Connect a connector

Connecting a service involves two roles: the agent owner enables the connector and (for most services) configures an OAuth app once; then each member authorizes their own account. Members never share credentials.

Owner: enable and configure

1. Enable the connector

   In the agent’s settings, toggle the connector on. Only enabled connectors appear in members’ connect flows and in tools/list — and the proxy enforces the list on every call.

2. Configure OAuth credentials (most connectors)

   Open the connector’s settings on the agent and enter your OAuth app’s client ID and client secret.

   • Skip this step for Sentry, Cloudflare, and Google — Wicket manages those apps for you.
   • For everything else, register an OAuth app with the provider (GitHub → Settings → Developer settings → OAuth Apps, Slack → api.slack.com/apps, Linear → Settings → API → OAuth applications, and so on), using the callback URL shown in the connector settings panel.

   Note

   Why bring your own app? The consent screen shows your app name to your team, your org’s admin controls (allowlists, install approvals) apply, and you can revoke access centrally at the provider. Secrets are stored encrypted and are never shown again after saving.

3. (Slack and Linear) Add a webhook secret

   These connectors can keep harvested entities fresh via webhooks. Enter your app’s webhook signing secret along with the credentials — or for Linear, let Wicket register the webhooks automatically. See Harvesting & freshness.

When you save credentials, Wicket also seeds the agent’s baseline policies for that service, so members aren’t unrestricted by accident the moment they connect.

Member: connect your account

1. Open Connect services

   On the agent’s Members tab, find your row and click Connect services, then the connector’s Connect button.

2. Authorize in the popup

   The provider’s OAuth consent screen opens. Authorize it. Wicket stores the resulting token encrypted — once you generate your member key, encrypted under that key, so nobody (including the agent owner) can read it.

3. Generate or keep your member key

   If you connected a new service after generating your key, the connection is sealed to your existing key automatically — no need to regenerate. If you have no key yet, generate one now; it’s shown once.

Your connection’s status, identity (which account you authorized), and last-used time are visible on your member panel.

Token lifecycle

• Refresh is automatic. For providers with expiring tokens, Wicket refreshes them in-flight when they near expiry — tool calls don’t fail because a token aged out.
• Disconnect any time. Remove a single service connection from your member panel; other connections and your key are unaffected.
• Lost member key? Tokens encrypted under it are unreadable by design. Use Reset lost key on your member panel — it clears the sealed connections so you can reconnect, then issue a new key.

Troubleshooting

Symptom	Likely cause
Connect button missing for a service	Connector not enabled on the agent, or owner hasn’t saved OAuth credentials
OAuth popup shows a provider error	Callback URL in your OAuth app doesn’t match the one in the connector settings
No <service> credentials configured on tool calls	You’re authorized to call the tool but haven’t connected that service — connect it from the Members tab
Tools missing from tools/list	The service isn’t connected by you (lists are per-member), or the connector was disabled