Skip to main content
A connection represents a dependency on an external application or service. It contains all the necessary information for agents, tools, knowledge bases, or virtual models to securely authenticate and interact with that external system.

​
Types of connections

watsonx Orchestrate supports several types of authentication methods:
  • Basic, Bearer, and API Key: These methods pass the configured credentials directly to the consuming tool or service.
  • OAuth: Orchestrate supports multiple OAuth flows, as defined in the OpenAPI specification. When using OAuth:
    • Orchestrate authenticates the user interactively.
    • It generates an access_token on behalf of the user.
    • This token is securely passed to the downstream tool during execution.
OAuth-based connections currently only work when the user interacts with the agent through the watsonx Orchestrate UI (not embedded web chat).
When you embed web chat in an external website, Orchestrate supports integration with upstream SSO/IDP providers such as Azure AD, Workday CCX, and others. Orchestrate also supports Key-Value connections, which allow builders to provide a secure dictionary of keys and values to downstream tools. You can use these connections to:
  • Pass arbitrary authentication configurations to Python tools.
  • Securely provide environment variables to MCP toolkits.
  • Configure connections to LLM providers through the AI Gateway.
Legendβœ… Supported ❌ Not supported 🚧 Partially supported (native agents only)

​
Support by tool type

Authentication KindPythonOpenAPIAgentic workflows [1]Local MCP ToolkitsRemote MCP ToolkitsLangflow
Basic Authβœ…βœ…βœ…βŒβœ…βŒ
Bearer Tokenβœ…βœ…βœ…βŒβœ…βŒ
API Keyβœ…βœ…βœ…βŒβœ…βŒ
OAuth (Client Credentials) [2]βœ…βœ…βœ…βŒβœ…βŒ
OAuth (Auth Code) [2]βœ…βœ…βœ…βŒβœ…βŒ
OAuth (Implicit) [2]πŸš§πŸš§βœ…βŒβŒβŒ
OAuth (Password) [2]βœ…βœ…βœ…βŒβœ…βŒ
OAuth (SSO/IDP Flow) [3]βœ…βœ…βœ…βŒβŒβŒ
Key-Valueβœ…βŒβœ…βœ…βŒβœ…
[1] Tools built using Agentic workflows do not require connection support as connections within Agentic workflows are configured via their downstream component tools.
[2] OAuth connections are currently only supported by agents in the watsonx Orchestrate integrated web chat ui.
[3] SSO/ IDP connections are only supported by agents in web chat embedded into a customer’s website.

​
Support for knowledge

Authentication KindMilvusElastic SearchCustom Search
Basic Authβœ…βœ…βœ…
Bearer Token❌❌❌
API KeyβŒβœ…βœ…
OAuth (Client Credentials) [2]❌❌❌
OAuth (Auth Code) [2]❌❌❌
OAuth (Implicit) [2]❌❌❌
OAuth (Password) [2]❌❌❌
OAuth (SSO/IDP Flow) [3]❌❌❌
Key-Value❌❌❌

​
Support for member vs team

Authentication Kindmember (per user)team (shared)
Basic Authβœ…βœ…
Bearer Tokenβœ…βœ…
API Keyβœ…βœ…
OAuth (Client Credentials)βœ…βœ…
OAuth (Auth Code)βœ…βœ…
OAuth (Implicit)🚧🚧
OAuth (Password)βœ…βœ…
OAuth (SSO/IDP Flow)βœ…βœ…
Key-ValueβŒβœ…

​
Support for AI Gateway

The AI Gateway supports only key-value connections.