# Connections

## List connections

> Returns a list of all connections configured in the account.\
> If no connections exist in the account, a 204 response with no body will be returned.<br>

```json
{"openapi":"3.1.0","info":{"title":"Connections","version":"1.0.0"},"servers":[{"url":"https://api.integrator.io","description":"Production (US / default region)"},{"url":"https://api.eu.integrator.io","description":"Production (EU region)"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer"}},"parameters":{"Include":{"name":"include","in":"query","required":false,"description":"Comma-separated list of fields to project into each returned record.\nTriggers **summary projection** on supported list endpoints: the server\nreturns a minimal identity set for each record (`_id`, `name`, plus a\nresource-specific always-on set like `adaptorType` on exports/imports,\nor richer defaults on `ashares`, `audit`, `httpconnectors`, `transfers`,\netc.) and adds any listed fields that exist on the record. Listed fields\nthe record doesn't carry are silently dropped.\n\nDot notation is supported for projecting nested sub-fields — e.g.\n`include=ftp.directoryPath` on `/v1/exports` returns just that nested\nfield inside `ftp` for FTP-type exports (and omits `ftp` entirely for\nnon-FTP exports).\n\nRules:\n- Value regex is `{a-z A-Z . _}` (letters, dots, underscores) plus the\n  comma separator; digits are also accepted in practice. Any other\n  character returns **400 `invalid_query_params`**.\n- Empty value (`include=`) or bare `include` is ignored — the full\n  default record is returned.\n- `include` and `exclude` are **mutually exclusive**. Passing both\n  returns **400 `invalid_query_params`**: *\"Please provide either\n  include or exclude param in the request query and not both.\"*\n- Array-bracket syntax (`include[]=...`) is not supported and can return\n  a 500.\n- Only list endpoints honor projection — on GET-by-id the parameter is\n  silently ignored.\n- A small set of list endpoints explicitly reject both `include` and\n  `exclude` with **400 `invalid_query_params`** and a message of the form\n  *\"Include or exclude query params are not applicable for `<resource>`\n  resource.\"* Known rejections: `/v1/ediprofiles`, `/v1/environments`,\n  `/v1/iClients`, `/v1/lookupcaches`, `/v1/tags`.","schema":{"type":"string"}},"Exclude":{"name":"exclude","in":"query","required":false,"description":"Comma-separated list of fields to remove from the default response on\nsupported list endpoints. Unlike `include`, `exclude` does NOT trigger\nsummary projection — callers get the standard full-record shape with the\nnamed fields stripped out.\n\nRules:\n- Value regex is `{a-z A-Z . _}` (letters, dots, underscores) plus the\n  comma separator; digits are also accepted in practice. Any other\n  character returns **400 `invalid_query_params`**.\n- Empty value (`exclude=`) is ignored.\n- Certain protected identity fields **cannot be stripped** — e.g.\n  `exclude=name` on `/v1/exports` is silently ignored and `name` remains\n  in the response. Protected sets vary per resource.\n- `include` and `exclude` are **mutually exclusive**. Passing both\n  returns **400 `invalid_query_params`**: *\"Please provide either\n  include or exclude param in the request query and not both.\"*\n- Only list endpoints honor stripping — on GET-by-id the parameter is\n  silently ignored.\n- A small set of list endpoints explicitly reject both `include` and\n  `exclude` with **400 `invalid_query_params`** and a message of the form\n  *\"Include or exclude query params are not applicable for `<resource>`\n  resource.\"* Known rejections: `/v1/ediprofiles`, `/v1/environments`,\n  `/v1/iClients`, `/v1/lookupcaches`, `/v1/tags`.","schema":{"type":"string"}}},"schemas":{"Response":{"type":"object","description":"Complete connection object as returned by the API","allOf":[{"$ref":"#/components/schemas/Request"},{"$ref":"#/components/schemas/ResourceResponse"},{"$ref":"#/components/schemas/IAResourceResponse"},{"type":"object","properties":{"aiDescription":{"$ref":"#/components/schemas/AIDescription"},"salesforce":{"allOf":[{"$ref":"#/components/schemas/Salesforce"},{"type":"object","properties":{"info":{"type":"object","description":"Additional Salesforce connection information","readOnly":true}}}]},"netsuite":{"allOf":[{"$ref":"#/components/schemas/NetSuite"},{"type":"object","properties":{"suiteAppInstalled":{"type":"boolean","description":"Whether the Celigo SuiteApp is installed","readOnly":true}}}]},"_integrationId":{"type":"string","format":"objectId","description":"ID of the integration this connection belongs to","readOnly":true},"_connectorId":{"type":"string","format":"objectId","description":"ID of the connector template this connection is based on","readOnly":true},"_id":{"type":"string","format":"objectId","description":"Unique identifier for the connection","readOnly":true},"offline":{"type":"boolean","description":"Whether the connection is currently offline/disabled","readOnly":true},"_userId":{"type":"string","format":"objectId","description":"ID of the user who owns this connection","readOnly":true},"createdAt":{"type":"string","format":"date-time","description":"Timestamp when the connection was created","readOnly":true},"lastModified":{"type":"string","format":"date-time","description":"Timestamp when the connection was last modified","readOnly":true},"deletedAt":{"type":"string","format":"date-time","description":"Timestamp when the connection was soft-deleted (if applicable)","readOnly":true},"needsAuthorization":{"type":"boolean","description":"Whether this connection requires OAuth2 or similar authorization flow","readOnly":true},"isAmazonSPConnection":{"type":"boolean","description":"Whether this is an Amazon Selling Partner API connection","readOnly":true},"concurrencyInfo":{"type":"object","description":"Current concurrency usage and limits for this connection","readOnly":true,"properties":{"currentLevel":{"type":"number","description":"Current concurrency level being used"},"targetLevel":{"type":"number","description":"Target concurrency level"},"maxLevel":{"type":"number","description":"Maximum allowed concurrency level"},"borrowedFrom":{"type":"string","description":"ID of connection this is borrowing concurrency from"}}},"rateLimit":{"type":"object","description":"Rate limiting information for this connection","readOnly":true,"properties":{"isRecovering":{"type":"boolean","description":"Whether the connection is currently recovering from rate limits"},"lastErrorAt":{"type":"string","format":"date-time","description":"Timestamp of last rate limit error"},"retryCount":{"type":"number","description":"Number of retry attempts for rate limit recovery"}}},"status":{"type":"string","enum":["active","inactive","error","pending","offline"],"description":"Current operational status of the connection","readOnly":true},"lastPingAt":{"type":"string","format":"date-time","description":"Timestamp of last successful ping test","readOnly":true},"lastPingStatus":{"type":"string","enum":["success","failed","pending"],"description":"Result of the last ping test","readOnly":true},"capabilities":{"type":"object","description":"Discovered or configured capabilities of this connection","readOnly":true,"properties":{"read":{"type":"boolean","description":"Supports read operations"},"write":{"type":"boolean","description":"Supports write operations"},"delete":{"type":"boolean","description":"Supports delete operations"},"realtime":{"type":"boolean","description":"Supports real-time data streaming"},"batch":{"type":"boolean","description":"Supports batch operations"}}},"quotas":{"type":"object","description":"Usage quotas and limits for this connection","readOnly":true,"properties":{"daily":{"type":"object","properties":{"limit":{"type":"number"},"used":{"type":"number"},"remaining":{"type":"number"}}},"monthly":{"type":"object","properties":{"limit":{"type":"number"},"used":{"type":"number"},"remaining":{"type":"number"}}}}},"_sourceId":{"type":"string","format":"objectId","description":"ID of the source this connection was created from","readOnly":true},"_templateId":{"type":"string","format":"objectId","description":"ID of the template this connection was generated from","readOnly":true},"draft":{"type":"boolean","description":"Whether this connection is in draft state","readOnly":true},"draftExpiresAt":{"type":"string","format":"date-time","description":"Timestamp when the draft connection expires","readOnly":true},"debugUntil":{"type":"string","format":"date-time","description":"Timestamp until which debug logging is enabled","readOnly":true},"apiIdentifier":{"type":"string","description":"API identifier for this connection","readOnly":true}}}]},"Request":{"type":"object","description":"Fields that can be sent when creating or updating a connection","properties":{"name":{"type":"string","description":"Descriptive identifier for the connection resource in human-readable format.\n\nThis string serves as the primary display name for the connection across the application UI and is used in:\n- API responses when listing connections\n- Error and audit logs for traceability\n- Flow builder UI components\n- Integration configuration dashboards\n\nWhile not required to be globally unique in the system, using descriptive, unique names is strongly recommended\nfor clarity when managing multiple connections. The name should indicate the target system and purpose.\n\nMaximum length: 200 characters\nAllowed characters: Letters, numbers, spaces, and basic punctuation\n","maxLength":200},"type":{"type":"string","description":"The type of connection determining which authentication and connectivity options are available","enum":["netsuite","salesforce","ftp","s3","rest","wrapper","http","rdbms","mongodb","as2","filesystem","mcp","dynamodb","jdbc","van"]},"externalId":{"type":"string","description":"External identifier for the connection, often used for integration with third-party systems"},"assistant":{"type":"string","description":"Application name in lowercase for HTTP connections to systems with integrator.io adaptors.\nUsed to identify the target application being connected to.\nExamples - Shopify: \"shopify\", eBay: \"ebay\".\nOnly applicable for HTTP connection types.\n"},"_agentId":{"type":"string","format":"objectId","description":"Reference to a Celigo on-premise Agent. Required for connection types that need\nlocal network or filesystem access (JDBC, filesystem, Oracle RDBMS).\nThe agent establishes a secure tunnel between the on-premise environment and integrator.io.\n"},"_borrowConcurrencyFromConnectionId":{"type":"string","format":"objectId","description":"Reference to another connection to share concurrency limits with.\nWhen set, this connection's concurrency is counted against the referenced\nconnection's limit instead of maintaining its own.\n"},"debugDate":{"type":"string","format":"date-time","description":"Date until which debug logging is enabled for this connection"},"settingsForm":{"type":"object","description":"Dynamic form configuration for connection-specific settings"},"settings":{"type":"object","description":"Connection-specific settings and configurations"},"pgp":{"type":"object","description":"PGP encryption settings for file-based connections"},"ssl":{"$ref":"#/components/schemas/SSL"},"netsuite":{"$ref":"#/components/schemas/NetSuite"},"salesforce":{"$ref":"#/components/schemas/Salesforce"},"ftp":{"$ref":"#/components/schemas/FTP"},"s3":{"$ref":"#/components/schemas/S3"},"rest":{"$ref":"#/components/schemas/REST"},"http":{"$ref":"#/components/schemas/HTTP"},"rdbms":{"$ref":"#/components/schemas/RDBMS"},"mongodb":{"$ref":"#/components/schemas/MongoDB"},"as2":{"$ref":"#/components/schemas/AS2"},"filesystem":{"$ref":"#/components/schemas/Filesystem"},"dynamodb":{"$ref":"#/components/schemas/DynamoDB"},"jdbc":{"$ref":"#/components/schemas/JDBC"},"van":{"$ref":"#/components/schemas/VAN"},"mcp":{"$ref":"#/components/schemas/MCP"},"wrapper":{"$ref":"#/components/schemas/Wrapper"}},"required":["name","type"],"anyOf":[{"title":"NetSuite","required":["netsuite"],"properties":{"netsuite":{"$ref":"#/components/schemas/NetSuite"}}},{"title":"Salesforce","required":["salesforce"],"properties":{"salesforce":{"$ref":"#/components/schemas/Salesforce"}}},{"title":"FTP","required":["ftp"],"properties":{"ftp":{"$ref":"#/components/schemas/FTP"}}},{"title":"S3","required":["s3"],"properties":{"s3":{"$ref":"#/components/schemas/S3"}}},{"title":"REST","required":["rest"],"properties":{"rest":{"$ref":"#/components/schemas/REST"}}},{"title":"HTTP","required":["http"],"properties":{"http":{"$ref":"#/components/schemas/HTTP"}}},{"title":"RDBMS","required":["rdbms"],"properties":{"rdbms":{"$ref":"#/components/schemas/RDBMS"}}},{"title":"MongoDB","required":["mongodb"],"properties":{"mongodb":{"$ref":"#/components/schemas/MongoDB"}}},{"title":"AS2","required":["as2"],"properties":{"as2":{"$ref":"#/components/schemas/AS2"}}},{"title":"Filesystem","required":["filesystem"],"properties":{"filesystem":{"$ref":"#/components/schemas/Filesystem"}}},{"title":"MCP","required":["mcp"],"properties":{"mcp":{"$ref":"#/components/schemas/MCP"}}},{"title":"DynamoDB","required":["dynamodb"],"properties":{"dynamodb":{"$ref":"#/components/schemas/DynamoDB"}}},{"title":"JDBC","required":["jdbc"],"properties":{"jdbc":{"$ref":"#/components/schemas/JDBC"}}},{"title":"VAN","required":["van"],"properties":{"van":{"$ref":"#/components/schemas/VAN"}}},{"title":"Wrapper","required":["wrapper"],"properties":{"wrapper":{"$ref":"#/components/schemas/Wrapper"}}}]},"SSL":{"type":"object","description":"SSL/TLS certificate configuration for secure database connections.\n\nUsed by RDBMS and other connection types that support client certificate authentication\nor connections to servers with private CA-signed certificates.\n\n**Usage rules**\n- Provide cert + key together for client certificate (mutual TLS) authentication.\n- Provide ca alone when the server uses a certificate signed by a private CA.\n- cert/key and ca can be combined for mTLS with a private CA.\n- passphrase is only needed when the private key is encrypted.\n","properties":{"ca":{"type":"string","description":"Certificate Authority (CA) certificate in PEM format (encrypted at rest).\nProvide this when the database server uses a certificate signed by a private CA\nthat is not in the system's default trust store.\n","writeOnly":true},"key":{"type":"string","description":"Client private key in PEM format (encrypted at rest).\nREQUIRED alongside cert for client certificate (mTLS) authentication.\nCannot be provided without cert.\n","writeOnly":true},"passphrase":{"type":"string","description":"Passphrase to decrypt an encrypted private key (encrypted at rest).\nOnly needed when the PEM private key in the key field is password-protected.\n","writeOnly":true},"cert":{"type":"string","description":"Client certificate in PEM format (encrypted at rest).\nREQUIRED alongside key for client certificate (mTLS) authentication.\nCannot be provided without key.\n","writeOnly":true}}},"NetSuite":{"type":"object","description":"Configuration for NetSuite ERP connections. Used when the connection type is \"netsuite\".\n\nNetSuite connections support two authentication methods:\n- Token-Based Authentication (TBA) — recommended for production. Requires tokenId and tokenSecret.\n- Basic authentication (email/password) — legacy method, limited functionality.\n\n**Required fields by auth type**\n- authType \"token\": account, tokenId, tokenSecret, roleId\n- authType \"token-auto\": account (tokens are managed automatically via iClient)\n- authType \"basic\": account, email, password, roleId\n\n**Environment**\nThe environment field selects which NetSuite instance to connect to.\nThe account ID format changes based on environment (e.g., \"123456\" for production,\n\"123456_SB1\" for non-production).\n","properties":{"authType":{"type":"string","enum":["basic","token","token-auto"],"description":"Authentication method for the NetSuite connection.\n\n- \"token\" — Token-Based Authentication (TBA). Recommended for production.\n  Requires tokenId and tokenSecret from a NetSuite integration record.\n- \"token-auto\" — Automatic token management via Celigo's iClient.\n  Tokens are provisioned and rotated automatically.\n- \"basic\" — Legacy email/password authentication. Not recommended for\n  new connections; has limited API access compared to TBA.\n"},"account":{"type":"string","description":"NetSuite account ID. REQUIRED for all auth types.\n\nThis is the account identifier visible in NetSuite under Setup > Company > Company Information.\nThe value is automatically uppercased.\n\nFormat varies by environment:\n- Production: \"123456\" or \"TSTDRV123456\"\n- Non-production: \"123456_SB1\" (suffix indicates the environment number)\n- Beta: \"123456\" (same as production, but with environment set to \"beta\")\n"},"environment":{"type":"string","enum":["production","beta"],"description":"NetSuite environment to connect to.\n\n- \"production\" — Live production instance.\n- \"beta\" — NetSuite beta/release-preview environment.\n\nDefaults to \"production\" when not specified.\n"},"tokenId":{"type":"string","description":"NetSuite TBA token ID (encrypted at rest). REQUIRED when authType is \"token\".\n\nGenerated in NetSuite under Setup > Users/Roles > Access Tokens.\nMust be paired with the corresponding tokenSecret.\n","writeOnly":true},"tokenSecret":{"type":"string","description":"NetSuite TBA token secret (encrypted at rest). REQUIRED when authType is \"token\".\n\nGenerated alongside the tokenId in NetSuite. Treat as a sensitive credential.\n","writeOnly":true},"entityId":{"type":"string","description":"NetSuite entity/user ID associated with the token."},"tokenName":{"type":"string","description":"Human-readable name of the NetSuite access token for identification purposes."},"roleId":{"type":"string","description":"NetSuite role ID that determines the permissions for this connection.\n\nThe role controls which records, fields, and operations are accessible.\nMust match the role associated with the access token in NetSuite.\n"},"email":{"type":"string","description":"NetSuite user email address. REQUIRED when authType is \"basic\".\nUsed as the login credential for basic (email/password) authentication.\n","format":"email"},"password":{"type":"string","description":"NetSuite user password (encrypted at rest). REQUIRED when authType is \"basic\".","writeOnly":true},"requestLevelCredentials":{"type":"boolean","description":"When true, authentication credentials are sent with each individual API request\nrather than maintaining a persistent session. Enable this for environments\nwhere session-based auth is unreliable.\n"},"dataCenterURLs":{"type":"object","description":"NetSuite data center URL overrides. Normally auto-discovered from the account ID.\nOnly set this to override the default data center routing.\n"},"accountName":{"type":"string","description":"Human-readable NetSuite account name (display purposes only)."},"roleName":{"type":"string","description":"Human-readable name of the NetSuite role (display purposes only)."},"wsdlVersion":{"type":"string","description":"NetSuite WSDL (Web Services Description Language) version for SuiteTalk Web Services.\n\nControls which API version is used for SOAP-based operations. Newer versions\nmay include additional record types and fields.\n\n- \"latest\" — Use the most recent stable WSDL version.\n- \"next\" — Use the next (pre-release) WSDL version.\n- Specific versions like \"2023.2\" pin to that exact API version.\n","enum":["latest","next","2023.2","2023.1","2022.2","2022.1"],"default":"latest"},"applicationId":{"type":"string","description":"NetSuite application ID from the integration record.\nRequired for some authentication configurations to identify the calling application.\n"},"concurrencyLevelRESTlet":{"type":"number","description":"Maximum concurrent requests to NetSuite RESTlet endpoints.\nNetSuite enforces governance limits on concurrent RESTlet requests per account.\nKeep this low to avoid SuiteScript governance errors.\n","minimum":1,"maximum":10,"default":1},"concurrencyLevelWebServices":{"type":"number","description":"Maximum concurrent requests to NetSuite SuiteTalk Web Services (SOAP API).\nNetSuite enforces concurrency limits per account — exceeding them causes\n\"Only one request may be made against a session at a time\" errors.\n","minimum":1,"maximum":10,"default":5},"concurrencyLevel":{"type":"number","description":"General concurrency level for this connection. Controls the overall\nmaximum concurrent requests across all operation types.\n","minimum":1,"maximum":10,"default":5},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system adjusts concurrency\nbetween 1 and this value based on rate limit and governance feedback.\n","minimum":1,"maximum":10},"_iClientId":{"type":"string","format":"objectId","description":"ID of the iClient used for token-based authentication."}}},"Salesforce":{"type":"object","description":"Configuration for Salesforce CRM connections. Used when the connection type is \"salesforce\".\n\nSalesforce connections authenticate via OAuth 2.0 with two supported flows:\n- JWT Bearer Token — server-to-server auth using a Salesforce Connected App. Recommended for automated integrations.\n- Refresh Token — interactive OAuth flow where the user authorizes via browser. Good for user-context integrations.\n\n**Required fields by flow type**\n- oauth2FlowType \"jwtBearerToken\": username (Salesforce username of the authorized user)\n- oauth2FlowType \"refreshToken\": refreshToken (obtained via browser-based OAuth flow)\n\n**Environment selection**\nThe login endpoint defaults to login.salesforce.com for production orgs.\n","properties":{"baseURI":{"type":"string","description":"Custom Salesforce instance URL. Overrides the default login URL.\n\nNormally auto-discovered during OAuth authentication. Only set this to\nforce a specific instance URL (e.g., \"https://mycompany.my.salesforce.com\").\n","format":"uri"},"oauth2FlowType":{"type":"string","enum":["jwtBearerToken","refreshToken"],"description":"OAuth 2.0 authentication flow type.\n\n- \"jwtBearerToken\" — Server-to-server JWT Bearer Token flow. Does not require\n  user interaction. Requires a Salesforce Connected App with a digital certificate,\n  and the username field must be set to the authorized Salesforce user.\n- \"refreshToken\" — Authorization Code / Refresh Token flow. Requires initial\n  browser-based authorization, then uses the refresh token for ongoing access.\n\nChoose \"jwtBearerToken\" for automated server-to-server integrations.\nChoose \"refreshToken\" for integrations that operate in a specific user's context.\n"},"username":{"type":"string","description":"Salesforce username for JWT Bearer Token authentication.\nREQUIRED when oauth2FlowType is \"jwtBearerToken\".\n\nThis is the Salesforce login username (email) of the user whose permissions\nthe integration will operate under.\n"},"bearerToken":{"type":"string","description":"OAuth access/bearer token (encrypted at rest).\nTypically auto-managed by the system during OAuth flows. Rarely set manually.\n","writeOnly":true},"refreshToken":{"type":"string","description":"OAuth refresh token (encrypted at rest). REQUIRED when oauth2FlowType is \"refreshToken\".\nObtained during the initial browser-based OAuth authorization flow.\n","writeOnly":true},"packagedOAuth":{"type":"boolean","description":"When true, uses Celigo's pre-configured Connected App for OAuth.\nWhen false, you must provide your own Connected App credentials via iClient.\n","default":false},"scope":{"type":"array","items":{"type":"string"},"description":"OAuth scopes to request during authorization. Controls the level of access granted.\n\nCommon scopes:\n- \"full\" — Full access to all Salesforce APIs.\n- \"refresh_token\" — Allows obtaining refresh tokens for long-lived access.\n- \"api\" — Access to REST and SOAP APIs.\n\nDefaults to [\"full\", \"refresh_token\"] which provides complete API access.\n","default":["full","refresh_token"]},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent API requests to Salesforce.\nSalesforce enforces per-org API request limits. Setting this too high\nmay exhaust your org's API call allocation faster.\n","minimum":1,"maximum":25,"default":5},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system adjusts concurrency\nbetween 1 and this value based on rate limit feedback from Salesforce.\n","minimum":1,"maximum":25}}},"FTP":{"type":"object","description":"Configuration for FTP/SFTP/FTPS file transfer connections. Used when the connection type is \"ftp\".\n\nSupports three file transfer protocols:\n- FTP — Standard File Transfer Protocol (unencrypted). Default port 21.\n- SFTP — SSH File Transfer Protocol (encrypted via SSH). Default port 22.\n- FTPS — FTP over TLS/SSL (encrypted via TLS). Default port 21 (explicit) or 990 (implicit).\n\n**Required fields**\n- type (ftp, sftp, or ftps)\n- hostURI (server hostname or IP)\n- username\n\n**Authentication**\n- FTP/FTPS: username + password\n- SFTP: username + password, OR username + authKey (SSH private key), OR both\n\n**Pgp encryption**\nOptional PGP encryption/decryption can be enabled for file-level security,\nindependent of transport-level encryption. Requires pgpEncryptKey and/or pgpDecryptKey.\n","required":["type","hostURI","username"],"properties":{"type":{"type":"string","enum":["ftp","sftp","ftps"],"description":"File transfer protocol type. REQUIRED.\n\n- \"ftp\" — Standard FTP. No transport encryption. Default port 21.\n- \"sftp\" — SSH-based file transfer. Encrypted transport. Default port 22.\n  Supports SSH key authentication via the authKey field.\n- \"ftps\" — FTP over TLS/SSL. Encrypted transport. Default port 21 (explicit TLS)\n  or 990 (implicit TLS — set useImplicitFtps to true).\n\nPrefer \"sftp\" for security. Use \"ftps\" when the server requires TLS.\nOnly use \"ftp\" for legacy systems that don't support encryption.\n"},"hostURI":{"type":"string","description":"FTP server hostname or IP address. REQUIRED.\nDo NOT include the protocol prefix (e.g., use \"ftp.example.com\", not \"sftp://ftp.example.com\").\n"},"port":{"type":"number","description":"Server port number. Defaults vary by type:\n- FTP: 21\n- SFTP: 22\n- FTPS (explicit): 21\n- FTPS (implicit): 990\n","minimum":1,"maximum":65535,"default":21},"username":{"type":"string","description":"Username for server authentication. REQUIRED."},"password":{"type":"string","description":"Password for server authentication (encrypted at rest).\nFor SFTP, either password or authKey (SSH key) is required.\n","writeOnly":true},"authKey":{"type":"string","description":"SSH private key for SFTP key-based authentication (encrypted at rest).\nOnly used when type is \"sftp\". Provide the full PEM-encoded private key.\nCan be used alone or alongside a password for two-factor auth.\n","writeOnly":true},"usePassiveMode":{"type":"boolean","description":"When true, uses passive mode for FTP/FTPS data connections.\nIn passive mode, the client initiates both control and data connections,\nwhich works better through firewalls and NAT. Enable for most scenarios.\n","default":true},"enableHostVerification":{"type":"boolean","description":"When true, verifies the server's SSH host key (SFTP) or TLS certificate (FTPS).\nDisable only for development/testing with self-signed certificates.\n","default":true},"userDirectoryIsRoot":{"type":"boolean","description":"When true, treats the user's home directory as the root directory.\nAll paths are relative to the user's home directory rather than the server root.\n","default":false},"useImplicitFtps":{"type":"boolean","description":"When true, uses implicit FTPS (TLS connection established immediately on port 990).\nWhen false, uses explicit FTPS (starts as FTP on port 21, upgrades to TLS via STARTTLS).\nOnly applies when type is \"ftps\".\n","default":false},"requireSocketReUse":{"type":"boolean","description":"When true, requires the data connection to reuse the same TLS session as the control connection.\nSome FTPS servers require this for security. Only applies to FTPS connections.\n","default":false},"entryParser":{"type":"string","enum":["UNIX","UNIX-TRIM","VMS","WINDOWS","OS/2","OS/400","AS/400","MVS","UNKNOWN-TYPE","NETWARE","MACOS-PETER"],"description":"File listing format parser. Controls how directory listings from the server are interpreted.\nMost servers use UNIX format. Only change this if directory listings appear garbled.\n\n- \"UNIX\" — Standard Unix/Linux servers (most common).\n- \"WINDOWS\" — Windows FTP servers using DOS-style listings.\n- \"MVS\" — IBM mainframe MVS systems.\n- \"AS/400\" — IBM AS/400 (iSeries) systems.\n- Other values are for specific legacy server platforms.\n"},"pgpEncryptKey":{"type":"string","description":"PGP public key for encrypting files before upload (encrypted at rest).\nWhen set, files are PGP-encrypted before being sent to the server.\n","writeOnly":true},"pgpDecryptKey":{"type":"string","description":"PGP private key for decrypting files after download (encrypted at rest).\nWhen set, downloaded files are automatically PGP-decrypted.\n","writeOnly":true},"pgpPassphrase":{"type":"string","description":"Passphrase for the PGP private key (encrypted at rest).","writeOnly":true},"pgpKeyAlgorithm":{"type":"string","enum":["CAST5","3DES","AES-128","AES-192","AES-256"],"description":"Symmetric encryption algorithm used for PGP operations.\nAES-256 is recommended for strong encryption. CAST5 is the PGP default.\nMust match the algorithm expected by the recipient when encrypting.\n"},"pgpSignAndVerify":{"type":"boolean","description":"When true, PGP-signs outbound files and verifies signatures on inbound files.\nProvides authenticity and integrity verification on top of encryption.