# Why use connections

A **connection** represents a dependency on an external application or service. It contains all the necessary information for agents, tools, knowledge bases, or virtual models to securely authenticate and interact with that external system.

## Types of connections

watsonx Orchestrate supports several authentication methods:

* **Basic**, **Bearer**, and **API Key**: These methods pass the configured credentials directly to the consuming tool or service.
* **OAuth**: Orchestrate supports multiple OAuth flows, as defined in the OpenAPI specification. When using OAuth:
  * Orchestrate authenticates the user interactively.
  * It generates an `access_token` on behalf of the user.
  * This token is securely passed to the downstream tool during execution.

<Note>
  OAuth-based connections currently only work when the user interacts with the agent through the **watsonx Orchestrate UI** (not embedded web chat).
</Note>

When you embed web chat in an external website, Orchestrate supports integration with upstream **SSO/IDP providers** such as Azure AD, Workday CCX, and others.

Orchestrate also supports **Key-Value connections**, which allow builders to provide a secure dictionary of keys and values to downstream tools. You can use these connections to:

* Pass arbitrary authentication configurations to Python tools.
* Securely provide environment variables to MCP toolkits.
* Configure connections to LLM providers through the AI Gateway.

<Note>
  Legend

  ✅ Supported
  ❌ Not supported
  🚧 Partially supported (native agents only)
</Note>

### Support by tool type

| Authentication Kind                 | Python | OpenAPI | Agentic workflows \[1] | Local MCP Toolkits | Remote MCP Toolkits | Langflow |
| ----------------------------------- | :----: | :-----: | :--------------------: | :----------------: | :-----------------: | :------: |
| Basic Auth                          |    ✅   |    ✅    |            ✅           |          ❌         |          ✅          |     ❌    |
| Bearer Token                        |    ✅   |    ✅    |            ✅           |          ❌         |          ✅          |     ❌    |
| API Key                             |    ✅   |    ✅    |            ✅           |          ❌         |          ✅          |     ❌    |
| OAuth (Client Credentials) **\[2]** |    ✅   |    ✅    |            ✅           |          ❌         |          ✅          |     ❌    |
| OAuth (Auth Code) **\[2]**          |    ✅   |    ✅    |            ✅           |          ❌         |          ✅          |     ❌    |
| OAuth (Implicit) **\[2]**           |   🚧   |    🚧   |            ✅           |          ❌         |          ❌          |     ❌    |
| OAuth (Password) **\[2]**           |    ✅   |    ✅    |            ✅           |          ❌         |          ✅          |     ❌    |
| OAuth (SSO/IDP Flow) **\[3]**       |    ✅   |    ✅    |            ✅           |          ❌         |          ❌          |     ❌    |
| Key-Value                           |    ✅   |    ❌    |            ✅           |          ✅         |          ❌          |     ✅    |

<Note>
  **\[1]** Tools built using Agentic workflows do not require connection support, because connections within Agentic workflows are configured via their downstream component tools.<br />
  **\[2]** OAuth connections are currently only supported by agents in the watsonx Orchestrate integrated web chat UI.<br />
  **\[3]** SSO/IDP connections are only supported by agents in web chat embedded into a customer's website.
</Note>

### Support for knowledge

| Authentication Kind                 | Milvus | Elasticsearch  | Custom Search |
| ----------------------------------- | :----: | :------------: | :-----------: |
| Basic Auth                          |    ✅   |        ✅       |       ✅       |
| Bearer Token                        |    ❌   |        ❌       |       ❌       |
| API Key                             |    ❌   |        ✅       |       ✅       |
| OAuth (Client Credentials) **\[2]** |    ❌   |        ❌       |       ❌       |
| OAuth (Auth Code) **\[2]**          |    ❌   |        ❌       |       ❌       |
| OAuth (Implicit) **\[2]**           |    ❌   |        ❌       |       ❌       |
| OAuth (Password) **\[2]**           |    ❌   |        ❌       |       ❌       |
| OAuth (SSO/IDP Flow) **\[3]**       |    ❌   |        ❌       |       ❌       |
| Key-Value                           |    ❌   |        ❌       |       ❌       |

### Support for `member` vs `team`

| Authentication Kind        | member (per user) | team (shared) |
| -------------------------- | :---------------: | :-----------: |
| Basic Auth                 |         ✅         |       ✅       |
| Bearer Token               |         ✅         |       ✅       |
| API Key                    |         ✅         |       ✅       |
| OAuth (Client Credentials) |         ✅         |       ✅       |
| OAuth (Auth Code)          |         ✅         |       ✅       |
| OAuth (Implicit)           |         🚧        |       🚧      |
| OAuth (Password)           |         ✅         |       ✅       |
| OAuth (SSO/IDP Flow)       |         ✅         |       ✅       |
| Key-Value                  |         ❌         |       ✅       |

### Support for AI Gateway

The AI Gateway supports only `key-value` connections.
