Connection

Field	Type	Behavior	Description
`name`	string	OUTPUT_ONLY	Resource name (`connections/{id}`)
`connection_type`	ConnectionType	REQUIRED	Type of external system (e.g. `CONNECTION_TYPE_POSTGRES`, `CONNECTION_TYPE_SLACK`)
`display_name`	string	REQUIRED	Human-readable name for the connection
`description`	string	REQUIRED	Description of what this connection provides
`create_time`	timestamp	OUTPUT_ONLY	When the connection was created
`update_time`	timestamp	OUTPUT_ONLY	When the connection was last modified
`delete_time`	timestamp	OUTPUT_ONLY	When the connection was soft-deleted (null if active)
`secret_id`	string		ID of the secret storing full connection details
`connection_details`	ConnectionDetails	REQUIRED	Connection-specific configuration
`tool_configurations`	ToolConfiguration[]		Which tools are enabled for this connection
`read_only`	boolean	OUTPUT_ONLY	Whether the connection is system-managed and cannot be edited
`shell_environment`	ShellEnvironment	OUTPUT_ONLY	Shell prompt information (populated on Get only)
`connection_status`	Status	OUTPUT_ONLY	Operational status of credential resolution (nil or OK means healthy)
`token_expires_at`	timestamp	OUTPUT_ONLY	When the current OAuth access token expires. Set by the server whenever credentials are refreshed; null for connection types that don’t use refreshable OAuth tokens.

Example

{
  "name": "connections/prod-iceberg",
  "connectionType": "CONNECTION_TYPE_ICEBERG",
  "displayName": "Production Iceberg",
  "description": "Iceberg connection for production data lake",
  "createTime": "2026-02-07T08:28:56.588670Z",
  "updateTime": "2026-02-07T08:28:56.588670Z",
  "secretId": "conn_778f2937dc19466086069ee42d234b0a"
}

Connection Type

Value	Description
`CONNECTION_TYPE_POSTGRES`	PostgreSQL database
`CONNECTION_TYPE_HTTP`	Generic HTTP API
`CONNECTION_TYPE_GOOGLE_POSTMASTER`	Google Postmaster Tools
`CONNECTION_TYPE_PYLON`	Pylon customer support platform
`CONNECTION_TYPE_GITHUB`	GitHub App installation
`CONNECTION_TYPE_SLACK`	Slack workspace
`CONNECTION_TYPE_PROMQL`	PromQL-compatible Prometheus API
`CONNECTION_TYPE_LINEAR`	Linear project management
`CONNECTION_TYPE_AWS`	AWS (IAM role assumption or static credentials)
`CONNECTION_TYPE_GCP`	GCP (service account authentication)
`CONNECTION_TYPE_CLICKHOUSE`	ClickHouse database
`CONNECTION_TYPE_MYSQL`	MySQL database
`CONNECTION_TYPE_ICEBERG`	Apache Iceberg REST catalog
`CONNECTION_TYPE_DATADOG`	Datadog observability platform
`CONNECTION_TYPE_INCIDENT_IO`	incident.io webhook integration
`CONNECTION_TYPE_PAGERDUTY`	PagerDuty incident management
`CONNECTION_TYPE_OPENAPI`	OpenAPI-described REST API
`CONNECTION_TYPE_CLERK`	Clerk user management and authentication
`CONNECTION_TYPE_VANTA`	Vanta compliance and security automation
`CONNECTION_TYPE_CONVEX`	Convex log stream webhook integration
`CONNECTION_TYPE_WORKOS`	WorkOS user management, SSO, and directory sync
`CONNECTION_TYPE_TRINO`	Trino distributed SQL query engine
`CONNECTION_TYPE_EMAIL_WEBHOOK`	Guarded customer-email delivery to a fixed webhook endpoint
`CONNECTION_TYPE_GRPC`	gRPC or ConnectRPC service via server reflection
`CONNECTION_TYPE_CURSOR`	Cursor AI code editor — trigger cloud agents to fix issues
`CONNECTION_TYPE_ELASTICSEARCH`	Elasticsearch cluster (queried via Elasticsearch SQL)
`CONNECTION_TYPE_GRAPHQL`	GraphQL endpoint, driven via fireshell `curl` with introspection-based discovery
`CONNECTION_TYPE_TEMBO`	Tembo — launch coding-agent tasks or trigger automations on issues
`CONNECTION_TYPE_REPLICAS`	Replicas — launch background coding agents on issues to open pull requests
`CONNECTION_TYPE_CODER`	Coder — launch a self-hosted Coder Task (workspace running an embedded coding agent) on issues

Tool

Each connection type supports a set of tools that agents can use. The enabled_tools field on AgentConnection and RunbookConnection references values from this enum.

