Skip to main content

How It Works

veryfront.config.ts            Renderer (framework)               API (token vault)
┌──────────────────┐     ┌────────────────────────────┐     ┌────────────────────────┐
│ integrations:    │────▶│ 1. Read config             │     │ Connector specs (JSON) │
│   github: {}     │     │ 2. Fetch connector spec    │────▶│ OAuth ceremonies       │
│   slack:         │     │    (cached 5 min)          │     │ Token storage          │
│     tools:       │     │ 3. Generate MCP tools      │     │ Auto-refresh           │
│       - send-msg │     │ 4. On tool call:           │     │                        │
│   linear:        │     │    a. Get token from API   │────▶│ GET /oauth/token/:name │
│     perUser: true│     │    b. Call external API    │     │ → { accessToken }      │
└──────────────────┘     └─────────────┬──────────────┘     └────────────────────────┘
                                       │ Bearer token

                         ┌────────────────────────────┐
                         │ External API (GitHub, etc.) │
                         └────────────────────────────┘
Key points:
  • The renderer owns tool listing and execution. Tools run in-process, not proxied through the API.
  • The API is the token vault. It handles OAuth ceremonies, stores encrypted tokens, and auto-refreshes expired ones.
  • Config-driven. Adding github: {} to the integrations record enables all GitHub tools instantly.
  • Per-user tokens. Set perUser: true so each end-user authenticates with their own account.
  • Tool allowlisting. Use tools: ["send-message"] to expose only specific tools.

Configuration

// veryfront.config.ts
import { defineConfig } from "veryfront/config";

export default defineConfig({
  integrations: {
    // All tools, project-level token
    github: {},

    // Only specific tools
    slack: {
      tools: ["send-message", "list-channels"],
    },

    // Per-user tokens (each end-user authenticates individually)
    linear: {
      perUser: true,
    },

    // API-key based (no OAuth needed)
    stripe: {},
  },
});

Authentication Flow

When an agent calls an integration tool and no valid token exists:
  1. Tool returns { error: "authentication_required", connectUrl: "..." }
  2. Agent surfaces the connect URL to the user
  3. User clicks → Veryfront OAuth app → Provider consent screen → Callback
  4. Token stored per (project, user, integration), encrypted at rest
  5. Subsequent tool calls succeed automatically
  6. Token refresh is transparent; users never see expiry errors

Zero-Config OAuth (Managed Apps)

For OAuth integrations, Veryfront provides managed OAuth apps by default. Developers don’t need to create their own OAuth apps; just add the integration to config and it works.

BYO Credentials

Enterprise teams can use their own OAuth app credentials by setting environment variables: 
GITHUB_CLIENT_ID=your_app_id
GITHUB_CLIENT_SECRET=your_app_secret
When both are set, the system uses your credentials. Otherwise, it falls back to Veryfront’s managed app.

API Setup for Managed OAuth Apps

To enable zero-config OAuth for users, Veryfront needs a registered OAuth app for each provider. Here’s how to set them up:

