Connected Systems need trusted credentials before sync, webhooks, CIP, or AI-assisted capabilities can run. Authentication is declared on the Connected System manifest as authentications[] — one or more credential slots, each with a usage that tells the platform when to apply it.
Secrets resolve at deploy/upload time via kv:// references only — never hardcoded in docs or committed JSON.
Why it matters
Operational Trust requires enterprise-approved auth patterns (API key, OAuth2, client credentials) — not bypass security. Wrong or conflated auth blocks upload, integration tests, webhook validation, sync-bridge propagation, and every certification pillar that touches live APIs.
Separate usages exist on purpose: user-scoped api credentials must not power background sync workers or inbound webhook signature checks. Enterprise Synchronization Fabrix depends on webhookInbound and syncExecution slots in addition to api.
Authentication layers
| Layer | What it authenticates | Where to configure |
|---|---|---|
Vendor API (api) |
CIP, capabilities, integration tests, user-context calls | authentications[] with usage: api |
Inbound webhooks (webhookInbound) |
Signature/token validation on POST receiver paths | authentications[] with usage: webhookInbound |
Sync worker (syncExecution) |
Scheduled sync, webhook-triggered get/update, sync-bridge propagation |
authentications[] with usage: syncExecution |
| Platform CLI | Builder upload, test, certify | aifabrix login + controller roles |
Do not confuse vendor slots with platform login — a green aifabrix auth status does not fix vendor 401 errors. See Platform developer access.
The authentications[] model
Each Connected System declares an array of authentication entries. Every item reuses the same credential structure (authType, credential.method, variables, security kv paths) and adds:
| Field | Role |
|---|---|
key |
Stable slot id (e.g. default, webhook, sync-worker) |
usage |
Runtime selector — which code path loads this credential |
Usage values (Connected System)
usage |
When the platform uses it |
|---|---|
api |
Normal API calls, CIP execution, integration/E2E, Role Assistant capabilities |
webhookInbound |
Validate incoming webhook deliveries (HMAC, bearer, OIDC — same credential types as api) |
syncExecution |
Background sync: inbound sync jobs, webhook-triggered refresh, syncBridge propagation |
callback |
OAuth authorization-code / callback flows (when applicable) |
messageInbound / messageOutbound |
Future channel ingress/egress |
provisioning |
Provisioning hooks |
There is no webhook-specific auth schema — each slot uses the same credential / apiProvider shapes as today.
Single authentication (API only)
A single root authentication block on the Connected System covers normal api usage. Validate compiles it as the default API slot when multi-usage arrays are present in your toolchain.
When you add webhooks or sync bridge, extend with additional credential entries using the same shape and explicit usage values — do not duplicate secrets in datasource JSON.
Prerequisites
<systemKey>-system.jsonfromaifabrix createor copied fixture- Builder secret store paths in
env.templatefor each slot’ssecuritykeys - Authentication methods catalog
- Build with Builder MCP for post-upload Authentication UI
- When enabling webhooks or sync bridge: Enterprise sync bridge — technical guide
Where it lives
| Layer | Configuration |
|---|---|
| Multi-credential auth | <systemKey>-system.json → authentication and/or authentications[] with usage |
| API-only (common) | Root authentication → treated as usage: api |
| Secrets | env.template → kv:// per slot |
| Webhook / sync bridge | Business Entity <datasourceKey>.json → webhook, syncBridge (require matching auth usages on the system) |
| CLI session | aifabrix login |
Builder MCP
| Manifest section | system.authentication / system.authentications |
| UI tab | Authentication (?tab=authentication) — one card per authentications[] item |
| Help topics | connectedSystemUi, section, workflow, authentication catalog |
| Patch policy | Section is blocked for blind API patch — read first; assign secrets via UI or secret store |
Use help topic connectedSystemUi for post-upload Authentication URL and required secret keys per usage. Normative loop: Build with Builder MCP.
How to set
1. Default API slot
Detect vendor reality — OpenAPI import often classifies CRM specs as OAuth2; private apps often need API key.
aifabrix repair <systemKey> --auth apikey
aifabrix validate <systemKey>
repair --auth updates the default api credential block (or the default slot in authentications[] when present).
2. Add webhook and sync slots (when needed)
When a Business Entity enables webhook.enabled or syncBridge other than disabled, the Connected System must expose matching auth usages:
| Feature on datasource | Required system auth |
|---|---|
webhook.enabled: true |
authentications[] with usage: webhookInbound |
syncBridge: master or bidirectional |
usage: syncExecution (or service-capable api fallback where policy allows) |
Inbound sync.enabled (background pull) |
syncExecution recommended |
On-behalf-of user OAuth alone is invalid for syncExecution — use service account, client credentials, or API key suited to background workers.
