Connectors

Connectors store an external API credential — Slack, GitHub, OpenRouter, or any token-authenticated HTTP API — once in your organization, and let Sprites call that API through the Sprites gateway without ever holding the credential themselves.

The Connectors dashboard is currently behind the connected_services feature flag. Organizations without access don’t see the dashboard, but API access is controlled by bearer token authentication and connector access policies.

Access model

Every connector has an access policy that decides which Sprites may use it and which provider paths they may reach. A connector with no policy denies every Sprite. Grant access with allow_all, sprite_labels, or name_prefix, then optionally restrict provider paths with allowed_endpoints and blocked_endpoints. Endpoint patterns are exact paths or a trailing * wildcard (/chat.postMessage, /chat.*, /*). Block rules are checked before allow rules.

Calling a connector from a Sprite

Sprites call connectors through the gateway:

https://api.sprites.dev/v1/gateway/<provider>/<connection_id>/<path>

Gateway requests must originate from inside a running Sprite — Fly.io identity headers identify the calling Sprite, and the connector’s access policy is checked against it. The path after the connection ID is forwarded to the provider with the stored credential attached.

Coding agents

Every Sprite ships with the sprite-api-gateway skill for Claude Code, Cursor, Codex, and Gemini. Coding agents running inside a Sprite discover available connectors via GET /v1/gateway/list and call them by natural-language request — no manual URL building required.

For a walkthrough, provider list, agent-skill details, and policy examples, see the Connectors guide.

Start OAuth Flow

GET /v1/oauth/{provider}/authorize

Create an OAuth authorization URL for a provider. Use this to start a browser-based consent flow.

Path Parameters

provider* string

The provider parameter

Query Parameters

scopes string

Comma-separated scopes to request. Replaces the default scope set for this authorization URL.

add_scopes string

Comma-separated scopes to add to any scopes already granted for this provider.

redirect_uri string

OAuth callback URI. Defaults to the Sprites API callback for the provider.

state string

Optional state value. If omitted, Sprites generates one that ties the callback to the organization.

Response

application/json

authorize_url* string

Provider URL where the user grants access.

state* string

State value that must be sent back to the callback.

Response Codes

200

Success

400

Invalid request parameters

401

Missing or invalid authentication

bash

curl -X GET \
  "https://api.sprites.dev/v1/oauth/{provider}/authorize" \
  -H "Authorization: Bearer $SPRITES_TOKEN"

200 Response

{
  "state": "opaque-state",
  "authorize_url": "https://slack.com/oauth/v2/authorize?client_id=..."
}

Complete OAuth Flow

POST /v1/oauth/{provider}/callback

Exchange an OAuth authorization code for an encrypted connector.

Path Parameters

provider* string

The provider parameter

Request Body

application/json

code* string

Authorization code returned by the provider.

redirect_uri string

Redirect URI used to create the authorization URL.

state string

State value from the authorize response.

access_policy

Initial access policy. Empty or missing policies deny sprite use until updated.

allow_all boolean

When true, all sprites in the organization may use this connector.

sprite_labels string

Labels the calling sprite must have. All listed labels are required.

name_prefix string

Sprite name prefix required to use this connector.

allowed_endpoints string

Provider API paths the connector may call. Supports exact paths and trailing * prefix wildcards.

blocked_endpoints string

Provider API paths the connector may not call. Block rules are checked before allow rules.

Response

application/json

connection*

Sanitized connector. Secrets and encrypted token fields are never returned.

id* string

Connector ID used in gateway URLs.

provider* "slack" | "slack_bot" | "github" | "openrouter" | "custom_api"

Provider key.

provider_account_id* string

Provider account, workspace, or key identifier.

provider_account_name string

Human-readable provider account name.

scopes string

Comma-separated OAuth scopes granted to the connector.

connection_type "oauth" | "api_key" | "provisioned"

How the connector was created.

access_policy

Policy controlling which sprites and provider endpoints may use this connector.

allow_all boolean

When true, all sprites in the organization may use this connector.

sprite_labels string

Labels the calling sprite must have. All listed labels are required.

name_prefix string

Sprite name prefix required to use this connector.

allowed_endpoints string

Provider API paths the connector may call. Supports exact paths and trailing * prefix wildcards.

blocked_endpoints string

Provider API paths the connector may not call. Block rules are checked before allow rules.

provider_info map

Provider-specific metadata such as workspace URLs, custom API base URLs, or icon references.

user_id string

Sprites user ID that created or owns the connector.

token_expires_at string

When the stored token expires, if the provider issues expiring tokens.

inserted_at string

When the connector was created.

updated_at string

When the connector was last updated.

usage_snippet string

Provider-specific curl snippet showing how to call the connector through the gateway.

