Connections First

Breyta guide for setting up reusable connections before wiring flow configuration.

Goal

Create, test, and reuse workspace connections up front so flow setup is faster and less repetitive.

Quick Answer

Use this sequence:

breyta connections list
breyta connections create --type http-api --name "Orders API" --base-url https://api.example.com
breyta connections test <connection-id>
breyta flows configure suggest <slug>
breyta flows configure <slug> --set orders-api.conn=<connection-id>
breyta flows configure check <slug>
breyta flows run <slug> --wait

For human-supplied credentials, open the Breyta setup/connection UI and let the
user enter secrets there. Do not ask for secrets in chat. Protected setup links
should return through /login?redirect=....

LLM connection note:

Create LLM connections as --type http-api and choose an LLM backend.
Some UI create surfaces may still show a legacy option like {:type :llm-provider :label "LLM Provider (Legacy)" :description "Legacy create mode normalized to HTTP API with an LLM backend" :icon :sparkles}.
That legacy create-mode option still normalizes to a canonical :http-api connection. Authored flow requirements and docs should use :http-api.
For AWS Bedrock Claude, choose the Bedrock backend and AWS SigV4 auth. Use a
Bedrock Runtime base URL such as
https://bedrock-runtime.us-east-1.amazonaws.com, set :region to the same
region, set :service "bedrock", and store access-key-id,
secret-access-key, plus optional session-token in the referenced secret.

Why This Helps

Benefit	Outcome
Reuse-first setup	Fewer duplicate connections across flows.
Early health checks	Fewer runtime surprises after wiring.
Faster authoring loop	Flow wiring becomes a short mapping step.

Canonical Connect-First Workflow

Step	Command	Purpose
1	`breyta connections list [--type <type>]`	Reuse existing workspace connections before creating new ones.
2	`breyta connections create ...`	Add a connection only when no reusable one exists.
3	`breyta connections test <connection-id>`	Test the specific connection you plan to bind or debug. Use `--all` only for a deliberate workspace-wide connection audit.
4	`breyta connections items <connection-id> [--item-type <type>]`	Inspect cached non-secret provider items when a flow uses connection-backed dropdowns.
5	`breyta connections usages --only-connected`	Inspect where each connection is already wired (`draft`/`live`/`installation`).
6	`breyta secrets usages --only-connected`	Inspect where existing secret refs are already wired (`draft`/`live`/`installation`).
7	`breyta flows configure suggest <slug>`	Generate suggested `--set` values from existing healthy connections.
8	`breyta flows configure <slug> --set <slot>.conn=<connection-id>`	Apply wiring for required slots and activation inputs.
9	`breyta flows configure check <slug>`	Confirm required config is complete.
10	`breyta flows run <slug> --wait`	Verify runtime behavior.
11	`breyta connections usages --connection-id <id>`	Confirm whether a connection can be safely deleted or still has bound usages.

Reuse-First Rules

Run connections list before every connections create.
Prefer one stable workspace connection per external system.
Use clear names (Orders API, Billing DB, Support SMTP) so reuse is obvious.
Test existing connections before wiring them into new flows.
When a flow uses connection item dropdowns, inspect connections items before
assuming a repository, channel, project, or folder is available in setup/run UI.

Missing Connection Handoff

Declare the :requires slot and provider/auth shape.
List/reuse/test plausible existing connections.
If none fits, stop and hand off the setup or connection edit webUrl.
Resume after the user saves the connection, then test, bind, and run proof.
For public/end-user flows, model user-owned accounts as :provided-by :installer.

Custom OAuth Accounts

Use a custom OAuth connection when a flow needs a user-authorized http-api account that is not covered by a built-in provider button.

Custom OAuth connections store an OAuth client: your app's client ID and client secret. When a flow is shared, installers reuse the same client to authorize their own accounts. Each installer gets a separate user token and never sees your client secret.

Who can do this:

Workspace creators/admins can create, edit, and reconnect custom OAuth accounts.

Where to start in the UI:

Open Connections.
Choose New connection.
Choose OAuth account.
Choose Use custom OAuth.

You can also start from flow setup when an OAuth-capable slot is unbound:

Open flow setup for the slot.
Choose Use custom OAuth.
Complete the connection form, then finish the browser OAuth redirect.

The setup shape is:

Create a pending OAuth account connection.
Fill in the provider label, base URL, authorize URL, token URL, probe URL, scopes, and client credentials.
Complete the OAuth browser redirect.
Test the connection before wiring it into a flow.

