Skip to main content
A connection represents a dependency on an external application or service. It contains all the necessary information for agents, tools, knowledge bases, or virtual models to securely authenticate and interact with that external system.

Types of connections

watsonx Orchestrate supports several types of authentication methods:
  • Basic, Bearer, and API Key: These methods pass the configured credentials directly to the consuming tool or service.
  • OAuth: Orchestrate supports multiple OAuth flows, as defined in the OpenAPI specification. When using OAuth:
    • Orchestrate authenticates the user interactively.
    • It generates an access_token on behalf of the user.
    • This token is securely passed to the downstream tool during execution.
Note: OAuth-based connections currently only work when the user interacts with the agent through the watsonx Orchestrate UI (not embedded webchat).
When you embed webchat in an external website, Orchestrate supports integration with upstream SSO/IDP providers such as Azure AD, Workday CCX, and others. Orchestrate also supports Key-Value connections, which allow builders to provide a secure dictionary of keys and values to downstream tools. You can use these connections to:
  • Pass arbitrary authentication configurations to Python tools.
  • Securely provide environment variables to MCP toolkits.
  • Configure connections to LLM providers through the AI Gateway.

Support by tool type

Authentication KindPythonOpenAPIFlows [1]Local MCP ToolkitsRemote MCP ToolkitsLangflow
Basic AuthN/A
Bearer TokenN/A
API KeyN/A
OAuth (Client Credentials) [2]N/A
OAuth (Auth Code) [2]N/A
OAuth (Implicit) [2]🚧🚧N/A🚧
OAuth (Password) [2]N/A
OAuth (SSO/IDP Flow) [3]N/A
Key-ValueN/A
[1] Tools build using flows do not require connection support as connections within flows are configured via their downstream component tools.
[2] OAuth connections are currently only supported by agents in the watsonx Orchestrate integrated webchat ui.
[3] SSO/ IDP connections are only supported by agents in webchat embedded into a customer’s website.

Support for knowledge

Authentication KindMiluvsElastic SearchCustom Search
Basic Auth
Bearer Token
API Key
OAuth (Client Credentials) [2]
OAuth (Auth Code) [2]
OAuth (Implicit) [2]
OAuth (Password) [2]
OAuth (SSO/IDP Flow) [3]
Key-Value

Support for member vs team

Authentication Kindmember (per user)team (shared)
Basic Auth
Bearer Token
API Key
OAuth (Client Credentials)
OAuth (Auth Code)
OAuth (Implicit)🚧🚧
OAuth (Password)
OAuth (SSO/IDP Flow)
Key-Value

Support for AI Gateway

The AI Gateway supports only key-value connections.

🚧 Support for Agents

Connection support for External Agents credentials is coming soon.