> ## Documentation Index
> Fetch the complete documentation index at: https://developer.watson-orchestrate.ibm.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Why use connections

A **connection** represents a dependency on an external application or service. It contains all the necessary information for agents, tools, knowledge bases, or virtual models to securely authenticate and interact with that external system.

## Types of connections

watsonx Orchestrate supports several types of authentication methods:

* **Basic**, **Bearer**, and **API Key**: These methods pass the configured credentials directly to the consuming tool or service.
* **OAuth**: Orchestrate supports multiple OAuth flows, as defined in the OpenAPI specification. When using OAuth:
  * Orchestrate authenticates the user interactively.
  * It generates an `access_token` on behalf of the user.
  * This token is securely passed to the downstream tool during execution.

<Note>
  **Note:**
  OAuth-based connections currently only work when the user interacts with the agent through the **watsonx Orchestrate UI** (not embedded webchat).
</Note>

When you embed webchat in an external website, Orchestrate supports integration with upstream **SSO/IDP providers** such as Azure AD, Workday CCX, and others.

Orchestrate also supports **Key-Value connections**, which allow builders to provide a secure dictionary of keys and values to downstream tools. You can use these connections to:

* Pass arbitrary authentication configurations to Python tools.
* Securely provide environment variables to MCP toolkits.
* Configure connections to LLM providers through the AI Gateway.

### Support by tool type

| Authentication Kind                 | Python | OpenAPI | Flows \[1] | Local MCP Toolkits | Remote MCP Toolkits | Langflow |
| ----------------------------------- | :----: | :-----: | :--------: | :----------------: | :-----------------: | :------: |
| Basic Auth                          |    ✅   |    ✅    |     N/A    |          ❌         |          ✅          |     ❌    |
| Bearer Token                        |    ✅   |    ✅    |     N/A    |          ❌         |          ✅          |     ❌    |
| API Key                             |    ✅   |    ✅    |     N/A    |          ❌         |          ✅          |     ❌    |
| OAuth (Client Credentials) **\[2]** |    ✅   |    ✅    |     N/A    |          ❌         |          ✅          |     ❌    |
| OAuth (Auth Code) **\[2]**          |    ✅   |    ✅    |     N/A    |          ❌         |          ✅          |     ❌    |
| OAuth (Implicit) **\[2]**           |   🚧   |    🚧   |     N/A    |          ❌         |          🚧         |     ❌    |
| OAuth (Password) **\[2]**           |    ✅   |    ✅    |     N/A    |          ❌         |          ✅          |     ❌    |
| OAuth (SSO/IDP Flow) **\[3]**       |    ✅   |    ✅    |     N/A    |          ❌         |          ✅          |     ❌    |
| Key-Value                           |    ✅   |    ❌    |     N/A    |          ✅         |          ❌          |     ✅    |

<Note>
  **\[1]** Tools build using flows do not require connection support as connections within flows are configured via their
  downstream component tools.<br />
  **\[2]** OAuth connections are currently only supported by agents in the watsonx Orchestrate integrated webchat ui.<br />
  **\[3]** SSO/ IDP connections are only supported by agents in webchat embedded into a customer's website.
</Note>

### Support for knowledge

| Authentication Kind                 | Milvus | Elastic Search | Custom Search |
| ----------------------------------- | :----: | :------------: | :-----------: |
| Basic Auth                          |    ✅   |        ✅       |       ✅       |
| Bearer Token                        |    ❌   |        ❌       |       ❌       |
| API Key                             |    ❌   |        ✅       |       ✅       |
| OAuth (Client Credentials) **\[2]** |    ❌   |        ❌       |       ❌       |
| OAuth (Auth Code) **\[2]**          |    ❌   |        ❌       |       ❌       |
| OAuth (Implicit) **\[2]**           |    ❌   |        ❌       |       ❌       |
| OAuth (Password) **\[2]**           |    ❌   |        ❌       |       ❌       |
| OAuth (SSO/IDP Flow) **\[3]**       |    ❌   |        ❌       |       ❌       |
| Key-Value                           |    ❌   |        ❌       |       ❌       |

### Support for `member` vs `team`

| Authentication Kind        | member (per user) | team (shared) |
| -------------------------- | :---------------: | :-----------: |
| Basic Auth                 |         ✅         |       ✅       |
| Bearer Token               |         ✅         |       ✅       |
| API Key                    |         ✅         |       ✅       |
| OAuth (Client Credentials) |         ✅         |       ✅       |
| OAuth (Auth Code)          |         ✅         |       ✅       |
| OAuth (Implicit)           |         🚧        |       🚧      |
| OAuth (Password)           |         ✅         |       ✅       |
| OAuth (SSO/IDP Flow)       |         ✅         |       ✅       |
| Key-Value                  |         ❌         |       ✅       |

### Support for AI Gateway

The AI Gateway supports only `key-value` connections.

### 🚧 Support for Agents

Connection support for External Agents credentials is *coming soon*.