\n","default":false},"tradingPartner":{"type":"boolean","description":"When true, this connection is associated with a trading partner configuration\nfor B2B/EDI file exchanges.\n","default":false},"_tpConnectorId":{"type":"string","format":"objectId","description":"Reference to a trading partner connector."},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent file transfer operations.\nFTP servers often have low connection limits — keep this value conservative.\n","minimum":1,"maximum":10,"default":1},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system adjusts concurrency\nbetween 1 and this value based on server response feedback.\n","minimum":1,"maximum":10}}},"S3":{"type":"object","description":"Configuration for Amazon S3 connections. Used when the connection type is \"s3\".\n\nProvides access to Amazon S3 buckets for file-based integrations (upload, download,\nlist, and delete operations). Uses AWS IAM credentials for authentication.\n\n**Required fields**\n- accessKeyId (AWS access key)\n- secretAccessKey (AWS secret key)\n\n**Ping**\nSet pingBucket to an accessible S3 bucket name so Celigo can verify\nthe connection credentials are valid.\n","required":["accessKeyId","secretAccessKey"],"properties":{"accessKeyId":{"type":"string","description":"AWS access key ID for IAM authentication. REQUIRED.\nFrom an IAM user or role with S3 access permissions (s3:GetObject, s3:PutObject, s3:ListBucket, etc.).\n"},"secretAccessKey":{"type":"string","description":"AWS secret access key (encrypted at rest). REQUIRED.\nPaired with the accessKeyId. Treat as a sensitive credential.\n","writeOnly":true},"pingBucket":{"type":"string","description":"S3 bucket name used for connection health checks (ping).\nThe system performs a HEAD request on this bucket to verify credentials.\nMust be a bucket the IAM credentials have access to.\n"},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent S3 operations.\nS3 has high throughput limits, so this can be set relatively high.\n","minimum":1,"maximum":100,"default":5},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system adjusts concurrency\nbetween 1 and this value based on performance feedback.\n","minimum":1,"maximum":100}}},"REST":{"type":"object","description":"Configuration for REST connector connections. Used when the connection type is \"rest\".\n\nREST connections are template-driven HTTP connections that use a pre-built HTTP Connector\ndefinition. The connector template pre-configures authentication, base URI, and other\nsettings — the user only fills in credentials and account-specific values.\n\n**Rest vs http connections**\n- Use \"rest\" when connecting to an application that has a Celigo HTTP Connector template\n  (referenced via _httpConnectorId). The connector provides pre-configured API settings.\n- Use \"http\" for fully custom API connections where you configure everything manually.\n\n**Authentication**\nThe authType field selects the authentication method. Available methods depend on the\nconnector template. Credentials are stored in the appropriate auth sub-fields (basicAuth,\nbearerToken, refreshToken, oauth, etc.).\n","required":["mediaType","baseURI","authType"],"properties":{"mediaType":{"type":"string","enum":["json","urlencoded","xml","csv"],"description":"Default content type for API requests and responses.\n\n- \"json\" — application/json (most common for REST APIs).\n- \"xml\" — application/xml (for XML-based APIs).\n- \"urlencoded\" — application/x-www-form-urlencoded (for form-style APIs).\n- \"csv\" — text/csv (for CSV-based data exchange).\n"},"baseURI":{"type":"string","description":"Base URL for all API requests. REQUIRED.\nAll relative URIs in exports and imports are appended to this base URL.\nMay be pre-populated by the HTTP Connector template.\n","format":"uri"},"authType":{"type":"string","enum":["basic","token","oauth","custom","cookie","jwt","hmac","wsse","oauth1"],"description":"Authentication method for this connection. REQUIRED.\n\n- \"basic\" — HTTP Basic Auth. Requires basicAuth.username and basicAuth.password.\n- \"token\" — Bearer token or API key. Requires bearerToken. Supports auto-refresh.\n- \"oauth\" — OAuth 2.0. Requires oauth configuration and typically authURI/oauthTokenURI.\n- \"cookie\" — Cookie-based session auth. Requires cookieAuth configuration.\n- \"jwt\" — JWT-based authentication.\n- \"hmac\" — HMAC signature authentication.\n- \"wsse\" — WS-Security. Requires basicAuth credentials.\n- \"oauth1\" — OAuth 1.0a. Requires oauth.oauth1 configuration.\n- \"custom\" — No built-in auth; credentials in headers or encrypted fields.\n"},"authURI":{"type":"string","description":"OAuth 2.0 authorization endpoint URI.\nUsed for OAuth authorization code flow where users authorize via browser.\n","format":"uri"},"oauthTokenURI":{"type":"string","description":"OAuth 2.0 token endpoint URI.\nUsed to exchange authorization codes for access tokens and to refresh tokens.\n","format":"uri"},"disableStrictSSL":{"type":"boolean","description":"When true, disables strict SSL/TLS certificate validation.\nOnly use for development/testing with self-signed certificates.\n","default":false},"skipOauthValidations":{"type":"boolean","description":"When true, skips Celigo's built-in OAuth configuration validation.\nUse when the connector has non-standard OAuth requirements.\n","default":false},"isHTTPProxy":{"type":"boolean","description":"When true, this REST connection acts as an HTTP proxy for another connection.\n","default":false},"authHeader":{"type":"string","description":"Custom HTTP header name for the authorization token.\nDefaults to \"Authorization\". Change only if the API uses a non-standard header.\n","default":"Authorization"},"retryHeader":{"type":"string","description":"HTTP response header name containing retry-after delay for rate-limited requests.\nDefaults to \"Retry-After\" (HTTP standard).\n","default":"Retry-After"},"authScheme":{"type":"string","enum":["MAC","OAuth","Bearer","Hmac"],"description":"Authorization header scheme/prefix prepended before the token value.\nProduces headers like \"Authorization: Bearer <token>\".\nDefaults to \"Bearer\" which is the most common scheme.\n","default":"Bearer"},"scope":{"type":"array","items":{"type":"string"},"description":"OAuth scopes to request during authorization. Controls the level of API access granted.\n"},"scopeDelimiter":{"type":"string","description":"Delimiter character between multiple OAuth scopes.\nDefaults to a space (\" \") per the OAuth 2.0 spec. Some APIs use commas.\n","default":" "},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent API requests.\nSet based on the target API's rate limit documentation.\n","minimum":1,"maximum":100,"default":5},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system adjusts concurrency\nbetween 1 and this value based on rate limit feedback.\n","minimum":1,"maximum":100},"bearerToken":{"type":"string","description":"Bearer token or API key for authentication (encrypted at rest).\nUsed when authType is \"token\".\n","writeOnly":true},"refreshToken":{"type":"string","description":"OAuth refresh token (encrypted at rest).\nUsed to obtain new access tokens when they expire.\n","writeOnly":true},"tokenLocation":{"type":"string","enum":["header","url"],"description":"Where to include the access token in outbound requests.\n- \"header\" — Sent in the Authorization header (default, most common).\n- \"url\" — Sent as a URL query parameter (use tokenParam for the parameter name).\n","default":"header"},"tokenParam":{"type":"string","description":"URL query parameter name for the access token when tokenLocation is \"url\".\n","default":"access_token"},"basicAuth":{"type":"object","description":"Basic authentication credentials. REQUIRED when authType is \"basic\" or \"wsse\".\n","properties":{"username":{"type":"string","description":"Username for Basic authentication."},"password":{"type":"string","description":"Password for Basic authentication (encrypted at rest).","writeOnly":true}}},"cookieAuth":{"type":"object","description":"Cookie-based session authentication configuration.\nREQUIRED when authType is \"cookie\".\n","properties":{"uri":{"type":"string","description":"Login endpoint URI. REQUIRED. The system sends a request here to obtain session cookies."},"body":{"type":"string","description":"Request body for the login request (e.g., JSON with credentials)."},"method":{"type":"string","description":"HTTP method for the login request (typically POST)."},"successStatusCode":{"type":"number","description":"HTTP status code that confirms successful authentication."}}},"oauth":{"$ref":"#/components/schemas/OAuth"},"refreshTokenMethod":{"type":"string","enum":["POST","PUT","GET"],"description":"HTTP method for token refresh requests.\n","default":"POST"},"refreshTokenBody":{"type":"string","description":"Request body template for token refresh requests."},"refreshTokenURI":{"type":"string","description":"URI for the token refresh endpoint.","format":"uri"},"refreshTokenPath":{"type":"string","description":"JSON path to extract the new access token from the refresh response.\nExample: \"access_token\" or \"data.token\".\n"},"refreshTokenMediaType":{"type":"string","enum":["json","urlencoded"],"description":"Content type for token refresh request bodies.","default":"json"},"refreshTokenHeaders":{"type":"array","description":"Additional headers to include in token refresh requests.","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}},"required":["name","value"]}},"headers":{"type":"array","description":"Default HTTP headers included in every API request.\nUse for API keys in custom headers, content negotiation, or required headers.\n","items":{"type":"object","properties":{"name":{"type":"string","description":"Header name."},"value":{"type":"string","description":"Header value. Supports handlebars expressions."}},"required":["name","value"]}},"pingRelativeURI":{"type":"string","description":"Relative URI (appended to baseURI) for connection health check requests.\nShould be a lightweight endpoint (e.g., \"/me\", \"/health\").\n"},"pingSuccessPath":{"type":"string","description":"JSON path to extract a success indicator from the ping response.\nIf the value matches one of pingSuccessValues, the ping succeeds.\n"},"pingSuccessValues":{"type":"array","items":{"type":"string"},"description":"Values that indicate a successful ping at pingSuccessPath."},"pingFailurePath":{"type":"string","description":"JSON path to extract a failure indicator from the ping response.\n"},"pingFailureValues":{"type":"array","items":{"type":"string"},"description":"Values that indicate a failed ping at pingFailurePath."},"pingMethod":{"type":"string","enum":["GET","POST"],"description":"HTTP method for ping requests.","default":"GET"},"pingBody":{"type":"string","description":"Request body for ping requests (when pingMethod is POST)."},"encrypted":{"type":"object","description":"Encrypted custom fields for sensitive configuration values.\nField definitions are in encryptedFields.\n"},"encryptedFields":{"type":"array","description":"Metadata defining the encrypted custom fields on this connection.","items":{"type":"object","properties":{"id":{"type":"string","description":"Field identifier — matches the key in the encrypted object."},"label":{"type":"string","description":"Human-readable label shown in the UI."},"required":{"type":"boolean","default":false},"position":{"type":"number","description":"Display order in the UI form."},"helpText":{"type":"string","description":"Tooltip text shown next to the field in the UI."}}}},"unencrypted":{"type":"object","description":"Unencrypted custom fields for non-sensitive configuration values.\nField definitions are in unencryptedFields.\n"},"unencryptedFields":{"type":"array","description":"Metadata defining the unencrypted custom fields on this connection.","items":{"type":"object","properties":{"id":{"type":"string","description":"Field identifier — matches the key in the unencrypted object."},"label":{"type":"string","description":"Human-readable label shown in the UI."},"required":{"type":"boolean","default":false},"position":{"type":"number","description":"Display order in the UI form."},"helpText":{"type":"string","description":"Tooltip text shown next to the field in the UI."},"type":{"type":"string","description":"Field type hint for the UI (e.g., \"text\", \"select\")."}}}},"info":{"type":"object","description":"Additional metadata about the REST connection, populated by the system.","readOnly":true}}},"OAuth":{"type":"object","description":"OAuth 2.0 and OAuth 1.0a authentication configuration.\n\nUsed as a sub-object within HTTP and REST connection auth configurations.\nSupports three OAuth 2.0 grant types and OAuth 1.0a for legacy APIs.\n\n**Oauth 2.0 grant types**\n- \"authorizationcode\" — Authorization Code flow (browser-based user consent).\n  Requires authURI, tokenURI, and user authorization via browser.\n- \"clientcredentials\" — Client Credentials flow (server-to-server, no user).\n  Requires tokenURI, clientId, clientSecret.\n- \"password\" — Resource Owner Password flow (username/password exchange).\n  Requires tokenURI, username, password, clientId, clientSecret.\n\n**Oauth 1.0a**\nFor OAuth 1.0a APIs, configure the oauth1 sub-object with consumer key/secret\nand access token/secret. Supports HMAC, RSA, and PLAINTEXT signature methods.\n","properties":{"type":{"type":"string","enum":["custom","assistant"],"description":"OAuth configuration mode.\n- \"custom\" — Fully user-configured OAuth settings.\n- \"assistant\" — Pre-configured via an application assistant connector.\n"},"grantType":{"type":"string","enum":["authorizationcode","clientcredentials","password","implicit"],"description":"OAuth 2.0 grant type that determines the authentication flow.\n\n- \"authorizationcode\" — Authorization Code flow. Most secure. Requires user\n  authorization via browser redirect. Use for integrations that act on behalf of a user.\n- \"clientcredentials\" — Client Credentials flow. Server-to-server authentication\n  without user involvement. Use for machine-to-machine integrations.\n- \"password\" — Resource Owner Password Credentials flow. Exchanges username/password\n  directly for tokens. Only use when the API does not support other flows.\n- \"implicit\" — Implicit flow (legacy, not recommended for new integrations).\n","default":"authorizationcode"},"authURI":{"type":"string","format":"uri","description":"OAuth 2.0 authorization endpoint URL.\nREQUIRED for \"authorizationcode\" grant type. The user is redirected to this URL\nto authorize the application.\n"},"tokenURI":{"type":"string","format":"uri","description":"OAuth 2.0 token endpoint URL.\nREQUIRED for \"authorizationcode\", \"clientcredentials\", and \"password\" grant types.\nThe system exchanges credentials or authorization codes for access tokens at this URL.\n"},"skipOauthValidations":{"type":"boolean","description":"When true, skips Celigo's built-in OAuth configuration validation.\nUse when the API has non-standard OAuth requirements that conflict with validation rules.\n","default":false},"scope":{"type":"array","items":{"type":"string"},"description":"OAuth scopes to request during authorization. Controls the level of API access.\nScope values are API-specific (e.g., \"read\", \"write\", \"admin\").\n"},"scopeDelimiter":{"type":"string","description":"Delimiter between multiple scope values. Defaults to a space (\" \") per the\nOAuth 2.0 spec. Some APIs use commas or other delimiters.\n","default":" "},"clientId":{"type":"string","description":"OAuth client ID (application ID) registered with the API provider.\nREQUIRED for all OAuth 2.0 grant types.\n"},"clientSecret":{"type":"string","description":"OAuth client secret (encrypted at rest).\nREQUIRED for \"authorizationcode\" and \"clientcredentials\" grant types.\n","writeOnly":true},"username":{"type":"string","description":"Resource owner username. REQUIRED when grantType is \"password\".\n"},"password":{"type":"string","description":"Resource owner password (encrypted at rest). REQUIRED when grantType is \"password\".\n","writeOnly":true},"clientCredentialsLocation":{"type":"string","enum":["header","body"],"description":"Where to send client credentials in token requests.\n\n- \"header\" — Send as HTTP Basic Auth header (default, recommended by OAuth spec).\n- \"body\" — Send as form parameters in the request body.\n  Use when the API does not support Basic Auth for client credentials.\n","default":"header"},"accessTokenPath":{"type":"string","description":"JSON path to extract the access token from the token endpoint response.\nDefaults to \"access_token\" per the OAuth 2.0 spec.\nChange only if the API returns the token at a non-standard path.\n"},"accessTokenHeaders":{"type":"array","description":"Additional HTTP headers to include in token endpoint requests.\nUse for APIs that require custom headers beyond the standard OAuth parameters.\n","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"accessTokenBody":{"type":"string","description":"Additional body content to include in token endpoint requests.\nAppended to the standard OAuth parameters.\n"},"oauth2RedirectUrl":{"type":"string","description":"OAuth 2.0 redirect URI (callback URL) registered with the API provider.\nMust exactly match the redirect URI configured in the OAuth application registration.\n"},"useIClientFields":{"type":"boolean","description":"When true, uses iClient-managed OAuth credentials (clientId/clientSecret)\ninstead of the values in this configuration.\n"},"oauth1":{"type":"object","description":"OAuth 1.0a configuration for legacy APIs that use the older OAuth protocol.\n\n**Required fields**\n- consumerKey (always required)\n- accessToken (always required)\n- For HMAC methods: consumerSecret and tokenSecret\n- For RSA methods: consumerPrivateKey\n","properties":{"consumerKey":{"type":"string","description":"OAuth 1.0a consumer key (API key). REQUIRED.\nIdentifies the application making the request.\n"},"consumerSecret":{"type":"string","description":"OAuth 1.0a consumer secret (encrypted at rest).\nREQUIRED for HMAC and PLAINTEXT signature methods.\n","writeOnly":true},"accessToken":{"type":"string","description":"OAuth 1.0a access token (encrypted at rest). REQUIRED.\nRepresents the user's authorization for the application to access their data.\n","writeOnly":true},"tokenSecret":{"type":"string","description":"OAuth 1.0a token secret (encrypted at rest).\nREQUIRED for HMAC and PLAINTEXT signature methods.\n","writeOnly":true},"signatureMethod":{"type":"string","enum":["HMAC-SHA1","HMAC-SHA256","HMAC-SHA512","RSA-SHA1","RSA-SHA256","RSA-SHA512","PLAINTEXT"],"description":"OAuth 1.0a request signing method.\n\nHMAC methods (require consumerSecret and tokenSecret):\n- \"HMAC-SHA1\" — Most widely supported (legacy).\n- \"HMAC-SHA256\" — More secure HMAC variant.\n- \"HMAC-SHA512\" — Strongest HMAC variant.\n\nRSA methods (require consumerPrivateKey):\n- \"RSA-SHA1\" — RSA signing (legacy).\n- \"RSA-SHA256\" — More secure RSA variant.\n- \"RSA-SHA512\" — Strongest RSA variant.\n\n- \"PLAINTEXT\" — No cryptographic signing. Only for testing over HTTPS.\n"},"consumerPrivateKey":{"type":"string","description":"RSA private key for OAuth 1.0a RSA signature methods (encrypted at rest).\nREQUIRED when signatureMethod is RSA-SHA1, RSA-SHA256, or RSA-SHA512.\n","writeOnly":true},"realm":{"type":"string","description":"OAuth realm value included in the Authorization header.\nSome APIs require this to identify the authentication domain.\n"}}},"pkceCodeVerifier":{"type":"string","description":"PKCE (Proof Key for Code Exchange) code verifier for enhanced OAuth 2.0 security.\nManaged internally by the system during authorization code flows.\n","writeOnly":true}}},"HTTP":{"type":"object","description":"Configuration for HTTP/REST API connections. Used when the connection type is \"http\".\n\nThis is the most versatile connection type in Celigo, supporting any REST, SOAP, or generic HTTP API.\nIt handles authentication, request/response formatting, rate limiting, and connection health checks.\n\n**When to use**\n- Any REST or SOAP API not covered by a specialized connector (Salesforce, NetSuite, etc.)\n- Custom HTTP integrations with APIs that use standard auth methods\n- GraphQL APIs (set formType to \"graph_ql\")\n- Amazon Selling Partner API (set type to \"Amazon-SP-API\")\n\n**Authentication models**\nThe auth.type field selects the authentication strategy. Each type requires specific sub-fields:\n- \"basic\" — HTTP Basic Auth (username/password)\n- \"token\" — Bearer token or API key with optional auto-refresh\n- \"oauth\" — OAuth 2.0 (authorization code, client credentials, or password grant)\n- \"jwt\" / \"jwtbearer\" — JWT-based authentication with HMAC or RSA signing\n- \"cookie\" — Cookie-based session authentication\n- \"digest\" — HTTP Digest Authentication\n- \"oauth1\" — OAuth 1.0a (HMAC or RSA signatures)\n- \"custom\" — No built-in auth; credentials go in headers or encrypted fields\n- \"wsse\" — WS-Security UsernameToken (SOAP APIs)\n- \"specific\" — Platform-specific auth (e.g., PTX)\n","required":["mediaType"],"properties":{"mediaType":{"type":"string","enum":["xml","json","urlencoded","form-data","plaintext"],"description":"Default content type for outbound HTTP request bodies. REQUIRED.\n\nThis controls the Content-Type header and how request bodies are serialized:\n- \"json\" — application/json. Use for most modern REST APIs.\n- \"xml\" — application/xml. Use for SOAP or XML-based APIs.\n- \"urlencoded\" — application/x-www-form-urlencoded. Use for form-style POST bodies.\n- \"form-data\" — multipart/form-data. Use for file uploads or multipart requests.\n- \"plaintext\" — text/plain. Use for raw text payloads.\n\nDefault to \"json\" unless the API documentation specifies otherwise.\n"},"successMediaType":{"type":"string","enum":["xml","csv","json","plaintext"],"description":"Expected content type of successful API responses. Controls how response bodies are parsed.\n\n- \"json\" — Parse response as JSON (default for most APIs).\n- \"xml\" — Parse response as XML.\n- \"csv\" — Parse response as CSV.\n- \"plaintext\" — Treat response as raw text, no parsing.\n\nIf omitted, the system infers the format from the response Content-Type header.\n"},"errorMediaType":{"type":"string","enum":["xml","json","plaintext"],"description":"Expected content type of error responses from the API. Controls how error response bodies are parsed for extracting error messages.\n\nIf omitted, defaults to the same format as successMediaType.\n"},"baseURI":{"type":"string","description":"Base URL for all API requests made through this connection. REQUIRED.\n\nAll relative URIs in exports and imports are appended to this base URL.\nMust be an absolute URL (e.g., \"https://api.example.com/v2\").\nHandlebars expressions are supported for dynamic URLs.\n\nDo NOT include trailing slashes — relative URIs in exports/imports should start with \"/\".\n","format":"uri"},"disableStrictSSL":{"type":"boolean","description":"When true, disables strict SSL/TLS certificate validation for API requests.\n\nOnly set to true for development/testing with self-signed certificates.\nNEVER disable in production — it removes protection against man-in-the-middle attacks.\n","default":false},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent HTTP requests this connection can make simultaneously.\n\nHigher values increase throughput but may trigger API rate limits.\nSet this based on the target API's rate limit documentation.\n","minimum":1,"maximum":100,"default":25},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system automatically adjusts\nconcurrency between 1 and this value based on rate limit feedback.\n\nOnly relevant when autoRecoverRateLimitErrors is enabled on the connection.\n","minimum":1,"maximum":100},"retryHeader":{"type":"string","description":"HTTP response header name that contains the retry delay (in seconds) when rate-limited.\n\nDefaults to \"Retry-After\" which is the HTTP standard. Only change this if the API\nuses a non-standard header name for retry-after values.\n","default":"Retry-After"},"formType":{"type":"string","enum":["assistant","rest","http","graph_ql","assistant_graphql"],"description":"Controls the UI form layout for configuring this connection. Determines which\nfields are shown and how they are organized in the Celigo UI.\n\n- \"http\" — Standard HTTP connection form with full control over all fields.\n- \"rest\" — Simplified REST connector form linked to an HTTP connector template.\n- \"assistant\" — Application assistant form with pre-configured settings.\n- \"graph_ql\" — GraphQL-specific form with query/mutation support.\n- \"assistant_graphql\" — Application assistant form with GraphQL support.\n\nFor programmatic creation, \"http\" is the most common choice.\n"},"type":{"type":"string","enum":["Amazon-SP-API","Amazon-Hybrid","vendor_central"],"description":"Specific API type for Amazon integrations. Only set this for Amazon connections.\n\n- \"Amazon-SP-API\" — Amazon Selling Partner API.\n- \"Amazon-Hybrid\" — Hybrid Amazon connection supporting both MWS and SP-API.\n- \"vendor_central\" — Amazon Vendor Central API.\n"},"clientCertificates":{"type":"object","description":"Client certificate configuration for mutual TLS (mTLS) authentication.\n\nUse when the API server requires a client certificate to establish the TLS connection.\nYou can provide either a PEM cert/key pair OR a PFX bundle, but not both.\n","properties":{"cert":{"type":"string","description":"Client certificate in PEM format. Must be paired with the key field.\nCannot be used together with pfx.\n"},"key":{"type":"string","description":"Private key for the client certificate in PEM format (encrypted at rest).","writeOnly":true},"ca":{"type":"string","description":"Certificate Authority (CA) certificate in PEM format.\nUse when the server's certificate is signed by a private CA not in the default trust store.\n"},"passphrase":{"type":"string","description":"Passphrase to decrypt an encrypted private key or PFX bundle (encrypted at rest).","writeOnly":true},"pfx":{"type":"string","description":"PKCS#12 (.pfx/.p12) bundle containing both the certificate and private key (encrypted at rest).\nCannot be used together with cert/key.\n","writeOnly":true}}},"ping":{"type":"object","description":"Connection health check (ping) configuration. Defines how Celigo tests\nwhether this connection is alive and authenticated.\n\nWhen configured, Celigo sends an HTTP request to the specified endpoint and\nevaluates the response to determine connection health. The ping runs when\ntesting the connection in the UI and periodically during flow execution.\n","properties":{"relativeURI":{"type":"string","description":"Relative URI appended to baseURI for the ping request.\nShould be a lightweight, fast endpoint (e.g., \"/me\", \"/health\", \"/api/v1/status\").\n"},"method":{"type":"string","enum":["GET","POST","PUT","HEAD"],"description":"HTTP method for the ping request. Defaults to GET.\nUse POST only if the health endpoint requires it.\n","default":"GET"},"body":{"type":"string","description":"Request body for the ping request. Only used when method is POST or PUT.\nFor form-data mediaType, must be valid multipart form data.\n"},"successPath":{"type":"string","description":"JSON path or XPath expression to extract a success indicator from the ping response.\nIf the value at this path matches one of the successValues, the ping succeeds.\nIf omitted, any 2xx response is considered successful.\n"},"successValues":{"type":"array","items":{"type":"string"},"description":"Values that indicate a successful ping when found at successPath.\nRequires successPath to be set.\n"},"allowArrayforSuccessPath":{"type":"boolean","description":"Whether the value at successPath can be an array (any matching element counts as success)."},"failPath":{"type":"string","description":"JSON path or XPath expression to extract a failure indicator from the ping response.\nIf the value at this path matches one of the failValues, the ping fails even if the HTTP status is 2xx.\n"},"failValues":{"type":"array","items":{"type":"string"},"description":"Values that indicate a failed ping when found at failPath.\nRequires failPath to be set.\n"},"errorPath":{"type":"string","description":"JSON path or XPath expression to extract a human-readable error message from\na failed ping response. The extracted message is shown to the user in the UI.\n"}}},"auth":{"type":"object","description":"Authentication configuration for the API connection.\n\nThe auth.type field selects the authentication strategy. Each type requires\nspecific sub-fields — see the type field description for details.\n","properties":{"type":{"type":"string","enum":["custom","basic","token","oauth","wsse","cookie","jwt","digest","specific","oauth1","jwtbearer"],"description":"Authentication method for this connection. Determines which auth sub-fields are required.\n\n- \"basic\" — HTTP Basic Auth. Requires: auth.basic.username and auth.basic.password.\n- \"token\" — API key or bearer token. Requires: auth.token with token value and location.\n  Supports automatic token refresh via refreshMethod/refreshRelativeURI.\n- \"oauth\" — OAuth 2.0. Requires: auth.oauth with grant type, URIs, and credentials.\n  Supports authorization code, client credentials, and password grant flows.\n- \"jwtbearer\" — JWT Bearer Token. Requires: auth.jwt with signatureMethod and payload.\n  HMAC methods need a secret; RSA/EC methods need a privateKey.\n- \"cookie\" — Cookie-based session auth. Requires: auth.cookie.uri (login endpoint).\n- \"digest\" — HTTP Digest Auth. Requires: auth.basic.username and auth.basic.password.\n- \"oauth1\" — OAuth 1.0a. Requires: auth.oauth.oauth1 with consumer key/secret and tokens.\n- \"custom\" — No built-in auth handling. Put credentials in headers or encrypted fields.