Authentication methods catalog

Configure page: Configure authentication. This catalog is the usage + method matrix and JSON examples for Connected System credentials.

Authentication has two dimensions integrators must combine:

usage — which runtime path loads the credential (api, webhookInbound, syncExecution, …)
credential.method — how the vendor validates the call (API key, OAuth2, bearer token, certificate, …)

Both live on authentications[] in <systemKey>-system.json. Platform developer login (aifabrix login) is a separate layer — see Platform developer access.

Prerequisites

<systemKey>-system.json from aifabrix create or copied fixture
env.template with kv:// paths for every slot’s security keys
Business Entity features that need extra usages: Enterprise webhooks, Enterprise sync bridge

Where it lives

Layer	Configuration
Multi-credential vendor auth	`<systemKey>-system.json` → `authentication` and/or `authentications[]` with `usage`
API-only	Root `authentication` (default `api` usage)
Secrets	`env.template` → `kv://` per slot (never commit values)
Builder CLI session	`aifabrix login` → token in user config

Each authentications[] item:

Field	Role
`key`	Stable slot id (`default`, `webhook`, `sync-worker`, …)
`usage`	Runtime selector — see usage catalog below
`authType`	`credential`, `apiProvider`, or `none`
`credential`	Method, non-secret `variables`, `security` kv refs (when `authType: credential`)

There is no separate webhook or sync auth schema — every slot uses the same credential shapes.

Usage catalog

`usage`	Runtime path	Typical credential methods
`api`	CIP execution, capabilities, integration/E2E, user-context vendor calls	`apikey`, `oauth2`, `bearerToken`, `certificate`, `apiProvider`
`webhookInbound`	Validate POST `/webhooks/{systemKey}/…` (signature, bearer, OIDC)	`apikey` (shared secret / HMAC), `bearerToken`, `oauth2` when vendor documents it
`syncExecution`	Scheduled `sync`, webhook-triggered refresh, `syncBridge` propagation	`apikey`, `oauth2` client credentials — service account, not end-user OAuth
`callback`	OAuth authorization-code return handling	`oauth2` with callback variables
`messageInbound` / `messageOutbound`	Channel ingress/egress (when enabled)	Vendor-specific; same credential model
`provisioning`	Provisioning hooks	`apikey`, `oauth2` client credentials

Feature → required usage

Business Entity / system feature	Required `authentications[]` usage
Default CIP and capabilities	`api` (minimum one slot)
`webhook.enabled: true`	`webhookInbound`
`syncBridge: master` or `bidirectional`	`syncExecution` (or service-capable `api` where policy allows)
`sync.enabled` background pull	`syncExecution` recommended

On-behalf-of user OAuth is valid for api only — not for syncExecution or webhookInbound.

Credential method catalog

Applies inside any usage slot when authType: credential.

`credential.method`	Use when	Non-secret `variables` (examples)	`security` kv keys (examples)
`apikey`	Private app, static token, webhook HMAC secret	`baseUrl`, `headerName`, `queryParamName`	`apiKey`
`bearerToken`	Pre-issued bearer or PAT	`baseUrl`, `headerName`	`token`
`oauth2`	Server-to-server or delegated flows	`baseUrl`, `tokenUrl`, `grantType`, `scope`	`clientId`, `clientSecret`, `tenantId`
`certificate`	mTLS or client cert	`baseUrl`, trust store hints	cert/key kv paths per schema
`custom`	Vendor-specific header/query patterns	Documented in integration manifest	Per schema

`authType`	Use when
`credential`	Direct vendor secrets via `security` kv refs
`apiProvider`	Platform-managed or enterprise IdP (`apiProviderKey`) — no vendor secrets in manifest
`none`	Public read-only endpoints (rare)

Wizard OpenAPI import often defaults CRM specs to oauth2. Private apps frequently need:

aifabrix repair <systemKey> --auth apikey

repair --auth updates the default api credential block.