Value	Description
`TOOL_POSTGRES_QUERY`	Execute a read-only SQL query against PostgreSQL
`TOOL_POSTGRES_WRITE_QUERY`	Execute a read-write SQL query against PostgreSQL
`TOOL_HTTP_REQUEST`	Make an HTTP request
`TOOL_GITHUB_SEARCH_CODE`	Search code in GitHub repositories
`TOOL_GITHUB_GET_FILE`	Get file contents from a GitHub repository
`TOOL_GITHUB_LIST_DIRECTORY`	List files in a GitHub repository directory
`TOOL_GITHUB_GET_PR`	Get a GitHub pull request
`TOOL_GITHUB_GET_ISSUE`	Get a GitHub issue
`TOOL_GITHUB_PULL_REQUEST_SEARCH`	Search GitHub pull requests
`TOOL_GITHUB_CREATE_ISSUE`	Create a GitHub issue
`TOOL_GITHUB_ADD_ISSUE_COMMENT`	Add a comment to a GitHub issue
`TOOL_GITHUB_LIST_ISSUES`	List GitHub issues
`TOOL_GITHUB_CREATE_PR_COMMENT`	Add a comment to a GitHub pull request
`TOOL_GITHUB_LIST_PR_COMMENTS`	List comments on a GitHub pull request
`TOOL_GITHUB_LIST_PR_REVIEWS`	List reviews on a GitHub pull request
`TOOL_GITHUB_LIST_ORGANIZATION_MEMBERS`	List members of a GitHub organization
`TOOL_GITHUB_LIST_REPOS`	List repositories in a GitHub organization
`TOOL_PROMQL_QUERY`	Execute an instant PromQL query
`TOOL_PROMQL_QUERY_RANGE`	Execute a range PromQL query
`TOOL_PROMQL_LABELS`	List all label names from Prometheus
`TOOL_PROMQL_LABEL_VALUES`	Get label values from Prometheus
`TOOL_PROMQL_SERIES`	Get time series from Prometheus
`TOOL_PROMQL_METADATA`	Get metric metadata from Prometheus
`TOOL_GOOGLE_POSTMASTER_LIST_DOMAINS`	List domains in Google Postmaster Tools
`TOOL_GOOGLE_POSTMASTER_GET_TRAFFIC_STATS`	Get traffic stats from Google Postmaster Tools
`TOOL_PYLON_LIST_ISSUES`	List issues from Pylon
`TOOL_SLACK_SEND_MESSAGE`	Send a message in Slack
`TOOL_FIRETIGER_QUERY`	Query Firetiger’s data lake
`TOOL_FIRETIGER_CODEBASE_SEARCH`	Search code across configured repositories
`TOOL_LINEAR_LIST_ISSUES`	List issues from Linear
`TOOL_LINEAR_LIST_USERS`	List users from Linear
`TOOL_CLICKHOUSE_QUERY`	Execute a query against ClickHouse
`TOOL_MYSQL_QUERY`	Execute a read-only query against MySQL
`TOOL_ICEBERG_QUERY`	Query an Apache Iceberg table
`TOOL_DATADOG_QUERY_METRICS`	Query metrics from Datadog
`TOOL_DATADOG_QUERY_LOGS`	Query logs from Datadog
`TOOL_OPENAPI_REQUEST`	Make HTTP requests to an OpenAPI-described API
`TOOL_OPENAPI_SCHEMA`	Introspect the OpenAPI spec for available endpoints and schemas
`TOOL_GCP_QUERY_METRICS`	Query GCP Cloud Monitoring metrics via PromQL
`TOOL_TRINO_QUERY`	Execute a query against a Trino cluster
`TOOL_EMAIL_WEBHOOK_SEND`	Send an approved customer email via a guarded webhook
`TOOL_GRPC_SERVICES`	List all services and methods available via gRPC server reflection
`TOOL_GRPC_DESCRIBE`	Show the full schema of a gRPC service including field types and documentation
`TOOL_GRPC_REQUEST`	Invoke a gRPC or ConnectRPC method with a JSON payload

Tool Configuration

Controls whether a specific tool is enabled on a connection.

Field	Type	Description
`tool`	Tool	The tool being configured
`is_enabled`	boolean	Whether this tool is enabled

Connection Details

Connection-specific configuration. This is a union type – exactly one variant is set, matching the connection’s connection_type. The fields vary by connection type (e.g. host/port/database for PostgreSQL, base URL and headers for HTTP). Refer to the connection creation UI or ftops api connections for the fields available for each type.