\n- \"wsse\" — WS-Security. Requires: auth.basic.username and auth.basic.password.\n- \"specific\" — Platform-specific auth (e.g., PTX).\n- \"jwt\" — Legacy JWT auth. Prefer \"jwtbearer\" for new connections.\n"},"failStatusCode":{"type":"number","description":"HTTP status code that indicates an authentication failure (e.g., 401, 403).\nWhen this status code is received, the system triggers re-authentication\nbefore retrying the request.\n"},"failPath":{"type":"string","description":"JSON path or XPath expression to check in response bodies for authentication failure indicators.\nUsed when APIs return 200 OK but embed auth errors in the response body.\n"},"failValues":{"type":"array","items":{"type":"string"},"description":"Values at failPath that indicate an authentication failure.\nRequires failPath to be set.\n"},"skipFollowAuthorizationHeader":{"type":"boolean","description":"When true, the Authorization header is NOT forwarded on HTTP redirects.\nEnable this for APIs that redirect to a different domain after authentication.\n"},"basic":{"type":"object","description":"Basic authentication credentials. REQUIRED when auth.type is \"basic\", \"wsse\", or \"digest\".\n","properties":{"username":{"type":"string","description":"Username for Basic/Digest/WSSE authentication."},"password":{"type":"string","description":"Password for Basic/Digest/WSSE authentication (encrypted at rest).","writeOnly":true}}},"token":{"type":"object","description":"Token-based authentication configuration. REQUIRED when auth.type is \"token\".\n\nSupports static API keys/bearer tokens and automatic token refresh flows.\nThe token can be sent in a header (Authorization), query parameter, or request body.\n","properties":{"token":{"type":"string","description":"The API key or bearer token value (encrypted at rest).\nREQUIRED unless automatic token refresh is configured.\n","writeOnly":true},"location":{"type":"string","enum":["url","header","body"],"description":"Where to include the token in outbound requests.\n- \"header\" — Sent in an HTTP header (most common). Use headerName and scheme to control format.\n- \"url\" — Sent as a URL query parameter. Use paramName to set the parameter name.\n- \"body\" — Included in the request body.\n"},"headerName":{"type":"string","description":"HTTP header name for the token when location is \"header\".\nDefaults to \"Authorization\" if omitted.\n"},"scheme":{"type":"string","description":"Token scheme/prefix when sent in a header. Prepended before the token value.\nCommon values: \"Bearer\", \"Token\", \"Basic\".\nExample: scheme \"Bearer\" produces header \"Authorization: Bearer <token>\".\n"},"paramName":{"type":"string","description":"Query parameter name for the token when location is \"url\".\nExample: paramName \"api_key\" produces URL \"?api_key=<token>\".\n"},"refreshMethod":{"type":"string","enum":["GET","POST","PUT"],"description":"HTTP method for automatic token refresh requests.\nREQUIRED when no static token is provided (refresh-based auth flow).\n","default":"POST"},"refreshRelativeURI":{"type":"string","description":"Relative URI (appended to baseURI) for the token refresh endpoint.\nThe system calls this endpoint to obtain a new token when the current one expires.\n"},"refreshBody":{"type":"string","description":"Request body to send with the token refresh request."},"refreshMediaType":{"type":"string","enum":["json","urlencoded","xml","plaintext"],"description":"Content type for the token refresh request body.\n","default":"urlencoded"},"refreshResponseMediaType":{"type":"string","enum":["json","xml"],"description":"Expected content type of the token refresh response."},"refreshTokenPath":{"type":"string","description":"JSON path to extract the new token from the refresh response.\nExample: \"access_token\" or \"data.token\".\n"},"refreshToken":{"type":"string","description":"Refresh token used to obtain a new access token (encrypted at rest).","writeOnly":true},"refreshTokenLocation":{"type":"string","enum":["header","body"],"description":"Where to include the refresh token in refresh requests."},"refreshHeaders":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}},"description":"Additional headers to include in token refresh requests."},"tokenPaths":{"type":"array","items":{"type":"string"},"description":"JSON paths to extract multiple token values from the refresh response.\nUse when the refresh response contains tokens at different paths that need\nto be stored for subsequent requests.\n"}}},"oauth":{"$ref":"#/components/schemas/OAuth"},"cookie":{"type":"object","description":"Cookie-based session authentication. REQUIRED when auth.type is \"cookie\".\n\nThe system authenticates by sending a request to the login URI, captures the\nsession cookies from the response, and includes them in all subsequent API requests.\n","properties":{"uri":{"type":"string","description":"Login endpoint URI for cookie authentication. REQUIRED.\nThe system sends a request to this URI to obtain session cookies.\n"},"body":{"type":"string","description":"Request body for the login request (e.g., JSON with username/password)."},"method":{"type":"string","description":"HTTP method for the login request (typically POST)."},"successStatusCode":{"type":"number","description":"HTTP status code that confirms successful authentication.\nIf the login response returns this status code, the session cookies are captured.\n"}}},"jwt":{"$ref":"#/components/schemas/JWT"}}},"rateLimit":{"type":"object","description":"Rate limiting configuration. Defines how the system detects and handles\nAPI rate limit responses.\n\nWhen rate limiting is detected, the system pauses requests and waits for\nthe retry-after period before resuming. The retryHeader field on the parent\nHTTP object controls which response header contains the wait time.\n","properties":{"failStatusCode":{"type":"number","description":"HTTP status code that indicates the API is rate-limiting requests.\nDefaults to 429 (Too Many Requests) which is the HTTP standard.\nChange only if the API uses a non-standard status code for rate limits.\n","default":429},"failPath":{"type":"string","description":"JSON path or XPath to check in response bodies for rate limit indicators.\nUsed when APIs return 200 OK but embed rate limit errors in the response body.\n"},"failValues":{"type":"array","items":{"type":"string"},"description":"Values at failPath that indicate rate limiting. Requires failPath to be set.\n"},"limit":{"type":"number","minimum":1,"description":"Maximum number of requests per rate-limit window. When set, the connection's\neffective concurrency level must be 1 to ensure proper rate limit enforcement.\n"}}},"headers":{"type":"array","description":"Default HTTP headers included in every request made through this connection.\nUse for API keys in custom headers, content negotiation, or any headers the API requires on all requests.\n","items":{"type":"object","properties":{"name":{"type":"string","description":"Header name (e.g., \"X-API-Key\", \"Accept\")."},"value":{"type":"string","description":"Header value. Supports handlebars expressions for dynamic values."}},"required":["name","value"]}},"encrypted":{"type":"object","description":"Encrypted custom fields for storing sensitive configuration values (API secrets,\nprivate keys, etc.) that don't fit standard auth fields. Values are encrypted at rest.\nField definitions are specified in encryptedFields.\n"},"encryptedFields":{"type":"array","description":"Metadata defining the encrypted custom fields available on this connection.\nEach entry describes a field in the encrypted object — its ID, label, and UI position.\n","items":{"type":"object","properties":{"id":{"type":"string","description":"Field identifier — matches the key in the encrypted object."},"label":{"type":"string","description":"Human-readable label shown in the UI."},"required":{"type":"boolean","default":false},"position":{"type":"number","description":"Display order in the UI form."},"helpText":{"type":"string","description":"Tooltip or help text shown next to the field in the UI."}}}},"unencrypted":{"type":"object","description":"Unencrypted custom fields for non-sensitive configuration values.\nField definitions are specified in unencryptedFields.\n"},"unencryptedFields":{"type":"array","description":"Metadata defining the unencrypted custom fields available on this connection.\nEach entry describes a field in the unencrypted object.\n","items":{"type":"object","properties":{"id":{"type":"string","description":"Field identifier — matches the key in the unencrypted object."},"label":{"type":"string","description":"Human-readable label shown in the UI."},"required":{"type":"boolean","default":false},"position":{"type":"number","description":"Display order in the UI form."},"helpText":{"type":"string","description":"Tooltip or help text shown next to the field in the UI."},"type":{"type":"string","description":"Field type hint for the UI (e.g., \"text\", \"select\")."}}}},"_iClientId":{"type":"string","format":"objectId","description":"ID of the iClient used for OAuth authentication."},"_httpConnectorId":{"type":"string","format":"objectId","description":"ID of the HTTP connector template this connection is based on."},"_httpConnectorApiId":{"type":"string","format":"objectId","description":"ID of the HTTP connector API definition."},"_httpConnectorVersionId":{"type":"string","format":"objectId","description":"ID of the HTTP connector version."}}},"JWT":{"type":"object","description":"JWT (JSON Web Token) authentication configuration.\n\nUsed when auth.type is \"jwtbearer\" on HTTP connections. The system generates\na signed JWT and uses it as a bearer token for API authentication.\n\n**Signing methods**\n- HMAC (HS256/HS384/HS512): Symmetric signing using a shared secret.\n  Requires the secret field.\n- RSA (RS256/RS384/RS512): Asymmetric signing using an RSA private key.\n  Requires the privateKey field.\n- ECDSA (ES256/ES384/ES512): Asymmetric signing using an elliptic curve private key.\n  Requires the privateKey field.\n\n**Required fields**\n- algorithm (signing algorithm)\n- secret (for HMAC algorithms) OR privateKey (for RSA/ECDSA algorithms)\n- At least one claim (issuer, subject, audience, or customClaims)\n","properties":{"algorithm":{"type":"string","enum":["HS256","HS384","HS512","RS256","RS384","RS512","ES256","ES384","ES512"],"description":"JWT signing algorithm. REQUIRED.\n\nHMAC algorithms (symmetric — use the secret field):\n- \"HS256\" — HMAC with SHA-256 (default, most common).\n- \"HS384\" — HMAC with SHA-384.\n- \"HS512\" — HMAC with SHA-512.\n\nRSA algorithms (asymmetric — use the privateKey field):\n- \"RS256\" — RSA with SHA-256 (most common for RSA).\n- \"RS384\" — RSA with SHA-384.\n- \"RS512\" — RSA with SHA-512.\n\nECDSA algorithms (asymmetric — use the privateKey field):\n- \"ES256\" — ECDSA with P-256 curve and SHA-256.\n- \"ES384\" — ECDSA with P-384 curve and SHA-384.\n- \"ES512\" — ECDSA with P-521 curve and SHA-512.\n","default":"HS256"},"secret":{"type":"string","description":"Shared secret key for HMAC signing algorithms (HS256/HS384/HS512).\nEncrypted at rest. REQUIRED when using an HMAC algorithm.\nNot used with RSA or ECDSA algorithms.\n","writeOnly":true},"privateKey":{"type":"string","description":"Private key in PEM format for RSA or ECDSA signing (encrypted at rest).\nREQUIRED when using an RSA (RS*) or ECDSA (ES*) algorithm.\nNot used with HMAC algorithms.\n","writeOnly":true},"publicKey":{"type":"string","description":"Public key for JWT verification. Optional — used when the API requires\nthe public key to be registered for signature verification.\n"},"issuer":{"type":"string","description":"JWT \"iss\" (issuer) claim. Identifies the principal that issued the JWT.\nTypically a client ID, service account email, or application identifier.\n"},"subject":{"type":"string","description":"JWT \"sub\" (subject) claim. Identifies the subject of the JWT.\nOften the user or service account the token represents.\n"},"audience":{"type":"string","description":"JWT \"aud\" (audience) claim. Identifies the intended recipient of the JWT.\nTypically the API endpoint URL or resource server identifier.\n"},"expiresIn":{"type":"number","description":"JWT expiration time in seconds from the current time.\nThe \"exp\" claim is set to (now + expiresIn). After this time, the JWT is invalid\nand the system generates a new one.\n","default":3600},"notBefore":{"type":"number","description":"JWT \"nbf\" (not before) claim in seconds from the current time.\nThe JWT is not valid before this time.\n"},"issuedAt":{"type":"boolean","description":"When true, includes the \"iat\" (issued at) claim with the current timestamp.\n","default":true},"jwtId":{"type":"boolean","description":"When true, includes a unique \"jti\" (JWT ID) claim for each generated token.\nUseful for preventing token replay attacks.\n","default":false},"customClaims":{"type":"object","description":"Additional custom claims to include in the JWT payload.\nUse for API-specific claims not covered by the standard fields\n(e.g., roles, permissions, custom scopes).\n"},"token":{"type":"string","description":"Pre-generated JWT token value (encrypted at rest).\nWhen set, this static token is used instead of generating one dynamically.\nUse only when the API provides a long-lived JWT that does not need to be regenerated.\n","writeOnly":true}}},"RDBMS":{"type":"object","description":"Configuration for relational database connections. Used when the connection type is \"rdbms\".\n\nCeligo has native support for these database systems:\n- MySQL, MariaDB\n- PostgreSQL\n- Microsoft SQL Server (mssql), Azure Synapse (azuresynapse)\n- Oracle\n- Snowflake\n- Google BigQuery\n- Amazon Redshift\n\n**Required fields**\n- type (always required — selects the database system)\n- host, database, user, password (for most database types)\n- Snowflake: additionally requires snowflake.warehouse and snowflake.authType (\"basic\" or \"keyPair\")\n- BigQuery: requires bigquery.projectId, bigquery.dataset, bigquery.clientEmail, bigquery.privateKey\n- Redshift: requires host, database, user, password; optionally redshift.aws credentials for IAM auth\n- Oracle: uses serviceName instead of database\n\n**Database-specific notes**\n- For Oracle, set serviceName (not database) and optionally serverType and instanceName.\n- For Snowflake, snowflake.authType is REQUIRED: use \"basic\" for password auth, \"keyPair\" for RSA key-pair auth.\n- For MS SQL Server with Azure AD service principal auth, set mssql.authType to \"azure-service-principal\".\n- For BigQuery, use service account credentials (clientEmail + privateKey).\n","required":["type"],"properties":{"type":{"type":"string","enum":["mysql","postgresql","mssql","snowflake","oracle","bigquery","redshift","mariadb","azuresynapse"],"description":"The specific relational database system to connect to. REQUIRED.\n\nThis determines the SQL dialect, connection driver, default port, and\nwhich additional sub-fields are required.\n\n- \"mysql\" — MySQL (default port 3306)\n- \"mariadb\" — MariaDB (default port 3306)\n- \"postgresql\" — PostgreSQL (default port 5432)\n- \"mssql\" — Microsoft SQL Server (default port 1433)\n- \"azuresynapse\" — Azure Synapse Analytics (default port 1433)\n- \"oracle\" — Oracle Database (default port 1521). Uses serviceName instead of database.\n- \"snowflake\" — Snowflake Data Cloud. Requires snowflake.warehouse.\n- \"bigquery\" — Google BigQuery. Requires service account credentials in the bigquery sub-object.\n- \"redshift\" — Amazon Redshift. Optionally uses AWS IAM credentials.\n"},"host":{"type":"string","description":"Database server hostname or IP address.\nREQUIRED for all types except BigQuery (which uses Google's API endpoints).\n\nFor Snowflake, use the account URL format: \"account_identifier.snowflakecomputing.com\".\nFor Redshift, use the cluster endpoint: \"cluster-name.region.redshift.amazonaws.com\".\n"},"port":{"type":"number","description":"Database server port number. If omitted, uses the default port for the database type:\n- MySQL/MariaDB: 3306\n- PostgreSQL: 5432\n- MS SQL/Azure Synapse: 1433\n- Oracle: 1521\n- Snowflake: 443\n- Redshift: 5439\n","minimum":1,"maximum":65535},"database":{"type":"string","description":"Database name to connect to. REQUIRED for most types.\n\nFor Oracle, use the serviceName field instead of database.\nFor BigQuery, use bigquery.dataset to specify the target dataset.\n"},"instanceName":{"type":"string","description":"Named instance identifier. Used by MS SQL Server and Oracle when the server\nhosts multiple database instances. Not required for default instances.\n"},"user":{"type":"string","description":"Database username for authentication.\nREQUIRED for all types except BigQuery (which uses service account auth).\n"},"password":{"type":"string","description":"Database password (encrypted at rest). REQUIRED alongside user for password-based auth.","writeOnly":true},"version":{"type":"string","description":"Database server version string. Used by some drivers for compatibility adjustments."},"serviceName":{"type":"string","description":"Oracle service name. Used instead of the database field for Oracle connections.\nThis is the TNS service name or pluggable database (PDB) service name.\n"},"serverType":{"type":"string","enum":["dedicated","shared","pooled"],"description":"Oracle server connection type. Controls the server process model.\n\n- \"dedicated\" — Each connection gets its own server process. Best for heavy workloads.\n- \"shared\" — Connections share a pool of server processes. More resource-efficient.\n- \"pooled\" — Database Resident Connection Pooling (DRCP). Best for many short-lived connections.\n"},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent database connections.\nSet based on the database server's connection limit and available resources.\n","minimum":1,"maximum":100,"default":5},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system adjusts the number of\nconcurrent connections between 1 and this value based on performance feedback.\n","minimum":1,"maximum":100},"disableStrictSSL":{"type":"boolean","description":"When true, disables strict SSL/TLS certificate validation for the database connection.\nOnly use for development/testing with self-signed certificates.\n","default":false},"snowflake":{"type":"object","description":"Snowflake-specific configuration. REQUIRED when type is \"snowflake\".\n","required":["warehouse","authType"],"properties":{"warehouse":{"type":"string","description":"Snowflake virtual warehouse name. REQUIRED for Snowflake connections.\nThe warehouse provides compute resources for queries. Must be a warehouse\nthe user role has access to.\n"},"schema":{"type":"string","description":"Default Snowflake schema. If omitted, queries must fully-qualify table names\n(e.g., DATABASE.SCHEMA.TABLE).\n"},"role":{"type":"string","description":"Snowflake security role to use for the session. Determines which databases,\nschemas, and warehouses are accessible. Defaults to the user's default role.\n"},"authType":{"type":"string","enum":["basic","keyPair"],"description":"Authentication type for Snowflake. REQUIRED.\n\n- \"basic\" — Username/password authentication. Use for standard username/password connections.\n- \"keyPair\" — Key-pair authentication using RSA private key.\n  When using keyPair, provide the RSA private key in the connection's key field.\n\nWhen creating placeholder/dummy connections, use \"basic\".\n"}}},"mssql":{"type":"object","description":"Microsoft SQL Server / Azure Synapse-specific configuration.\n","properties":{"authType":{"type":"string","enum":["basic","azure-service-principal"],"description":"Authentication type for MS SQL Server.\n\n- \"basic\" — Standard SQL Server authentication with username/password (default).\n- \"azure-service-principal\" — Azure Active Directory service principal authentication.\n  Requires an iClient configuration with the service principal credentials.\n","default":"basic"}}},"bigquery":{"type":"object","description":"Google BigQuery-specific configuration. REQUIRED when type is \"bigquery\".\nUses Google Cloud service account credentials for authentication.\n","properties":{"projectId":{"type":"string","description":"Google Cloud project ID that contains the BigQuery datasets. REQUIRED.\nFound in the Google Cloud Console project settings.\n"},"dataset":{"type":"string","description":"Default BigQuery dataset name. REQUIRED.\nQueries will target tables within this dataset unless fully-qualified names are used.\n"},"clientEmail":{"type":"string","description":"Google Cloud service account email address. REQUIRED.\nFormat: \"service-account-name@project-id.iam.gserviceaccount.com\".\nThe service account must have BigQuery Data Editor and BigQuery Job User roles.\n"},"privateKey":{"type":"string","description":"Google Cloud service account private key in PEM format (encrypted at rest). REQUIRED.\nDownloaded as part of the service account JSON key file.\n","writeOnly":true}}},"redshift":{"type":"object","description":"Amazon Redshift-specific configuration. AWS credentials are optional —\nonly needed for IAM-based authentication instead of standard username/password.\n","properties":{"aws":{"type":"object","description":"AWS credentials for IAM-based Redshift authentication.","properties":{"accessKeyId":{"type":"string","description":"AWS access key ID for IAM authentication."},"secretAccessKey":{"type":"string","description":"AWS secret access key (encrypted at rest).","writeOnly":true}}},"clusterIdentifier":{"type":"string","description":"Redshift cluster identifier. Required for IAM-based authentication."},"region":{"type":"string","description":"AWS region where the Redshift cluster is deployed. Required for IAM-based authentication.\n","enum":["us-east-1","us-east-2","us-west-1","us-west-2","eu-west-1","eu-west-2","eu-west-3","eu-central-1","ap-southeast-1","ap-southeast-2","ap-northeast-1","ap-northeast-2","ap-south-1","sa-east-1","ca-central-1"]}}},"ssl":{"$ref":"#/components/schemas/SSL"},"options":{"type":"array","description":"Additional database driver connection options as name/value pairs.\nUse for driver-specific settings not covered by the standard fields\n(e.g., connection timeout, charset, application name).\n","items":{"type":"object","properties":{"name":{"type":"string","description":"Option name (driver-specific)."},"value":{"type":"string","description":"Option value."}},"required":["name","value"]}}}},"MongoDB":{"type":"object","description":"Configuration for MongoDB connections. Used when the connection type is \"mongodb\".\n\nSupports standalone MongoDB instances, replica sets, and MongoDB Atlas clusters.\n\n**Required fields**\n- host (array of one or more server addresses)\n- database (target database name)\n\n**Authentication**\nUsername and password are optional — only required when the MongoDB server has\nauthentication enabled (which is recommended for production).\nUse authSource to specify the authentication database if it differs from the target database.\n\n**Replica sets**\nFor replica sets, provide all member hostnames in the host array and set\nthe replicaSet field to the replica set name.\n","required":["host","database"],"properties":{"host":{"type":"array","items":{"type":"string"},"description":"MongoDB server addresses. REQUIRED. An array of one or more host:port strings.\n\n- Standalone: [\"mongodb.example.com:27017\"]\n- Replica set: [\"rs1.example.com:27017\", \"rs2.example.com:27017\", \"rs3.example.com:27017\"]\n- MongoDB Atlas: [\"cluster0-shard-00-00.abc.mongodb.net:27017\", ...]\n\nInclude the port number with each host. Default MongoDB port is 27017.\n"},"database":{"type":"string","description":"Target MongoDB database name. REQUIRED.\nAll operations (reads/writes) target collections within this database.\n"},"username":{"type":"string","description":"MongoDB username for authentication.\nRequired when the MongoDB server has authentication enabled.\n"},"password":{"type":"string","description":"MongoDB password (encrypted at rest). Required alongside username.","writeOnly":true},"replicaSet":{"type":"string","description":"MongoDB replica set name. Required when connecting to a replica set.\nThe driver uses this to discover all replica set members and handle failover.\nFor MongoDB Atlas, this is typically \"atlas-xxxxxx-shard-0\".\n"},"ssl":{"type":"boolean","description":"When true, connects to MongoDB over TLS/SSL.\nRequired for MongoDB Atlas and recommended for all production deployments.\n","default":false},"authSource":{"type":"string","description":"MongoDB authentication database — the database where the user credentials are stored.\nDefaults to the value of the database field. Set to \"admin\" if the user was created\nin the admin database (common for shared MongoDB deployments and Atlas).\n"},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent MongoDB operations.\n","minimum":1,"maximum":100,"default":5},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system adjusts concurrency\nbetween 1 and this value based on performance feedback.\n","minimum":1,"maximum":100}}},"AS2":{"type":"object","description":"AS2 (Applicability Statement 2) connection configuration for EDI","required":["as2Id","partnerId"],"properties":{"as2Id":{"type":"string","description":"AS2 identifier for this station. Trading partners use this as the \"To\"\nidentifier when sending documents, and integrator.io uses it as the \"From\"\nidentifier when sending documents to partners.\n\nIMPORTANT: This value must be unique across ALL integrator.io users to\nensure inbound documents are routed correctly. It CANNOT be updated after\ncreation. Use a different identifier for each environment (e.g., production vs. non-production).\n\nIf not provided, a unique value will be auto-generated.\n"},"partnerId":{"type":"string","description":"AS2 partner identifier"},"_tpConnectorId":{"type":"string","format":"objectId","description":"Reference to a trading partner connector"},"contentBasedFlowRouter":{"type":"object","description":"Content-based routing configuration","properties":{"function":{"type":"string","description":"Name of the routing function"},"_scriptId":{"type":"string","format":"objectId","description":"Reference to script containing the routing function"}}},"partnerStationInfo":{"type":"object","description":"Partner (remote) station configuration — used on the IMPORT side.\nControls how messages are sent TO the trading partner.\n","required":["as2URI","signing","encryptionType"],"properties":{"as2URI":{"type":"string","format":"uri","description":"Partner's AS2 endpoint URI"},"mdn":{"type":"object","description":"MDN (Message Disposition Notification) settings","required":["mdnSigning"],"properties":{"mdnURL":{"type":"string","description":"URL for asynchronous MDN"},"signatureProtocol":{"type":"string","enum":["pkcs7-signature"],"description":"MDN signature protocol"},"mdnSigning":{"type":"string","enum":["NONE","SHA1","MD5","SHA256"],"description":"MDN signing algorithm"},"verifyMDNSignature":{"type":"boolean","description":"Whether to verify the MDN signature from the partner"}}},"auth":{"type":"object","description":"Authentication for the partner AS2 endpoint","properties":{"type":{"type":"string","enum":["basic","token"],"description":"Authentication type"},"failStatusCode":{"type":"number","description":"HTTP status code indicating auth failure"},"failPath":{"type":"string","description":"JSON path to check for auth failure"},"failValues":{"type":"array","items":{"type":"string"},"description":"Values at failPath that indicate auth failure"},"basic":{"type":"object","description":"Basic auth credentials","properties":{"username":{"type":"string","description":"Username for basic auth"},"password":{"type":"string","writeOnly":true,"description":"Password for basic auth (encrypted)"}}},"token":{"type":"object","description":"Token-based auth configuration","properties":{"refreshHeaders":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}},"description":"Headers for token refresh requests"},"refreshToken":{"type":"string","writeOnly":true,"description":"Refresh token (encrypted)"}}}}},"rateLimit":{"type":"object","description":"Rate limiting configuration","properties":{"failStatusCode":{"type":"number"},"failPath":{"type":"string"},"failValues":{"type":"array","items":{"type":"string"}},"limit":{"type":"number","minimum":1,"description":"Maximum requests per time window"}}},"SMIMEVersion":{"type":"string","enum":["v2","v3"],"description":"S/MIME version (not typically exposed on UI)"},"signing":{"type":"string","enum":["NONE","SHA1","MD5","SHA256"],"description":"Message signing algorithm for outbound messages to partner"},"encryptionType":{"type":"string","enum":["NONE","DES","RC2","3DES","AES128","AES256"],"description":"Message encryption type for outbound messages to partner"},"encoding":{"type":"string","enum":["base64","binary"],"description":"Content transfer encoding (default base64)"},"signatureEncoding":{"type":"string","enum":["base64","binary"],"description":"Signature encoding format"}}},"userStationInfo":{"type":"object","description":"User (local) station configuration — used on the EXPORT side.\nControls how inbound messages from the partner are processed.