3. Example — three usage slots
{
"key": "example-crm",
"displayName": "Example CRM",
"type": "openapi",
"authentications": [
{
"key": "default",
"usage": "api",
"authType": "credential",
"credential": {
"method": "apikey",
"variables": {
"baseUrl": "https://api.example.com",
"headerName": "X-API-Key"
},
"security": {
"apiKey": "kv://example-crm/apiKey"
}
}
},
{
"key": "webhook",
"usage": "webhookInbound",
"authType": "credential",
"credential": {
"method": "apikey",
"variables": {
"headerName": "X-Hub-Signature"
},
"security": {
"apiKey": "kv://example-crm/webhookSecret"
}
}
},
{
"key": "sync-worker",
"usage": "syncExecution",
"authType": "credential",
"credential": {
"method": "apikey",
"variables": {
"baseUrl": "https://api.example.com",
"headerName": "X-API-Key"
},
"security": {
"apiKey": "kv://example-crm/syncApiKey"
}
}
}
]
}
syncExecution may reuse the same kv path as api when one service credential is appropriate — keep separate slots so validation and audit stay explicit.
4. Resolve secrets and prove auth
aifabrix auth status
aifabrix login
aifabrix validate <systemKey>
aifabrix test-integration <systemKey>
aifabrix datasource test-e2e <datasourceKey> --app <systemKey>
Confirm every kv:// path in env.template exists (secret get … --exists). After upload, operators assign live secrets on Connected Systems → Authentication — one form per usage card.
Upload pushes credential references only. If denied, fix platform permissions and re-upload rather than embedding secrets in JSON.
Auth types and on-behalf-of
| Pattern | When | Manifest |
|---|---|---|
| API key / bearer token | Private apps, static tokens, webhook HMAC secrets | authType: credential with method: apikey or bearerToken |
| OAuth2 client credentials | Server-to-server SaaS, syncExecution |
method: oauth2, variables.tokenUrl, secrets in security |
| API Provider (delegated) | Enterprise IdP or platform-managed auth | authType: apiProvider with apiProviderKey |
| On-behalf-of / user context | User-scoped vendor APIs via api usage only |
Platform API Provider or OAuth authorization code — not syncExecution or webhookInbound |
Runtime selection (summary)
CIP / capabilities / integration tests → authentications[usage=api]
POST /webhooks/{systemKey}/… → authentications[usage=webhookInbound]
Sync job / SyncIntent / syncBridge write → authentications[usage=syncExecution]
Detail: Enterprise webhooks, Configure sync.
Defaults and examples
| Situation | Action |
|---|---|
| Wizard chose OAuth, you use API key | aifabrix repair <systemKey> --auth apikey (default api slot) |
| Webhook enabled, validation fails on auth | Add webhookInbound credential; set webhook secret kv path |
| Sync bridge enabled, propagation blocked | Add syncExecution; avoid user-delegated OAuth |
| Missing shared secret | secret get / secret set; re-run resolve |
Validate
aifabrix validate <systemKey>
aifabrix verify-trust <systemKey>
aifabrix test-integration <systemKey>
aifabrix datasource test-e2e <datasourceKey> --app <systemKey>
Certification checks webhook shape against webhookInbound, sync bridge against syncExecution, and get/update capabilities on the datasource — see Enterprise sync bridge — technical guide.
Auth failures surface earliest at integration or E2E. Rotate credentials in the secret store; re-upload after rotation if connection settings change.
Common mistakes
| Mistake | Fix |
|---|---|
| Secrets pasted into committed JSON | kv:// only |
| One OAuth user token for everything | Split api, webhookInbound, syncExecution |
Webhook enabled without webhookInbound |
Add slot on system manifest; validate |
Sync bridge without syncExecution |
Add worker credential; not end-user OAuth |
| CLI login OK but integration fails | Fix vendor authentications[], not platform token |
| Confusing platform token with vendor API key | Two layers — see Platform developer access |
| Skipping repair after OpenAPI import | repair --auth apikey for private apps |
Limits
Do not grant Role Assistants or models direct credential access — capabilities mediate execution. Vendor-specific OAuth scopes, webhook signature schemes, and certificate rotation vary — confirm against vendor docs and Authentication methods catalog.
Datasource manifests still require root key, displayName, systemKey, entityType, resourceType, primaryKey, and indexed externalId — system auth does not replace those bands. validate alone can stay green while live calls fail if secrets are stale — re-run test-integration after every rotation.