1Open the Connection tab

Step 1.1

From the editor

In the 10-tab strip click πŸ”Œ Connection. The tab body shows three groups: Base settings, Authentication, and Resilience (rate limiting, retries, circuit breaker). Use Esc to close any submodal that pops up here.

2Base URL & TLS

Step 2.1

Set the base URL

The Base URL field (test id connection-base-url) is the root every command path is appended to. Examples:

  • https://graph.microsoft.com/v1.0
  • https://my-tenant.service-now.com/api/now
  • https://impl-services.workday.com/ccx/service

Trailing slash optional. Use HTTPS for any production system.

Step 2.2

TLS & timeouts

  • Verify TLS β€” on by default. Turn off only for self-signed dev environments.
  • Connect timeout β€” seconds to wait for the TCP handshake. Default 5s.
  • Request timeout β€” seconds for the whole HTTP request. Default 30s.

3Authentication type

The Auth type dropdown (test id connection-auth-type) picks how EmpowerNow authenticates to the system. The form below the dropdown rebuilds based on your choice.

Auth typeWhat you provideNotes
NoneNothingPublic APIs only (rare).
API KeyHeader name + key valueStatic token in a custom header (e.g. X-API-Key).
Bearer TokenToken valueSent as Authorization: Bearer …. Static β€” for short-lived tokens prefer OAuth.
Basic AuthUsername + passwordBase64 encoded.
OAuth 2.0 (client credentials)Token URL, client id, client secret, scopesEmpowerNow fetches tokens automatically and refreshes when needed.
OAuth 2.0 (authorization code)OAuth tab fully configured (see below)For systems that need the end user's consent.
Custom (Headers)List of header name/value pairsEscape hatch for SaaS APIs that use proprietary auth.
πŸ”’
Use environment-referenced secrets, not literal values

For any credential field, prefer the ${env:NAME} or ${secret:name} reference forms. The literal value never lives in the YAML; the platform resolves it from the secret store at runtime. Never commit raw API keys.

4Rate limiting and retries

Step 4.1

Rate limiting

Toggle Rate limiting (test id connection-rate-limiting-toggle) on to throttle outbound calls. Two fields appear:

  • Requests per second (connection-rate-limiting-rps) β€” sustained rate.
  • Burst (connection-rate-limiting-burst) β€” short-term spike allowance before the limiter throttles.

Match the upstream system's published limits to avoid 429s.

Step 4.2

Retries & circuit breaker

The Retries section configures attempts on transient failures: max attempts, exponential backoff base, jitter. The Circuit breaker stops sending requests entirely after a configurable failure rate; useful when the upstream is reliably degraded.

5Test the connection

Step 5.1

Click Test Connection

The Test Connection button at the bottom of the Connection tab (test id connection-test-button, aria-label "Test API") performs a sanity request against the base URL with the configured auth.

Connection Β· EntraID
πŸ§ͺ Test Connection
βœ“ Connection OK
MethodGET https://graph.microsoft.com/v1.0/$metadata
Status200 OK
Latency148 ms
TLSverified Β· TLS 1.3
AuthOAuth client_credentials Β· token cached
Step 5.2

When it fails

Common errors:

SymptomLikely cause
DNS / connection refusedWrong base URL, network ACL blocking the egress, or the system is down.
TLS handshake failedSelf-signed cert + Verify TLS is on β€” disable for dev or install the cert chain.
401 / 403Bad credentials. Re-check secret references and OAuth client config.
404Base URL is wrong (often a missing or extra path segment).
429Throttled. Lower RPS in rate limiting.
πŸ›‘
Do not click Save with a broken connection

The system will save fine but every workflow that calls it will start failing. Always Test before Save when changing connection fields.

6OAuth tab β€” pick a preset

Step 6.1

When to use OAuth

The OAuth tab is for systems that need an end user to consent to actions taken on their behalf β€” typically the authorization-code flow with PKCE. Set this up when:

  • You're building a workflow that uses the user's own Slack / Google / Microsoft account.
  • The platform delegates to the user's identity for read access.

For server-to-server (client credentials), configure OAuth directly on the Connection tab instead β€” you don't need this tab.