\n","required":["signing","encryptionType"],"properties":{"mdn":{"type":"object","description":"MDN settings for inbound messages","required":["mdnSigning"],"properties":{"mdnURL":{"type":"string","description":"URL for asynchronous MDN"},"signatureProtocol":{"type":"string","enum":["pkcs7-signature"],"description":"MDN signature protocol"},"mdnSigning":{"type":"string","enum":["NONE","SHA1","MD5","SHA256"],"description":"MDN signing algorithm"},"mdnEncoding":{"type":"string","enum":["base64","binary"],"description":"MDN encoding format"}}},"signing":{"type":"string","enum":["NONE","SHA1","MD5","SHA256"],"description":"Message signing algorithm for inbound message verification"},"encryptionType":{"type":"string","enum":["NONE","DES","RC2","3DES","AES128","AES256"],"description":"Message encryption type for inbound message decryption"},"encoding":{"type":"string","enum":["base64","binary"],"description":"Content transfer encoding (default binary)"},"compressed":{"type":"boolean","description":"Whether to compress messages","default":false}}},"encrypted":{"type":"object","description":"Encrypted certificate and key data (stored encrypted at rest).\nRequired when signing or encryption is enabled (not NONE).\nAuto-generated self-signed certificates will be injected if not provided.\n","properties":{"userPrivateKey":{"type":"string","writeOnly":true,"description":"PEM-encoded X.509 private key for this station.\nRequired when partnerStationInfo.signing != NONE or userStationInfo.encryptionType != NONE.\n"}}},"unencrypted":{"type":"object","description":"Unencrypted certificate data for identity and partner verification.\nRequired when signing or encryption is enabled (not NONE).\nAuto-generated self-signed certificates will be injected if not provided.\n","properties":{"userPublicKey":{"type":"string","description":"PEM-encoded X.509 public certificate for this station.\nRequired when partnerStationInfo.signing != NONE or userStationInfo.encryptionType != NONE.\n"},"partnerCertificate":{"type":"string","description":"PEM-encoded X.509 certificate for the trading partner.\nRequired when partnerStationInfo.encryptionType != NONE or userStationInfo.signing != NONE,\nor when partnerStationInfo.mdn.verifyMDNSignature is true.\n"}}},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent operations","minimum":1,"maximum":10,"default":1},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling","minimum":1,"maximum":10},"preventCanonicalization":{"type":"boolean","description":"Prevent canonicalization of message content","default":false}}},"Filesystem":{"type":"object","description":"Configuration for filesystem connections. Used when the connection type is \"filesystem\".\n\nFilesystem connections provide access to the local filesystem on a Celigo on-premise Agent.\nThis enables file-based integrations with directories on the agent's host machine or\nmounted network drives.\n\n**Agent requirement**\nA Celigo Agent is REQUIRED for filesystem connections (set _agentId on the parent\nconnection object). The agent provides the filesystem access — cloud-only\ndeployments cannot use this connection type.\n\n**Ping**\nSet ping.directoryPath to a directory the agent can access to verify the connection.\n","properties":{"ping":{"type":"object","description":"Health check configuration for validating filesystem access.","properties":{"directoryPath":{"type":"string","description":"Absolute directory path on the agent's host used for connection health checks.\nThe system verifies the directory exists and is accessible.\nExample: \"/data/integrations/incoming\" or \"C:\\\\Data\\\\Integrations\".\n"}}},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent filesystem operations.\n","minimum":1,"maximum":100},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling.\n","minimum":1,"maximum":100}}},"DynamoDB":{"type":"object","description":"Configuration for Amazon DynamoDB connections. Used when the connection type is \"dynamodb\".\n\nProvides access to DynamoDB tables for NoSQL data integrations.\nUses AWS IAM credentials for authentication.\n\n**Required fields**\n- aws.accessKeyId\n- aws.secretAccessKey\n\nThe IAM credentials must have appropriate DynamoDB permissions\n(dynamodb:GetItem, dynamodb:PutItem, dynamodb:Query, dynamodb:Scan, etc.).\n","required":["aws"],"properties":{"aws":{"type":"object","description":"AWS IAM credentials for DynamoDB authentication. REQUIRED.","properties":{"accessKeyId":{"type":"string","description":"AWS access key ID for IAM authentication.\nFrom an IAM user or role with DynamoDB access permissions.\n"},"secretAccessKey":{"type":"string","description":"AWS secret access key (encrypted at rest).","writeOnly":true}}},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent DynamoDB operations.\nDynamoDB throughput is governed by table-level read/write capacity units.\n","minimum":1,"maximum":100,"default":5},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system adjusts concurrency\nbetween 1 and this value based on throughput feedback.\n","minimum":1,"maximum":100}}},"JDBC":{"type":"object","description":"Configuration for JDBC (Java Database Connectivity) connections.\nUsed when the connection type is \"jdbc\".\n\nJDBC connections provide access to databases through Java-based JDBC drivers,\nincluding databases not natively supported by Celigo's RDBMS connector.\n\n**When to use jdbc vs rdbms**\n- Use RDBMS for: MySQL, PostgreSQL, MS SQL, Snowflake, Oracle, BigQuery, Redshift, MariaDB.\n- Use JDBC for: NetSuite (SuiteAnalytics), Databricks, DB2, Workday, and other databases\n  accessible via a JDBC driver deployed on a Celigo Agent.\n\n**Required fields**\n- type (always required — selects the JDBC driver)\n- host, database, user, password (for most types)\n- For Oracle: use serviceName instead of database\n- For wallet auth: set authType to \"wallet\" and provide the wallet file\n\n**Agent requirement**\nMost JDBC connections require a Celigo on-premise Agent (set _agentId on the connection)\nbecause the JDBC driver runs on the agent, not in the cloud.\n","required":["type"],"properties":{"type":{"type":"string","enum":["agent","netsuitejdbc","databricks","oracle:thin","sqlserver","activedirectory","db2","workday"],"description":"JDBC driver/connection type. REQUIRED.\n\n- \"agent\" — Generic JDBC driver deployed on a Celigo Agent. Requires driverPath.\n- \"netsuitejdbc\" — NetSuite SuiteAnalytics JDBC driver for reporting and analytics queries.\n- \"databricks\" — Databricks SQL/Spark via JDBC.\n- \"oracle:thin\" — Oracle Database via the Oracle Thin JDBC driver.\n- \"sqlserver\" — Microsoft SQL Server via the JTDS or Microsoft JDBC driver.\n- \"activedirectory\" — SQL Server with Active Directory authentication.\n- \"db2\" — IBM DB2 database.\n- \"workday\" — Workday via JDBC (for report/data access).\n"},"version":{"type":"string","description":"JDBC driver version. Used for driver compatibility when multiple versions are available."},"host":{"type":"string","description":"Database server hostname or IP address.\nFor NetSuite JDBC, use the SuiteAnalytics Connect hostname\n(e.g., \"account-id.connect.api.netsuite.com\").\n"},"port":{"type":"number","description":"Database server port number. Default varies by driver type."},"database":{"type":"string","description":"Database or catalog name. For Oracle, use the serviceName field instead.\n"},"user":{"type":"string","description":"Database username for authentication."},"password":{"type":"string","description":"Database password (encrypted at rest).","writeOnly":true},"serviceName":{"type":"string","description":"Oracle service name. Used instead of the database field for Oracle JDBC connections.\nThis is the TNS service name or pluggable database (PDB) service name.\n"},"authType":{"type":"string","enum":["customjdbc","wallet"],"description":"Authentication method for the JDBC connection.\n\n- \"customjdbc\" — Standard username/password authentication (default).\n- \"wallet\" — Oracle Wallet authentication. Provide the wallet file in the wallet field.\n  The wallet contains encrypted credentials so username/password are not needed separately.\n"},"wallet":{"type":"string","description":"Oracle Wallet file contents (encrypted at rest).\nREQUIRED when authType is \"wallet\". Contains the auto-login wallet (cwallet.sso)\nwith encrypted credentials for passwordless Oracle authentication.\n","writeOnly":true},"driverPath":{"type":"string","description":"File path to the JDBC driver JAR on the Celigo Agent.\nREQUIRED when type is \"agent\" (generic JDBC).\nThe driver must be deployed on the agent before creating the connection.\n"},"properties":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}},"description":"Additional JDBC connection properties as name/value pairs.\nThese are passed directly to the JDBC driver as connection properties.\nUse for driver-specific settings like SSL mode, connection timeout,\napplication name, etc.\n"},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent database connections.\nJDBC connections often run through a single Agent, so keep this value\nconservative to avoid overwhelming the Agent or database.\n","minimum":1,"maximum":100,"default":5},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system adjusts the number of\nconcurrent connections between 1 and this value based on performance feedback.\n","minimum":1,"maximum":100}}},"VAN":{"type":"object","description":"Configuration for VAN (Value Added Network) connections.\nUsed when the connection type is \"van\".\n\nVAN connections provide EDI document exchange through a Value Added Network provider.\nDocuments are sent to and received from a VAN mailbox identified by the mailboxId.\n\nThe as2Id field links this VAN connection to an AS2 identity for document routing,\nand contentBasedFlowRouter enables routing inbound documents to different flows\nbased on document content.\n","properties":{"mailboxId":{"type":"number","description":"VAN mailbox identifier. Identifies the specific mailbox on the VAN provider\nthat this connection sends to and receives from.\n"},"as2Id":{"type":"string","description":"AS2 identifier for this VAN station. Used as the \"From\" identifier when sending\ndocuments and the \"To\" identifier when receiving. Must be unique across all\nintegrator.io users. Cannot be changed after creation.\n"},"contentBasedFlowRouter":{"type":"object","description":"Content-based routing configuration for inbound VAN documents.\nRoutes incoming documents to different flows based on document content\nusing a custom JavaScript function.\n","properties":{"function":{"type":"string","description":"Name of the JavaScript routing function in the referenced script."},"_scriptId":{"type":"string","format":"objectId","description":"Reference to the script resource containing the routing function."}}}}},"MCP":{"type":"object","description":"Configuration for MCP (Model Context Protocol) connections.\nUsed when the connection type is \"mcp\".\n\nMCP connections enable Celigo to call tools exposed by an external MCP server\nover HTTP. The MCP server provides a set of callable tools that can be invoked\nduring flow execution.\n\n**Required fields**\n- serverURL (the MCP server's HTTP endpoint)\n- http.auth.type (must be one of: \"token\", \"oauth\", or \"custom\")\n\n**Authentication**\nMCP connections authenticate via the http sub-object, which reuses the same\nauth configuration as HTTP connections but with a restricted set of auth types.\nOnly \"token\", \"oauth\", and \"custom\" are valid for MCP connections.\n","properties":{"protocol":{"type":"string","enum":["http"],"description":"Transport protocol for communicating with the MCP server.\nCurrently only \"http\" is supported.\n"},"serverURL":{"type":"string","description":"MCP server endpoint URL. REQUIRED.\nMust be a valid absolute URL (e.g., \"https://mcp-server.example.com/mcp\").\nThe system validates this as a proper URL.\n","format":"uri"},"timeout":{"type":"number","description":"Request timeout in milliseconds for MCP tool invocations.\nIf the MCP server does not respond within this time, the request fails.\n"},"allowedTools":{"type":"array","description":"Optional allowlist of MCP tool names that this connection may invoke.\nWhen set, only tools in this list can be called. When omitted or empty,\nall tools exposed by the MCP server are available.\n","items":{"type":"string"}},"http":{"type":"object","description":"HTTP transport configuration for the MCP connection, including authentication and headers.\n\nThe auth.type MUST be one of: \"token\", \"oauth\", or \"custom\".\nOther auth types (basic, cookie, jwt, etc.) are not supported for MCP connections.\n","properties":{"_iClientId":{"type":"string","format":"objectId","description":"Reference to an OAuth iClient for OAuth-based MCP authentication.\nRequired when http.auth.type is \"oauth\".\n"},"auth":{"$ref":"#/components/schemas/auth"},"headers":{"type":"array","description":"Default HTTP headers included in every request to the MCP server.\n","items":{"type":"object","properties":{"name":{"type":"string","description":"Header name."},"value":{"type":"string","description":"Header value."}},"required":["name","value"]}},"unencrypted":{"type":"object","description":"Unencrypted custom fields for non-sensitive MCP configuration."},"encrypted":{"type":"object","description":"Encrypted custom fields for sensitive MCP configuration (encrypted at rest)."}}}}},"auth":{"type":"object","description":"Authentication configuration for the API connection.\n\nThe auth.type field selects the authentication strategy. Each type requires\nspecific sub-fields — see the type field description for details.\n","properties":{"type":{"type":"string","enum":["custom","basic","token","oauth","wsse","cookie","jwt","digest","specific","oauth1","jwtbearer"],"description":"Authentication method for this connection. Determines which auth sub-fields are required.\n\n- \"basic\" — HTTP Basic Auth. Requires: auth.basic.username and auth.basic.password.\n- \"token\" — API key or bearer token. Requires: auth.token with token value and location.\n  Supports automatic token refresh via refreshMethod/refreshRelativeURI.\n- \"oauth\" — OAuth 2.0. Requires: auth.oauth with grant type, URIs, and credentials.\n  Supports authorization code, client credentials, and password grant flows.\n- \"jwtbearer\" — JWT Bearer Token. Requires: auth.jwt with signatureMethod and payload.\n  HMAC methods need a secret; RSA/EC methods need a privateKey.\n- \"cookie\" — Cookie-based session auth. Requires: auth.cookie.uri (login endpoint).\n- \"digest\" — HTTP Digest Auth. Requires: auth.basic.username and auth.basic.password.\n- \"oauth1\" — OAuth 1.0a. Requires: auth.oauth.oauth1 with consumer key/secret and tokens.\n- \"custom\" — No built-in auth handling. Put credentials in headers or encrypted fields.\n- \"wsse\" — WS-Security. Requires: auth.basic.username and auth.basic.password.\n- \"specific\" — Platform-specific auth (e.g., PTX).\n- \"jwt\" — Legacy JWT auth. Prefer \"jwtbearer\" for new connections.\n"},"failStatusCode":{"type":"number","description":"HTTP status code that indicates an authentication failure (e.g., 401, 403).\nWhen this status code is received, the system triggers re-authentication\nbefore retrying the request.\n"},"failPath":{"type":"string","description":"JSON path or XPath expression to check in response bodies for authentication failure indicators.\nUsed when APIs return 200 OK but embed auth errors in the response body.\n"},"failValues":{"type":"array","items":{"type":"string"},"description":"Values at failPath that indicate an authentication failure.\nRequires failPath to be set.\n"},"skipFollowAuthorizationHeader":{"type":"boolean","description":"When true, the Authorization header is NOT forwarded on HTTP redirects.\nEnable this for APIs that redirect to a different domain after authentication.\n"},"basic":{"type":"object","description":"Basic authentication credentials. REQUIRED when auth.type is \"basic\", \"wsse\", or \"digest\".\n","properties":{"username":{"type":"string","description":"Username for Basic/Digest/WSSE authentication."},"password":{"type":"string","description":"Password for Basic/Digest/WSSE authentication (encrypted at rest).","writeOnly":true}}},"token":{"type":"object","description":"Token-based authentication configuration. REQUIRED when auth.type is \"token\".\n\nSupports static API keys/bearer tokens and automatic token refresh flows.\nThe token can be sent in a header (Authorization), query parameter, or request body.\n","properties":{"token":{"type":"string","description":"The API key or bearer token value (encrypted at rest).\nREQUIRED unless automatic token refresh is configured.\n","writeOnly":true},"location":{"type":"string","enum":["url","header","body"],"description":"Where to include the token in outbound requests.\n- \"header\" — Sent in an HTTP header (most common). Use headerName and scheme to control format.\n- \"url\" — Sent as a URL query parameter. Use paramName to set the parameter name.\n- \"body\" — Included in the request body.\n"},"headerName":{"type":"string","description":"HTTP header name for the token when location is \"header\".\nDefaults to \"Authorization\" if omitted.\n"},"scheme":{"type":"string","description":"Token scheme/prefix when sent in a header. Prepended before the token value.\nCommon values: \"Bearer\", \"Token\", \"Basic\".\nExample: scheme \"Bearer\" produces header \"Authorization: Bearer <token>\".\n"},"paramName":{"type":"string","description":"Query parameter name for the token when location is \"url\".\nExample: paramName \"api_key\" produces URL \"?api_key=<token>\".\n"},"refreshMethod":{"type":"string","enum":["GET","POST","PUT"],"description":"HTTP method for automatic token refresh requests.\nREQUIRED when no static token is provided (refresh-based auth flow).\n","default":"POST"},"refreshRelativeURI":{"type":"string","description":"Relative URI (appended to baseURI) for the token refresh endpoint.\nThe system calls this endpoint to obtain a new token when the current one expires.\n"},"refreshBody":{"type":"string","description":"Request body to send with the token refresh request."},"refreshMediaType":{"type":"string","enum":["json","urlencoded","xml","plaintext"],"description":"Content type for the token refresh request body.\n","default":"urlencoded"},"refreshResponseMediaType":{"type":"string","enum":["json","xml"],"description":"Expected content type of the token refresh response."},"refreshTokenPath":{"type":"string","description":"JSON path to extract the new token from the refresh response.\nExample: \"access_token\" or \"data.token\".\n"},"refreshToken":{"type":"string","description":"Refresh token used to obtain a new access token (encrypted at rest).","writeOnly":true},"refreshTokenLocation":{"type":"string","enum":["header","body"],"description":"Where to include the refresh token in refresh requests."},"refreshHeaders":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}},"description":"Additional headers to include in token refresh requests."},"tokenPaths":{"type":"array","items":{"type":"string"},"description":"JSON paths to extract multiple token values from the refresh response.\nUse when the refresh response contains tokens at different paths that need\nto be stored for subsequent requests.\n"}}},"oauth":{"$ref":"#/components/schemas/OAuth"},"cookie":{"type":"object","description":"Cookie-based session authentication. REQUIRED when auth.type is \"cookie\".\n\nThe system authenticates by sending a request to the login URI, captures the\nsession cookies from the response, and includes them in all subsequent API requests.\n","properties":{"uri":{"type":"string","description":"Login endpoint URI for cookie authentication. REQUIRED.\nThe system sends a request to this URI to obtain session cookies.\n"},"body":{"type":"string","description":"Request body for the login request (e.g., JSON with username/password)."},"method":{"type":"string","description":"HTTP method for the login request (typically POST)."},"successStatusCode":{"type":"number","description":"HTTP status code that confirms successful authentication.\nIf the login response returns this status code, the session cookies are captured.\n"}}},"jwt":{"$ref":"#/components/schemas/JWT"}}},"Wrapper":{"type":"object","description":"Configuration for Wrapper connections. Used when the connection type is \"wrapper\".\n\nWrapper connections are custom-built connectors deployed on a Celigo Stack.\nThey allow developers to implement custom authentication, data transformation,\nand API interaction logic using server-side JavaScript on a dedicated stack.\n\n**When to use**\nUse wrapper connections when:\n- The target API has non-standard authentication not supported by HTTP connections.\n- Custom server-side logic is needed for connection management.\n- You need a fully custom connector deployed on a Celigo Stack.\n\n**Required fields**\n- pingFunction (name of the function that tests connection health)\n- _stackId (set on the parent connection object — references the Celigo Stack)\n\n**Custom fields**\nUse encrypted/unencrypted fields to store connection-specific configuration.\nThe wrapper code on the Stack accesses these values at runtime.\n","required":["pingFunction"],"properties":{"pingFunction":{"type":"string","description":"Name of the JavaScript function on the Stack that tests connection health.\nThis function is called when the user clicks \"Test Connection\" in the UI.\nIt should verify that the connection credentials are valid and the target\nsystem is reachable.\n"},"unencrypted":{"type":"object","description":"Unencrypted custom fields for non-sensitive configuration values.\nThese values are accessible to the wrapper code on the Stack at runtime.\nField definitions are specified in unencryptedFields.\n"},"unencryptedFields":{"type":"array","description":"Metadata defining the unencrypted custom fields on this connection.","items":{"type":"object","properties":{"id":{"type":"string","description":"Field identifier — matches the key in the unencrypted object."},"label":{"type":"string","description":"Human-readable label shown in the UI."},"required":{"type":"boolean","default":false},"position":{"type":"number","description":"Display order in the UI form."},"helpText":{"type":"string","description":"Tooltip text shown next to the field in the UI."},"type":{"type":"string","description":"Field type hint for the UI (e.g., \"text\", \"select\")."}}}},"encrypted":{"type":"object","description":"Encrypted custom fields for sensitive configuration values (API keys, passwords, etc.).\nValues are encrypted at rest and decrypted only on the Stack at runtime.\nField definitions are specified in encryptedFields.\n"},"encryptedFields":{"type":"array","description":"Metadata defining the encrypted custom fields on this connection.","items":{"type":"object","properties":{"id":{"type":"string","description":"Field identifier — matches the key in the encrypted object."},"label":{"type":"string","description":"Human-readable label shown in the UI."},"required":{"type":"boolean","default":false},"position":{"type":"number","description":"Display order in the UI form."},"helpText":{"type":"string","description":"Tooltip text shown next to the field in the UI."},"type":{"type":"string","description":"Field type hint for the UI (e.g., \"text\", \"select\")."}}}},"_stackId":{"type":"string","format":"objectId","description":"Reference to the stack this wrapper connection uses."},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent operations through this wrapper connection.\n","minimum":1,"maximum":100,"default":5},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system adjusts concurrency\nbetween 1 and this value based on performance feedback.\n","minimum":1,"maximum":100}}},"ResourceResponse":{"type":"object","description":"Core response fields shared by all Celigo resources","properties":{"_id":{"type":"string","format":"objectId","readOnly":true,"description":"Unique identifier for the resource.\n\nThe _id is used in:\n- API endpoints that operate on a specific resource (e.g., GET, PUT, DELETE)\n- References from other resources (e.g., flows that use this resource)\n- Job history and error tracking\n\nFormat: 24-character hexadecimal string\n"},"createdAt":{"type":"string","format":"date-time","readOnly":true,"description":"Timestamp indicating when the resource was initially created.\n\nThis read-only field is automatically set during resource creation and cannot\nbe modified. It provides an audit trail for when the resource was first added\nto the system, which can be useful for:\n\n- Resource lifecycle management\n- Audit and compliance reporting\n- Troubleshooting integration timelines\n- Identifying older resources that may need review\n\nThe timestamp is recorded in ISO 8601 format with UTC timezone (Z suffix).\n"},"lastModified":{"type":"string","format":"date-time","readOnly":true,"description":"Timestamp indicating when the resource was most recently updated.\n\nThis read-only field is automatically updated whenever any property of the\nresource is modified. It provides an audit trail that can be used for:\n\n- Determining if a resource has changed since it was last reviewed\n- Monitoring configuration changes during troubleshooting\n- Implementing cache invalidation strategies\n- Synchronizing related resources based on modification time\n\nThe timestamp is recorded in ISO 8601 format with UTC timezone (Z suffix)\nand will always be equal to or later than the createdAt timestamp.\n"},"deletedAt":{"type":["string","null"],"format":"date-time","readOnly":true,"description":"Timestamp indicating when the resource was marked for deletion.\n\nWhen this field is present and contains a valid timestamp, it indicates\nthat the resource has been soft-deleted (moved to the recycle bin) but not\nyet permanently removed from the system. This allows for recovery of\naccidentally deleted resources within a specified retention period.\n\nThe deletedAt timestamp enables:\n- Filtering deleted resources from active resource listings\n- Implementing time-based retention policies for permanent deletion\n- Tracking deletion events for audit and compliance purposes\n- Resource recovery workflows with clear timeframes\n\nThe timestamp is recorded in ISO 8601 format with UTC timezone (Z suffix).\nWhen null or absent, the resource is considered active.\n"}},"required":["_id"]},"IAResourceResponse":{"type":"object","description":"Integration app response fields for resources that are part of integration apps","properties":{"_integrationId":{"type":"string","format":"objectId","readOnly":true,"description":"Reference to the specific integration instance that contains this resource.\n\nThis field is only populated for resources that are part of an integration app\ninstallation. It contains the unique identifier (_id) of the integration\nresource that was installed in the account.\n\nThe integration instance represents a specific installed instance of an\nintegration app, with its own configuration, settings, and runtime environment.\n\nThis reference enables:\n- Tracing the resource back to its parent integration instance\n- Permission and access control based on integration ownership\n- Lifecycle management (enabling/disabling, updating, or uninstalling)\n"},"_connectorId":{"type":"string","format":"objectId","readOnly":true,"description":"Reference to the integration app that defines this resource.\n\nThis field is only populated for resources that are part of an integration app.\nIt contains the unique identifier (_id) of the integration app (connector)\nthat defines the structure, behavior, and templates for this resource.\n\nThe integration app is the published template that can be installed\nmultiple times across different accounts, with each installation creating\na separate integration instance (referenced by _integrationId).\n\nThis reference enables:\n- Identifying the source integration app for this resource\n- Determining which template version is being used\n- Linking to documentation, support, and marketplace information\n"}}},"AIDescription":{"type":"object","description":"AI-generated descriptions and documentation for the resource.\n\nThis object contains automatically generated content that helps users\nunderstand the purpose, behavior, and configuration of the resource without\nrequiring them to analyze the technical details. The AI-generated content\nis sanitized and safe for display in the UI.\n","properties":{"summary":{"type":"string","description":"Brief AI-generated summary of the resource's purpose and functionality.\n\nThis concise description provides a quick overview of what the resource does,\nwhat systems it interacts with, and its primary role in the integration.\nThe summary is suitable for display in list views, dashboards, and other\ncontexts where space is limited.\n\nMaximum length: 10KB\n"},"detailed":{"type":"string","description":"Comprehensive AI-generated description of the resource's functionality.\n\nThis detailed explanation covers the resource's purpose, configuration details,\ndata flow patterns, filtering logic, and other technical aspects. It provides\nin-depth information suitable for documentation, tooltips, or detailed views\nin the administration interface.\n\nThe content may include HTML formatting for improved readability.\n\nMaximum length: 10KB\n"},"generatedOn":{"type":"string","format":"date-time","description":"Timestamp indicating when the AI description was generated.\n\nThis field helps track the freshness of the AI-generated content and\ndetermine when it might need to be regenerated due to changes in the\nresource's configuration or behavior.\n\nThe timestamp is recorded in ISO 8601 format with UTC timezone (Z suffix).\n"}}}},"responses":{"401-unauthorized":{"description":"Unauthorized. The request lacks a valid bearer token, or the provided token\nfailed to authenticate.\n\nNote: the 401 response is produced by the auth middleware **before** the\nrequest reaches the endpoint handler, so it does **not** follow the\nstandard `{errors: [...]}` envelope. Instead the body is a bare\n`{message: string}` object with no `code`, no `errors` array. Callers\nhandling 401s should key off the HTTP status and the `message` string,\nnot try to destructure an `errors[]`.","content":{"application/json":{"schema":{"type":"object","properties":{"message":{"type":"string","description":"Human-readable description of the auth failure. Known values:\n- `\"Unauthorized\"` — no `Authorization` header on the request.\n- `\"Bearer Authentication Failed\"` — header present but token\n  is invalid, revoked, or expired."}},"required":["message"]}}}}}},"paths":{"/v1/connections":{"get":{"summary":"List connections","description":"Returns a list of all connections configured in the account.\nIf no connections exist in the account, a 204 response with no body will be returned.\n","operationId":"listConnections","tags":["Connections"],"parameters":[{"in":"query","name":"fetchQueueSize","schema":{"type":"boolean"},"description":"Include queue size information in the response if set to true"},{"in":"query","name":"type","schema":{"type":"string","enum":["netsuite","salesforce","ftp","s3","rest","wrapper","http","rdbms","mongodb","as2","filesystem","mcp","dynamodb","jdbc","van"]},"description":"Filter connections by type"},{"$ref":"#/components/parameters/Include"},{"$ref":"#/components/parameters/Exclude"}],"responses":{"200":{"description":"Successfully retrieved list of connections","headers":{"Link":{"description":"RFC-5988 pagination links. When more pages remain, includes a `<...>; rel=\"next\"` entry;\nabsent on the final page.\n","schema":{"type":"string"}}},"content":{"application/json":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/Response"}}}}},"204":{"description":"No connections exist in the account"},"401":{"$ref":"#/components/responses/401-unauthorized"}}}}}}