HTTP Connection Details

Field	Type	Description
`base_url`	string	Base URL for HTTP requests
`allowed_routes`	string[]	Allowed route patterns
`headers`	map<string, string>	Non-auth headers included in every request (e.g. `Content-Type`, `X-Tenant-ID`)
`max_response_size_bytes`	uint64	Maximum response size in bytes
`timeout_seconds`	uint32	Request timeout in seconds
`oauth_client_credentials`	OAuthClientCredentials	OAuth 2.0 Client Credentials grant (oneof `auth`)
`bearer_token`	HttpBearerAuth	Static Bearer token (oneof `auth`)
`basic_auth`	HttpBasicAuth	HTTP Basic authentication (oneof `auth`)
`static_headers`	HttpAuthStaticHeaders	Auth via raw headers (oneof `auth`)
`webhook_signing_secret`	string	Optional outbound webhook signing secret

Authentication is configured via the auth oneof — set exactly one of the four auth fields above.

OAuth Client Credentials

The resolver automatically obtains and refreshes an OAuth 2.0 access token using the client credentials grant. The token is injected as an Authorization: Bearer header on each request.

Field	Type	Behavior	Description
`token_url`	string	REQUIRED	Token endpoint URL (must use HTTPS, e.g. `https://api.vanta.com/oauth/token`)
`client_id`	string		OAuth client ID (returned in responses)
`client_secret`	string	INPUT_ONLY	OAuth client secret (not returned in responses)
`scopes`	string		Optional space-separated scopes to request
`extra_params`	map<string, string>		Optional additional form parameters for the token request (e.g. `audience`)
`access_token`	string	OUTPUT_ONLY	Current access token (populated by the resolver)
`token_expires_at`	timestamp	OUTPUT_ONLY	When the current access token expires

Bearer Token

Field	Type	Behavior	Description
`token`	string	INPUT_ONLY	Bearer token value

Basic Auth

Field	Type	Behavior	Description
`username`	string		Username
`password`	string	INPUT_ONLY	Password

Static Headers

Field	Type	Behavior	Description
`headers`	map<string, string>	INPUT_ONLY	Auth headers to include in every request

Non-auth headers can be used alongside any auth method (e.g. X-Tenant-ID). Auth headers are resolved from the auth field and merged into the request; do not duplicate auth headers in headers.

AWS SigV4 Auth

AWS Signature Version 4 authentication for services that require SigV4-signed requests (e.g., Amazon Managed Prometheus). The server resolves the configured credentials into temporary session credentials before each request.

Field	Type	Behavior	Description
`region`	string	REQUIRED	AWS region for SigV4 signing (e.g. `us-west-2`)
`assume_role`	AwsAssumeRoleAuth		IAM role assumption (oneof `credentials`)
`static_credentials`	AwsStaticCredentialsAuth		Static IAM credentials (oneof `credentials`)
`session_credentials`	AwsSessionCredentials	OUTPUT_ONLY	Resolved temporary credentials (populated by the server)

Exactly one of assume_role or static_credentials must be set.

AWS Assume Role Auth

Field	Type	Behavior	Description
`role_arn`	string	REQUIRED	ARN of the IAM role to assume (e.g. `arn:aws:iam::123456789012:role/prometheus-read`)
`external_id`	string		Optional external ID for cross-account access

AWS Static Credentials Auth

Field	Type	Behavior	Description
`access_key_id`	string	INPUT_ONLY, REQUIRED	AWS access key ID
`secret_access_key`	string	INPUT_ONLY, REQUIRED	AWS secret access key
`session_token`	string	INPUT_ONLY	Optional session token for temporary credentials

HTTP Webhook Signing

When webhook_signing_secret is present, outbound HTTP requests can include a GitHub-style X-Webhook-Signature header computed as sha256=<hex digest> over the exact raw request body bytes. The runtime only signs POST, PUT, DELETE, and PATCH requests, and only when a request body is actually sent.

Email Webhook Connection Details

Guarded customer-email delivery to a fixed webhook endpoint.

Field	Type	Description
`base_url`	string	Full webhook URL for customer email delivery
`allowed_routes`	string[]	Allowed route patterns. In practice this is fixed to `POST /`
`headers`	map<string, string>	Non-auth headers included in every request
`max_response_size_bytes`	uint64	Maximum response size in bytes
`timeout_seconds`	uint32	Request timeout in seconds
`oauth_client_credentials`	OAuthClientCredentials	OAuth 2.0 Client Credentials grant (oneof `auth`)
`bearer_token`	HttpBearerAuth	Static Bearer token (oneof `auth`)
`basic_auth`	HttpBasicAuth	HTTP Basic authentication (oneof `auth`)
`static_headers`	HttpAuthStaticHeaders	Auth via raw headers (oneof `auth`)
`webhook_signing_secret`	string	Optional outbound webhook signing secret
`slack_connection_name`	string	Optional Slack connection to notify when a customer email is waiting for review
`slack_channel`	string	Optional Slack channel to notify when a customer email is waiting for review

Authentication is configured via the auth oneof — set exactly one of the four auth fields above. The auth field shapes are the same as HTTP Connection Details.

