Skip to main content
A connection represents a dependency on an external application or service. It contains all the necessary information for agents, tools, knowledge bases, or virtual models to securely authenticate and interact with that external system.

​
Types of connections

watsonx Orchestrate supports several types of authentication methods:
  • Basic, Bearer, and API Key: These methods pass the configured credentials directly to the consuming tool or service.
  • OAuth: Orchestrate supports multiple OAuth flows, as defined in the OpenAPI specification. When using OAuth:
    • Orchestrate authenticates the user interactively.
    • It generates an access_token on behalf of the user.
    • This token is securely passed to the downstream tool during execution.
Note: OAuth-based connections currently only work when the user interacts with the agent through the watsonx Orchestrate UI (not embedded webchat).
When you embed webchat in an external website, Orchestrate supports integration with upstream SSO/IDP providers such as Azure AD, Workday CCX, and others. Orchestrate also supports Key-Value connections, which allow builders to provide a secure dictionary of keys and values to downstream tools. You can use these connections to:
  • Pass arbitrary authentication configurations to Python tools.
  • Securely provide environment variables to MCP toolkits.
  • Configure connections to LLM providers through the AI Gateway.

​
Support by tool type

Authentication KindPythonOpenAPIFlows [1]Local MCP ToolkitsRemote MCP ToolkitsLangflow
Basic Authβœ…βœ…N/AβŒβœ…βŒ
Bearer Tokenβœ…βœ…N/AβŒβœ…βŒ
API Keyβœ…βœ…N/AβŒβœ…βŒ
OAuth (Client Credentials) [2]βœ…βœ…N/AβŒβœ…βŒ
OAuth (Auth Code) [2]βœ…βœ…N/AβŒβœ…βŒ
OAuth (Implicit) [2]🚧🚧N/A❌🚧❌
OAuth (Password) [2]βœ…βœ…N/AβŒβœ…βŒ
OAuth (SSO/IDP Flow) [3]βœ…βœ…N/AβŒβœ…βŒ
Key-Valueβœ…βŒN/Aβœ…βŒβœ…
[1] Tools build using flows do not require connection support as connections within flows are configured via their downstream component tools.
[2] OAuth connections are currently only supported by agents in the watsonx Orchestrate integrated webchat ui.
[3] SSO/ IDP connections are only supported by agents in webchat embedded into a customer’s website.

​
Support for knowledge

Authentication KindMilvusElastic SearchCustom Search
Basic Authβœ…βœ…βœ…
Bearer Token❌❌❌
API KeyβŒβœ…βœ…
OAuth (Client Credentials) [2]❌❌❌
OAuth (Auth Code) [2]❌❌❌
OAuth (Implicit) [2]❌❌❌
OAuth (Password) [2]❌❌❌
OAuth (SSO/IDP Flow) [3]❌❌❌
Key-Value❌❌❌

​
Support for member vs team

Authentication Kindmember (per user)team (shared)
Basic Authβœ…βœ…
Bearer Tokenβœ…βœ…
API Keyβœ…βœ…
OAuth (Client Credentials)βœ…βœ…
OAuth (Auth Code)βœ…βœ…
OAuth (Implicit)🚧🚧
OAuth (Password)βœ…βœ…
OAuth (SSO/IDP Flow)βœ…βœ…
Key-ValueβŒβœ…

​
Support for AI Gateway

The AI Gateway supports only key-value connections.

​
🚧 Support for Agents

Connection support for External Agents credentials is coming soon.