Connections First
Breyta guide for setting up reusable connections before wiring flow configuration.
Goal
Create, test, and reuse workspace connections up front so flow setup is faster and less repetitive.
Quick Answer
Use this sequence:
breyta connections list
breyta connections create --type http-api --name "Orders API" --base-url https://api.example.com
breyta connections test --all
breyta flows configure suggest <slug>
breyta flows configure <slug> --set orders-api.conn=<connection-id>
breyta flows configure check <slug>
breyta flows run <slug> --wait
Why This Helps
| Benefit | Outcome |
|---|---|
| Reuse-first setup | Fewer duplicate connections across flows. |
| Early health checks | Fewer runtime surprises after wiring. |
| Faster authoring loop | Flow wiring becomes a short mapping step. |
Canonical Connect-First Workflow
| Step | Command | Purpose |
|---|---|---|
| 1 | breyta connections list [--type <type>] | Reuse existing workspace connections before creating new ones. |
| 2 | breyta connections create ... | Add a connection only when no reusable one exists. |
| 3 | breyta connections test --all | Run workspace-wide health checks before wiring. This confirms connection health/config state, not end-to-end flow execution. |
| 4 | breyta connections usages --only-connected | Inspect where each connection is already wired (draft/live/installation). |
| 5 | breyta secrets usages --only-connected | Inspect where existing secret refs are already wired (draft/live/installation). |
| 6 | breyta flows configure suggest <slug> | Generate suggested --set values from existing healthy connections. |
| 7 | breyta flows configure <slug> --set <slot>.conn=<connection-id> | Apply wiring for required slots and activation inputs. |
| 8 | breyta flows configure check <slug> | Confirm required config is complete. |
| 9 | breyta flows run <slug> --wait | Verify runtime behavior. |
| 10 | breyta connections usages --connection-id <id> | Confirm whether a connection can be safely deleted or still has bound usages. |
Reuse-First Rules
- Run
connections listbefore everyconnections create. - Prefer one stable workspace connection per external system.
- Use clear names (
Orders API,Billing DB,Support SMTP) so reuse is obvious. - Test existing connections before wiring them into new flows.
Custom OAuth Accounts
Use a custom OAuth connection when a flow needs a user-authorized http-api account that is not covered by a built-in provider button.
Who can do this:
- Workspace creators/admins can create, edit, and reconnect custom OAuth accounts.
Where to start in the UI:
- Open
Connections. - Choose
New connection. - Choose
OAuth account. - Choose
Use custom OAuth.
You can also start from flow setup when an OAuth-capable slot is unbound:
- Open flow setup for the slot.
- Choose
Use custom OAuth. - Complete the connection form, then finish the browser OAuth redirect.
The setup shape is:
- Create a pending
OAuth accountconnection. - Fill in the provider label, base URL, authorize URL, token URL, probe URL, scopes, and client credentials.
- Complete the OAuth browser redirect.
- Test the connection before wiring it into a flow.
Before you start
Gather these values from the provider's OAuth app settings and API docs:
- client ID
- client secret
- authorization endpoint
- token endpoint
- a bearer-authenticated profile or
meendpoint for health checks - required scopes
- whether the provider requires PKCE
- any provider-specific authorize parameters such as
audience,resource,access_type, orprompt
Important client constraint:
- The current custom OAuth form expects a confidential OAuth client with both a client ID and client secret.
- Public-client-only setups are not supported by this form today, even when PKCE is enabled.
Redirect URI to register with the provider
Register this callback URL in the provider's OAuth app configuration:
https://<your-breyta-base-url>/<workspace-id>/api/oauth/callback
Example:
https://flows.example.com/ws-acme/api/oauth/callback
Notes:
- Replace
<your-breyta-base-url>with the base URL where your Breyta UI/API is served. - Replace
<workspace-id>with the workspace where the connection will live. - The callback URL is workspace-specific, so use the exact workspace id.
Field Guide
| Field | What to enter | How to choose it |
|---|---|---|
| Provider label | Human-readable provider name such as X, Salesforce sandbox, or Acme CRM | Used only for display inside Breyta. |
| Base URL | Base API URL used by the connection after OAuth succeeds | Usually the root API URL for later requests, such as https://api.x.com/2. |
| Authorize URL | Provider authorization endpoint | The browser is redirected here so the user can approve access. |
| Token URL | Provider token endpoint | Breyta exchanges the authorization code and refresh tokens here. |
| Probe URL | A lightweight bearer-authenticated endpoint used for connection health checks | Prefer a me, userinfo, or profile endpoint that returns 200 for a valid token. |
| Scopes | Space-delimited scopes | Start with the provider's minimum required scopes for the flow. |
| Extra authorize params | Optional JSON object of extra query params added to the authorize request | Use only when the provider docs require it, for example {"audience":"https://api.example.com","prompt":"consent"}. |
| Enable PKCE | Whether to send a PKCE challenge/verifier in the OAuth flow | Turn this on when the provider requires or recommends PKCE. |
| Client ID / Client secret | OAuth client credentials from the provider app | Both are required when creating the connection. |
Choosing a Probe URL
The probe URL is used by connections test and other health checks to confirm that the token still works.
Choose an endpoint that:
- accepts the access token as a Bearer token
- returns
200for a healthy authenticated session - is lightweight and safe to call repeatedly
- does not mutate provider state
Good examples:
https://api.x.com/2/users/mehttps://openidconnect.googleapis.com/v1/userinfohttps://api.github.com/user
Avoid:
- write endpoints
- expensive search/list endpoints
- endpoints that require request bodies or unusual headers beyond normal Bearer auth
PKCE and Extra Authorize Params
Use provider documentation to decide these values:
- Enable PKCE when the provider requires PKCE or documents it as the recommended authorization-code setup.
- Leave
Extra authorize paramsblank unless the provider explicitly requires additional query parameters.
Examples:
{"prompt":"consent"}
{"audience":"https://api.example.com","access_type":"offline"}
Important behaviors:
- Custom OAuth connections are workspace-scoped reusable connections, just like other connection types.
- Changing OAuth endpoints, scopes, or client credentials marks the connection pending and requires reconnect.
- Reconnects preserve the same connection id; flows bound to that connection do not need to be rewired.
- Health checks validate the configured probe/token targets before sending tokens or refresh requests.
- OAuth callback return paths are limited to relative workspace URLs. External return targets are rejected.
Draft Vs Live Wiring
| Target | Command |
|---|---|
| Draft (default) | breyta flows configure <slug> --set <slot>.conn=<connection-id> |
| Live | breyta flows configure <slug> --target live --version latest --set <slot>.conn=<connection-id> |
Use breyta flows configure check <slug> for draft and breyta flows configure check <slug> --target live --version latest before the first live release of a new flow.
Common Pitfalls
- Creating a new connection when a matching healthy one already exists.
- Wiring untested connections directly into flows.
- Mixing draft/live config expectations and testing only one target.
- Treating
connections testas full runtime proof instead of a preflight check. - Assuming delete safety from flow code alone; usage guards are profile-binding based (
draft/live/installation).