If both slack_connection_name and slack_channel are set, Firetiger sends a best-effort Slack notification when a customer email is waiting for review. If they are omitted, the guarded email flow still works normally.

gRPC Connection Details

Connect to a gRPC or ConnectRPC service. Agents use the grpc_services, grpc_describe, and grpc_request tools for reflection-based discovery and method invocation.

Field	Type	Behavior	Description
`address`	string	REQUIRED	Server address in `host:port` format (e.g. `api.example.com:443`)
`protocol`	enum		Wire protocol for method invocation. One of `GRPC_PROTOCOL_GRPC` (default), `GRPC_PROTOCOL_CONNECT`, `GRPC_PROTOCOL_GRPCWEB`. Service discovery always uses gRPC regardless of this setting.
`basic_auth`	BasicAuth		HTTP Basic authentication (oneof `auth`)
`bearer_auth`	BearerAuth		Bearer token authentication (oneof `auth`)

Authentication is optional — omit the auth field for unauthenticated services. When auth is configured, credentials are injected as HTTP headers on TLS connections. Auth injection requires port 443; credentials will not be injected for non-standard ports.

gRPC Basic Auth

Field	Type	Behavior	Description
`username`	string		Username
`password`	string	INPUT_ONLY	Password

gRPC Bearer Auth

Field	Type	Behavior	Description
`token`	string	INPUT_ONLY	Bearer token value

PromQL Connection Details

Connect to a Prometheus-compatible metrics API. Agents use the promql_query, promql_query_range, promql_labels, promql_label_values, promql_series, and promql_metadata tools.

Field	Type	Behavior	Description
`base_url`	string	REQUIRED	Base URL of the Prometheus API (e.g. `https://prometheus.example.com`)
`timeout`	duration		Request timeout for API calls. Defaults to 30 seconds
`basic`	HttpBasicAuth		HTTP Basic authentication (oneof `auth`)
`bearer`	HttpBearerAuth		Bearer token authentication (oneof `auth`)
`sigv4`	AwsSigV4Auth		AWS SigV4 authentication for Amazon Managed Prometheus (oneof `auth`)

Authentication is optional — omit the auth field entirely for Prometheus instances that don’t require authentication (e.g. internal/VPN-only deployments). When auth is needed, set exactly one of the three auth fields above.

Example (no auth)

{
  "connectionType": "CONNECTION_TYPE_PROMQL",
  "displayName": "Internal Prometheus",
  "description": "VPN-only Prometheus instance",
  "connectionDetails": {
    "promql": {
      "baseUrl": "https://prometheus.internal.example.com"
    }
  }
}

Example (bearer token)

{
  "connectionType": "CONNECTION_TYPE_PROMQL",
  "displayName": "Grafana Cloud Prometheus",
  "description": "Grafana Cloud managed Prometheus",
  "connectionDetails": {
    "promql": {
      "baseUrl": "https://prometheus-prod-01-eu-west-0.grafana.net/api/prom",
      "bearer": {
        "token": "glc_..."
      }
    }
  }
}

Example (AWS SigV4 — Amazon Managed Prometheus)

{
  "connectionType": "CONNECTION_TYPE_PROMQL",
  "displayName": "Production AMP",
  "description": "Amazon Managed Prometheus workspace",
  "connectionDetails": {
    "promql": {
      "baseUrl": "https://aps-workspaces.us-west-2.amazonaws.com/workspaces/ws-abc123",
      "sigv4": {
        "region": "us-west-2",
        "assumeRole": {
          "roleArn": "arn:aws:iam::123456789012:role/prometheus-read"
        }
      }
    }
  }
}

OpenAPI Connection Details

Connect to any REST API that publishes an OpenAPI (Swagger) specification. The agent can introspect the spec to discover endpoints and make authenticated requests.

Field	Type	Description
`spec_url`	string	URL to fetch the OpenAPI specification (JSON or YAML)
`server_url`	string	Base URL of the API server. If empty, derived from the spec’s `servers[0].url`
`oauth_client_credentials`	OAuthClientCredentials	OAuth 2.0 Client Credentials grant (oneof `auth`)
`bearer_token`	HttpBearerAuth	Static Bearer token (oneof `auth`)
`basic_auth`	HttpBasicAuth	HTTP Basic authentication (oneof `auth`)

Authentication is configured via the auth oneof — set exactly one of the three auth fields above. The auth types reuse the same messages as HTTP Connection Details.

When server_url is omitted, the resolver fetches the spec and extracts the base URL from servers[0].url, resolving relative paths (e.g. /v1) against the spec URL.