```

## Create a connection

> Creates a new connection configuration that can be used to authenticate and connect\
> to external systems and applications.<br>

```json
{"openapi":"3.1.0","info":{"title":"Connections","version":"1.0.0"},"servers":[{"url":"https://api.integrator.io","description":"Production (US / default region)"},{"url":"https://api.eu.integrator.io","description":"Production (EU region)"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer"}},"schemas":{"Request":{"type":"object","description":"Fields that can be sent when creating or updating a connection","properties":{"name":{"type":"string","description":"Descriptive identifier for the connection resource in human-readable format.\n\nThis string serves as the primary display name for the connection across the application UI and is used in:\n- API responses when listing connections\n- Error and audit logs for traceability\n- Flow builder UI components\n- Integration configuration dashboards\n\nWhile not required to be globally unique in the system, using descriptive, unique names is strongly recommended\nfor clarity when managing multiple connections. The name should indicate the target system and purpose.\n\nMaximum length: 200 characters\nAllowed characters: Letters, numbers, spaces, and basic punctuation\n","maxLength":200},"type":{"type":"string","description":"The type of connection determining which authentication and connectivity options are available","enum":["netsuite","salesforce","ftp","s3","rest","wrapper","http","rdbms","mongodb","as2","filesystem","mcp","dynamodb","jdbc","van"]},"externalId":{"type":"string","description":"External identifier for the connection, often used for integration with third-party systems"},"assistant":{"type":"string","description":"Application name in lowercase for HTTP connections to systems with integrator.io adaptors.\nUsed to identify the target application being connected to.\nExamples - Shopify: \"shopify\", eBay: \"ebay\".\nOnly applicable for HTTP connection types.\n"},"_agentId":{"type":"string","format":"objectId","description":"Reference to a Celigo on-premise Agent. Required for connection types that need\nlocal network or filesystem access (JDBC, filesystem, Oracle RDBMS).\nThe agent establishes a secure tunnel between the on-premise environment and integrator.io.\n"},"_borrowConcurrencyFromConnectionId":{"type":"string","format":"objectId","description":"Reference to another connection to share concurrency limits with.\nWhen set, this connection's concurrency is counted against the referenced\nconnection's limit instead of maintaining its own.\n"},"debugDate":{"type":"string","format":"date-time","description":"Date until which debug logging is enabled for this connection"},"settingsForm":{"type":"object","description":"Dynamic form configuration for connection-specific settings"},"settings":{"type":"object","description":"Connection-specific settings and configurations"},"pgp":{"type":"object","description":"PGP encryption settings for file-based connections"},"ssl":{"$ref":"#/components/schemas/SSL"},"netsuite":{"$ref":"#/components/schemas/NetSuite"},"salesforce":{"$ref":"#/components/schemas/Salesforce"},"ftp":{"$ref":"#/components/schemas/FTP"},"s3":{"$ref":"#/components/schemas/S3"},"rest":{"$ref":"#/components/schemas/REST"},"http":{"$ref":"#/components/schemas/HTTP"},"rdbms":{"$ref":"#/components/schemas/RDBMS"},"mongodb":{"$ref":"#/components/schemas/MongoDB"},"as2":{"$ref":"#/components/schemas/AS2"},"filesystem":{"$ref":"#/components/schemas/Filesystem"},"dynamodb":{"$ref":"#/components/schemas/DynamoDB"},"jdbc":{"$ref":"#/components/schemas/JDBC"},"van":{"$ref":"#/components/schemas/VAN"},"mcp":{"$ref":"#/components/schemas/MCP"},"wrapper":{"$ref":"#/components/schemas/Wrapper"}},"required":["name","type"],"anyOf":[{"title":"NetSuite","required":["netsuite"],"properties":{"netsuite":{"$ref":"#/components/schemas/NetSuite"}}},{"title":"Salesforce","required":["salesforce"],"properties":{"salesforce":{"$ref":"#/components/schemas/Salesforce"}}},{"title":"FTP","required":["ftp"],"properties":{"ftp":{"$ref":"#/components/schemas/FTP"}}},{"title":"S3","required":["s3"],"properties":{"s3":{"$ref":"#/components/schemas/S3"}}},{"title":"REST","required":["rest"],"properties":{"rest":{"$ref":"#/components/schemas/REST"}}},{"title":"HTTP","required":["http"],"properties":{"http":{"$ref":"#/components/schemas/HTTP"}}},{"title":"RDBMS","required":["rdbms"],"properties":{"rdbms":{"$ref":"#/components/schemas/RDBMS"}}},{"title":"MongoDB","required":["mongodb"],"properties":{"mongodb":{"$ref":"#/components/schemas/MongoDB"}}},{"title":"AS2","required":["as2"],"properties":{"as2":{"$ref":"#/components/schemas/AS2"}}},{"title":"Filesystem","required":["filesystem"],"properties":{"filesystem":{"$ref":"#/components/schemas/Filesystem"}}},{"title":"MCP","required":["mcp"],"properties":{"mcp":{"$ref":"#/components/schemas/MCP"}}},{"title":"DynamoDB","required":["dynamodb"],"properties":{"dynamodb":{"$ref":"#/components/schemas/DynamoDB"}}},{"title":"JDBC","required":["jdbc"],"properties":{"jdbc":{"$ref":"#/components/schemas/JDBC"}}},{"title":"VAN","required":["van"],"properties":{"van":{"$ref":"#/components/schemas/VAN"}}},{"title":"Wrapper","required":["wrapper"],"properties":{"wrapper":{"$ref":"#/components/schemas/Wrapper"}}}]},"SSL":{"type":"object","description":"SSL/TLS certificate configuration for secure database connections.\n\nUsed by RDBMS and other connection types that support client certificate authentication\nor connections to servers with private CA-signed certificates.\n\n**Usage rules**\n- Provide cert + key together for client certificate (mutual TLS) authentication.\n- Provide ca alone when the server uses a certificate signed by a private CA.\n- cert/key and ca can be combined for mTLS with a private CA.\n- passphrase is only needed when the private key is encrypted.\n","properties":{"ca":{"type":"string","description":"Certificate Authority (CA) certificate in PEM format (encrypted at rest).\nProvide this when the database server uses a certificate signed by a private CA\nthat is not in the system's default trust store.\n","writeOnly":true},"key":{"type":"string","description":"Client private key in PEM format (encrypted at rest).\nREQUIRED alongside cert for client certificate (mTLS) authentication.\nCannot be provided without cert.\n","writeOnly":true},"passphrase":{"type":"string","description":"Passphrase to decrypt an encrypted private key (encrypted at rest).\nOnly needed when the PEM private key in the key field is password-protected.\n","writeOnly":true},"cert":{"type":"string","description":"Client certificate in PEM format (encrypted at rest).\nREQUIRED alongside key for client certificate (mTLS) authentication.\nCannot be provided without key.\n","writeOnly":true}}},"NetSuite":{"type":"object","description":"Configuration for NetSuite ERP connections. Used when the connection type is \"netsuite\".\n\nNetSuite connections support two authentication methods:\n- Token-Based Authentication (TBA) — recommended for production. Requires tokenId and tokenSecret.\n- Basic authentication (email/password) — legacy method, limited functionality.\n\n**Required fields by auth type**\n- authType \"token\": account, tokenId, tokenSecret, roleId\n- authType \"token-auto\": account (tokens are managed automatically via iClient)\n- authType \"basic\": account, email, password, roleId\n\n**Environment**\nThe environment field selects which NetSuite instance to connect to.\nThe account ID format changes based on environment (e.g., \"123456\" for production,\n\"123456_SB1\" for non-production).\n","properties":{"authType":{"type":"string","enum":["basic","token","token-auto"],"description":"Authentication method for the NetSuite connection.\n\n- \"token\" — Token-Based Authentication (TBA). Recommended for production.\n  Requires tokenId and tokenSecret from a NetSuite integration record.\n- \"token-auto\" — Automatic token management via Celigo's iClient.\n  Tokens are provisioned and rotated automatically.\n- \"basic\" — Legacy email/password authentication. Not recommended for\n  new connections; has limited API access compared to TBA.\n"},"account":{"type":"string","description":"NetSuite account ID. REQUIRED for all auth types.\n\nThis is the account identifier visible in NetSuite under Setup > Company > Company Information.\nThe value is automatically uppercased.\n\nFormat varies by environment:\n- Production: \"123456\" or \"TSTDRV123456\"\n- Non-production: \"123456_SB1\" (suffix indicates the environment number)\n- Beta: \"123456\" (same as production, but with environment set to \"beta\")\n"},"environment":{"type":"string","enum":["production","beta"],"description":"NetSuite environment to connect to.\n\n- \"production\" — Live production instance.\n- \"beta\" — NetSuite beta/release-preview environment.\n\nDefaults to \"production\" when not specified.\n"},"tokenId":{"type":"string","description":"NetSuite TBA token ID (encrypted at rest). REQUIRED when authType is \"token\".\n\nGenerated in NetSuite under Setup > Users/Roles > Access Tokens.\nMust be paired with the corresponding tokenSecret.\n","writeOnly":true},"tokenSecret":{"type":"string","description":"NetSuite TBA token secret (encrypted at rest). REQUIRED when authType is \"token\".\n\nGenerated alongside the tokenId in NetSuite. Treat as a sensitive credential.\n","writeOnly":true},"entityId":{"type":"string","description":"NetSuite entity/user ID associated with the token."},"tokenName":{"type":"string","description":"Human-readable name of the NetSuite access token for identification purposes."},"roleId":{"type":"string","description":"NetSuite role ID that determines the permissions for this connection.\n\nThe role controls which records, fields, and operations are accessible.\nMust match the role associated with the access token in NetSuite.\n"},"email":{"type":"string","description":"NetSuite user email address. REQUIRED when authType is \"basic\".\nUsed as the login credential for basic (email/password) authentication.\n","format":"email"},"password":{"type":"string","description":"NetSuite user password (encrypted at rest). REQUIRED when authType is \"basic\".","writeOnly":true},"requestLevelCredentials":{"type":"boolean","description":"When true, authentication credentials are sent with each individual API request\nrather than maintaining a persistent session. Enable this for environments\nwhere session-based auth is unreliable.\n"},"dataCenterURLs":{"type":"object","description":"NetSuite data center URL overrides. Normally auto-discovered from the account ID.\nOnly set this to override the default data center routing.\n"},"accountName":{"type":"string","description":"Human-readable NetSuite account name (display purposes only)."},"roleName":{"type":"string","description":"Human-readable name of the NetSuite role (display purposes only)."},"wsdlVersion":{"type":"string","description":"NetSuite WSDL (Web Services Description Language) version for SuiteTalk Web Services.\n\nControls which API version is used for SOAP-based operations. Newer versions\nmay include additional record types and fields.\n\n- \"latest\" — Use the most recent stable WSDL version.\n- \"next\" — Use the next (pre-release) WSDL version.\n- Specific versions like \"2023.2\" pin to that exact API version.\n","enum":["latest","next","2023.2","2023.1","2022.2","2022.1"],"default":"latest"},"applicationId":{"type":"string","description":"NetSuite application ID from the integration record.\nRequired for some authentication configurations to identify the calling application.\n"},"concurrencyLevelRESTlet":{"type":"number","description":"Maximum concurrent requests to NetSuite RESTlet endpoints.\nNetSuite enforces governance limits on concurrent RESTlet requests per account.\nKeep this low to avoid SuiteScript governance errors.\n","minimum":1,"maximum":10,"default":1},"concurrencyLevelWebServices":{"type":"number","description":"Maximum concurrent requests to NetSuite SuiteTalk Web Services (SOAP API).\nNetSuite enforces concurrency limits per account — exceeding them causes\n\"Only one request may be made against a session at a time\" errors.\n","minimum":1,"maximum":10,"default":5},"concurrencyLevel":{"type":"number","description":"General concurrency level for this connection. Controls the overall\nmaximum concurrent requests across all operation types.\n","minimum":1,"maximum":10,"default":5},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system adjusts concurrency\nbetween 1 and this value based on rate limit and governance feedback.\n","minimum":1,"maximum":10},"_iClientId":{"type":"string","format":"objectId","description":"ID of the iClient used for token-based authentication."}}},"Salesforce":{"type":"object","description":"Configuration for Salesforce CRM connections. Used when the connection type is \"salesforce\".\n\nSalesforce connections authenticate via OAuth 2.0 with two supported flows:\n- JWT Bearer Token — server-to-server auth using a Salesforce Connected App. Recommended for automated integrations.\n- Refresh Token — interactive OAuth flow where the user authorizes via browser. Good for user-context integrations.\n\n**Required fields by flow type**\n- oauth2FlowType \"jwtBearerToken\": username (Salesforce username of the authorized user)\n- oauth2FlowType \"refreshToken\": refreshToken (obtained via browser-based OAuth flow)\n\n**Environment selection**\nThe login endpoint defaults to login.salesforce.com for production orgs.\n","properties":{"baseURI":{"type":"string","description":"Custom Salesforce instance URL. Overrides the default login URL.\n\nNormally auto-discovered during OAuth authentication. Only set this to\nforce a specific instance URL (e.g., \"https://mycompany.my.salesforce.com\").\n","format":"uri"},"oauth2FlowType":{"type":"string","enum":["jwtBearerToken","refreshToken"],"description":"OAuth 2.0 authentication flow type.\n\n- \"jwtBearerToken\" — Server-to-server JWT Bearer Token flow. Does not require\n  user interaction. Requires a Salesforce Connected App with a digital certificate,\n  and the username field must be set to the authorized Salesforce user.\n- \"refreshToken\" — Authorization Code / Refresh Token flow. Requires initial\n  browser-based authorization, then uses the refresh token for ongoing access.\n\nChoose \"jwtBearerToken\" for automated server-to-server integrations.\nChoose \"refreshToken\" for integrations that operate in a specific user's context.\n"},"username":{"type":"string","description":"Salesforce username for JWT Bearer Token authentication.\nREQUIRED when oauth2FlowType is \"jwtBearerToken\".\n\nThis is the Salesforce login username (email) of the user whose permissions\nthe integration will operate under.\n"},"bearerToken":{"type":"string","description":"OAuth access/bearer token (encrypted at rest).\nTypically auto-managed by the system during OAuth flows. Rarely set manually.\n","writeOnly":true},"refreshToken":{"type":"string","description":"OAuth refresh token (encrypted at rest). REQUIRED when oauth2FlowType is \"refreshToken\".\nObtained during the initial browser-based OAuth authorization flow.\n","writeOnly":true},"packagedOAuth":{"type":"boolean","description":"When true, uses Celigo's pre-configured Connected App for OAuth.\nWhen false, you must provide your own Connected App credentials via iClient.\n","default":false},"scope":{"type":"array","items":{"type":"string"},"description":"OAuth scopes to request during authorization. Controls the level of access granted.\n\nCommon scopes:\n- \"full\" — Full access to all Salesforce APIs.\n- \"refresh_token\" — Allows obtaining refresh tokens for long-lived access.\n- \"api\" — Access to REST and SOAP APIs.\n\nDefaults to [\"full\", \"refresh_token\"] which provides complete API access.\n","default":["full","refresh_token"]},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent API requests to Salesforce.\nSalesforce enforces per-org API request limits. Setting this too high\nmay exhaust your org's API call allocation faster.\n","minimum":1,"maximum":25,"default":5},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system adjusts concurrency\nbetween 1 and this value based on rate limit feedback from Salesforce.\n","minimum":1,"maximum":25}}},"FTP":{"type":"object","description":"Configuration for FTP/SFTP/FTPS file transfer connections. Used when the connection type is \"ftp\".\n\nSupports three file transfer protocols:\n- FTP — Standard File Transfer Protocol (unencrypted). Default port 21.\n- SFTP — SSH File Transfer Protocol (encrypted via SSH). Default port 22.\n- FTPS — FTP over TLS/SSL (encrypted via TLS). Default port 21 (explicit) or 990 (implicit).\n\n**Required fields**\n- type (ftp, sftp, or ftps)\n- hostURI (server hostname or IP)\n- username\n\n**Authentication**\n- FTP/FTPS: username + password\n- SFTP: username + password, OR username + authKey (SSH private key), OR both\n\n**Pgp encryption**\nOptional PGP encryption/decryption can be enabled for file-level security,\nindependent of transport-level encryption. Requires pgpEncryptKey and/or pgpDecryptKey.\n","required":["type","hostURI","username"],"properties":{"type":{"type":"string","enum":["ftp","sftp","ftps"],"description":"File transfer protocol type. REQUIRED.\n\n- \"ftp\" — Standard FTP. No transport encryption. Default port 21.\n- \"sftp\" — SSH-based file transfer. Encrypted transport. Default port 22.\n  Supports SSH key authentication via the authKey field.\n- \"ftps\" — FTP over TLS/SSL. Encrypted transport. Default port 21 (explicit TLS)\n  or 990 (implicit TLS — set useImplicitFtps to true).\n\nPrefer \"sftp\" for security. Use \"ftps\" when the server requires TLS.\nOnly use \"ftp\" for legacy systems that don't support encryption.\n"},"hostURI":{"type":"string","description":"FTP server hostname or IP address. REQUIRED.\nDo NOT include the protocol prefix (e.g., use \"ftp.example.com\", not \"sftp://ftp.example.com\").\n"},"port":{"type":"number","description":"Server port number. Defaults vary by type:\n- FTP: 21\n- SFTP: 22\n- FTPS (explicit): 21\n- FTPS (implicit): 990\n","minimum":1,"maximum":65535,"default":21},"username":{"type":"string","description":"Username for server authentication. REQUIRED."},"password":{"type":"string","description":"Password for server authentication (encrypted at rest).\nFor SFTP, either password or authKey (SSH key) is required.\n","writeOnly":true},"authKey":{"type":"string","description":"SSH private key for SFTP key-based authentication (encrypted at rest).\nOnly used when type is \"sftp\". Provide the full PEM-encoded private key.\nCan be used alone or alongside a password for two-factor auth.\n","writeOnly":true},"usePassiveMode":{"type":"boolean","description":"When true, uses passive mode for FTP/FTPS data connections.\nIn passive mode, the client initiates both control and data connections,\nwhich works better through firewalls and NAT. Enable for most scenarios.\n","default":true},"enableHostVerification":{"type":"boolean","description":"When true, verifies the server's SSH host key (SFTP) or TLS certificate (FTPS).\nDisable only for development/testing with self-signed certificates.\n","default":true},"userDirectoryIsRoot":{"type":"boolean","description":"When true, treats the user's home directory as the root directory.\nAll paths are relative to the user's home directory rather than the server root.\n","default":false},"useImplicitFtps":{"type":"boolean","description":"When true, uses implicit FTPS (TLS connection established immediately on port 990).\nWhen false, uses explicit FTPS (starts as FTP on port 21, upgrades to TLS via STARTTLS).\nOnly applies when type is \"ftps\".\n","default":false},"requireSocketReUse":{"type":"boolean","description":"When true, requires the data connection to reuse the same TLS session as the control connection.\nSome FTPS servers require this for security. Only applies to FTPS connections.\n","default":false},"entryParser":{"type":"string","enum":["UNIX","UNIX-TRIM","VMS","WINDOWS","OS/2","OS/400","AS/400","MVS","UNKNOWN-TYPE","NETWARE","MACOS-PETER"],"description":"File listing format parser. Controls how directory listings from the server are interpreted.\nMost servers use UNIX format. Only change this if directory listings appear garbled.\n\n- \"UNIX\" — Standard Unix/Linux servers (most common).\n- \"WINDOWS\" — Windows FTP servers using DOS-style listings.\n- \"MVS\" — IBM mainframe MVS systems.\n- \"AS/400\" — IBM AS/400 (iSeries) systems.\n- Other values are for specific legacy server platforms.\n"},"pgpEncryptKey":{"type":"string","description":"PGP public key for encrypting files before upload (encrypted at rest).\nWhen set, files are PGP-encrypted before being sent to the server.\n","writeOnly":true},"pgpDecryptKey":{"type":"string","description":"PGP private key for decrypting files after download (encrypted at rest).\nWhen set, downloaded files are automatically PGP-decrypted.\n","writeOnly":true},"pgpPassphrase":{"type":"string","description":"Passphrase for the PGP private key (encrypted at rest).","writeOnly":true},"pgpKeyAlgorithm":{"type":"string","enum":["CAST5","3DES","AES-128","AES-192","AES-256"],"description":"Symmetric encryption algorithm used for PGP operations.\nAES-256 is recommended for strong encryption. CAST5 is the PGP default.\nMust match the algorithm expected by the recipient when encrypting.\n"},"pgpSignAndVerify":{"type":"boolean","description":"When true, PGP-signs outbound files and verifies signatures on inbound files.\nProvides authenticity and integrity verification on top of encryption.\n","default":false},"tradingPartner":{"type":"boolean","description":"When true, this connection is associated with a trading partner configuration\nfor B2B/EDI file exchanges.\n","default":false},"_tpConnectorId":{"type":"string","format":"objectId","description":"Reference to a trading partner connector."},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent file transfer operations.\nFTP servers often have low connection limits — keep this value conservative.\n","minimum":1,"maximum":10,"default":1},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system adjusts concurrency\nbetween 1 and this value based on server response feedback.\n","minimum":1,"maximum":10}}},"S3":{"type":"object","description":"Configuration for Amazon S3 connections. Used when the connection type is \"s3\".\n\nProvides access to Amazon S3 buckets for file-based integrations (upload, download,\nlist, and delete operations). Uses AWS IAM credentials for authentication.\n\n**Required fields**\n- accessKeyId (AWS access key)\n- secretAccessKey (AWS secret key)\n\n**Ping**\nSet pingBucket to an accessible S3 bucket name so Celigo can verify\nthe connection credentials are valid.\n","required":["accessKeyId","secretAccessKey"],"properties":{"accessKeyId":{"type":"string","description":"AWS access key ID for IAM authentication. REQUIRED.\nFrom an IAM user or role with S3 access permissions (s3:GetObject, s3:PutObject, s3:ListBucket, etc.).\n"},"secretAccessKey":{"type":"string","description":"AWS secret access key (encrypted at rest). REQUIRED.\nPaired with the accessKeyId. Treat as a sensitive credential.\n","writeOnly":true},"pingBucket":{"type":"string","description":"S3 bucket name used for connection health checks (ping).\nThe system performs a HEAD request on this bucket to verify credentials.\nMust be a bucket the IAM credentials have access to.\n"},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent S3 operations.\nS3 has high throughput limits, so this can be set relatively high.\n","minimum":1,"maximum":100,"default":5},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system adjusts concurrency\nbetween 1 and this value based on performance feedback.\n","minimum":1,"maximum":100}}},"REST":{"type":"object","description":"Configuration for REST connector connections. Used when the connection type is \"rest\".\n\nREST connections are template-driven HTTP connections that use a pre-built HTTP Connector\ndefinition. The connector template pre-configures authentication, base URI, and other\nsettings — the user only fills in credentials and account-specific values.\n\n**Rest vs http connections**\n- Use \"rest\" when connecting to an application that has a Celigo HTTP Connector template\n  (referenced via _httpConnectorId). The connector provides pre-configured API settings.\n- Use \"http\" for fully custom API connections where you configure everything manually.\n\n**Authentication**\nThe authType field selects the authentication method. Available methods depend on the\nconnector template. Credentials are stored in the appropriate auth sub-fields (basicAuth,\nbearerToken, refreshToken, oauth, etc.).\n","required":["mediaType","baseURI","authType"],"properties":{"mediaType":{"type":"string","enum":["json","urlencoded","xml","csv"],"description":"Default content type for API requests and responses.\n\n- \"json\" — application/json (most common for REST APIs).\n- \"xml\" — application/xml (for XML-based APIs).\n- \"urlencoded\" — application/x-www-form-urlencoded (for form-style APIs).\n- \"csv\" — text/csv (for CSV-based data exchange).\n"},"baseURI":{"type":"string","description":"Base URL for all API requests. REQUIRED.\nAll relative URIs in exports and imports are appended to this base URL.\nMay be pre-populated by the HTTP Connector template.\n","format":"uri"},"authType":{"type":"string","enum":["basic","token","oauth","custom","cookie","jwt","hmac","wsse","oauth1"],"description":"Authentication method for this connection. REQUIRED.\n\n- \"basic\" — HTTP Basic Auth. Requires basicAuth.username and basicAuth.password.\n- \"token\" — Bearer token or API key. Requires bearerToken. Supports auto-refresh.\n- \"oauth\" — OAuth 2.0. Requires oauth configuration and typically authURI/oauthTokenURI.\n- \"cookie\" — Cookie-based session auth. Requires cookieAuth configuration.\n- \"jwt\" — JWT-based authentication.\n- \"hmac\" — HMAC signature authentication.\n- \"wsse\" — WS-Security. Requires basicAuth credentials.\n- \"oauth1\" — OAuth 1.0a. Requires oauth.oauth1 configuration.\n- \"custom\" — No built-in auth; credentials in headers or encrypted fields.\n"},"authURI":{"type":"string","description":"OAuth 2.0 authorization endpoint URI.\nUsed for OAuth authorization code flow where users authorize via browser.\n","format":"uri"},"oauthTokenURI":{"type":"string","description":"OAuth 2.0 token endpoint URI.\nUsed to exchange authorization codes for access tokens and to refresh tokens.\n","format":"uri"},"disableStrictSSL":{"type":"boolean","description":"When true, disables strict SSL/TLS certificate validation.\nOnly use for development/testing with self-signed certificates.\n","default":false},"skipOauthValidations":{"type":"boolean","description":"When true, skips Celigo's built-in OAuth configuration validation.\nUse when the connector has non-standard OAuth requirements.\n","default":false},"isHTTPProxy":{"type":"boolean","description":"When true, this REST connection acts as an HTTP proxy for another connection.\n","default":false},"authHeader":{"type":"string","description":"Custom HTTP header name for the authorization token.\nDefaults to \"Authorization\". Change only if the API uses a non-standard header.\n","default":"Authorization"},"retryHeader":{"type":"string","description":"HTTP response header name containing retry-after delay for rate-limited requests.\nDefaults to \"Retry-After\" (HTTP standard).\n","default":"Retry-After"},"authScheme":{"type":"string","enum":["MAC","OAuth","Bearer","Hmac"],"description":"Authorization header scheme/prefix prepended before the token value.\nProduces headers like \"Authorization: Bearer <token>\".\nDefaults to \"Bearer\" which is the most common scheme.\n","default":"Bearer"},"scope":{"type":"array","items":{"type":"string"},"description":"OAuth scopes to request during authorization. Controls the level of API access granted.\n"},"scopeDelimiter":{"type":"string","description":"Delimiter character between multiple OAuth scopes.\nDefaults to a space (\" \") per the OAuth 2.0 spec. Some APIs use commas.\n","default":" "},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent API requests.\nSet based on the target API's rate limit documentation.