Connection overview

Connections, credentials, and environments form the foundation of how watsonx Orchestrate integrates with external applications. You can use these elements together to define how authentication occurs, which identity is used when a tool accesses a third‑party application, and how development and production behavior remain separated and predictable. The connection framework centralizes authentication, manages credentials securely, and provides a controlled and consistent way for tools to access external systems.

Connections

A connection defines how watsonx Orchestrate communicates with an external application. It specifies the authentication method, the credentials that are required, and the environment in which the integration runs. Tools rely on these configured connections to access external services, and agents use the bound tools to complete user requests. Connections are used whenever an agent calls a tool that interacts with an external API or service. By separating authentication from tool logic, connections help maintain secure access, support reuse across multiple tools, and provide clear separation between development and production environments. This approach reduces configuration duplication, improves maintainability, and supports consistent security controls across all integrations.

A connection includes:

  • Authentication type such as OAuth 2.0, API key, Basic authentication, or key‑value pair authentication

  • Credential type that is used for access team or member credentials

  • Environment settings that separate draft from live configuration

Connections provide a consistent integration method across all supported channels and can be reused across multiple tools that target the same application.

Credentials

Credentials define the identity that watsonx Orchestrate uses when it authenticates with an external application. You use credentials to help verify that tool actions run with the correct level of access and that the external application applies its own authorization rules. watsonx Orchestrate supports two credential models team credentials and member credentials each designed for different identity and access requirements.

Team credentials provide a single, shared identity for all users of an agent. Builders or administrators configure these credentials in the connection settings. Team credentials are suited for system‑level or service‑level access, where requests do not depend on the individual who starts the action. By using a shared identity across tools and users, team credentials simplify setup, support consistent access to the application, and reduce the need for repeated configuration.

Member credentials represent an individual user’s identity in the third‑party system. When a tool uses member credentials, the tool carries out actions on behalf of the user and applies that user’s specific permissions and entitlements. This model is important for applications where access is personalized, where records are tied to a user, or where the external system enforces user‑level authorization. Member credentials are stored securely and can be managed by the user in Profile settings.

Using the appropriate credential model helps verify that watsonx Orchestrate interacts with external systems in a secure, predictable way and aligns the integration with the authorization requirements of your application landscape.

Environments

Environments define the configuration that is in scope for the agent during development and production. Each environment provides a separate space so you can test and validate configuration safely before it is used in production.

During build and testing, the agent uses the draft environment’s connection configuration. Draft settings can include credentials or authentication parameters that differ from those values that are used in production. Draft allows you to refine connection settings, validate authentication, and test tool behavior without affecting users or production systems.

When the agent is deployed and runs through a channel such as in‑portal chat, embedded chat, Slack, or Microsoft Teams it uses the live environment’s connection configuration. Live must contain complete and valid values, including the authentication type, credential model, and credentials. The deployment process checks that every tool has a working live connection before the agent can be published.

Separating draft and live reduces configuration risk, supports predictable rollouts, and allows you to control how integrations operate across development and production scenarios.