Example

{
  "connectionType": "CONNECTION_TYPE_OPENAPI",
  "displayName": "Vanta API",
  "description": "Vanta compliance platform API",
  "connectionDetails": {
    "openapi": {
      "specUrl": "https://firetiger-public.s3.us-west-2.amazonaws.com/connections/vanta/openapi.json",
      "serverUrl": "https://api.vanta.com/v1",
      "oauthClientCredentials": {
        "tokenUrl": "https://api.vanta.com/oauth/token",
        "clientId": "my-client-id",
        "clientSecret": "my-client-secret",
        "scopes": "vanta-api.all:read"
      }
    }
  }
}

Clerk Connection Details

Connect to the Clerk Backend API for user management and authentication. Uses a Bearer token (Clerk secret key) for auth.

Field	Type	Description
`bearer_token`	HttpBearerAuth	Clerk Secret Key (`sk_live_...` or `sk_test_...`) as Bearer token (oneof `auth`)

Authentication is configured via the auth oneof. The Clerk connection automatically configures the OpenAPI spec URL (https://clerk.com/docs/reference/spec/bapi/2025-11-10) and server URL (https://api.clerk.com). Agents use the openapi_schema and openapi_request tools to interact with the API.

Example

{
  "connectionType": "CONNECTION_TYPE_CLERK",
  "displayName": "Clerk",
  "description": "Clerk user management and authentication API",
  "connectionDetails": {
    "clerk": {
      "bearerToken": {
        "token": "sk_live_..."
      }
    }
  }
}

Vanta Connection Details

Connect to the Vanta API for compliance and security automation. Uses OAuth 2.0 Client Credentials for authentication.

Field	Type	Description
`oauth_client_credentials`	OAuthClientCredentials	OAuth 2.0 Client Credentials for Vanta API (oneof `auth`)

Authentication is configured via the auth oneof. The Vanta connection automatically configures the OpenAPI spec URL (https://firetiger-public.s3.us-west-2.amazonaws.com/connections/vanta/openapi.json) and server URL (https://api.vanta.com/v1). Agents use the openapi_schema and openapi_request tools to interact with the API.

Example

{
  "connectionType": "CONNECTION_TYPE_VANTA",
  "displayName": "Vanta",
  "description": "Vanta compliance and security automation API",
  "connectionDetails": {
    "vanta": {
      "oauthClientCredentials": {
        "tokenUrl": "https://api.vanta.com/oauth/token",
        "clientId": "my-client-id",
        "clientSecret": "my-client-secret",
        "scopes": "vanta-api.all:read"
      }
    }
  }
}

WorkOS Connection Details

Connect to the WorkOS API for user management, SSO, directory sync, and audit logs. Uses standard WorkOS API authentication (API key starting with sk_). Agents use the openapi_schema and openapi_request tools to interact with the API.

Field	Type	Description
`bearer_token`	HttpBearerAuth	WorkOS API key as Bearer token (oneof `auth`)
`read_only`	boolean	When true, only GET requests are allowed

Example

{
  "connectionType": "CONNECTION_TYPE_WORKOS",
  "displayName": "WorkOS",
  "connectionDetails": {
    "workOs": {
      "bearerToken": { "token": "sk_..." },
      "readOnly": true
    }
  }
}

Trino Connection Details

Connect to a Trino distributed SQL query engine (including Starburst). Agents use the query_trino tool to execute SQL queries.

Field	Type	Behavior	Description
`host`	string	REQUIRED	Trino coordinator host (e.g. `trino.example.com`)
`port`	int32	REQUIRED	Coordinator port (default 8080 for HTTP, 443 for HTTPS)
`catalog`	string	REQUIRED	Default catalog (e.g. `hive`, `iceberg`, `tpch`)
`schema`	string		Default schema within the catalog (optional)
`username`	string	REQUIRED	Username for authentication
`password`	string	INPUT_ONLY	Password (optional — Trino supports no-auth setups)
`secure`	boolean		Enable HTTPS (default true). When `false`, the fireshell proxy routes the configured port as plaintext HTTP and dials the upstream over `http://`; when `true`, it terminates TLS and dials over `https://`. Set `false` for clusters that only serve HTTP on the coordinator port.

Example

{
  "connectionType": "CONNECTION_TYPE_TRINO",
  "displayName": "Starburst Trino",
  "description": "Production Trino cluster",
  "connectionDetails": {
    "trino": {
      "host": "trino.example.com",
      "port": 443,
      "catalog": "hive",
      "schema": "default",
      "username": "trino_user",
      "password": "secret",
      "secure": true
    }
  }
}

Elasticsearch Connection Details

Connect to an Elasticsearch cluster. Agents drive Elasticsearch queries through the shell environment — $ES_URL is exported and an Authorization header (Basic or ApiKey, based on the selected auth branch) is injected by the fireshell proxy. Use Elasticsearch SQL via POST $ES_URL/_sql?format=json. There is no dedicated TOOL_* enum for Elasticsearch.

