Connection architecture and lifecycle
Connections, tools, and agents work together to help watsonx Orchestrate communicate securely with external applications. You use a connection to define how authentication occurs, which credentials are applied, and how requests reach the target system. Understanding the architecture and lifecycle of a connection helps you design integrations that are predictable, secure, and aligned with your organization’s access requirements.
Architecture
The connection architecture defines how watsonx Orchestrate integrates securely with external applications by separating user interaction, tool logic, and authentication into distinct functional components. This model supports consistent behavior across all deployment channels and provides a scalable foundation for managing integrations. A connection sits at the integration layer between tools and the third-party applications that they interact with. The architecture is composed of three primary elements: agents, tools, and connections. Each element plays a specific role in handling user requests and carrying out authenticated operations in external systems.
Agents
Agents serve as the orchestration layer within watsonx Orchestrate. They interpret user input, determine the appropriate task to carry out, and call the tools that are required to complete that task. Agents operate consistently across all supported channels, including Slack, Microsoft Teams, embedded chat, and the in‑portal chat interface.
Tools
Tools contain the actionable logic for communicating with third-party applications. Each tool defines operations such as creating, reading, updating, or deleting data. Tools do not contain credentials or authentication details; instead, they rely on a bound connection to access the target system securely. A single connection can be reused by multiple tools that target the same external service.
Connections
Connections define the authentication and integration settings that are required to communicate with external applications. A connection specifies the authentication method, credential type, and environment‑specific configuration that is used when tools make API calls. Connections act as the secure access point for all external interactions and centralize credential management for reuse across tools. Connections provide two isolated environments, Draft and Live, so that integrations can be developed, tested, and deployed with predictable behavior. Tools automatically use the correct environment based on where the agent runs.
Connection process flow
The connection process flow describes how watsonx Orchestrate handles a user request and completes an action in an external application. When a user interacts with an agent, the agent interprets the request and selects the appropriate tool. The tool contains the business logic that defines the action that must be carried out. To access an external system, the tool uses a configured connection. The connection acts as the bridge to the third‑party application, houses the required credentials, and applies the configured authentication method. This flow supports secure, consistent, and predictable integration across all supported channels and environments.
This architecture centralizes authentication, keeps tool logic focused on business actions, and supports consistent request flow across channels such as Slack, Microsoft Teams, embedded chat, and in‑portal chat.
When a user interacts with an agent, the request moves through a predictable sequence:
1. The user sends a request in a supported channel.
2. The agent interprets the request and selects the appropriate tool based on intent.
3. The tool determines the required action and relies on its bound connection to access the external application.
4. The connection applies its configuration, including authentication type, credential model, and environment, to authenticate the request.
5. The external application processes the request and returns a result to the tool, which then passes it back through the agent to the user.
This lifecycle keeps authentication and integration concerns in the connection layer, not in tools or agents.
The following image shows how a user request moves through each stage of the connection architecture.

Lifecycle
The lifecycle of a connection describes how watsonx Orchestrate prepares, uses, and validates a connection as a tool interacts with an external application. Understanding this lifecycle helps you see how authentication, credentials, and environment settings work together to support predictable, secure behavior and align each request to a third‑party system with your configuration choices.
Connection lifecycle stages
The connection lifecycle outlines the stages that a connection moves through as tools use it to access external applications. A connection progresses through four stages: configuration, binding, execution, and deployment validation. Each stage defines how watsonx Orchestrate prepares, uses, and checks the connection as tools interact with external applications.
Configuration
A connection is first defined with its authentication type, credential model, and draft and live configurations. These settings determine how the connection authenticates with the external service and which identity is used for access. Connections store this information centrally and act as the secure integration path for tools.
Binding
After configuration, a tool must be bound to the connection. Binding links the tool’s business action to the specific authentication and credential details that are provided by the connection. Every tool requires exactly one bound connection, and multiple tools can reuse the same connection when they access the same application.
Execution
When the agent calls the tool in response to a user request, the connection applies the correct environment and credential model. The connection handles authentication, creates the outbound request, and sends it to the external application. The external application returns a response to the tool, and the tool passes that response back to the agent.
Deployment validation
Before an agent can be deployed, watsonx Orchestrate verifies that each tool has a fully configured live connection. Deployment cannot proceed until every tool is bound to a connection with valid live settings and credentials. This safeguard helps maintain consistent behavior across all production channels.
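The binding and deployment validation rules described above can be modeled as a pre-deployment check over an inventory of tools and connections. This is an added example, not IBM code: the class names, field names, and sample inventory are assumptions and do not reflect the watsonx Orchestrate API or any export format. The credential-in-tool check is an extra lint based on the statement that tools do not contain credentials.

```python
# Added illustration: field names and inventory layout are assumptions,
# not the watsonx Orchestrate API or any export format.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class EnvConfig:
    auth_type: str = ""
    credentials: dict = field(default_factory=dict)
    def complete(self) -> bool:
        return bool(self.auth_type and self.credentials and all(self.credentials.values()))

@dataclass
class Connection:
    name: str
    draft: Optional[EnvConfig] = None
    live: Optional[EnvConfig] = None

@dataclass
class Tool:
    name: str
    connection: Optional[str] = None   # binding: exactly one connection per tool
    params: dict = field(default_factory=dict)

SECRET_HINTS = ("password", "secret", "token", "api_key")

def deployment_blockers(tools, connections):
    """Map each failing tool name to the reasons it would block deployment."""
    by_name, findings = {c.name: c for c in connections}, {}
    for tool in tools:
        reasons, conn = [], by_name.get(tool.connection)
        if tool.connection is None:
            reasons.append("no bound connection")
        elif conn is None:
            reasons.append("bound to unknown connection")
        elif conn.live is None or not conn.live.complete():
            reasons.append("connection has no complete live configuration")
        # Extra lint: credentials belong in the connection, never in the tool.
        if any(h in k.lower() for k in tool.params for h in SECRET_HINTS):
            reasons.append("credential-like field in tool parameters")
        if reasons:
            findings[tool.name] = reasons
    return findings

# Constructed sample inventory (placeholder values only).
CONNECTIONS = [
    Connection("crm", EnvConfig("api_key", {"key": "draft-x"}), EnvConfig("api_key", {"key": "live-x"})),
    Connection("ticketing", EnvConfig("api_key", {"key": "draft-y"})),  # no live settings
]
TOOLS = [Tool("create_lead", "crm"), Tool("read_lead", "crm"), Tool("open_ticket", "ticketing"),
         Tool("export_report", None, {"api_token": "placeholder"})]
```

Calling deployment_blockers(TOOLS, CONNECTIONS) on the sample inventory flags open_ticket (draft-only connection) and export_report (unbound, with a credential-like parameter), while the two tools that reuse the crm connection pass.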
Why understanding the lifecycle matters
Understanding the connection lifecycle helps you design integrations that:
- Apply the correct authentication and credential model for each external application
- Behave predictably across Draft and Live environments
- Avoid deployment issues caused by incomplete configuration
- Reuse connection settings efficiently across multiple tools
- Maintain consistent and secure access to external systems across all supported channels
A clear understanding of the lifecycle helps your tools authenticate correctly, supports successful agent deployments, and promotes reliable integration behavior in production.