\n","minimum":1,"maximum":100,"default":5},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system adjusts concurrency\nbetween 1 and this value based on rate limit feedback.\n","minimum":1,"maximum":100},"bearerToken":{"type":"string","description":"Bearer token or API key for authentication (encrypted at rest).\nUsed when authType is \"token\".\n","writeOnly":true},"refreshToken":{"type":"string","description":"OAuth refresh token (encrypted at rest).\nUsed to obtain new access tokens when they expire.\n","writeOnly":true},"tokenLocation":{"type":"string","enum":["header","url"],"description":"Where to include the access token in outbound requests.\n- \"header\" — Sent in the Authorization header (default, most common).\n- \"url\" — Sent as a URL query parameter (use tokenParam for the parameter name).\n","default":"header"},"tokenParam":{"type":"string","description":"URL query parameter name for the access token when tokenLocation is \"url\".\n","default":"access_token"},"basicAuth":{"type":"object","description":"Basic authentication credentials. REQUIRED when authType is \"basic\" or \"wsse\".\n","properties":{"username":{"type":"string","description":"Username for Basic authentication."},"password":{"type":"string","description":"Password for Basic authentication (encrypted at rest).","writeOnly":true}}},"cookieAuth":{"type":"object","description":"Cookie-based session authentication configuration.\nREQUIRED when authType is \"cookie\".\n","properties":{"uri":{"type":"string","description":"Login endpoint URI. REQUIRED. The system sends a request here to obtain session cookies."},"body":{"type":"string","description":"Request body for the login request (e.g., JSON with credentials)."},"method":{"type":"string","description":"HTTP method for the login request (typically POST)."},"successStatusCode":{"type":"number","description":"HTTP status code that confirms successful authentication."}}},"oauth":{"$ref":"#/components/schemas/OAuth"},"refreshTokenMethod":{"type":"string","enum":["POST","PUT","GET"],"description":"HTTP method for token refresh requests.\n","default":"POST"},"refreshTokenBody":{"type":"string","description":"Request body template for token refresh requests."},"refreshTokenURI":{"type":"string","description":"URI for the token refresh endpoint.","format":"uri"},"refreshTokenPath":{"type":"string","description":"JSON path to extract the new access token from the refresh response.\nExample: \"access_token\" or \"data.token\".\n"},"refreshTokenMediaType":{"type":"string","enum":["json","urlencoded"],"description":"Content type for token refresh request bodies.","default":"json"},"refreshTokenHeaders":{"type":"array","description":"Additional headers to include in token refresh requests.","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}},"required":["name","value"]}},"headers":{"type":"array","description":"Default HTTP headers included in every API request.\nUse for API keys in custom headers, content negotiation, or required headers.\n","items":{"type":"object","properties":{"name":{"type":"string","description":"Header name."},"value":{"type":"string","description":"Header value. Supports handlebars expressions."}},"required":["name","value"]}},"pingRelativeURI":{"type":"string","description":"Relative URI (appended to baseURI) for connection health check requests.\nShould be a lightweight endpoint (e.g., \"/me\", \"/health\").\n"},"pingSuccessPath":{"type":"string","description":"JSON path to extract a success indicator from the ping response.\nIf the value matches one of pingSuccessValues, the ping succeeds.\n"},"pingSuccessValues":{"type":"array","items":{"type":"string"},"description":"Values that indicate a successful ping at pingSuccessPath."},"pingFailurePath":{"type":"string","description":"JSON path to extract a failure indicator from the ping response.\n"},"pingFailureValues":{"type":"array","items":{"type":"string"},"description":"Values that indicate a failed ping at pingFailurePath."},"pingMethod":{"type":"string","enum":["GET","POST"],"description":"HTTP method for ping requests.","default":"GET"},"pingBody":{"type":"string","description":"Request body for ping requests (when pingMethod is POST)."},"encrypted":{"type":"object","description":"Encrypted custom fields for sensitive configuration values.\nField definitions are in encryptedFields.\n"},"encryptedFields":{"type":"array","description":"Metadata defining the encrypted custom fields on this connection.","items":{"type":"object","properties":{"id":{"type":"string","description":"Field identifier — matches the key in the encrypted object."},"label":{"type":"string","description":"Human-readable label shown in the UI."},"required":{"type":"boolean","default":false},"position":{"type":"number","description":"Display order in the UI form."},"helpText":{"type":"string","description":"Tooltip text shown next to the field in the UI."}}}},"unencrypted":{"type":"object","description":"Unencrypted custom fields for non-sensitive configuration values.\nField definitions are in unencryptedFields.\n"},"unencryptedFields":{"type":"array","description":"Metadata defining the unencrypted custom fields on this connection.","items":{"type":"object","properties":{"id":{"type":"string","description":"Field identifier — matches the key in the unencrypted object."},"label":{"type":"string","description":"Human-readable label shown in the UI."},"required":{"type":"boolean","default":false},"position":{"type":"number","description":"Display order in the UI form."},"helpText":{"type":"string","description":"Tooltip text shown next to the field in the UI."},"type":{"type":"string","description":"Field type hint for the UI (e.g., \"text\", \"select\")."}}}},"info":{"type":"object","description":"Additional metadata about the REST connection, populated by the system.","readOnly":true}}},"OAuth":{"type":"object","description":"OAuth 2.0 and OAuth 1.0a authentication configuration.\n\nUsed as a sub-object within HTTP and REST connection auth configurations.\nSupports three OAuth 2.0 grant types and OAuth 1.0a for legacy APIs.\n\n**Oauth 2.0 grant types**\n- \"authorizationcode\" — Authorization Code flow (browser-based user consent).\n  Requires authURI, tokenURI, and user authorization via browser.\n- \"clientcredentials\" — Client Credentials flow (server-to-server, no user).\n  Requires tokenURI, clientId, clientSecret.\n- \"password\" — Resource Owner Password flow (username/password exchange).\n  Requires tokenURI, username, password, clientId, clientSecret.\n\n**Oauth 1.0a**\nFor OAuth 1.0a APIs, configure the oauth1 sub-object with consumer key/secret\nand access token/secret. Supports HMAC, RSA, and PLAINTEXT signature methods.\n","properties":{"type":{"type":"string","enum":["custom","assistant"],"description":"OAuth configuration mode.\n- \"custom\" — Fully user-configured OAuth settings.\n- \"assistant\" — Pre-configured via an application assistant connector.\n"},"grantType":{"type":"string","enum":["authorizationcode","clientcredentials","password","implicit"],"description":"OAuth 2.0 grant type that determines the authentication flow.\n\n- \"authorizationcode\" — Authorization Code flow. Most secure. Requires user\n  authorization via browser redirect. Use for integrations that act on behalf of a user.\n- \"clientcredentials\" — Client Credentials flow. Server-to-server authentication\n  without user involvement. Use for machine-to-machine integrations.\n- \"password\" — Resource Owner Password Credentials flow. Exchanges username/password\n  directly for tokens. Only use when the API does not support other flows.\n- \"implicit\" — Implicit flow (legacy, not recommended for new integrations).\n","default":"authorizationcode"},"authURI":{"type":"string","format":"uri","description":"OAuth 2.0 authorization endpoint URL.\nREQUIRED for \"authorizationcode\" grant type. The user is redirected to this URL\nto authorize the application.\n"},"tokenURI":{"type":"string","format":"uri","description":"OAuth 2.0 token endpoint URL.\nREQUIRED for \"authorizationcode\", \"clientcredentials\", and \"password\" grant types.\nThe system exchanges credentials or authorization codes for access tokens at this URL.\n"},"skipOauthValidations":{"type":"boolean","description":"When true, skips Celigo's built-in OAuth configuration validation.\nUse when the API has non-standard OAuth requirements that conflict with validation rules.\n","default":false},"scope":{"type":"array","items":{"type":"string"},"description":"OAuth scopes to request during authorization. Controls the level of API access.\nScope values are API-specific (e.g., \"read\", \"write\", \"admin\").\n"},"scopeDelimiter":{"type":"string","description":"Delimiter between multiple scope values. Defaults to a space (\" \") per the\nOAuth 2.0 spec. Some APIs use commas or other delimiters.\n","default":" "},"clientId":{"type":"string","description":"OAuth client ID (application ID) registered with the API provider.\nREQUIRED for all OAuth 2.0 grant types.\n"},"clientSecret":{"type":"string","description":"OAuth client secret (encrypted at rest).\nREQUIRED for \"authorizationcode\" and \"clientcredentials\" grant types.\n","writeOnly":true},"username":{"type":"string","description":"Resource owner username. REQUIRED when grantType is \"password\".\n"},"password":{"type":"string","description":"Resource owner password (encrypted at rest). REQUIRED when grantType is \"password\".\n","writeOnly":true},"clientCredentialsLocation":{"type":"string","enum":["header","body"],"description":"Where to send client credentials in token requests.\n\n- \"header\" — Send as HTTP Basic Auth header (default, recommended by OAuth spec).\n- \"body\" — Send as form parameters in the request body.\n  Use when the API does not support Basic Auth for client credentials.\n","default":"header"},"accessTokenPath":{"type":"string","description":"JSON path to extract the access token from the token endpoint response.\nDefaults to \"access_token\" per the OAuth 2.0 spec.\nChange only if the API returns the token at a non-standard path.\n"},"accessTokenHeaders":{"type":"array","description":"Additional HTTP headers to include in token endpoint requests.\nUse for APIs that require custom headers beyond the standard OAuth parameters.\n","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"accessTokenBody":{"type":"string","description":"Additional body content to include in token endpoint requests.\nAppended to the standard OAuth parameters.\n"},"oauth2RedirectUrl":{"type":"string","description":"OAuth 2.0 redirect URI (callback URL) registered with the API provider.\nMust exactly match the redirect URI configured in the OAuth application registration.\n"},"useIClientFields":{"type":"boolean","description":"When true, uses iClient-managed OAuth credentials (clientId/clientSecret)\ninstead of the values in this configuration.\n"},"oauth1":{"type":"object","description":"OAuth 1.0a configuration for legacy APIs that use the older OAuth protocol.\n\n**Required fields**\n- consumerKey (always required)\n- accessToken (always required)\n- For HMAC methods: consumerSecret and tokenSecret\n- For RSA methods: consumerPrivateKey\n","properties":{"consumerKey":{"type":"string","description":"OAuth 1.0a consumer key (API key). REQUIRED.\nIdentifies the application making the request.\n"},"consumerSecret":{"type":"string","description":"OAuth 1.0a consumer secret (encrypted at rest).\nREQUIRED for HMAC and PLAINTEXT signature methods.\n","writeOnly":true},"accessToken":{"type":"string","description":"OAuth 1.0a access token (encrypted at rest). REQUIRED.\nRepresents the user's authorization for the application to access their data.\n","writeOnly":true},"tokenSecret":{"type":"string","description":"OAuth 1.0a token secret (encrypted at rest).\nREQUIRED for HMAC and PLAINTEXT signature methods.\n","writeOnly":true},"signatureMethod":{"type":"string","enum":["HMAC-SHA1","HMAC-SHA256","HMAC-SHA512","RSA-SHA1","RSA-SHA256","RSA-SHA512","PLAINTEXT"],"description":"OAuth 1.0a request signing method.\n\nHMAC methods (require consumerSecret and tokenSecret):\n- \"HMAC-SHA1\" — Most widely supported (legacy).\n- \"HMAC-SHA256\" — More secure HMAC variant.\n- \"HMAC-SHA512\" — Strongest HMAC variant.\n\nRSA methods (require consumerPrivateKey):\n- \"RSA-SHA1\" — RSA signing (legacy).\n- \"RSA-SHA256\" — More secure RSA variant.\n- \"RSA-SHA512\" — Strongest RSA variant.\n\n- \"PLAINTEXT\" — No cryptographic signing. Only for testing over HTTPS.\n"},"consumerPrivateKey":{"type":"string","description":"RSA private key for OAuth 1.0a RSA signature methods (encrypted at rest).\nREQUIRED when signatureMethod is RSA-SHA1, RSA-SHA256, or RSA-SHA512.\n","writeOnly":true},"realm":{"type":"string","description":"OAuth realm value included in the Authorization header.\nSome APIs require this to identify the authentication domain.\n"}}},"pkceCodeVerifier":{"type":"string","description":"PKCE (Proof Key for Code Exchange) code verifier for enhanced OAuth 2.0 security.\nManaged internally by the system during authorization code flows.\n","writeOnly":true}}},"HTTP":{"type":"object","description":"Configuration for HTTP/REST API connections. Used when the connection type is \"http\".\n\nThis is the most versatile connection type in Celigo, supporting any REST, SOAP, or generic HTTP API.\nIt handles authentication, request/response formatting, rate limiting, and connection health checks.\n\n**When to use**\n- Any REST or SOAP API not covered by a specialized connector (Salesforce, NetSuite, etc.)\n- Custom HTTP integrations with APIs that use standard auth methods\n- GraphQL APIs (set formType to \"graph_ql\")\n- Amazon Selling Partner API (set type to \"Amazon-SP-API\")\n\n**Authentication models**\nThe auth.type field selects the authentication strategy. Each type requires specific sub-fields:\n- \"basic\" — HTTP Basic Auth (username/password)\n- \"token\" — Bearer token or API key with optional auto-refresh\n- \"oauth\" — OAuth 2.0 (authorization code, client credentials, or password grant)\n- \"jwt\" / \"jwtbearer\" — JWT-based authentication with HMAC or RSA signing\n- \"cookie\" — Cookie-based session authentication\n- \"digest\" — HTTP Digest Authentication\n- \"oauth1\" — OAuth 1.0a (HMAC or RSA signatures)\n- \"custom\" — No built-in auth; credentials go in headers or encrypted fields\n- \"wsse\" — WS-Security UsernameToken (SOAP APIs)\n- \"specific\" — Platform-specific auth (e.g., PTX)\n","required":["mediaType"],"properties":{"mediaType":{"type":"string","enum":["xml","json","urlencoded","form-data","plaintext"],"description":"Default content type for outbound HTTP request bodies. REQUIRED.\n\nThis controls the Content-Type header and how request bodies are serialized:\n- \"json\" — application/json. Use for most modern REST APIs.\n- \"xml\" — application/xml. Use for SOAP or XML-based APIs.\n- \"urlencoded\" — application/x-www-form-urlencoded. Use for form-style POST bodies.\n- \"form-data\" — multipart/form-data. Use for file uploads or multipart requests.\n- \"plaintext\" — text/plain. Use for raw text payloads.\n\nDefault to \"json\" unless the API documentation specifies otherwise.\n"},"successMediaType":{"type":"string","enum":["xml","csv","json","plaintext"],"description":"Expected content type of successful API responses. Controls how response bodies are parsed.\n\n- \"json\" — Parse response as JSON (default for most APIs).\n- \"xml\" — Parse response as XML.\n- \"csv\" — Parse response as CSV.\n- \"plaintext\" — Treat response as raw text, no parsing.\n\nIf omitted, the system infers the format from the response Content-Type header.\n"},"errorMediaType":{"type":"string","enum":["xml","json","plaintext"],"description":"Expected content type of error responses from the API. Controls how error response bodies are parsed for extracting error messages.\n\nIf omitted, defaults to the same format as successMediaType.\n"},"baseURI":{"type":"string","description":"Base URL for all API requests made through this connection. REQUIRED.\n\nAll relative URIs in exports and imports are appended to this base URL.\nMust be an absolute URL (e.g., \"https://api.example.com/v2\").\nHandlebars expressions are supported for dynamic URLs.\n\nDo NOT include trailing slashes — relative URIs in exports/imports should start with \"/\".\n","format":"uri"},"disableStrictSSL":{"type":"boolean","description":"When true, disables strict SSL/TLS certificate validation for API requests.\n\nOnly set to true for development/testing with self-signed certificates.\nNEVER disable in production — it removes protection against man-in-the-middle attacks.\n","default":false},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent HTTP requests this connection can make simultaneously.\n\nHigher values increase throughput but may trigger API rate limits.\nSet this based on the target API's rate limit documentation.\n","minimum":1,"maximum":100,"default":25},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system automatically adjusts\nconcurrency between 1 and this value based on rate limit feedback.\n\nOnly relevant when autoRecoverRateLimitErrors is enabled on the connection.\n","minimum":1,"maximum":100},"retryHeader":{"type":"string","description":"HTTP response header name that contains the retry delay (in seconds) when rate-limited.\n\nDefaults to \"Retry-After\" which is the HTTP standard. Only change this if the API\nuses a non-standard header name for retry-after values.\n","default":"Retry-After"},"formType":{"type":"string","enum":["assistant","rest","http","graph_ql","assistant_graphql"],"description":"Controls the UI form layout for configuring this connection. Determines which\nfields are shown and how they are organized in the Celigo UI.\n\n- \"http\" — Standard HTTP connection form with full control over all fields.\n- \"rest\" — Simplified REST connector form linked to an HTTP connector template.\n- \"assistant\" — Application assistant form with pre-configured settings.\n- \"graph_ql\" — GraphQL-specific form with query/mutation support.\n- \"assistant_graphql\" — Application assistant form with GraphQL support.\n\nFor programmatic creation, \"http\" is the most common choice.\n"},"type":{"type":"string","enum":["Amazon-SP-API","Amazon-Hybrid","vendor_central"],"description":"Specific API type for Amazon integrations. Only set this for Amazon connections.\n\n- \"Amazon-SP-API\" — Amazon Selling Partner API.\n- \"Amazon-Hybrid\" — Hybrid Amazon connection supporting both MWS and SP-API.\n- \"vendor_central\" — Amazon Vendor Central API.\n"},"clientCertificates":{"type":"object","description":"Client certificate configuration for mutual TLS (mTLS) authentication.\n\nUse when the API server requires a client certificate to establish the TLS connection.\nYou can provide either a PEM cert/key pair OR a PFX bundle, but not both.\n","properties":{"cert":{"type":"string","description":"Client certificate in PEM format. Must be paired with the key field.\nCannot be used together with pfx.\n"},"key":{"type":"string","description":"Private key for the client certificate in PEM format (encrypted at rest).","writeOnly":true},"ca":{"type":"string","description":"Certificate Authority (CA) certificate in PEM format.\nUse when the server's certificate is signed by a private CA not in the default trust store.\n"},"passphrase":{"type":"string","description":"Passphrase to decrypt an encrypted private key or PFX bundle (encrypted at rest).","writeOnly":true},"pfx":{"type":"string","description":"PKCS#12 (.pfx/.p12) bundle containing both the certificate and private key (encrypted at rest).\nCannot be used together with cert/key.\n","writeOnly":true}}},"ping":{"type":"object","description":"Connection health check (ping) configuration. Defines how Celigo tests\nwhether this connection is alive and authenticated.\n\nWhen configured, Celigo sends an HTTP request to the specified endpoint and\nevaluates the response to determine connection health. The ping runs when\ntesting the connection in the UI and periodically during flow execution.\n","properties":{"relativeURI":{"type":"string","description":"Relative URI appended to baseURI for the ping request.\nShould be a lightweight, fast endpoint (e.g., \"/me\", \"/health\", \"/api/v1/status\").\n"},"method":{"type":"string","enum":["GET","POST","PUT","HEAD"],"description":"HTTP method for the ping request. Defaults to GET.\nUse POST only if the health endpoint requires it.\n","default":"GET"},"body":{"type":"string","description":"Request body for the ping request. Only used when method is POST or PUT.\nFor form-data mediaType, must be valid multipart form data.\n"},"successPath":{"type":"string","description":"JSON path or XPath expression to extract a success indicator from the ping response.\nIf the value at this path matches one of the successValues, the ping succeeds.\nIf omitted, any 2xx response is considered successful.\n"},"successValues":{"type":"array","items":{"type":"string"},"description":"Values that indicate a successful ping when found at successPath.\nRequires successPath to be set.\n"},"allowArrayforSuccessPath":{"type":"boolean","description":"Whether the value at successPath can be an array (any matching element counts as success)."},"failPath":{"type":"string","description":"JSON path or XPath expression to extract a failure indicator from the ping response.\nIf the value at this path matches one of the failValues, the ping fails even if the HTTP status is 2xx.\n"},"failValues":{"type":"array","items":{"type":"string"},"description":"Values that indicate a failed ping when found at failPath.\nRequires failPath to be set.\n"},"errorPath":{"type":"string","description":"JSON path or XPath expression to extract a human-readable error message from\na failed ping response. The extracted message is shown to the user in the UI.\n"}}},"auth":{"type":"object","description":"Authentication configuration for the API connection.\n\nThe auth.type field selects the authentication strategy. Each type requires\nspecific sub-fields — see the type field description for details.\n","properties":{"type":{"type":"string","enum":["custom","basic","token","oauth","wsse","cookie","jwt","digest","specific","oauth1","jwtbearer"],"description":"Authentication method for this connection. Determines which auth sub-fields are required.\n\n- \"basic\" — HTTP Basic Auth. Requires: auth.basic.username and auth.basic.password.\n- \"token\" — API key or bearer token. Requires: auth.token with token value and location.\n  Supports automatic token refresh via refreshMethod/refreshRelativeURI.\n- \"oauth\" — OAuth 2.0. Requires: auth.oauth with grant type, URIs, and credentials.\n  Supports authorization code, client credentials, and password grant flows.\n- \"jwtbearer\" — JWT Bearer Token. Requires: auth.jwt with signatureMethod and payload.\n  HMAC methods need a secret; RSA/EC methods need a privateKey.\n- \"cookie\" — Cookie-based session auth. Requires: auth.cookie.uri (login endpoint).\n- \"digest\" — HTTP Digest Auth. Requires: auth.basic.username and auth.basic.password.\n- \"oauth1\" — OAuth 1.0a. Requires: auth.oauth.oauth1 with consumer key/secret and tokens.\n- \"custom\" — No built-in auth handling. Put credentials in headers or encrypted fields.\n- \"wsse\" — WS-Security. Requires: auth.basic.username and auth.basic.password.\n- \"specific\" — Platform-specific auth (e.g., PTX).\n- \"jwt\" — Legacy JWT auth. Prefer \"jwtbearer\" for new connections.\n"},"failStatusCode":{"type":"number","description":"HTTP status code that indicates an authentication failure (e.g., 401, 403).\nWhen this status code is received, the system triggers re-authentication\nbefore retrying the request.\n"},"failPath":{"type":"string","description":"JSON path or XPath expression to check in response bodies for authentication failure indicators.\nUsed when APIs return 200 OK but embed auth errors in the response body.\n"},"failValues":{"type":"array","items":{"type":"string"},"description":"Values at failPath that indicate an authentication failure.\nRequires failPath to be set.\n"},"skipFollowAuthorizationHeader":{"type":"boolean","description":"When true, the Authorization header is NOT forwarded on HTTP redirects.\nEnable this for APIs that redirect to a different domain after authentication.\n"},"basic":{"type":"object","description":"Basic authentication credentials. REQUIRED when auth.type is \"basic\", \"wsse\", or \"digest\".\n","properties":{"username":{"type":"string","description":"Username for Basic/Digest/WSSE authentication."},"password":{"type":"string","description":"Password for Basic/Digest/WSSE authentication (encrypted at rest).","writeOnly":true}}},"token":{"type":"object","description":"Token-based authentication configuration. REQUIRED when auth.type is \"token\".\n\nSupports static API keys/bearer tokens and automatic token refresh flows.\nThe token can be sent in a header (Authorization), query parameter, or request body.\n","properties":{"token":{"type":"string","description":"The API key or bearer token value (encrypted at rest).\nREQUIRED unless automatic token refresh is configured.\n","writeOnly":true},"location":{"type":"string","enum":["url","header","body"],"description":"Where to include the token in outbound requests.\n- \"header\" — Sent in an HTTP header (most common). Use headerName and scheme to control format.\n- \"url\" — Sent as a URL query parameter. Use paramName to set the parameter name.\n- \"body\" — Included in the request body.\n"},"headerName":{"type":"string","description":"HTTP header name for the token when location is \"header\".\nDefaults to \"Authorization\" if omitted.\n"},"scheme":{"type":"string","description":"Token scheme/prefix when sent in a header. Prepended before the token value.\nCommon values: \"Bearer\", \"Token\", \"Basic\".\nExample: scheme \"Bearer\" produces header \"Authorization: Bearer <token>\".\n"},"paramName":{"type":"string","description":"Query parameter name for the token when location is \"url\".\nExample: paramName \"api_key\" produces URL \"?api_key=<token>\".\n"},"refreshMethod":{"type":"string","enum":["GET","POST","PUT"],"description":"HTTP method for automatic token refresh requests.\nREQUIRED when no static token is provided (refresh-based auth flow).\n","default":"POST"},"refreshRelativeURI":{"type":"string","description":"Relative URI (appended to baseURI) for the token refresh endpoint.\nThe system calls this endpoint to obtain a new token when the current one expires.\n"},"refreshBody":{"type":"string","description":"Request body to send with the token refresh request."},"refreshMediaType":{"type":"string","enum":["json","urlencoded","xml","plaintext"],"description":"Content type for the token refresh request body.\n","default":"urlencoded"},"refreshResponseMediaType":{"type":"string","enum":["json","xml"],"description":"Expected content type of the token refresh response."},"refreshTokenPath":{"type":"string","description":"JSON path to extract the new token from the refresh response.\nExample: \"access_token\" or \"data.token\".\n"},"refreshToken":{"type":"string","description":"Refresh token used to obtain a new access token (encrypted at rest).","writeOnly":true},"refreshTokenLocation":{"type":"string","enum":["header","body"],"description":"Where to include the refresh token in refresh requests."},"refreshHeaders":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}},"description":"Additional headers to include in token refresh requests."},"tokenPaths":{"type":"array","items":{"type":"string"},"description":"JSON paths to extract multiple token values from the refresh response.\nUse when the refresh response contains tokens at different paths that need\nto be stored for subsequent requests.\n"}}},"oauth":{"$ref":"#/components/schemas/OAuth"},"cookie":{"type":"object","description":"Cookie-based session authentication. REQUIRED when auth.type is \"cookie\".\n\nThe system authenticates by sending a request to the login URI, captures the\nsession cookies from the response, and includes them in all subsequent API requests.\n","properties":{"uri":{"type":"string","description":"Login endpoint URI for cookie authentication. REQUIRED.\nThe system sends a request to this URI to obtain session cookies.\n"},"body":{"type":"string","description":"Request body for the login request (e.g., JSON with username/password)."},"method":{"type":"string","description":"HTTP method for the login request (typically POST)."},"successStatusCode":{"type":"number","description":"HTTP status code that confirms successful authentication.\nIf the login response returns this status code, the session cookies are captured.\n"}}},"jwt":{"$ref":"#/components/schemas/JWT"}}},"rateLimit":{"type":"object","description":"Rate limiting configuration. Defines how the system detects and handles\nAPI rate limit responses.\n\nWhen rate limiting is detected, the system pauses requests and waits for\nthe retry-after period before resuming. The retryHeader field on the parent\nHTTP object controls which response header contains the wait time.\n","properties":{"failStatusCode":{"type":"number","description":"HTTP status code that indicates the API is rate-limiting requests.\nDefaults to 429 (Too Many Requests) which is the HTTP standard.\nChange only if the API uses a non-standard status code for rate limits.\n","default":429},"failPath":{"type":"string","description":"JSON path or XPath to check in response bodies for rate limit indicators.\nUsed when APIs return 200 OK but embed rate limit errors in the response body.\n"},"failValues":{"type":"array","items":{"type":"string"},"description":"Values at failPath that indicate rate limiting. Requires failPath to be set.\n"},"limit":{"type":"number","minimum":1,"description":"Maximum number of requests per rate-limit window. When set, the connection's\neffective concurrency level must be 1 to ensure proper rate limit enforcement.