECRET",
  client_type: "confidential",
}
```
Flow.
The connect flow starts from the chat card and returns to the same user request.
1. User asks for a capability that requires the agent.
2. Orchet detects the missing connection and renders a connect card.
3. User clicks Connect. Orchet starts Authorization Code + PKCE with state tied to the blocked request.
4. Provider redirects back to Orchet. Orchet exchanges the code server-side and stores encrypted tokens per user and agent.
5. Orchet marks the connection ready and resumes the original request if it is still valid.
6. Future tool calls include `Authorization: Bearer <provider access token>` only for that user's approved connection.
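The server-side half of steps 3 and 4, as an added illustration rather than Orchet's own code: `startConnect`, `handleCallback`, the `pending` map, and the `clientId`/`redirectUri` parameters are assumed names, and the manifest values are copied from the block above. The state is minted once per blocked request, looked up and consumed exactly once on callback, and the PKCE verifier never leaves the server.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Constructed subset of the manifest's connect block (same values as above).
const connect = {
  authorize_url: "https://provider.example.com/oauth/authorize",
  token_url: "https://provider.example.com/oauth/token",
  scopes: ["groups:read"],
};

// Pending connects keyed by state; lives only on the server, never sent to the frontend.
type Pending = { verifier: string; userId: string; agentId: string; requestId: string };
const pending = new Map<string, Pending>();

// Step 3: build the authorize URL, binding state to the blocked request.
export function startConnect(userId: string, agentId: string, requestId: string,
                             clientId: string, redirectUri: string) {
  const verifier = randomBytes(32).toString("base64url");              // PKCE code_verifier
  const challenge = createHash("sha256").update(verifier).digest("base64url"); // S256 challenge
  const state = randomBytes(24).toString("base64url");                 // unguessable, single-use
  pending.set(state, { verifier, userId, agentId, requestId });
  const url = new URL(connect.authorize_url);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("scope", connect.scopes.join(" "));
  url.searchParams.set("state", state);
  url.searchParams.set("code_challenge", challenge);
  url.searchParams.set("code_challenge_method", "S256");
  return { url: url.toString(), state };
}

// Step 4: validate and consume the state, then prepare the server-side code exchange.
// Returns the token request so the caller can POST it (with the client secret read from
// the client_secret_env variable) and then resume the original request.
export function handleCallback(state: string, code: string, clientId: string, redirectUri: string) {
  const p = pending.get(state);
  if (!p) throw new Error("unknown, expired, or replayed state");
  pending.delete(state); // one callback per pending connect
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: redirectUri,
    client_id: clientId,
    code_verifier: p.verifier,
  });
  return { tokenUrl: connect.token_url, body: body.toString(),
           resume: { userId: p.userId, agentId: p.agentId, requestId: p.requestId } };
}
```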
Refresh, disconnect, and scope changes.
Agents should support token refresh and revocation where the provider allows it. If a new agent version asks for broader scopes, Orchet should ask the user to reconnect before using those tools.