Field	Type	Behavior	Description
`url`	string	REQUIRED	Cluster base URL including scheme. Both `https://` and `http://` are accepted (e.g. `https://es.example.com:9200` or `http://es.internal:9200`). The fireshell proxy MITMs as TLS for `https://` URLs and as plaintext HTTP for `http://` URLs; pick the scheme that matches the actual cluster — pasting `https://` against a plaintext server fails the upstream TLS handshake and returns 502.
`auth`	oneof	REQUIRED	Authentication method. Set exactly one of `basic`, `api_key`, or `none`
`auth.basic.username`	string	REQUIRED (within `basic`)	Username for HTTP Basic auth
`auth.basic.password`	string	INPUT_ONLY	Password for HTTP Basic auth
`auth.api_key.token`	string	INPUT_ONLY	Base64-encoded Elastic API key, sent as `Authorization: ApiKey <token>` (the `api_key` oneof branch wraps an HttpBearerAuth-shaped message; only the header scheme prefix differs from a standard bearer token)
`auth.none`	message		Explicitly unauthenticated. For local/dev clusters with security disabled.
`tls_skip_verify`	boolean		Skip TLS certificate verification. Use only for self-signed clusters on trusted networks.

When updating a connection, omit auth.basic.password or auth.api_key.token to keep the existing credential.

Example

{
  "connectionType": "CONNECTION_TYPE_ELASTICSEARCH",
  "displayName": "Production Elasticsearch",
  "description": "Primary search cluster",
  "connectionDetails": {
    "elasticsearch": {
      "url": "https://es.example.com:9200",
      "basic": {
        "username": "elastic",
        "password": "secret"
      }
    }
  }
}

GraphQL Connection Details

Connect to any GraphQL endpoint. The connection is shell-only — there is no dedicated TOOL_* enum. Agents drive it through the fireshell environment: $GRAPHQL_URL is exported and the configured auth header(s) are injected by the proxy on the URL’s host. Discover the schema via GraphQL introspection at runtime (e.g. {__schema{queryType{fields{name description}}}}) — schemas are not cached on the connection record because real-world schemas can be hundreds of kilobytes of SDL.

The auth oneof reuses the same auth messages as the HTTP and OpenAPI connection types so creation forms, Terraform, and credential rotation behave identically across them.

Field	Type	Behavior	Description
`url`	string	REQUIRED	Endpoint URL. Both `https://` and `http://` are accepted (e.g. `https://6.8.sourcegraph.com/api/graphql` or `http://gql.internal/graphql`). The fireshell proxy MITMs as TLS for `https://` URLs and as plaintext HTTP for `http://` URLs; pick the scheme that matches the actual server — pasting `https://` against a plaintext endpoint fails the upstream TLS handshake and returns 502.
`auth`	oneof	REQUIRED	Authentication method. Set exactly one of `bearer`, `basic`, `static_headers`, or `none`.
`auth.bearer.token`	string	INPUT_ONLY	Bearer token, sent as `Authorization: Bearer <token>`. Use for Linear, GitHub GraphQL, and other APIs that follow the standard Bearer scheme.
`auth.basic.username`	string	REQUIRED (within `basic`)	Username for HTTP Basic auth.
`auth.basic.password`	string	INPUT_ONLY	Password for HTTP Basic auth.
`auth.static_headers.headers`	map<string, string>	INPUT_ONLY	Arbitrary header map, injected on the configured host. Covers schemes that don’t fit Bearer — Sourcegraph (`Authorization: token <X>`), Shopify Admin (`X-Shopify-Access-Token: <X>`), Hasura (`X-Hasura-Admin-Secret: <X>`), etc.
`auth.none`	message		No authentication — for public GraphQL APIs.

When updating a connection, omit auth.bearer.token, auth.basic.password, or auth.static_headers.headers to keep the existing credential.

Example (Sourcegraph — static headers)

{
  "connectionType": "CONNECTION_TYPE_GRAPHQL",
  "displayName": "Sourcegraph",
  "description": "Sourcegraph code search GraphQL API",
  "connectionDetails": {
    "graphql": {
      "url": "https://6.8.sourcegraph.com/api/graphql",
      "staticHeaders": {
        "headers": {
          "Authorization": "token your-sourcegraph-token"
        }
      }
    }
  }
}

Example (Linear — bearer token)

{
  "connectionType": "CONNECTION_TYPE_GRAPHQL",
  "displayName": "Linear",
  "description": "Linear GraphQL API",
  "connectionDetails": {
    "graphql": {
      "url": "https://api.linear.app/graphql",
      "bearer": {
        "token": "lin_api_..."
      }
    }
  }
}

Datadog Connection Details

Connect to Datadog for querying metrics, logs, traces, monitors, and dashboards. Both an API key and an Application Key are required.