\n"}}},"headers":{"type":"array","description":"Default HTTP headers included in every request made through this connection.\nUse for API keys in custom headers, content negotiation, or any headers the API requires on all requests.\n","items":{"type":"object","properties":{"name":{"type":"string","description":"Header name (e.g., \"X-API-Key\", \"Accept\")."},"value":{"type":"string","description":"Header value. Supports handlebars expressions for dynamic values."}},"required":["name","value"]}},"encrypted":{"type":"object","description":"Encrypted custom fields for storing sensitive configuration values (API secrets,\nprivate keys, etc.) that don't fit standard auth fields. Values are encrypted at rest.\nField definitions are specified in encryptedFields.\n"},"encryptedFields":{"type":"array","description":"Metadata defining the encrypted custom fields available on this connection.\nEach entry describes a field in the encrypted object — its ID, label, and UI position.\n","items":{"type":"object","properties":{"id":{"type":"string","description":"Field identifier — matches the key in the encrypted object."},"label":{"type":"string","description":"Human-readable label shown in the UI."},"required":{"type":"boolean","default":false},"position":{"type":"number","description":"Display order in the UI form."},"helpText":{"type":"string","description":"Tooltip or help text shown next to the field in the UI."}}}},"unencrypted":{"type":"object","description":"Unencrypted custom fields for non-sensitive configuration values.\nField definitions are specified in unencryptedFields.\n"},"unencryptedFields":{"type":"array","description":"Metadata defining the unencrypted custom fields available on this connection.\nEach entry describes a field in the unencrypted object.\n","items":{"type":"object","properties":{"id":{"type":"string","description":"Field identifier — matches the key in the unencrypted object."},"label":{"type":"string","description":"Human-readable label shown in the UI."},"required":{"type":"boolean","default":false},"position":{"type":"number","description":"Display order in the UI form."},"helpText":{"type":"string","description":"Tooltip or help text shown next to the field in the UI."},"type":{"type":"string","description":"Field type hint for the UI (e.g., \"text\", \"select\")."}}}},"_iClientId":{"type":"string","format":"objectId","description":"ID of the iClient used for OAuth authentication."},"_httpConnectorId":{"type":"string","format":"objectId","description":"ID of the HTTP connector template this connection is based on."},"_httpConnectorApiId":{"type":"string","format":"objectId","description":"ID of the HTTP connector API definition."},"_httpConnectorVersionId":{"type":"string","format":"objectId","description":"ID of the HTTP connector version."}}},"JWT":{"type":"object","description":"JWT (JSON Web Token) authentication configuration.\n\nUsed when auth.type is \"jwtbearer\" on HTTP connections. The system generates\na signed JWT and uses it as a bearer token for API authentication.\n\n**Signing methods**\n- HMAC (HS256/HS384/HS512): Symmetric signing using a shared secret.\n  Requires the secret field.\n- RSA (RS256/RS384/RS512): Asymmetric signing using an RSA private key.\n  Requires the privateKey field.\n- ECDSA (ES256/ES384/ES512): Asymmetric signing using an elliptic curve private key.\n  Requires the privateKey field.\n\n**Required fields**\n- algorithm (signing algorithm)\n- secret (for HMAC algorithms) OR privateKey (for RSA/ECDSA algorithms)\n- At least one claim (issuer, subject, audience, or customClaims)\n","properties":{"algorithm":{"type":"string","enum":["HS256","HS384","HS512","RS256","RS384","RS512","ES256","ES384","ES512"],"description":"JWT signing algorithm. REQUIRED.\n\nHMAC algorithms (symmetric — use the secret field):\n- \"HS256\" — HMAC with SHA-256 (default, most common).\n- \"HS384\" — HMAC with SHA-384.\n- \"HS512\" — HMAC with SHA-512.\n\nRSA algorithms (asymmetric — use the privateKey field):\n- \"RS256\" — RSA with SHA-256 (most common for RSA).\n- \"RS384\" — RSA with SHA-384.\n- \"RS512\" — RSA with SHA-512.\n\nECDSA algorithms (asymmetric — use the privateKey field):\n- \"ES256\" — ECDSA with P-256 curve and SHA-256.\n- \"ES384\" — ECDSA with P-384 curve and SHA-384.\n- \"ES512\" — ECDSA with P-521 curve and SHA-512.\n","default":"HS256"},"secret":{"type":"string","description":"Shared secret key for HMAC signing algorithms (HS256/HS384/HS512).\nEncrypted at rest. REQUIRED when using an HMAC algorithm.\nNot used with RSA or ECDSA algorithms.\n","writeOnly":true},"privateKey":{"type":"string","description":"Private key in PEM format for RSA or ECDSA signing (encrypted at rest).\nREQUIRED when using an RSA (RS*) or ECDSA (ES*) algorithm.\nNot used with HMAC algorithms.\n","writeOnly":true},"publicKey":{"type":"string","description":"Public key for JWT verification. Optional — used when the API requires\nthe public key to be registered for signature verification.\n"},"issuer":{"type":"string","description":"JWT \"iss\" (issuer) claim. Identifies the principal that issued the JWT.\nTypically a client ID, service account email, or application identifier.\n"},"subject":{"type":"string","description":"JWT \"sub\" (subject) claim. Identifies the subject of the JWT.\nOften the user or service account the token represents.\n"},"audience":{"type":"string","description":"JWT \"aud\" (audience) claim. Identifies the intended recipient of the JWT.\nTypically the API endpoint URL or resource server identifier.\n"},"expiresIn":{"type":"number","description":"JWT expiration time in seconds from the current time.\nThe \"exp\" claim is set to (now + expiresIn). After this time, the JWT is invalid\nand the system generates a new one.\n","default":3600},"notBefore":{"type":"number","description":"JWT \"nbf\" (not before) claim in seconds from the current time.\nThe JWT is not valid before this time.\n"},"issuedAt":{"type":"boolean","description":"When true, includes the \"iat\" (issued at) claim with the current timestamp.\n","default":true},"jwtId":{"type":"boolean","description":"When true, includes a unique \"jti\" (JWT ID) claim for each generated token.\nUseful for preventing token replay attacks.\n","default":false},"customClaims":{"type":"object","description":"Additional custom claims to include in the JWT payload.\nUse for API-specific claims not covered by the standard fields\n(e.g., roles, permissions, custom scopes).\n"},"token":{"type":"string","description":"Pre-generated JWT token value (encrypted at rest).\nWhen set, this static token is used instead of generating one dynamically.\nUse only when the API provides a long-lived JWT that does not need to be regenerated.\n","writeOnly":true}}},"RDBMS":{"type":"object","description":"Configuration for relational database connections. Used when the connection type is \"rdbms\".\n\nCeligo has native support for these database systems:\n- MySQL, MariaDB\n- PostgreSQL\n- Microsoft SQL Server (mssql), Azure Synapse (azuresynapse)\n- Oracle\n- Snowflake\n- Google BigQuery\n- Amazon Redshift\n\n**Required fields**\n- type (always required — selects the database system)\n- host, database, user, password (for most database types)\n- Snowflake: additionally requires snowflake.warehouse and snowflake.authType (\"basic\" or \"keyPair\")\n- BigQuery: requires bigquery.projectId, bigquery.dataset, bigquery.clientEmail, bigquery.privateKey\n- Redshift: requires host, database, user, password; optionally redshift.aws credentials for IAM auth\n- Oracle: uses serviceName instead of database\n\n**Database-specific notes**\n- For Oracle, set serviceName (not database) and optionally serverType and instanceName.\n- For Snowflake, snowflake.authType is REQUIRED: use \"basic\" for password auth, \"keyPair\" for RSA key-pair auth.\n- For MS SQL Server with Azure AD service principal auth, set mssql.authType to \"azure-service-principal\".\n- For BigQuery, use service account credentials (clientEmail + privateKey).\n","required":["type"],"properties":{"type":{"type":"string","enum":["mysql","postgresql","mssql","snowflake","oracle","bigquery","redshift","mariadb","azuresynapse"],"description":"The specific relational database system to connect to. REQUIRED.\n\nThis determines the SQL dialect, connection driver, default port, and\nwhich additional sub-fields are required.\n\n- \"mysql\" — MySQL (default port 3306)\n- \"mariadb\" — MariaDB (default port 3306)\n- \"postgresql\" — PostgreSQL (default port 5432)\n- \"mssql\" — Microsoft SQL Server (default port 1433)\n- \"azuresynapse\" — Azure Synapse Analytics (default port 1433)\n- \"oracle\" — Oracle Database (default port 1521). Uses serviceName instead of database.\n- \"snowflake\" — Snowflake Data Cloud. Requires snowflake.warehouse.\n- \"bigquery\" — Google BigQuery. Requires service account credentials in the bigquery sub-object.\n- \"redshift\" — Amazon Redshift. Optionally uses AWS IAM credentials.\n"},"host":{"type":"string","description":"Database server hostname or IP address.\nREQUIRED for all types except BigQuery (which uses Google's API endpoints).\n\nFor Snowflake, use the account URL format: \"account_identifier.snowflakecomputing.com\".\nFor Redshift, use the cluster endpoint: \"cluster-name.region.redshift.amazonaws.com\".\n"},"port":{"type":"number","description":"Database server port number. If omitted, uses the default port for the database type:\n- MySQL/MariaDB: 3306\n- PostgreSQL: 5432\n- MS SQL/Azure Synapse: 1433\n- Oracle: 1521\n- Snowflake: 443\n- Redshift: 5439\n","minimum":1,"maximum":65535},"database":{"type":"string","description":"Database name to connect to. REQUIRED for most types.\n\nFor Oracle, use the serviceName field instead of database.\nFor BigQuery, use bigquery.dataset to specify the target dataset.\n"},"instanceName":{"type":"string","description":"Named instance identifier. Used by MS SQL Server and Oracle when the server\nhosts multiple database instances. Not required for default instances.\n"},"user":{"type":"string","description":"Database username for authentication.\nREQUIRED for all types except BigQuery (which uses service account auth).\n"},"password":{"type":"string","description":"Database password (encrypted at rest). REQUIRED alongside user for password-based auth.","writeOnly":true},"version":{"type":"string","description":"Database server version string. Used by some drivers for compatibility adjustments."},"serviceName":{"type":"string","description":"Oracle service name. Used instead of the database field for Oracle connections.\nThis is the TNS service name or pluggable database (PDB) service name.\n"},"serverType":{"type":"string","enum":["dedicated","shared","pooled"],"description":"Oracle server connection type. Controls the server process model.\n\n- \"dedicated\" — Each connection gets its own server process. Best for heavy workloads.\n- \"shared\" — Connections share a pool of server processes. More resource-efficient.\n- \"pooled\" — Database Resident Connection Pooling (DRCP). Best for many short-lived connections.\n"},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent database connections.\nSet based on the database server's connection limit and available resources.\n","minimum":1,"maximum":100,"default":5},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system adjusts the number of\nconcurrent connections between 1 and this value based on performance feedback.\n","minimum":1,"maximum":100},"disableStrictSSL":{"type":"boolean","description":"When true, disables strict SSL/TLS certificate validation for the database connection.\nOnly use for development/testing with self-signed certificates.\n","default":false},"snowflake":{"type":"object","description":"Snowflake-specific configuration. REQUIRED when type is \"snowflake\".\n","required":["warehouse","authType"],"properties":{"warehouse":{"type":"string","description":"Snowflake virtual warehouse name. REQUIRED for Snowflake connections.\nThe warehouse provides compute resources for queries. Must be a warehouse\nthe user role has access to.\n"},"schema":{"type":"string","description":"Default Snowflake schema. If omitted, queries must fully-qualify table names\n(e.g., DATABASE.SCHEMA.TABLE).\n"},"role":{"type":"string","description":"Snowflake security role to use for the session. Determines which databases,\nschemas, and warehouses are accessible. Defaults to the user's default role.\n"},"authType":{"type":"string","enum":["basic","keyPair"],"description":"Authentication type for Snowflake. REQUIRED.\n\n- \"basic\" — Username/password authentication. Use for standard username/password connections.\n- \"keyPair\" — Key-pair authentication using RSA private key.\n  When using keyPair, provide the RSA private key in the connection's key field.\n\nWhen creating placeholder/dummy connections, use \"basic\".\n"}}},"mssql":{"type":"object","description":"Microsoft SQL Server / Azure Synapse-specific configuration.\n","properties":{"authType":{"type":"string","enum":["basic","azure-service-principal"],"description":"Authentication type for MS SQL Server.\n\n- \"basic\" — Standard SQL Server authentication with username/password (default).\n- \"azure-service-principal\" — Azure Active Directory service principal authentication.\n  Requires an iClient configuration with the service principal credentials.\n","default":"basic"}}},"bigquery":{"type":"object","description":"Google BigQuery-specific configuration. REQUIRED when type is \"bigquery\".\nUses Google Cloud service account credentials for authentication.\n","properties":{"projectId":{"type":"string","description":"Google Cloud project ID that contains the BigQuery datasets. REQUIRED.\nFound in the Google Cloud Console project settings.\n"},"dataset":{"type":"string","description":"Default BigQuery dataset name. REQUIRED.\nQueries will target tables within this dataset unless fully-qualified names are used.\n"},"clientEmail":{"type":"string","description":"Google Cloud service account email address. REQUIRED.\nFormat: \"service-account-name@project-id.iam.gserviceaccount.com\".\nThe service account must have BigQuery Data Editor and BigQuery Job User roles.\n"},"privateKey":{"type":"string","description":"Google Cloud service account private key in PEM format (encrypted at rest). REQUIRED.\nDownloaded as part of the service account JSON key file.\n","writeOnly":true}}},"redshift":{"type":"object","description":"Amazon Redshift-specific configuration. AWS credentials are optional —\nonly needed for IAM-based authentication instead of standard username/password.\n","properties":{"aws":{"type":"object","description":"AWS credentials for IAM-based Redshift authentication.","properties":{"accessKeyId":{"type":"string","description":"AWS access key ID for IAM authentication."},"secretAccessKey":{"type":"string","description":"AWS secret access key (encrypted at rest).","writeOnly":true}}},"clusterIdentifier":{"type":"string","description":"Redshift cluster identifier. Required for IAM-based authentication."},"region":{"type":"string","description":"AWS region where the Redshift cluster is deployed. Required for IAM-based authentication.\n","enum":["us-east-1","us-east-2","us-west-1","us-west-2","eu-west-1","eu-west-2","eu-west-3","eu-central-1","ap-southeast-1","ap-southeast-2","ap-northeast-1","ap-northeast-2","ap-south-1","sa-east-1","ca-central-1"]}}},"ssl":{"$ref":"#/components/schemas/SSL"},"options":{"type":"array","description":"Additional database driver connection options as name/value pairs.\nUse for driver-specific settings not covered by the standard fields\n(e.g., connection timeout, charset, application name).\n","items":{"type":"object","properties":{"name":{"type":"string","description":"Option name (driver-specific)."},"value":{"type":"string","description":"Option value."}},"required":["name","value"]}}}},"MongoDB":{"type":"object","description":"Configuration for MongoDB connections. Used when the connection type is \"mongodb\".\n\nSupports standalone MongoDB instances, replica sets, and MongoDB Atlas clusters.\n\n**Required fields**\n- host (array of one or more server addresses)\n- database (target database name)\n\n**Authentication**\nUsername and password are optional — only required when the MongoDB server has\nauthentication enabled (which is recommended for production).\nUse authSource to specify the authentication database if it differs from the target database.\n\n**Replica sets**\nFor replica sets, provide all member hostnames in the host array and set\nthe replicaSet field to the replica set name.\n","required":["host","database"],"properties":{"host":{"type":"array","items":{"type":"string"},"description":"MongoDB server addresses. REQUIRED. An array of one or more host:port strings.\n\n- Standalone: [\"mongodb.example.com:27017\"]\n- Replica set: [\"rs1.example.com:27017\", \"rs2.example.com:27017\", \"rs3.example.com:27017\"]\n- MongoDB Atlas: [\"cluster0-shard-00-00.abc.mongodb.net:27017\", ...]\n\nInclude the port number with each host. Default MongoDB port is 27017.\n"},"database":{"type":"string","description":"Target MongoDB database name. REQUIRED.\nAll operations (reads/writes) target collections within this database.\n"},"username":{"type":"string","description":"MongoDB username for authentication.\nRequired when the MongoDB server has authentication enabled.\n"},"password":{"type":"string","description":"MongoDB password (encrypted at rest). Required alongside username.","writeOnly":true},"replicaSet":{"type":"string","description":"MongoDB replica set name. Required when connecting to a replica set.\nThe driver uses this to discover all replica set members and handle failover.\nFor MongoDB Atlas, this is typically \"atlas-xxxxxx-shard-0\".\n"},"ssl":{"type":"boolean","description":"When true, connects to MongoDB over TLS/SSL.\nRequired for MongoDB Atlas and recommended for all production deployments.\n","default":false},"authSource":{"type":"string","description":"MongoDB authentication database — the database where the user credentials are stored.\nDefaults to the value of the database field. Set to \"admin\" if the user was created\nin the admin database (common for shared MongoDB deployments and Atlas).\n"},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent MongoDB operations.\n","minimum":1,"maximum":100,"default":5},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system adjusts concurrency\nbetween 1 and this value based on performance feedback.\n","minimum":1,"maximum":100}}},"AS2":{"type":"object","description":"AS2 (Applicability Statement 2) connection configuration for EDI","required":["as2Id","partnerId"],"properties":{"as2Id":{"type":"string","description":"AS2 identifier for this station. Trading partners use this as the \"To\"\nidentifier when sending documents, and integrator.io uses it as the \"From\"\nidentifier when sending documents to partners.\n\nIMPORTANT: This value must be unique across ALL integrator.io users to\nensure inbound documents are routed correctly. It CANNOT be updated after\ncreation. Use a different identifier for each environment (e.g., production vs. non-production).\n\nIf not provided, a unique value will be auto-generated.\n"},"partnerId":{"type":"string","description":"AS2 partner identifier"},"_tpConnectorId":{"type":"string","format":"objectId","description":"Reference to a trading partner connector"},"contentBasedFlowRouter":{"type":"object","description":"Content-based routing configuration","properties":{"function":{"type":"string","description":"Name of the routing function"},"_scriptId":{"type":"string","format":"objectId","description":"Reference to script containing the routing function"}}},"partnerStationInfo":{"type":"object","description":"Partner (remote) station configuration — used on the IMPORT side.\nControls how messages are sent TO the trading partner.\n","required":["as2URI","signing","encryptionType"],"properties":{"as2URI":{"type":"string","format":"uri","description":"Partner's AS2 endpoint URI"},"mdn":{"type":"object","description":"MDN (Message Disposition Notification) settings","required":["mdnSigning"],"properties":{"mdnURL":{"type":"string","description":"URL for asynchronous MDN"},"signatureProtocol":{"type":"string","enum":["pkcs7-signature"],"description":"MDN signature protocol"},"mdnSigning":{"type":"string","enum":["NONE","SHA1","MD5","SHA256"],"description":"MDN signing algorithm"},"verifyMDNSignature":{"type":"boolean","description":"Whether to verify the MDN signature from the partner"}}},"auth":{"type":"object","description":"Authentication for the partner AS2 endpoint","properties":{"type":{"type":"string","enum":["basic","token"],"description":"Authentication type"},"failStatusCode":{"type":"number","description":"HTTP status code indicating auth failure"},"failPath":{"type":"string","description":"JSON path to check for auth failure"},"failValues":{"type":"array","items":{"type":"string"},"description":"Values at failPath that indicate auth failure"},"basic":{"type":"object","description":"Basic auth credentials","properties":{"username":{"type":"string","description":"Username for basic auth"},"password":{"type":"string","writeOnly":true,"description":"Password for basic auth (encrypted)"}}},"token":{"type":"object","description":"Token-based auth configuration","properties":{"refreshHeaders":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}},"description":"Headers for token refresh requests"},"refreshToken":{"type":"string","writeOnly":true,"description":"Refresh token (encrypted)"}}}}},"rateLimit":{"type":"object","description":"Rate limiting configuration","properties":{"failStatusCode":{"type":"number"},"failPath":{"type":"string"},"failValues":{"type":"array","items":{"type":"string"}},"limit":{"type":"number","minimum":1,"description":"Maximum requests per time window"}}},"SMIMEVersion":{"type":"string","enum":["v2","v3"],"description":"S/MIME version (not typically exposed on UI)"},"signing":{"type":"string","enum":["NONE","SHA1","MD5","SHA256"],"description":"Message signing algorithm for outbound messages to partner"},"encryptionType":{"type":"string","enum":["NONE","DES","RC2","3DES","AES128","AES256"],"description":"Message encryption type for outbound messages to partner"},"encoding":{"type":"string","enum":["base64","binary"],"description":"Content transfer encoding (default base64)"},"signatureEncoding":{"type":"string","enum":["base64","binary"],"description":"Signature encoding format"}}},"userStationInfo":{"type":"object","description":"User (local) station configuration — used on the EXPORT side.\nControls how inbound messages from the partner are processed.\n","required":["signing","encryptionType"],"properties":{"mdn":{"type":"object","description":"MDN settings for inbound messages","required":["mdnSigning"],"properties":{"mdnURL":{"type":"string","description":"URL for asynchronous MDN"},"signatureProtocol":{"type":"string","enum":["pkcs7-signature"],"description":"MDN signature protocol"},"mdnSigning":{"type":"string","enum":["NONE","SHA1","MD5","SHA256"],"description":"MDN signing algorithm"},"mdnEncoding":{"type":"string","enum":["base64","binary"],"description":"MDN encoding format"}}},"signing":{"type":"string","enum":["NONE","SHA1","MD5","SHA256"],"description":"Message signing algorithm for inbound message verification"},"encryptionType":{"type":"string","enum":["NONE","DES","RC2","3DES","AES128","AES256"],"description":"Message encryption type for inbound message decryption"},"encoding":{"type":"string","enum":["base64","binary"],"description":"Content transfer encoding (default binary)"},"compressed":{"type":"boolean","description":"Whether to compress messages","default":false}}},"encrypted":{"type":"object","description":"Encrypted certificate and key data (stored encrypted at rest).\nRequired when signing or encryption is enabled (not NONE).\nAuto-generated self-signed certificates will be injected if not provided.\n","properties":{"userPrivateKey":{"type":"string","writeOnly":true,"description":"PEM-encoded X.509 private key for this station.\nRequired when partnerStationInfo.signing != NONE or userStationInfo.encryptionType != NONE.\n"}}},"unencrypted":{"type":"object","description":"Unencrypted certificate data for identity and partner verification.\nRequired when signing or encryption is enabled (not NONE).\nAuto-generated self-signed certificates will be injected if not provided.\n","properties":{"userPublicKey":{"type":"string","description":"PEM-encoded X.509 public certificate for this station.\nRequired when partnerStationInfo.signing != NONE or userStationInfo.encryptionType != NONE.\n"},"partnerCertificate":{"type":"string","description":"PEM-encoded X.509 certificate for the trading partner.\nRequired when partnerStationInfo.encryptionType != NONE or userStationInfo.signing != NONE,\nor when partnerStationInfo.mdn.verifyMDNSignature is true.\n"}}},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent operations","minimum":1,"maximum":10,"default":1},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling","minimum":1,"maximum":10},"preventCanonicalization":{"type":"boolean","description":"Prevent canonicalization of message content","default":false}}},"Filesystem":{"type":"object","description":"Configuration for filesystem connections. Used when the connection type is \"filesystem\".\n\nFilesystem connections provide access to the local filesystem on a Celigo on-premise Agent.\nThis enables file-based integrations with directories on the agent's host machine or\nmounted network drives.\n\n**Agent requirement**\nA Celigo Agent is REQUIRED for filesystem connections (set _agentId on the parent\nconnection object). The agent provides the filesystem access — cloud-only\ndeployments cannot use this connection type.\n\n**Ping**\nSet ping.directoryPath to a directory the agent can access to verify the connection.\n","properties":{"ping":{"type":"object","description":"Health check configuration for validating filesystem access.","properties":{"directoryPath":{"type":"string","description":"Absolute directory path on the agent's host used for connection health checks.\nThe system verifies the directory exists and is accessible.\nExample: \"/data/integrations/incoming\" or \"C:\\\\Data\\\\Integrations\".\n"}}},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent filesystem operations.\n","minimum":1,"maximum":100},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling.\n","minimum":1,"maximum":100}}},"DynamoDB":{"type":"object","description":"Configuration for Amazon DynamoDB connections. Used when the connection type is \"dynamodb\".\n\nProvides access to DynamoDB tables for NoSQL data integrations.\nUses AWS IAM credentials for authentication.\n\n**Required fields**\n- aws.accessKeyId\n- aws.secretAccessKey\n\nThe IAM credentials must have appropriate DynamoDB permissions\n(dynamodb:GetItem, dynamodb:PutItem, dynamodb:Query, dynamodb:Scan, etc.).\n","required":["aws"],"properties":{"aws":{"type":"object","description":"AWS IAM credentials for DynamoDB authentication. REQUIRED.","properties":{"accessKeyId":{"type":"string","description":"AWS access key ID for IAM authentication.\nFrom an IAM user or role with DynamoDB access permissions.\n"},"secretAccessKey":{"type":"string","description":"AWS secret access key (encrypted at rest).","writeOnly":true}}},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent DynamoDB operations.\nDynamoDB throughput is governed by table-level read/write capacity units.\n","minimum":1,"maximum":100,"default":5},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system adjusts concurrency\nbetween 1 and this value based on throughput feedback.\n","minimum":1,"maximum":100}}},"JDBC":{"type":"object","description":"Configuration for JDBC (Java Database Connectivity) connections.\nUsed when the connection type is \"jdbc\".\n\nJDBC connections provide access to databases through Java-based JDBC drivers,\nincluding databases not natively supported by Celigo's RDBMS connector.\n\n**When to use jdbc vs rdbms**\n- Use RDBMS for: MySQL, PostgreSQL, MS SQL, Snowflake, Oracle, BigQuery, Redshift, MariaDB.\n- Use JDBC for: NetSuite (SuiteAnalytics), Databricks, DB2, Workday, and other databases\n  accessible via a JDBC driver deployed on a Celigo Agent.\n\n**Required fields**\n- type (always required — selects the JDBC driver)\n- host, database, user, password (for most types)\n- For Oracle: use serviceName instead of database\n- For wallet auth: set authType to \"wallet\" and provide the wallet file\n\n**Agent requirement**\nMost JDBC connections require a Celigo on-premise Agent (set _agentId on the connection)\nbecause the JDBC driver runs on the agent, not in the cloud.\n","required":["type"],"properties":{"type":{"type":"string","enum":["agent","netsuitejdbc","databricks","oracle:thin","sqlserver","activedirectory","db2","workday"],"description":"JDBC driver/connection type. REQUIRED.\n\n- \"agent\" — Generic JDBC driver deployed on a Celigo Agent. Requires driverPath.\n- \"netsuitejdbc\" — NetSuite SuiteAnalytics JDBC driver for reporting and analytics queries.\n- \"databricks\" — Databricks SQL/Spark via JDBC.\n- \"oracle:thin\" — Oracle Database via the Oracle Thin JDBC driver.\n- \"sqlserver\" — Microsoft SQL Server via the JTDS or Microsoft JDBC driver.\n- \"activedirectory\" — SQL Server with Active Directory authentication.\n- \"db2\" — IBM DB2 database.\n- \"workday\" — Workday via JDBC (for report/data access).\n"},"version":{"type":"string","description":"JDBC driver version. Used for driver compatibility when multiple versions are available."},"host":{"type":"string","description":"Database server hostname or IP address.\nFor NetSuite JDBC, use the SuiteAnalytics Connect hostname\n(e.g., \"account-id.connect.api.netsuite.com\").\n"},"port":{"type":"number","description":"Database server port number. Default varies by driver type."