Provider Registration

For each OAuth provider, create an application and configure the callback URL: 
https://api.veryfront.com/api/oauth/callback/{integration-name}
Then set the credentials as environment variables on the API:
ProviderVariable PrefixRegistration URL
GitHubGITHUB_https://github.com/settings/developers
Google (Gmail, Calendar, Docs, Drive, Sheets)GOOGLE_https://console.cloud.google.com/apis/credentials
SlackSLACK_https://api.slack.com/apps
Microsoft (Outlook, Teams, OneDrive, SharePoint)MICROSOFT_https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps
Atlassian (Jira, Confluence)ATLASSIAN_https://developer.atlassian.com/console/myapps/
LinearLINEAR_https://linear.app/settings/api
NotionNOTION_https://www.notion.so/my-integrations
FigmaFIGMA_https://www.figma.com/developers/apps
DiscordDISCORD_https://discord.com/developers/applications
DropboxDROPBOX_https://www.dropbox.com/developers/apps
AirtableAIRTABLE_https://airtable.com/create/oauth
AsanaASANA_https://app.asana.com/0/developer-console
BitbucketBITBUCKET_https://bitbucket.org/workspace/settings/oauth-consumers
BoxBOX_https://app.box.com/developers/console
ClickUpCLICKUP_https://app.clickup.com/settings/integrations
FreshdeskFRESHDESK_https://developers.freshdesk.com/
GitLabGITLAB_https://gitlab.com/-/profile/applications
HubSpotHUBSPOT_https://app.hubspot.com/developer
IntercomINTERCOM_https://app.intercom.com/a/apps/_/developer-hub
MailchimpMAILCHIMP_https://admin.mailchimp.com/account/oauth2/
Monday.comMONDAY_https://monday.com/developers/apps
PipedrivePIPEDRIVE_https://developers.pipedrive.com/docs/marketplace
QuickBooksQUICKBOOKS_https://developer.intuit.com/app/developer/dashboard
SalesforceSALESFORCE_https://login.salesforce.com/lightning/setup/ConnectedApplication
ServiceNowSERVICENOW_Instance admin → Application Registry
ShopifySHOPIFY_https://partners.shopify.com/organizations
TrelloTRELLO_https://trello.com/power-ups/admin
Twitter/XTWITTER_https://developer.twitter.com/en/portal/dashboard
WebexWEBEX_https://developer.webex.com/my-apps
XeroXERO_https://developer.xero.com/app/manage
ZendeskZENDESK_https://zendesk.com/admin/apps-integrations
ZoomZOOM_https://marketplace.zoom.us/develop
Each provider needs two variables: 
{PREFIX}CLIENT_ID=...
{PREFIX}CLIENT_SECRET=...
For example: 
GITHUB_CLIENT_ID=Iv1.abc123
GITHUB_CLIENT_SECRET=secret_xyz
GOOGLE_CLIENT_ID=123456789.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=GOCSPX-abc
SLACK_CLIENT_ID=123456.789012
SLACK_CLIENT_SECRET=abc123secret

Google APIs (shared credentials)

Google Calendar, Gmail, Docs, Drive, and Sheets all use the same GOOGLE_CLIENT_ID / GOOGLE_CLIENT_SECRET. Register one Google OAuth app and enable all required APIs in the Cloud Console:

Microsoft APIs (shared credentials)

Outlook, Teams, OneDrive, and SharePoint all use MICROSOFT_CLIENT_ID / MICROSOFT_CLIENT_SECRET. Register one Azure AD app with the required Microsoft Graph permissions.

API-Key Integrations (no OAuth setup needed)

These integrations use API keys set by the developer in their project environment variables (no Veryfront OAuth app needed):
IntegrationRequired Variables
AnthropicANTHROPIC_API_KEY
AWSAWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION
MixpanelMIXPANEL_PROJECT_TOKEN, MIXPANEL_API_SECRET, MIXPANEL_PROJECT_ID
NeonNEON_API_KEY, DATABASE_URL
PostHogPOSTHOG_API_KEY
SentrySENTRY_AUTH_TOKEN, SENTRY_ORG
SnowflakeSNOWFLAKE_ACCOUNT, SNOWFLAKE_USERNAME, SNOWFLAKE_PASSWORD, SNOWFLAKE_WAREHOUSE
StripeSTRIPE_SECRET_KEY
SupabaseSUPABASE_URL, SUPABASE_ANON_KEY, SUPABASE_SERVICE_KEY
TwilioTWILIO_ACCOUNT_SID, TWILIO_AUTH_TOKEN, TWILIO_PHONE_NUMBER

Available Integrations

Project Management (30 tools)

IntegrationToolsAuth
Jirasearch-issues, get-issue, create-issue, update-issue, list-projectsOAuth
Linearsearch-issues, get-issue, create-issue, update-issue, list-projectsOAuth
Asanalist-tasks, get-task, create-task, update-task, list-projectsOAuth
ClickUplist-tasks, get-task, create-task, update-task, list-listsOAuth
Monday.comlist-boards, list-items, get-item, create-item, update-itemOAuth (GraphQL)
Trellolist-boards, list-cards, get-card, create-card, update-cardOAuth

Code & DevOps (22 tools)

IntegrationToolsAuth
GitHublist-repos, list-prs, create-issue, get-pr-diffOAuth
GitLabsearch-issues, get-issue, create-issue, list-merge-requests, list-projectsOAuth
Bitbucketlist-repositories, list-pull-requests, create-pull-request, list-issuesOAuth
Sentrylist-projects, list-issues, get-issue, resolve-issueAPI Key
AWSlist-s3-buckets, list-s3-objects, get-s3-object, list-ec2-instances, list-lambda-functionsAPI Key