Before you start

Gather these values from the provider's OAuth app settings and API docs:

client ID
client secret
authorization endpoint
token endpoint
a bearer-authenticated profile or me endpoint for health checks
required scopes
whether the provider requires PKCE
any provider-specific authorize parameters such as audience, resource, access_type, or prompt
non-standard authorize client ID names or scope separators, configured with :oauth.authorize-params and :oauth.scope-separator
non-standard token parameter names, configured with :oauth.token-params and :oauth.refresh-token-params

Important client constraint:

The current custom OAuth form expects a confidential OAuth client with both a client ID and client secret.
Public-client-only setups are not supported by this form today, even when PKCE is enabled.

Redirect URI to register with the provider

https://<your-breyta-base-url>/api/oauth/callback

Example:

https://flows.example.com/api/oauth/callback

Notes:

Replace <your-breyta-base-url> with the base URL where your Breyta UI/API is served.
Prefer the generic callback URL above for new custom OAuth app registrations.
Existing custom OAuth apps that already use a workspace-scoped callback can keep working during migration with https://<your-breyta-base-url>/<workspace-id>/api/oauth/callback.

Field Guide

Field	What to enter	How to choose it
Provider label	Human-readable provider name such as `X`, `Salesforce sandbox`, or `Acme CRM`	Used only for display inside Breyta.
Base URL	Base API URL used by the connection after OAuth succeeds	Usually the root API URL for later requests, such as `https://api.x.com/2`.
Authorize URL	Provider authorization endpoint	The browser is redirected here so the user can approve access.
Token URL	Provider token endpoint	Breyta exchanges the authorization code and refresh tokens here.
Probe URL	A lightweight bearer-authenticated endpoint used for connection health checks	Prefer a `me`, `userinfo`, or profile endpoint that returns `200` for a valid token.
Scopes	Space-delimited scopes	Start with the provider's minimum required scopes for the flow.
Extra authorize params	Optional JSON object of extra query params added to the authorize request	Use only when the provider docs require it, for example `{"audience":"https://api.example.com","prompt":"consent"}`.
Enable PKCE	Whether to send a PKCE challenge/verifier in the OAuth flow	Turn this on when the provider requires or recommends PKCE.
Client ID / Client secret	OAuth client credentials from the provider app	Both are required when creating the connection.

Choosing a Probe URL

The probe URL is used by connections test and other health checks to confirm that the token still works.

Choose an endpoint that:

accepts the access token as a Bearer token
returns 200 for a healthy authenticated session
is lightweight and safe to call repeatedly
does not mutate provider state

Good examples:

https://api.x.com/2/users/me
https://openidconnect.googleapis.com/v1/userinfo
https://api.github.com/user

Avoid:

write endpoints
expensive search/list endpoints
endpoints that require request bodies or unusual headers beyond normal Bearer auth

PKCE and Extra Authorize Params

Use provider documentation to decide these values:

Enable PKCE when the provider requires PKCE or documents it as the recommended authorization-code setup.
Leave Extra authorize params blank unless the provider explicitly requires additional query parameters.

Examples:

{"prompt":"consent"}

{"audience":"https://api.example.com","access_type":"offline"}

Important behaviors:

Custom OAuth connections are workspace-scoped reusable connections, just like other connection types.
Changing OAuth endpoints, scopes, or client credentials marks the connection pending and requires reconnect.
Reconnects preserve the same connection id; flows bound to that connection do not need to be rewired.
Health checks validate the configured probe/token targets before sending tokens or refresh requests.
OAuth callback return paths are limited to relative workspace URLs. External return targets are rejected.

Draft Vs Live Wiring

Target	Command
Draft (default)	`breyta flows configure <slug> --set <slot>.conn=<connection-id>`
Live	`breyta flows configure <slug> --target live --version latest --set <slot>.conn=<connection-id>`

Use breyta flows configure check <slug> for draft and breyta flows configure check <slug> --target live --version latest before the first live release of a new flow.

Common Pitfalls

Creating a new connection when a matching healthy one already exists.
Wiring untested connections directly into flows.
Mixing draft/live config expectations and testing only one target.
Treating connections test as full runtime proof instead of a preflight check.
Assuming delete safety from flow code alone; usage guards are profile-binding based (draft/live/installation).