Response Codes

201

Created

400

Invalid request parameters

401

Missing or invalid authentication

bash

curl -X POST \
  "https://api.sprites.dev/v1/oauth/{provider}/callback" \
  -H "Authorization: Bearer $SPRITES_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"access_policy":{"allow_all":true},"code":"oauth-code","redirect_uri":"https://api.sprites.dev/v1/oauth/slack/callback","state":"opaque-state"}'

200 Response

{
  "connection": {
    "id": "conn_abc123",
    "provider": "slack"
  }
}

Create API-key Connector

POST /v1/oauth/connections/api_key

Create a connector from a user-provided API key for providers that support key validation.

Request Body

application/json

provider* string

API-key provider.

api_key* string

Provider API key. Stored encrypted and never returned by the API.

access_policy

Initial access policy. Empty or missing policies deny sprite use until updated.

allow_all boolean

When true, all sprites in the organization may use this connector.

sprite_labels string

Labels the calling sprite must have. All listed labels are required.

name_prefix string

Sprite name prefix required to use this connector.

allowed_endpoints string

Provider API paths the connector may call. Supports exact paths and trailing * prefix wildcards.

blocked_endpoints string

Provider API paths the connector may not call. Block rules are checked before allow rules.

Response

application/json

connection*

Sanitized connector. Secrets and encrypted token fields are never returned.

id* string

Connector ID used in gateway URLs.

provider* "slack" | "slack_bot" | "github" | "openrouter" | "custom_api"

Provider key.

provider_account_id* string

Provider account, workspace, or key identifier.

provider_account_name string

Human-readable provider account name.

scopes string

Comma-separated OAuth scopes granted to the connector.

connection_type "oauth" | "api_key" | "provisioned"

How the connector was created.

access_policy

Policy controlling which sprites and provider endpoints may use this connector.

allow_all boolean

When true, all sprites in the organization may use this connector.

sprite_labels string

Labels the calling sprite must have. All listed labels are required.

name_prefix string

Sprite name prefix required to use this connector.

allowed_endpoints string

Provider API paths the connector may call. Supports exact paths and trailing * prefix wildcards.

blocked_endpoints string

Provider API paths the connector may not call. Block rules are checked before allow rules.

provider_info map

Provider-specific metadata such as workspace URLs, custom API base URLs, or icon references.

user_id string

Sprites user ID that created or owns the connector.

token_expires_at string

When the stored token expires, if the provider issues expiring tokens.

inserted_at string

When the connector was created.

updated_at string

When the connector was last updated.

usage_snippet string

Provider-specific curl snippet showing how to call the connector through the gateway.

Response Codes

201

Created

400

Invalid request parameters

401

Missing or invalid authentication

bash

curl -X POST \
  "https://api.sprites.dev/v1/oauth/connections/api_key" \
  -H "Authorization: Bearer $SPRITES_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"access_policy":{"allow_all":true},"api_key":"sk-or-...","provider":"openrouter"}'

200 Response

{
  "connection": {
    "id": "conn_abc123",
    "provider": "slack"
  }
}

Provision Connector

POST /v1/oauth/connections/provision

Provision a system-managed connector for providers that support platform-managed keys.

Request Body

application/json

provider* string

Provider to provision.

Response

application/json

connection*

Sanitized connector. Secrets and encrypted token fields are never returned.

id* string

Connector ID used in gateway URLs.

provider* "slack" | "slack_bot" | "github" | "openrouter" | "custom_api"

Provider key.

provider_account_id* string

Provider account, workspace, or key identifier.

provider_account_name string

Human-readable provider account name.

scopes string

Comma-separated OAuth scopes granted to the connector.

connection_type "oauth" | "api_key" | "provisioned"

How the connector was created.

access_policy

Policy controlling which sprites and provider endpoints may use this connector.

allow_all boolean

When true, all sprites in the organization may use this connector.

sprite_labels string

Labels the calling sprite must have. All listed labels are required.

name_prefix string

Sprite name prefix required to use this connector.

allowed_endpoints string

Provider API paths the connector may call. Supports exact paths and trailing * prefix wildcards.

blocked_endpoints string

Provider API paths the connector may not call. Block rules are checked before allow rules.

provider_info map

Provider-specific metadata such as workspace URLs, custom API base URLs, or icon references.

user_id string

Sprites user ID that created or owns the connector.

token_expires_at string

When the stored token expires, if the provider issues expiring tokens.

inserted_at string

When the connector was created.

updated_at string

When the connector was last updated.

usage_snippet string

Provider-specific curl snippet showing how to call the connector through the gateway.