Step 6.2

Choose a preset

OAuth Β· presets
Microsoft Entra ID
Google
Okta
Slack
GitHub
Custom
Display nameSign in with Microsoft
Authorization URLhttps://login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize
Token URLhttps://login.microsoftonline.com/<tenant>/oauth2/v2.0/token
Client ID${env:ENTRA_CLIENT_ID}
Client secret${secret:entra_client_secret}

Presets pre-fill the URLs and known scopes for the major identity providers. Pick Custom for anything not listed and provide the URLs yourself. The presets list has the test id oauth-presets; each entry has oauth-preset-<id>.

7Scopes, PKCE, and enrichment

Step 7.1

Add scopes

The Scopes field (add via oauth-scope-add) is a list of OAuth scope strings the user is asked to consent to. Start narrow β€” only the scopes the workflow actually needs. Add more later as you wire up additional commands.

Step 7.2

PKCE

Toggle Use PKCE on for any public client. The platform generates the code verifier and challenge automatically; no further config needed.

Step 7.3

Token enrichment

Optional. The Enrichment section can call a follow-up endpoint after the token exchange (e.g. userinfo) and merge the response into the user's identity for downstream use.

Step 7.4

UI branding

Set Display name (test id oauth-display-name), button colour, and icon. These appear on the consent screen the end user sees.

8Delegation broker

When a workflow or AI agent acts on behalf of an end user, the Delegation Broker issues a constrained token. The Delegation tab configures the broker for this system.

FieldWhat it does
Enable delegationMaster toggle. When off, every command runs as the platform service account.
Allowed scopesSubset of the system's OAuth scopes that delegation may request. Anything outside is rejected.
CapabilitiesFunctional caps the delegated principal can use: read, write, list, delete. The Designer's per-command MCP config can refine further.
Response filterField-level redaction applied to delegated responses (e.g. mask ssn).
Error filterSanitises error messages before they leave the platform β€” prevents leaking internal IDs to the delegate.
🀝
Delegation pairs with MCP

If you expose commands as MCP tools and want AI agents to call them with end-user identity, fill in this tab. Otherwise the broker is bypassed.

9Automation: webhook ingress

The πŸ€– Automation tab configures how the external system pushes events back to EmpowerNow. Two modes are common: webhook (system calls EmpowerNow when something happens) and poller (EmpowerNow polls the system on a schedule).

Step 9.1

Enable automation

Toggle Enable automation (test id automation-enable-toggle) on. Choose an Event family (test id automation-event-family) β€” e.g. identity.lifecycle, access.changes, incidents.created. The family scopes the events this ingress publishes.

Step 9.2

Webhook mode

Pick Webhook in the Mode toggle (test id automation-mode-webhook). Configure:

Fielddata-testidNotes
Webhook endpointautomation-webhook-endpointThe path the platform exposes (e.g. /webhook/entraid). Provide this URL to the upstream system.
Webhook secretautomation-webhook-secretShared secret. Reference an env var or secret store entry.
Signature headerautomation-webhook-sig-headerHTTP header name where the upstream system places the signature (e.g. X-Slack-Signature).
Signature algorithmautomation-webhook-sig-algorithmAlgorithm used to compute the signature (e.g. HMAC-SHA256).
Subject templateautomation-subject-templateTemplated NATS-style subject the event is published to: e.g. identity.{{ payload.userId }}.

10Automation: poller mode

Step 10.1

When to use polling

Pick Poller (automation-mode-poller) when the upstream doesn't expose webhooks. EmpowerNow runs a recurring command and emits an event for each new record.

Fielddata-testidNotes
Intervalautomation-poller-intervalHow often to poll (seconds or cron expression).
Command refautomation-poller-command-refName of the command to call on each tick. Must exist in the Designer.
State keyautomation-poller-state-keyField on each result used as a watermark (e.g. updated_at). The poller keeps a "last seen" value to avoid double-emits.
Timestampautomation-poller-timestampISO timestamp field that anchors the poll window.
Step 10.2

Hybrid mode

Some systems support both: a webhook for the most common events plus a polling sweep to catch anything missed. Pick Hybrid in the Mode toggle and configure both blocks. The platform deduplicates by the state key.

βœ…
Validate the ingress before relying on it

After saving, watch the platform-ops dashboards or the system's mind-map node detail to confirm events are flowing. Webhooks: send a synthetic event from the upstream. Pollers: wait one interval and check the last-seen state key.