Connect third-party services to Weavz using OAuth2, API keys, or custom authentication.
Connections store the authentication credentials needed to interact with third-party services. Weavz supports OAuth2, API key, and custom authentication methods.
OAuth2 connections use the hosted connect flow — a Weavz-hosted page that handles the full authorization process. You create a connect token, open the connect page (as a popup or redirect), and the user completes authorization there. Once finished, you retrieve the session to get the resulting connection.
OAuth2 integrations can use two OAuth app sources:
Source
Availability
Selection
Platform-managed OAuth app
Default where Weavz has configured provider credentials
Omit oauthAppId; Weavz uses the platform app unless your organization has a permitted tenant-owned app for the integration
Tenant-owned custom OAuth app
Team, Scale, and Enterprise
Register it in Settings > OAuth Apps; new connections for that integration use it automatically, or pass oauthAppId to select a specific app
The connection type does not decide whether the provider sees a Weavz-managed OAuth client or your own OAuth client. That choice comes from OAuth app selection during hosted connect. If neither a platform-managed app nor an eligible tenant-owned app exists for the integration, creating the connect token returns NO_OAUTH_APP.
1
Navigate to Connections
Open the Connections page from the sidebar.
2
Create Connection
Click Create Connection and select the integration (e.g., Slack) from the picker.
3
Authorize
Click Authorize — a popup opens with the provider's consent screen.
4
Approve Access
Approve access in the popup — it closes automatically and your connection appears in the list.
The hosted connect flow has three steps: create a token, open the connect page, and retrieve the session result.
workspaceId associates the connect session with a workspace for access, setup, and selection. The stored credential scope still follows the Connect API defaults unless you pass scope: it defaults to ORGANIZATION, or you can explicitly choose WORKSPACE or USER. Connect token creation also accepts:
Option
Use when
endUserId
The connection should belong to a specific end user, identified by their externalId
scope
You need to explicitly choose ORGANIZATION, WORKSPACE, or USER connection scope
oauthAppId
You want to force a specific tenant-owned OAuth app instead of default app selection
successRedirectUri
Your product should receive the user after successful authorization
errorRedirectUri
Your product should receive the user after a failed authorization
See the Connect API reference for the complete request body and OAuth app selection errors.
Step 2: Open the Connect Page
Open connectUrl in a popup window or redirect the user to it. The hosted connect page guides them through the OAuth2 consent flow.
In a browser environment, the TypeScript SDK provides a convenience method that handles the popup automatically:
typescript
// First create a token, then open popupconst { token, connectUrl } = await client.connect.createToken({ integrationName: 'slack', connectionName: 'My Slack Workspace', externalId: 'tenant_123_slack', workspaceId: 'YOUR_WORKSPACE_ID',})// Opens a popup, waits for completion, returns the connection resultconst result = await client.connect.popup({ token, connectUrl })console.log('Connection created:', result.connectionId)
Step 3: Retrieve the Session
If you opened the connect page manually (not using the popup helper), poll the session endpoint to check when the user has completed authorization:
Direct connection creation also accepts workspaceId, endUserId, scope, and auth-type-specific fields. scope defaults to ORGANIZATION; pass workspaceId plus endUserId when creating a user-scoped connection for an end user's externalId. See the Connections API reference.
// Register the end userconst { endUser } = await client.endUsers.create({ workspaceId: '550e8400-e29b-41d4-a716-446655440000', externalId: 'user_456', displayName: 'Alice Johnson',})// Generate a connect URL for Slackconst { connectUrl } = await client.endUsers.createConnectToken( endUser.id, { integrationName: 'slack' })// Open connectUrl in a popup for the user to authorize
python
# Register the end userresult = client.end_users.create( workspace_id="550e8400-e29b-41d4-a716-446655440000", external_id="user_456", display_name="Alice Johnson",)end_user = result["endUser"]# Generate a connect URL for Slackresult = client.end_users.create_connect_token( end_user["id"], integration_name="slack",)connect_url = result["connectUrl"]# Open connect_url in a popup for the user to authorize
import httpxheaders = {"Authorization": "Bearer wvz_your_key"}# Register the end userres = httpx.post( "https://api.weavz.io/api/v1/end-users", headers=headers, json={ "workspaceId": "550e8400-e29b-41d4-a716-446655440000", "externalId": "user_456", "displayName": "Alice Johnson", },)end_user = res.json()["endUser"]# Generate a connect URL for Slackres = httpx.post( f"https://api.weavz.io/api/v1/end-users/{end_user['id']}/connect-token", headers=headers, json={"integrationName": "slack"},)connect_url = res.json()["connectUrl"]
Connections created through the end user connect portal are automatically linked to the end user. When executing actions directly, pass endUserId and the workspace integration integrationAlias so Weavz can resolve the right configured integration and the right user's credential. integrationName alone is convenient only when one configured instance exists.
Connection external IDs are your stable identifiers for individual credential sets. Use them when your backend needs to retrieve or execute against a specific connection, such as a project API key, shared customer bot, or tenant-level account.
For per-user credentials, use end users instead: store your user's ID in endUser.externalId and pass that value as endUserId during execution.
When resolving by connection external ID, always pass the same context you used when creating or using the connection. workspaceId is required for resolution, and mismatched scope is rejected.