Response Codes

201

Created

400

Invalid request parameters

401

Missing or invalid authentication

bash

curl -X POST \
  "https://api.sprites.dev/v1/oauth/connections/provision" \
  -H "Authorization: Bearer $SPRITES_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"provider":"openrouter"}'

200 Response

{
  "connection": {
    "id": "conn_abc123",
    "provider": "slack"
  }
}

List Connectors

GET /v1/oauth/connections

List connectors configured for the authenticated organization.

Query Parameters

provider string

Optional provider filter.

Response

application/json

connections* Connection[]

Connectors configured for the organization.

id* string

Connector ID used in gateway URLs.

provider* "slack" | "slack_bot" | "github" | "openrouter" | "custom_api"

Provider key.

provider_account_id* string

Provider account, workspace, or key identifier.

provider_account_name string

Human-readable provider account name.

scopes string

Comma-separated OAuth scopes granted to the connector.

connection_type "oauth" | "api_key" | "provisioned"

How the connector was created.

access_policy

Policy controlling which sprites and provider endpoints may use this connector.

allow_all boolean

When true, all sprites in the organization may use this connector.

sprite_labels string

Labels the calling sprite must have. All listed labels are required.

name_prefix string

Sprite name prefix required to use this connector.

allowed_endpoints string

Provider API paths the connector may call. Supports exact paths and trailing * prefix wildcards.

blocked_endpoints string

Provider API paths the connector may not call. Block rules are checked before allow rules.

provider_info map

Provider-specific metadata such as workspace URLs, custom API base URLs, or icon references.

user_id string

Sprites user ID that created or owns the connector.

token_expires_at string

When the stored token expires, if the provider issues expiring tokens.

inserted_at string

When the connector was created.

updated_at string

When the connector was last updated.

usage_snippet string

Provider-specific curl snippet showing how to call the connector through the gateway.

Response Codes

200

Success

401

Missing or invalid authentication

bash

curl -X GET \
  "https://api.sprites.dev/v1/oauth/connections" \
  -H "Authorization: Bearer $SPRITES_TOKEN"

200 Response

{
  "connections": [
    {
      "id": "conn_abc123",
      "provider": "slack"
    }
  ]
}

Get Connector

GET /v1/oauth/connections/{id}

Get a single connector by ID.

Path Parameters

id* string

Resource identifier

Response

application/json

connection*

Sanitized connector. Secrets and encrypted token fields are never returned.

id* string

Connector ID used in gateway URLs.

provider* "slack" | "slack_bot" | "github" | "openrouter" | "custom_api"

Provider key.

provider_account_id* string

Provider account, workspace, or key identifier.

provider_account_name string

Human-readable provider account name.

scopes string

Comma-separated OAuth scopes granted to the connector.

connection_type "oauth" | "api_key" | "provisioned"

How the connector was created.

access_policy

Policy controlling which sprites and provider endpoints may use this connector.

allow_all boolean

When true, all sprites in the organization may use this connector.

sprite_labels string

Labels the calling sprite must have. All listed labels are required.

name_prefix string

Sprite name prefix required to use this connector.

allowed_endpoints string

Provider API paths the connector may call. Supports exact paths and trailing * prefix wildcards.

blocked_endpoints string

Provider API paths the connector may not call. Block rules are checked before allow rules.

provider_info map

Provider-specific metadata such as workspace URLs, custom API base URLs, or icon references.

user_id string

Sprites user ID that created or owns the connector.

token_expires_at string

When the stored token expires, if the provider issues expiring tokens.

inserted_at string

When the connector was created.

updated_at string

When the connector was last updated.

usage_snippet string

Provider-specific curl snippet showing how to call the connector through the gateway.

Response Codes

200

Success

401

Missing or invalid authentication

404

Sprite not found

bash

curl -X GET \
  "https://api.sprites.dev/v1/oauth/connections/{id}" \
  -H "Authorization: Bearer $SPRITES_TOKEN"

200 Response

{
  "connection": {
    "id": "conn_abc123",
    "provider": "slack"
  }
}

Update Connector Policy

PATCH /v1/oauth/connections/{id}

Update a connector access policy.

Path Parameters

id* string

Resource identifier

Request Body

application/json

access_policy*

Replacement access policy.

allow_all boolean

When true, all sprites in the organization may use this connector.

sprite_labels string

Labels the calling sprite must have. All listed labels are required.

name_prefix string

Sprite name prefix required to use this connector.

allowed_endpoints string

Provider API paths the connector may call. Supports exact paths and trailing * prefix wildcards.

blocked_endpoints string

Provider API paths the connector may not call. Block rules are checked before allow rules.