Communication (24 tools)

IntegrationToolsAuth
Slacklist-channels, send-message, get-messagesOAuth
Discordlist-guilds, list-channels, get-messages, send-message, get-userOAuth
Gmaillist-emails, send-email, search-emailsOAuth
Outlooklist-emails, get-email, send-email, search-emails, list-foldersOAuth
Teamslist-chats, get-messages, send-message, list-teams, list-channelsOAuth
Twiliosend-sms, send-whatsapp, list-messages, get-message, list-callsAPI Key
Webexlist-meetings, get-meeting, create-meeting, list-rooms, send-messageOAuth

Documents & Storage (34 tools)

IntegrationToolsAuth
Notionsearch-notion, read-page, create-page, query-databaseOAuth
Google Docslist-documents, get-document, create-document, update-document, search-documentsOAuth
Google Drivelist-files, get-file, search-files, create-folder, upload-fileOAuth
Google Sheetslist-spreadsheets, get-spreadsheet, read-range, write-range, create-spreadsheetOAuth
Confluencesearch-content, get-page, create-page, update-page, list-spacesOAuth
Dropboxlist-files, get-file, upload-file, search-files, get-accountOAuth
Boxlist-files, get-file, search-files, create-folder, upload-fileOAuth
OneDrivelist-files, search-files, upload-file, download-fileOAuth
SharePointlist-sites, get-site, list-files, get-file, upload-fileOAuth

CRM & Sales (20 tools)

IntegrationToolsAuth
HubSpotlist-contacts, get-contact, create-contact, list-deals, create-dealOAuth
Salesforcelist-accounts, get-account, list-contacts, list-opportunities, create-leadOAuth
Pipedrivelist-deals, get-deal, create-deal, update-deal, list-personsOAuth
Intercomlist-contacts, get-contact, list-conversations, get-conversation, send-messageOAuth

Databases (15 tools)

IntegrationToolsAuth
Supabaselist-tables, query-table, insert-row, update-row, delete-rowAPI Key
Neonlist-projects, list-branches, query-database, list-tables, describe-tableAPI Key
Snowflakerun-query, list-databases, list-schemas, list-tables, describe-tableAPI Key

Design (5 tools)

IntegrationToolsAuth
Figmalist-files, get-file, get-comments, post-comment, list-projectsOAuth

Analytics (14 tools)

IntegrationToolsAuth
Mixpaneltrack-event, query-events, get-funnel, get-retention, list-cohortsAPI Key
PostHogget-trends, list-feature-flags, list-persons, capture-eventAPI Key
Anthropiclist-workspaces, get-usage, list-api-keys, list-members, get-organizationAPI Key

Finance & Accounting (15 tools)

IntegrationToolsAuth
Stripelist-customers, get-customer, list-payments, get-balance, list-subscriptionsAPI Key
QuickBookslist-invoices, get-invoice, create-invoice, list-customers, get-customerOAuth
Xerolist-invoices, get-invoice, create-invoice, list-contacts, get-contactOAuth

Support (14 tools)

IntegrationToolsAuth
Zendesklist-tickets, get-ticket, create-ticket, search-ticketsOAuth
Freshdesklist-tickets, get-ticket, create-ticket, update-ticket, list-contactsOAuth
ServiceNowlist-incidents, get-incident, create-incident, update-incident, search-knowledgeOAuth

Calendar & Meetings (13 tools)

IntegrationToolsAuth
Google Calendarlist-events, create-event, find-free-timeOAuth
Zoomlist-meetings, get-meeting, create-meeting, update-meeting, delete-meetingOAuth

Marketing (5 tools)

IntegrationToolsAuth
Mailchimplist-campaigns, get-campaign, list-lists, get-list, list-membersOAuth

E-Commerce (5 tools)

IntegrationToolsAuth
Shopifylist-products, get-product, list-orders, get-order, list-customersOAuth

Social (6 tools)

IntegrationToolsAuth
Twitter/Xsearch-tweets, post-tweet, get-timelineOAuth
Airtablelist-bases, get-base, list-records, get-record, create-recordOAuth
50 integrations | 235 tools | 40 OAuth + 10 API Key