OAuth flow
Authorization is an admin action. From Settings → Connectors, an admin clicks Authorize on a target, runs the OAuth flow against that tool, picks the narrowest scope set that covers the use case, and returns. The dance follows the standard OAuth 2.0 authorization-code grant; AgentHub is the OAuth client, the target tool is the authorization server, and the resulting refresh token is stored encrypted at rest.
The high-level sequence:
- Admin clicks Authorize → AgentHub returns a redirect to the target’s auth URL.
- The admin signs in to the target tool and approves the requested scopes.
- The target redirects back to AgentHub with an authorization code.
- AgentHub exchanges the code for an access token and a refresh token.
- The grant is bound to the workspace and the audited admin user.
Available connectors
The catalog ships with the integrations most teams need on day one and grows over time. Common targets include:
- Google Workspace — Gmail, Drive, Calendar, Sheets
- Microsoft 365 — Outlook, OneDrive, Calendar, Excel
- Slack — channels, DMs, files
- GitHub — repos, issues, pull requests
- Notion — databases, pages
- Salesforce — accounts, contacts, opportunities, custom objects
- HubSpot, Linear, Jira, Zendesk, Intercom, and a growing list of CRMs and ticket systems
The connector engine is built on a managed integration platform that handles the OAuth plumbing, token refresh, and webhook fan-out for each target. From your perspective, the API surface is identical regardless of target.
Scope model
Scopes are picked at authorization time and locked in for the life of the grant. Three rules:
- Pick the narrowest scope set that covers your use case. Wider scopes mean a wider blast radius if a credential leaks.
- Each grant is bound to one workspace and one account on the target tool. Cross-tenant credential reuse is impossible.
- Each grant carries a stable identifier exposed to agents — they never see the raw access token.
Using a connector from an agent
Agents reference a connector by its workspace-scoped id. The runtime resolves the id to the encrypted credential at call time and refuses the call if the credential is missing or revoked.

    // Agent manifest snippet (TypeScript)
    export const manifest = {
      tools: [
        {
          name: "send_email",
          connector: "google_workspace",
          scopes: ["gmail.send"],
        },
      ],
    };

Revocation and audit
Revoke a grant from Settings → Connectors. Revocation propagates to the target’s grant table and refuses every in-flight agent call that depends on it. Authorizations, scope changes, and revocations all land in the workspace audit log; see /docs/audit-logs.
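
The call-time resolution described under "Using a connector from an agent", together with the refusal after revocation, sketched as an added example that is not AgentHub's own code. The `Grant` shape, `resolveConnector`, the sample grants and the refusal of scopes outside the grant are assumptions made for illustration.

```typescript
// Added example: hypothetical types and names, not AgentHub's API.
type Grant = {
  id: string;                    // stable identifier the agent is allowed to see
  workspaceId: string;           // a grant is bound to exactly one workspace
  connector: string;
  scopes: string[];              // locked in at authorization time
  revoked: boolean;
  encryptedRefreshToken: string; // stays inside the runtime
};
type ToolDecl = { name: string; connector: string; scopes: string[] };
type Decision =
  | { allowed: true; grantId: string }
  | { allowed: false; reason: "missing" | "revoked" | "scope_exceeds_grant" };

// Constructed sample store: one active grant and one revoked grant.
const grants: Grant[] = [
  { id: "grant_001", workspaceId: "ws_a", connector: "google_workspace",
    scopes: ["gmail.send"], revoked: false, encryptedRefreshToken: "<ciphertext>" },
  { id: "grant_002", workspaceId: "ws_a", connector: "slack",
    scopes: ["chat:write"], revoked: true, encryptedRefreshToken: "<ciphertext>" },
];

function resolveConnector(workspaceId: string, tool: ToolDecl, store: Grant[] = grants): Decision {
  // Lookup is keyed by workspace and connector, so another workspace's grant never matches.
  const grant = store.find(g => g.workspaceId === workspaceId && g.connector === tool.connector);
  if (!grant) return { allowed: false, reason: "missing" };
  if (grant.revoked) return { allowed: false, reason: "revoked" };
  // Assumption: a tool asking for a scope outside the grant is refused, not silently narrowed.
  const granted = new Set(grant.scopes);
  if (!tool.scopes.every(s => granted.has(s))) {
    return { allowed: false, reason: "scope_exceeds_grant" };
  }
  // Only the stable grant id goes back to the agent; the credential is not part of the result.
  return { allowed: true, grantId: grant.id };
}
```

Every refusal path returns before the credential is touched, and the success path exposes only the grant id, which is the property the scope model relies on.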