Response

application/json

connection*

Sanitized connector. Secrets and encrypted token fields are never returned.

id* string

Connector ID used in gateway URLs.

provider* "slack" | "slack_bot" | "github" | "openrouter" | "custom_api"

Provider key.

provider_account_id* string

Provider account, workspace, or key identifier.

provider_account_name string

Human-readable provider account name.

scopes string

Comma-separated OAuth scopes granted to the connector.

connection_type "oauth" | "api_key" | "provisioned"

How the connector was created.

access_policy

Policy controlling which sprites and provider endpoints may use this connector.

allow_all boolean

When true, all sprites in the organization may use this connector.

sprite_labels string

Labels the calling sprite must have. All listed labels are required.

name_prefix string

Sprite name prefix required to use this connector.

allowed_endpoints string

Provider API paths the connector may call. Supports exact paths and trailing * prefix wildcards.

blocked_endpoints string

Provider API paths the connector may not call. Block rules are checked before allow rules.

provider_info map

Provider-specific metadata such as workspace URLs, custom API base URLs, or icon references.

user_id string

Sprites user ID that created or owns the connector.

token_expires_at string

When the stored token expires, if the provider issues expiring tokens.

inserted_at string

When the connector was created.

updated_at string

When the connector was last updated.

usage_snippet string

Provider-specific curl snippet showing how to call the connector through the gateway.

Response Codes

200

Success

400

Invalid request parameters

401

Missing or invalid authentication

404

Sprite not found

bash

curl -X PATCH \
  "https://api.sprites.dev/v1/oauth/connections/{id}" \
  -H "Authorization: Bearer $SPRITES_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"access_policy":{"allowed_endpoints":["/chat.*"],"sprite_labels":["api-access"]}}'

200 Response

{
  "connection": {
    "id": "conn_abc123",
    "provider": "slack"
  }
}

PUT /v1/oauth/connections/{id}

Update a connector access policy.

Path Parameters

id* string

Resource identifier

Request Body

application/json

access_policy*

Replacement access policy.

allow_all boolean

When true, all sprites in the organization may use this connector.

sprite_labels string

Labels the calling sprite must have. All listed labels are required.

name_prefix string

Sprite name prefix required to use this connector.

allowed_endpoints string

Provider API paths the connector may call. Supports exact paths and trailing * prefix wildcards.

blocked_endpoints string

Provider API paths the connector may not call. Block rules are checked before allow rules.

Response

application/json

connection*

Sanitized connector. Secrets and encrypted token fields are never returned.

id* string

Connector ID used in gateway URLs.

provider* "slack" | "slack_bot" | "github" | "openrouter" | "custom_api"

Provider key.

provider_account_id* string

Provider account, workspace, or key identifier.

provider_account_name string

Human-readable provider account name.

scopes string

Comma-separated OAuth scopes granted to the connector.

connection_type "oauth" | "api_key" | "provisioned"

How the connector was created.

access_policy

Policy controlling which sprites and provider endpoints may use this connector.

allow_all boolean

When true, all sprites in the organization may use this connector.

sprite_labels string

Labels the calling sprite must have. All listed labels are required.

name_prefix string

Sprite name prefix required to use this connector.

allowed_endpoints string

Provider API paths the connector may call. Supports exact paths and trailing * prefix wildcards.

blocked_endpoints string

Provider API paths the connector may not call. Block rules are checked before allow rules.

provider_info map

Provider-specific metadata such as workspace URLs, custom API base URLs, or icon references.

user_id string

Sprites user ID that created or owns the connector.

token_expires_at string

When the stored token expires, if the provider issues expiring tokens.

inserted_at string

When the connector was created.

updated_at string

When the connector was last updated.

usage_snippet string

Provider-specific curl snippet showing how to call the connector through the gateway.

Response Codes

200

Success

400

Invalid request parameters

401

Missing or invalid authentication

404

Sprite not found

bash

curl -X PUT \
  "https://api.sprites.dev/v1/oauth/connections/{id}" \
  -H "Authorization: Bearer $SPRITES_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"access_policy":{"allowed_endpoints":["/chat.*"],"sprite_labels":["api-access"]}}'

200 Response

{
  "connection": {
    "id": "conn_abc123",
    "provider": "slack"
  }
}

Delete Connector

DELETE /v1/oauth/connections/{id}

Delete a connector and its encrypted credentials.

Path Parameters

id* string

Resource identifier

Response

application/json

Response Codes

204

No content

401

Missing or invalid authentication

404

Sprite not found

bash

curl -X DELETE \
  "https://api.sprites.dev/v1/oauth/connections/{id}" \
  -H "Authorization: Bearer $SPRITES_TOKEN"

200 Response