Multi-slot examples

API key — three usages (CRM + webhooks + sync)

{
  "key": "example-crm",
  "displayName": "Example CRM",
  "type": "openapi",
  "authentications": [
    {
      "key": "default",
      "usage": "api",
      "authType": "credential",
      "credential": {
        "method": "apikey",
        "variables": {
          "baseUrl": "https://api.example.com",
          "headerName": "X-API-Key"
        },
        "security": {
          "apiKey": "kv://example-crm/apiKey"
        }
      }
    },
    {
      "key": "webhook",
      "usage": "webhookInbound",
      "authType": "credential",
      "credential": {
        "method": "apikey",
        "variables": {
          "headerName": "X-Hub-Signature"
        },
        "security": {
          "apiKey": "kv://example-crm/webhookSecret"
        }
      }
    },
    {
      "key": "sync-worker",
      "usage": "syncExecution",
      "authType": "credential",
      "credential": {
        "method": "apikey",
        "variables": {
          "baseUrl": "https://api.example.com",
          "headerName": "X-API-Key"
        },
        "security": {
          "apiKey": "kv://example-crm/syncApiKey"
        }
      }
    }
  ]
}

syncExecution may reference the same kv path as api when one service credential is appropriate — keep separate slots for validation and audit.

OAuth2 client credentials — `api` + `syncExecution`

{
  "authentications": [
    {
      "key": "default",
      "usage": "api",
      "authType": "credential",
      "credential": {
        "method": "oauth2",
        "variables": {
          "baseUrl": "https://graph.microsoft.com/v1.0",
          "tokenUrl": "https://login.microsoftonline.com/{{tenantId}}/oauth2/v2.0/token",
          "grantType": "client_credentials",
          "scope": "https://graph.microsoft.com/.default"
        },
        "security": {
          "clientId": "kv://example-sp/clientId",
          "clientSecret": "kv://example-sp/clientSecret",
          "tenantId": "kv://example-sp/tenantId"
        }
      }
    },
    {
      "key": "sync-worker",
      "usage": "syncExecution",
      "authType": "credential",
      "credential": {
        "method": "oauth2",
        "variables": {
          "baseUrl": "https://graph.microsoft.com/v1.0",
          "tokenUrl": "https://login.microsoftonline.com/{{tenantId}}/oauth2/v2.0/token",
          "grantType": "client_credentials",
          "scope": "https://graph.microsoft.com/.default"
        },
        "security": {
          "clientId": "kv://example-sp/clientId",
          "clientSecret": "kv://example-sp/clientSecret",
          "tenantId": "kv://example-sp/tenantId"
        }
      }
    }
  ]
}

Single `authentication` (extend when needed)

One root authentication object is enough for api-only integrations. Add authentications[] entries with usage: webhookInbound or usage: syncExecution when you enable those features — same credential shape as the API block.

Runtime selection

CIP / capabilities / integration tests     →  authentications[usage=api]
POST /webhooks/…                           →  authentications[usage=webhookInbound]
Sync job / SyncIntent / syncBridge         →  authentications[usage=syncExecution]
OAuth redirect / callback                  →  authentications[usage=callback]

Builder CLI (platform) auth

Independent of vendor authentications[]:

aifabrix login
aifabrix auth status

CI/CD: aifabrix login --method credentials --app <appKey> with secrets in secrets.local.yaml.

Defaults and quick reference

Situation	Action
Only CIP/capabilities needed	One slot: `usage: api`
Webhooks enabled on entity	Add `usage: webhookInbound`
Sync bridge or background sync	Add `usage: syncExecution`
OpenAPI assumed OAuth, you use API key	`repair --auth apikey` on default slot
Same secret for api + sync	Allowed — duplicate slot with same `kv://`, different `usage`

Mistake	Fix
One user OAuth token for all usages	Split `api`, `webhookInbound`, `syncExecution`
Webhook enabled, no `webhookInbound` slot	Add slot on system manifest
Sync bridge blocked	Add `syncExecution`; use client credentials or API key
Secrets in committed JSON	`kv://` only
CLI login OK, integration 401	Fix vendor slot, not platform token
Rotated secret, stale runtime	Update secret store, re-upload, re-run `test-integration`

Validate

aifabrix auth status
aifabrix validate <systemKey>
aifabrix verify-trust <systemKey>
aifabrix test-integration <systemKey>
aifabrix datasource test-e2e <datasourceKey> --app <systemKey>

401/403 on integration test → fix the usage slot that path uses (api vs syncExecution), not governance subjects.

Certification checks webhook config against webhookInbound, sync bridge against syncExecution, and capability readiness on datasources.

Limits

Vendor OAuth scopes, webhook signature schemes, certificate rotation, and delegated user flows vary — confirm against vendor documentation. This catalog does not enumerate every schema variant the external-system validator accepts.

Datasource identity (key, resourceType, indexed externalId, …) is independent of auth — see entity configure guides.
validate checks shape; live TLS, token refresh, and webhook signature proof require test-integration or E2E.
Authentication UI shows one card per authentications[] item; manifest/Builder API defines slots — operators assign secrets per usage after upload.

Documentation Index