How It Works
When you configure an API source, Craft Agents:- Creates a flexible HTTP tool for making requests
- Handles auth by securely storing and injecting credentials
- Validates the connection using the test endpoint
- Enables the agent to make any request to the API’s base URL
Configuration
API sources are configured with a JSON file:Configuration Fields
Authentication Types
API sources support six authentication methods:Bearer Token
Authorization: Bearer {token}.
Header Authentication
X-API-Key: {token}.
Query Parameter Authentication
?api_key={token}.
OAuth 2.0
Two modes: auto-discovery (simplest) and explicit config (for providers without standard metadata).Auto-discovery (recommended)
If the API supports RFC 9728 (OAuth Protected Resource Metadata), just setauthType — endpoints and client registration are handled automatically:
WWW-Authenticate header, discover OAuth metadata, dynamically register a client, and start the authorization flow. No oauth config block needed.
Explicit config
For providers that don’t expose standard OAuth metadata (e.g. GitHub, Linear), provide the endpoints manually:
Full OAuth 2.0 flow with PKCE in both modes. Tokens are automatically refreshed and sent as
Authorization: Bearer {token}.
No Authentication
Basic Authentication
Authorization: Basic {base64(username:password)}.
Multi-Header Authentication
- Datadog:
DD-API-KEY+DD-APPLICATION-KEY - APIs with identity + signing keys: Separate API key and secret
- Services with app + user credentials: Application key plus user token
Test Endpoint
ThetestEndpoint field specifies an endpoint used to verify the connection works. When you test a source, Craft Agents makes a request to this endpoint to confirm:
- The base URL is reachable
- Authentication credentials are valid
- The API responds correctly
Token Renewal (Optional)
For bearer-token APIs that provide their own token renewal endpoint (not OAuth), you can configure automatic token refresh with the optionalrenewEndpoint field. When the token expires, Craft Agents calls this endpoint to get a fresh token — no manual re-authentication needed.
When
body is omitted, the current token is sent via the Authorization header. When body is provided, {{token}} placeholders in string values are replaced with the current token (supports nested objects).
Why Use API Sources?
Universal Compatibility
Any service with a REST API can be integrated.Simple Configuration
Just provide the base URL and auth details.Flexible Requests
The HTTP tool can make any request to the API — JSON bodies by default, with raw body support for plain text, XML, and other content types.Secure Credentials
API keys are stored encrypted, not in config files.
Comparison: MCP vs API Sources
Use MCP sources when available for richer integration with predefined tools. Use API sources for services without MCP support or when you need flexible HTTP access.
Need Google, Microsoft, or Slack? Craft Agents has built-in OAuth support for these services with predefined scopes. Just ask your agent to “connect Google Calendar” or “add Slack” and it will walk you through the OAuth flow.Need any other OAuth provider? Use
authType: "oauth" with the oauth config block to connect GitHub, Linear, Notion, Spotify, or any other OAuth 2.0 service.Next Steps
Practical Examples
Real-world examples of API source configurations.