Field	Type	Behavior	Description
`site`	string	REQUIRED	Datadog site (e.g. `datadoghq.com`, `datadoghq.eu`, `us3.datadoghq.com`)
`api_key`	string	INPUT_ONLY	Datadog API key. Required for all Datadog API requests. Find it in Organization Settings → API Keys.
`application_key`	string	INPUT_ONLY	Datadog Application Key. Required for query operations (metrics, logs, traces) and management endpoints (monitors, dashboards). Find it in Organization Settings → Application Keys.

When updating a connection, omit api_key and application_key to keep the existing values.

Example

{
  "connectionType": "CONNECTION_TYPE_DATADOG",
  "displayName": "Datadog Production",
  "description": "Datadog observability platform - query metrics, search logs, inspect monitors, and analyze APM traces",
  "connectionDetails": {
    "datadog": {
      "site": "datadoghq.com",
      "apiKey": "your-api-key",
      "applicationKey": "your-application-key"
    }
  }
}

Cursor Connection Details

Connect to Cursor to trigger cloud agents that automatically fix issues in your codebase.

Field	Type	Behavior	Description
`api_key`	string	INPUT_ONLY	Cursor API key. Find it at cursor.com/dashboard/cloud-agents under My User API Keys.
`default_repository`	string	Optional	Default GitHub repository (e.g. `https://github.com/owner/repo`) used to seed the agent when the issue carries no GitHub link. A GitHub link on the issue takes precedence. Leave empty to require a link on every issue.

When updating a connection, omit api_key to keep the existing value.

Example

{
  "connectionType": "CONNECTION_TYPE_CURSOR",
  "displayName": "Cursor",
  "description": "Cursor AI code editor — trigger cloud agents to fix issues",
  "connectionDetails": {
    "cursor": {
      "apiKey": "your-cursor-api-key",
      "defaultRepository": "https://github.com/owner/repo"
    }
  }
}

Tembo Connection Details

Connect to Tembo to launch coding-agent tasks or trigger pre-configured automations on issues. Tembo’s API lives at api.tembo.io; the organization is derived server-side from the API key.

Field	Type	Behavior	Description
`api_key`	string	INPUT_ONLY	Tembo API key. Find it at app.tembo.io under Settings → API Keys.
`task`	TemboTaskMode	oneof `mode`	Configures ad-hoc coding-agent task launches (`POST /task/create`). Mutually exclusive with `automation`.
`automation`	TemboAutomationMode	oneof `mode`	Configures automation triggers (`POST /automation/{key}/trigger`). Mutually exclusive with `task`.
`default_repository`	string	Optional	Default GitHub repository (e.g. `https://github.com/owner/repo`) used to seed a Tembo task when the issue carries no GitHub link. A GitHub link on the issue takes precedence. Applies to task mode only; automation mode tolerates an empty repository.

Exactly one of task or automation must be set on create and whenever the full connection_details object is replaced on update; this is enforced at the API boundary. When updating a connection, omit api_key to keep the existing value.

Tembo Task Mode

Field	Type	Behavior	Description
`default_agent`	string	Optional	Default Tembo agent identifier, e.g. `claudeCode:claude-sonnet-4-6`. Leave empty to use Tembo’s org-level default.

Tembo Automation Mode

Field	Type	Behavior	Description
`automation_key`	string	REQUIRED	Tembo automation key or UUID. Find it in the automation’s properties panel on app.tembo.io.

Example (task mode)

{
  "connectionType": "CONNECTION_TYPE_TEMBO",
  "displayName": "Tembo",
  "description": "Launch Tembo coding agents on issues",
  "connectionDetails": {
    "tembo": {
      "apiKey": "your-tembo-api-key",
      "defaultRepository": "https://github.com/owner/repo",
      "task": {
        "defaultAgent": "claudeCode:claude-sonnet-4-6"
      }
    }
  }
}

Example (automation mode)

{
  "connectionType": "CONNECTION_TYPE_TEMBO",
  "displayName": "Tembo on-call automation",
  "description": "Trigger the on-call Tembo automation for incoming issues",
  "connectionDetails": {
    "tembo": {
      "apiKey": "your-tembo-api-key",
      "automation": {
        "automationKey": "fix-on-call-issues"
      }
    }
  }
}

Replicas Connection Details

Connect to Replicas to launch background coding agents on issues. Each agent runs in a sandboxed VM bound to a Replicas environment and opens a pull request. Replicas’ API lives at api.tryreplicas.com; the organization is derived server-side from the API key.

