Skip to main content
Just ask your agent. The easiest way to connect APIs is to tell your agent what you need:
  • “Connect to the JSONPlaceholder API”
  • “Add access to my company’s internal API”
  • “Set up the weather API with my API key”
The agent handles configuration, credentials, and validation automatically.
API sources provide a flexible HTTP tool that lets your agents connect to virtually any REST API. If a service has an API, your agent can use it - no MCP server required.

How It Works

When you configure an API source, Craft Agents:
  1. Creates a flexible HTTP tool for making requests
  2. Handles auth by securely storing and injecting credentials
  3. Validates the connection using the test endpoint
  4. Enables the agent to make any request to the API’s base URL
The result: your agent can call any endpoint on the configured API.

Configuration

API sources are configured with a JSON file:

Configuration Fields

Authentication Types

API sources support six authentication methods:

Bearer Token

Sends credentials as Authorization: Bearer {token}.

Header Authentication

Sends credentials in a custom header: X-API-Key: {token}.

Query Parameter Authentication

Appends credentials as a query parameter: ?api_key={token}.

OAuth 2.0

Two modes: auto-discovery (simplest) and explicit config (for providers without standard metadata). If the API supports RFC 9728 (OAuth Protected Resource Metadata), just set authType — endpoints and client registration are handled automatically:
Craft Agents will hit the base URL, read the WWW-Authenticate header, discover OAuth metadata, dynamically register a client, and start the authorization flow. No oauth config block needed.

Explicit config

For providers that don’t expose standard OAuth metadata (e.g. GitHub, Linear), provide the endpoints manually:
Full OAuth 2.0 flow with PKCE in both modes. Tokens are automatically refreshed and sent as Authorization: Bearer {token}.
For Google, Microsoft, and Slack APIs, Craft Agents has built-in OAuth support with predefined scopes — you don’t need to configure the oauth block manually. Just set the appropriate provider field.

No Authentication

For public APIs that don’t require authentication.

Basic Authentication

Sends credentials as Authorization: Basic {base64(username:password)}.

Multi-Header Authentication

Sends multiple credentials as separate headers. Each header name in the array gets its own input field during authentication. All headers are included in every API request.
Use multi-header authentication when an API requires two or more authentication headers simultaneously. This is common for services that separate identity from authorization, or require both an API key and an application secret.
Common use cases:
  • Datadog: DD-API-KEY + DD-APPLICATION-KEY
  • APIs with identity + signing keys: Separate API key and secret
  • Services with app + user credentials: Application key plus user token

Test Endpoint

The testEndpoint field specifies an endpoint used to verify the connection works. When you test a source, Craft Agents makes a request to this endpoint to confirm:
  • The base URL is reachable
  • Authentication credentials are valid
  • The API responds correctly
Common test endpoints:
Choose a lightweight endpoint that requires authentication. This validates both connectivity and credentials in one request.

Token Renewal (Optional)

For bearer-token APIs that provide their own token renewal endpoint (not OAuth), you can configure automatic token refresh with the optional renewEndpoint field. When the token expires, Craft Agents calls this endpoint to get a fresh token — no manual re-authentication needed.
When body is omitted, the current token is sent via the Authorization header. When body is provided, {{token}} placeholders in string values are replaced with the current token (supports nested objects).
This is for APIs with custom renewal endpoints, not OAuth. For OAuth-based APIs, use authType: "oauth" instead — tokens are refreshed automatically via the standard OAuth flow.

Why Use API Sources?

  • Universal Compatibility

    Any service with a REST API can be integrated.
  • Simple Configuration

    Just provide the base URL and auth details.
  • Flexible Requests

    The HTTP tool can make any request to the API — JSON bodies by default, with raw body support for plain text, XML, and other content types.
  • Secure Credentials

    API keys are stored encrypted, not in config files.

Comparison: MCP vs API Sources

Use MCP sources when available for richer integration with predefined tools. Use API sources for services without MCP support or when you need flexible HTTP access.
Need Google, Microsoft, or Slack? Craft Agents has built-in OAuth support for these services with predefined scopes. Just ask your agent to “connect Google Calendar” or “add Slack” and it will walk you through the OAuth flow.Need any other OAuth provider? Use authType: "oauth" with the oauth config block to connect GitHub, Linear, Notion, Spotify, or any other OAuth 2.0 service.

Next Steps

Practical Examples

Real-world examples of API source configurations.