Field	Type	Behavior	Description
`api_key`	string	INPUT_ONLY, REQUIRED	Replicas API key. Find it at tryreplicas.com/dashboard/apikeys.
`coding_agent`	ReplicasCodingAgentBackend	Optional	Which agent backend runs inside the sandbox. Defaults to `claude` when unspecified.
`environment_id`	string	REQUIRED	UUID of the Replicas environment to launch into. Its repository binding determines which repo the agent operates on. Copy it from tryreplicas.com/dashboard — installing the Replicas GitHub App on a repo auto-creates a `Default <repo>` environment.

api_key and environment_id are both required on create; this is enforced at the API boundary. When updating a connection, omit api_key to keep the existing value.

Replicas Coding Agent Backend

Value	Description
`REPLICAS_CODING_AGENT_BACKEND_UNSPECIFIED`	Use the Replicas API default (currently Claude)
`REPLICAS_CODING_AGENT_BACKEND_CLAUDE`	Run Claude inside the sandbox
`REPLICAS_CODING_AGENT_BACKEND_CODEX`	Run Codex inside the sandbox

Example

{
  "connectionType": "CONNECTION_TYPE_REPLICAS",
  "displayName": "Replicas",
  "description": "Launch Replicas background coding agents on issues",
  "connectionDetails": {
    "replicas": {
      "apiKey": "your-replicas-api-key",
      "codingAgent": "REPLICAS_CODING_AGENT_BACKEND_CLAUDE",
      "environmentId": "00000000-0000-0000-0000-000000000000"
    }
  }
}

Coder Connection Details

Connect to a self-hosted Coder deployment to launch a Coder Task on issues — a workspace running an embedded coding agent (e.g. Claude Code). The template version determines the embedded agent and the repository the agent operates on, so it lives on the connection. The Firetiger prompt is forwarded as the Task’s input, and the Task is created via the GA Tasks API (POST {base_url}/api/v2/tasks/{username}) using the Coder-Session-Token header.

Field	Type	Behavior	Description
`base_url`	string	REQUIRED	Base URL of the Coder deployment, e.g. `https://coder.example.com`.
`session_token`	string	INPUT_ONLY, REQUIRED	Long-lived Coder API token. Create one with `coder tokens create`.
`template_version_id`	string	REQUIRED	UUID of the template version Tasks are built from. Defines the embedded agent and the repository. Find it in Coder under Templates → your template → the active version.
`template_version_preset_id`	string	Optional	UUID of a template version preset (parameter bundle). Omit to use the template’s defaults.
`username`	string	Optional	Coder username that should own created Tasks. Defaults to the token owner (`me`).

base_url, session_token, and template_version_id are all required on create; this is enforced at the API boundary. When updating a connection, omit session_token to keep the existing value.

Example

{
  "connectionType": "CONNECTION_TYPE_CODER",
  "displayName": "Coder",
  "description": "Launch Coder Tasks on issues",
  "connectionDetails": {
    "coder": {
      "baseUrl": "https://coder.example.com",
      "sessionToken": "your-coder-api-token",
      "templateVersionId": "00000000-0000-0000-0000-000000000000"
    }
  }
}

GitHub Connection Details

GitHub connections use GitHub App installation tokens for authentication. The installation token is resolved server-side and is not returned in API responses.

Field	Type	Behavior	Description
`installation_id`	int64	REQUIRED	GitHub App installation ID. The installation must be owned by the deployment creating this connection.
`owner`	string		GitHub account (org or user login) that owns this installation. Set automatically at connection creation.
`auto_create_deployments`	enum		`AUTO_CREATE_DEPLOYMENTS_ENABLED` (default) or `AUTO_CREATE_DEPLOYMENTS_DISABLED`. Controls whether GitHub deployment webhook events automatically create Deployment resources.
`auto_monitor_pull_requests`	enum		`AUTO_MONITOR_PULL_REQUESTS_DISABLED` (default) or `AUTO_MONITOR_PULL_REQUESTS_ENABLED`. When enabled, opened PR webhook events automatically create a deploy-monitoring agent.
`auto_monitor_pr_filter`	string		Optional natural-language filter applied to opened PRs when `auto_monitor_pull_requests` is enabled. Non-matching PRs get a skip comment instead of a monitor.
`auto_monitor_pr_authors`	repeated string		Optional GitHub username allowlist. When non-empty, only PRs from listed authors are eligible for auto-monitoring.
`post_updates_to_github`	enum		`POST_UPDATES_TO_GITHUB_ENABLED` (default) or `POST_UPDATES_TO_GITHUB_DISABLED`. When disabled, change-monitoring updates (plan invites, plan publishes, status updates, skip explanations) stay in the Firetiger UI and are not posted as comments on the originating pull request.

Shell Environment

Shell prompt information for the connection, populated only on Get requests.

Field	Type	Description
`prompt`	string	Shell prompt text for interactive sessions

Status

Operational status of the connection’s credential resolution, following the google.rpc.Status format.

Field	Type	Description
`code`	integer	Status code (0 means OK)
`message`	string	Human-readable error message (empty when healthy)