},"database":{"type":"string","description":"Database or catalog name. For Oracle, use the serviceName field instead.\n"},"user":{"type":"string","description":"Database username for authentication."},"password":{"type":"string","description":"Database password (encrypted at rest).","writeOnly":true},"serviceName":{"type":"string","description":"Oracle service name. Used instead of the database field for Oracle JDBC connections.\nThis is the TNS service name or pluggable database (PDB) service name.\n"},"authType":{"type":"string","enum":["customjdbc","wallet"],"description":"Authentication method for the JDBC connection.\n\n- \"customjdbc\" — Standard username/password authentication (default).\n- \"wallet\" — Oracle Wallet authentication. Provide the wallet file in the wallet field.\n  The wallet contains encrypted credentials so username/password are not needed separately.\n"},"wallet":{"type":"string","description":"Oracle Wallet file contents (encrypted at rest).\nREQUIRED when authType is \"wallet\". Contains the auto-login wallet (cwallet.sso)\nwith encrypted credentials for passwordless Oracle authentication.\n","writeOnly":true},"driverPath":{"type":"string","description":"File path to the JDBC driver JAR on the Celigo Agent.\nREQUIRED when type is \"agent\" (generic JDBC).\nThe driver must be deployed on the agent before creating the connection.\n"},"properties":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}},"description":"Additional JDBC connection properties as name/value pairs.\nThese are passed directly to the JDBC driver as connection properties.\nUse for driver-specific settings like SSL mode, connection timeout,\napplication name, etc.\n"},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent database connections.\nJDBC connections often run through a single Agent, so keep this value\nconservative to avoid overwhelming the Agent or database.\n","minimum":1,"maximum":100,"default":5},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system adjusts the number of\nconcurrent connections between 1 and this value based on performance feedback.\n","minimum":1,"maximum":100}}},"VAN":{"type":"object","description":"Configuration for VAN (Value Added Network) connections.\nUsed when the connection type is \"van\".\n\nVAN connections provide EDI document exchange through a Value Added Network provider.\nDocuments are sent to and received from a VAN mailbox identified by the mailboxId.\n\nThe as2Id field links this VAN connection to an AS2 identity for document routing,\nand contentBasedFlowRouter enables routing inbound documents to different flows\nbased on document content.\n","properties":{"mailboxId":{"type":"number","description":"VAN mailbox identifier. Identifies the specific mailbox on the VAN provider\nthat this connection sends to and receives from.\n"},"as2Id":{"type":"string","description":"AS2 identifier for this VAN station. Used as the \"From\" identifier when sending\ndocuments and the \"To\" identifier when receiving. Must be unique across all\nintegrator.io users. Cannot be changed after creation.\n"},"contentBasedFlowRouter":{"type":"object","description":"Content-based routing configuration for inbound VAN documents.\nRoutes incoming documents to different flows based on document content\nusing a custom JavaScript function.\n","properties":{"function":{"type":"string","description":"Name of the JavaScript routing function in the referenced script."},"_scriptId":{"type":"string","format":"objectId","description":"Reference to the script resource containing the routing function."}}}}},"MCP":{"type":"object","description":"Configuration for MCP (Model Context Protocol) connections.\nUsed when the connection type is \"mcp\".\n\nMCP connections enable Celigo to call tools exposed by an external MCP server\nover HTTP. The MCP server provides a set of callable tools that can be invoked\nduring flow execution.\n\n**Required fields**\n- serverURL (the MCP server's HTTP endpoint)\n- http.auth.type (must be one of: \"token\", \"oauth\", or \"custom\")\n\n**Authentication**\nMCP connections authenticate via the http sub-object, which reuses the same\nauth configuration as HTTP connections but with a restricted set of auth types.\nOnly \"token\", \"oauth\", and \"custom\" are valid for MCP connections.\n","properties":{"protocol":{"type":"string","enum":["http"],"description":"Transport protocol for communicating with the MCP server.\nCurrently only \"http\" is supported.\n"},"serverURL":{"type":"string","description":"MCP server endpoint URL. REQUIRED.\nMust be a valid absolute URL (e.g., \"https://mcp-server.example.com/mcp\").\nThe system validates this as a proper URL.\n","format":"uri"},"timeout":{"type":"number","description":"Request timeout in milliseconds for MCP tool invocations.\nIf the MCP server does not respond within this time, the request fails.\n"},"allowedTools":{"type":"array","description":"Optional allowlist of MCP tool names that this connection may invoke.\nWhen set, only tools in this list can be called. When omitted or empty,\nall tools exposed by the MCP server are available.\n","items":{"type":"string"}},"http":{"type":"object","description":"HTTP transport configuration for the MCP connection, including authentication and headers.\n\nThe auth.type MUST be one of: \"token\", \"oauth\", or \"custom\".\nOther auth types (basic, cookie, jwt, etc.) are not supported for MCP connections.\n","properties":{"_iClientId":{"type":"string","format":"objectId","description":"Reference to an OAuth iClient for OAuth-based MCP authentication.\nRequired when http.auth.type is \"oauth\".\n"},"auth":{"$ref":"#/components/schemas/auth"},"headers":{"type":"array","description":"Default HTTP headers included in every request to the MCP server.\n","items":{"type":"object","properties":{"name":{"type":"string","description":"Header name."},"value":{"type":"string","description":"Header value."}},"required":["name","value"]}},"unencrypted":{"type":"object","description":"Unencrypted custom fields for non-sensitive MCP configuration."},"encrypted":{"type":"object","description":"Encrypted custom fields for sensitive MCP configuration (encrypted at rest)."}}}}},"auth":{"type":"object","description":"Authentication configuration for the API connection.\n\nThe auth.type field selects the authentication strategy. Each type requires\nspecific sub-fields — see the type field description for details.\n","properties":{"type":{"type":"string","enum":["custom","basic","token","oauth","wsse","cookie","jwt","digest","specific","oauth1","jwtbearer"],"description":"Authentication method for this connection. Determines which auth sub-fields are required.\n\n- \"basic\" — HTTP Basic Auth. Requires: auth.basic.username and auth.basic.password.\n- \"token\" — API key or bearer token. Requires: auth.token with token value and location.\n  Supports automatic token refresh via refreshMethod/refreshRelativeURI.\n- \"oauth\" — OAuth 2.0. Requires: auth.oauth with grant type, URIs, and credentials.\n  Supports authorization code, client credentials, and password grant flows.\n- \"jwtbearer\" — JWT Bearer Token. Requires: auth.jwt with signatureMethod and payload.\n  HMAC methods need a secret; RSA/EC methods need a privateKey.\n- \"cookie\" — Cookie-based session auth. Requires: auth.cookie.uri (login endpoint).\n- \"digest\" — HTTP Digest Auth. Requires: auth.basic.username and auth.basic.password.\n- \"oauth1\" — OAuth 1.0a. Requires: auth.oauth.oauth1 with consumer key/secret and tokens.\n- \"custom\" — No built-in auth handling. Put credentials in headers or encrypted fields.\n- \"wsse\" — WS-Security. Requires: auth.basic.username and auth.basic.password.\n- \"specific\" — Platform-specific auth (e.g., PTX).\n- \"jwt\" — Legacy JWT auth. Prefer \"jwtbearer\" for new connections.\n"},"failStatusCode":{"type":"number","description":"HTTP status code that indicates an authentication failure (e.g., 401, 403).\nWhen this status code is received, the system triggers re-authentication\nbefore retrying the request.\n"},"failPath":{"type":"string","description":"JSON path or XPath expression to check in response bodies for authentication failure indicators.\nUsed when APIs return 200 OK but embed auth errors in the response body.\n"},"failValues":{"type":"array","items":{"type":"string"},"description":"Values at failPath that indicate an authentication failure.\nRequires failPath to be set.\n"},"skipFollowAuthorizationHeader":{"type":"boolean","description":"When true, the Authorization header is NOT forwarded on HTTP redirects.\nEnable this for APIs that redirect to a different domain after authentication.\n"},"basic":{"type":"object","description":"Basic authentication credentials. REQUIRED when auth.type is \"basic\", \"wsse\", or \"digest\".\n","properties":{"username":{"type":"string","description":"Username for Basic/Digest/WSSE authentication."},"password":{"type":"string","description":"Password for Basic/Digest/WSSE authentication (encrypted at rest).","writeOnly":true}}},"token":{"type":"object","description":"Token-based authentication configuration. REQUIRED when auth.type is \"token\".\n\nSupports static API keys/bearer tokens and automatic token refresh flows.\nThe token can be sent in a header (Authorization), query parameter, or request body.\n","properties":{"token":{"type":"string","description":"The API key or bearer token value (encrypted at rest).\nREQUIRED unless automatic token refresh is configured.\n","writeOnly":true},"location":{"type":"string","enum":["url","header","body"],"description":"Where to include the token in outbound requests.\n- \"header\" — Sent in an HTTP header (most common). Use headerName and scheme to control format.\n- \"url\" — Sent as a URL query parameter. Use paramName to set the parameter name.\n- \"body\" — Included in the request body.\n"},"headerName":{"type":"string","description":"HTTP header name for the token when location is \"header\".\nDefaults to \"Authorization\" if omitted.\n"},"scheme":{"type":"string","description":"Token scheme/prefix when sent in a header. Prepended before the token value.\nCommon values: \"Bearer\", \"Token\", \"Basic\".\nExample: scheme \"Bearer\" produces header \"Authorization: Bearer <token>\".\n"},"paramName":{"type":"string","description":"Query parameter name for the token when location is \"url\".\nExample: paramName \"api_key\" produces URL \"?api_key=<token>\".\n"},"refreshMethod":{"type":"string","enum":["GET","POST","PUT"],"description":"HTTP method for automatic token refresh requests.\nREQUIRED when no static token is provided (refresh-based auth flow).\n","default":"POST"},"refreshRelativeURI":{"type":"string","description":"Relative URI (appended to baseURI) for the token refresh endpoint.\nThe system calls this endpoint to obtain a new token when the current one expires.\n"},"refreshBody":{"type":"string","description":"Request body to send with the token refresh request."},"refreshMediaType":{"type":"string","enum":["json","urlencoded","xml","plaintext"],"description":"Content type for the token refresh request body.\n","default":"urlencoded"},"refreshResponseMediaType":{"type":"string","enum":["json","xml"],"description":"Expected content type of the token refresh response."},"refreshTokenPath":{"type":"string","description":"JSON path to extract the new token from the refresh response.\nExample: \"access_token\" or \"data.token\".\n"},"refreshToken":{"type":"string","description":"Refresh token used to obtain a new access token (encrypted at rest).","writeOnly":true},"refreshTokenLocation":{"type":"string","enum":["header","body"],"description":"Where to include the refresh token in refresh requests."},"refreshHeaders":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}},"description":"Additional headers to include in token refresh requests."},"tokenPaths":{"type":"array","items":{"type":"string"},"description":"JSON paths to extract multiple token values from the refresh response.\nUse when the refresh response contains tokens at different paths that need\nto be stored for subsequent requests.\n"}}},"oauth":{"$ref":"#/components/schemas/OAuth"},"cookie":{"type":"object","description":"Cookie-based session authentication. REQUIRED when auth.type is \"cookie\".\n\nThe system authenticates by sending a request to the login URI, captures the\nsession cookies from the response, and includes them in all subsequent API requests.\n","properties":{"uri":{"type":"string","description":"Login endpoint URI for cookie authentication. REQUIRED.\nThe system sends a request to this URI to obtain session cookies.\n"},"body":{"type":"string","description":"Request body for the login request (e.g., JSON with username/password)."},"method":{"type":"string","description":"HTTP method for the login request (typically POST)."},"successStatusCode":{"type":"number","description":"HTTP status code that confirms successful authentication.\nIf the login response returns this status code, the session cookies are captured.\n"}}},"jwt":{"$ref":"#/components/schemas/JWT"}}},"Wrapper":{"type":"object","description":"Configuration for Wrapper connections. Used when the connection type is \"wrapper\".\n\nWrapper connections are custom-built connectors deployed on a Celigo Stack.\nThey allow developers to implement custom authentication, data transformation,\nand API interaction logic using server-side JavaScript on a dedicated stack.\n\n**When to use**\nUse wrapper connections when:\n- The target API has non-standard authentication not supported by HTTP connections.\n- Custom server-side logic is needed for connection management.\n- You need a fully custom connector deployed on a Celigo Stack.\n\n**Required fields**\n- pingFunction (name of the function that tests connection health)\n- _stackId (set on the parent connection object — references the Celigo Stack)\n\n**Custom fields**\nUse encrypted/unencrypted fields to store connection-specific configuration.\nThe wrapper code on the Stack accesses these values at runtime.\n","required":["pingFunction"],"properties":{"pingFunction":{"type":"string","description":"Name of the JavaScript function on the Stack that tests connection health.\nThis function is called when the user clicks \"Test Connection\" in the UI.\nIt should verify that the connection credentials are valid and the target\nsystem is reachable.\n"},"unencrypted":{"type":"object","description":"Unencrypted custom fields for non-sensitive configuration values.\nThese values are accessible to the wrapper code on the Stack at runtime.\nField definitions are specified in unencryptedFields.\n"},"unencryptedFields":{"type":"array","description":"Metadata defining the unencrypted custom fields on this connection.","items":{"type":"object","properties":{"id":{"type":"string","description":"Field identifier — matches the key in the unencrypted object."},"label":{"type":"string","description":"Human-readable label shown in the UI."},"required":{"type":"boolean","default":false},"position":{"type":"number","description":"Display order in the UI form."},"helpText":{"type":"string","description":"Tooltip text shown next to the field in the UI."},"type":{"type":"string","description":"Field type hint for the UI (e.g., \"text\", \"select\")."}}}},"encrypted":{"type":"object","description":"Encrypted custom fields for sensitive configuration values (API keys, passwords, etc.).\nValues are encrypted at rest and decrypted only on the Stack at runtime.\nField definitions are specified in encryptedFields.\n"},"encryptedFields":{"type":"array","description":"Metadata defining the encrypted custom fields on this connection.","items":{"type":"object","properties":{"id":{"type":"string","description":"Field identifier — matches the key in the encrypted object."},"label":{"type":"string","description":"Human-readable label shown in the UI."},"required":{"type":"boolean","default":false},"position":{"type":"number","description":"Display order in the UI form."},"helpText":{"type":"string","description":"Tooltip text shown next to the field in the UI."},"type":{"type":"string","description":"Field type hint for the UI (e.g., \"text\", \"select\")."}}}},"_stackId":{"type":"string","format":"objectId","description":"Reference to the stack this wrapper connection uses."},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent operations through this wrapper connection.\n","minimum":1,"maximum":100,"default":5},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system adjusts concurrency\nbetween 1 and this value based on performance feedback.\n","minimum":1,"maximum":100}}},"Response":{"type":"object","description":"Complete connection object as returned by the API","allOf":[{"$ref":"#/components/schemas/Request"},{"$ref":"#/components/schemas/ResourceResponse"},{"$ref":"#/components/schemas/IAResourceResponse"},{"type":"object","properties":{"aiDescription":{"$ref":"#/components/schemas/AIDescription"},"salesforce":{"allOf":[{"$ref":"#/components/schemas/Salesforce"},{"type":"object","properties":{"info":{"type":"object","description":"Additional Salesforce connection information","readOnly":true}}}]},"netsuite":{"allOf":[{"$ref":"#/components/schemas/NetSuite"},{"type":"object","properties":{"suiteAppInstalled":{"type":"boolean","description":"Whether the Celigo SuiteApp is installed","readOnly":true}}}]},"_integrationId":{"type":"string","format":"objectId","description":"ID of the integration this connection belongs to","readOnly":true},"_connectorId":{"type":"string","format":"objectId","description":"ID of the connector template this connection is based on","readOnly":true},"_id":{"type":"string","format":"objectId","description":"Unique identifier for the connection","readOnly":true},"offline":{"type":"boolean","description":"Whether the connection is currently offline/disabled","readOnly":true},"_userId":{"type":"string","format":"objectId","description":"ID of the user who owns this connection","readOnly":true},"createdAt":{"type":"string","format":"date-time","description":"Timestamp when the connection was created","readOnly":true},"lastModified":{"type":"string","format":"date-time","description":"Timestamp when the connection was last modified","readOnly":true},"deletedAt":{"type":"string","format":"date-time","description":"Timestamp when the connection was soft-deleted (if applicable)","readOnly":true},"needsAuthorization":{"type":"boolean","description":"Whether this connection requires OAuth2 or similar authorization flow","readOnly":true},"isAmazonSPConnection":{"type":"boolean","description":"Whether this is an Amazon Selling Partner API connection","readOnly":true},"concurrencyInfo":{"type":"object","description":"Current concurrency usage and limits for this connection","readOnly":true,"properties":{"currentLevel":{"type":"number","description":"Current concurrency level being used"},"targetLevel":{"type":"number","description":"Target concurrency level"},"maxLevel":{"type":"number","description":"Maximum allowed concurrency level"},"borrowedFrom":{"type":"string","description":"ID of connection this is borrowing concurrency from"}}},"rateLimit":{"type":"object","description":"Rate limiting information for this connection","readOnly":true,"properties":{"isRecovering":{"type":"boolean","description":"Whether the connection is currently recovering from rate limits"},"lastErrorAt":{"type":"string","format":"date-time","description":"Timestamp of last rate limit error"},"retryCount":{"type":"number","description":"Number of retry attempts for rate limit recovery"}}},"status":{"type":"string","enum":["active","inactive","error","pending","offline"],"description":"Current operational status of the connection","readOnly":true},"lastPingAt":{"type":"string","format":"date-time","description":"Timestamp of last successful ping test","readOnly":true},"lastPingStatus":{"type":"string","enum":["success","failed","pending"],"description":"Result of the last ping test","readOnly":true},"capabilities":{"type":"object","description":"Discovered or configured capabilities of this connection","readOnly":true,"properties":{"read":{"type":"boolean","description":"Supports read operations"},"write":{"type":"boolean","description":"Supports write operations"},"delete":{"type":"boolean","description":"Supports delete operations"},"realtime":{"type":"boolean","description":"Supports real-time data streaming"},"batch":{"type":"boolean","description":"Supports batch operations"}}},"quotas":{"type":"object","description":"Usage quotas and limits for this connection","readOnly":true,"properties":{"daily":{"type":"object","properties":{"limit":{"type":"number"},"used":{"type":"number"},"remaining":{"type":"number"}}},"monthly":{"type":"object","properties":{"limit":{"type":"number"},"used":{"type":"number"},"remaining":{"type":"number"}}}}},"_sourceId":{"type":"string","format":"objectId","description":"ID of the source this connection was created from","readOnly":true},"_templateId":{"type":"string","format":"objectId","description":"ID of the template this connection was generated from","readOnly":true},"draft":{"type":"boolean","description":"Whether this connection is in draft state","readOnly":true},"draftExpiresAt":{"type":"string","format":"date-time","description":"Timestamp when the draft connection expires","readOnly":true},"debugUntil":{"type":"string","format":"date-time","description":"Timestamp until which debug logging is enabled","readOnly":true},"apiIdentifier":{"type":"string","description":"API identifier for this connection","readOnly":true}}}]},"ResourceResponse":{"type":"object","description":"Core response fields shared by all Celigo resources","properties":{"_id":{"type":"string","format":"objectId","readOnly":true,"description":"Unique identifier for the resource.\n\nThe _id is used in:\n- API endpoints that operate on a specific resource (e.g., GET, PUT, DELETE)\n- References from other resources (e.g., flows that use this resource)\n- Job history and error tracking\n\nFormat: 24-character hexadecimal string\n"},"createdAt":{"type":"string","format":"date-time","readOnly":true,"description":"Timestamp indicating when the resource was initially created.\n\nThis read-only field is automatically set during resource creation and cannot\nbe modified. It provides an audit trail for when the resource was first added\nto the system, which can be useful for:\n\n- Resource lifecycle management\n- Audit and compliance reporting\n- Troubleshooting integration timelines\n- Identifying older resources that may need review\n\nThe timestamp is recorded in ISO 8601 format with UTC timezone (Z suffix).\n"},"lastModified":{"type":"string","format":"date-time","readOnly":true,"description":"Timestamp indicating when the resource was most recently updated.\n\nThis read-only field is automatically updated whenever any property of the\nresource is modified. It provides an audit trail that can be used for:\n\n- Determining if a resource has changed since it was last reviewed\n- Monitoring configuration changes during troubleshooting\n- Implementing cache invalidation strategies\n- Synchronizing related resources based on modification time\n\nThe timestamp is recorded in ISO 8601 format with UTC timezone (Z suffix)\nand will always be equal to or later than the createdAt timestamp.\n"},"deletedAt":{"type":["string","null"],"format":"date-time","readOnly":true,"description":"Timestamp indicating when the resource was marked for deletion.\n\nWhen this field is present and contains a valid timestamp, it indicates\nthat the resource has been soft-deleted (moved to the recycle bin) but not\nyet permanently removed from the system. This allows for recovery of\naccidentally deleted resources within a specified retention period.\n\nThe deletedAt timestamp enables:\n- Filtering deleted resources from active resource listings\n- Implementing time-based retention policies for permanent deletion\n- Tracking deletion events for audit and compliance purposes\n- Resource recovery workflows with clear timeframes\n\nThe timestamp is recorded in ISO 8601 format with UTC timezone (Z suffix).\nWhen null or absent, the resource is considered active.\n"}},"required":["_id"]},"IAResourceResponse":{"type":"object","description":"Integration app response fields for resources that are part of integration apps","properties":{"_integrationId":{"type":"string","format":"objectId","readOnly":true,"description":"Reference to the specific integration instance that contains this resource.\n\nThis field is only populated for resources that are part of an integration app\ninstallation. It contains the unique identifier (_id) of the integration\nresource that was installed in the account.\n\nThe integration instance represents a specific installed instance of an\nintegration app, with its own configuration, settings, and runtime environment.\n\nThis reference enables:\n- Tracing the resource back to its parent integration instance\n- Permission and access control based on integration ownership\n- Lifecycle management (enabling/disabling, updating, or uninstalling)\n"},"_connectorId":{"type":"string","format":"objectId","readOnly":true,"description":"Reference to the integration app that defines this resource.\n\nThis field is only populated for resources that are part of an integration app.\nIt contains the unique identifier (_id) of the integration app (connector)\nthat defines the structure, behavior, and templates for this resource.\n\nThe integration app is the published template that can be installed\nmultiple times across different accounts, with each installation creating\na separate integration instance (referenced by _integrationId).\n\nThis reference enables:\n- Identifying the source integration app for this resource\n- Determining which template version is being used\n- Linking to documentation, support, and marketplace information\n"}}},"AIDescription":{"type":"object","description":"AI-generated descriptions and documentation for the resource.\n\nThis object contains automatically generated content that helps users\nunderstand the purpose, behavior, and configuration of the resource without\nrequiring them to analyze the technical details. The AI-generated content\nis sanitized and safe for display in the UI.\n","properties":{"summary":{"type":"string","description":"Brief AI-generated summary of the resource's purpose and functionality.\n\nThis concise description provides a quick overview of what the resource does,\nwhat systems it interacts with, and its primary role in the integration.\nThe summary is suitable for display in list views, dashboards, and other\ncontexts where space is limited.\n\nMaximum length: 10KB\n"},"detailed":{"type":"string","description":"Comprehensive AI-generated description of the resource's functionality.\n\nThis detailed explanation covers the resource's purpose, configuration details,\ndata flow patterns, filtering logic, and other technical aspects. It provides\nin-depth information suitable for documentation, tooltips, or detailed views\nin the administration interface.\n\nThe content may include HTML formatting for improved readability.\n\nMaximum length: 10KB\n"},"generatedOn":{"type":"string","format":"date-time","description":"Timestamp indicating when the AI description was generated.\n\nThis field helps track the freshness of the AI-generated content and\ndetermine when it might need to be regenerated due to changes in the\nresource's configuration or behavior.\n\nThe timestamp is recorded in ISO 8601 format with UTC timezone (Z suffix).\n"}}},"Error":{"type":"object","description":"Standard error response envelope returned by integrator.io APIs.","properties":{"errors":{"type":"array","description":"List of errors that occurred while processing the request.","items":{"type":"object","properties":{"code":{"oneOf":[{"type":"string"},{"type":"integer"}],"description":"Machine-readable error code. Usually a string like\n`invalid_ref`, `missing_required_field`, or `unauthorized`;\nmay be an **integer** when the error mirrors an upstream HTTP\nstatus (e.g. `500`) — most commonly returned by connection-ping\nand adaptor-proxy responses."},"message":{"type":"string","description":"Human-readable description of the error."},"field":{"type":"string","description":"Optional pointer to the document field that caused the error.\nUsed by structural validation errors (`missing_required_field`,\n`invalid_ref`) to indicate which field is at fault\n(e.g. `_id`, `type`, `http.baseURI`)."},"source":{"type":"string","description":"Optional origin layer for the error — e.g. `application` when\nthe error came from the remote system the adaptor called,\n`connector` when the adaptor itself rejected the request."}},"required":["message"]}}},"required":["errors"]}},"responses":{"400-bad-request":{"description":"Bad request. The server could not understand the request because of malformed syntax or invalid parameters.\n","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"401-unauthorized":{"description":"Unauthorized. The request lacks a valid bearer token, or the provided token\nfailed to authenticate.\n\nNote: the 401 response is produced by the auth middleware **before** the\nrequest reaches the endpoint handler, so it does **not** follow the\nstandard `{errors: [...]}` envelope. Instead the body is a bare\n`{message: string}` object with no `code`, no `errors` array. Callers\nhandling 401s should key off the HTTP status and the `message` string,\nnot try to destructure an `errors[]`.","content":{"application/json":{"schema":{"type":"object","properties":{"message":{"type":"string","description":"Human-readable description of the auth failure. Known values:\n- `\"Unauthorized\"` — no `Authorization` header on the request.\n- `\"Bearer Authentication Failed\"` — header present but token\n  is invalid, revoked, or expired."}},"required":["message"]}}}},"403-forbidden":{"description":"Forbidden. The authenticated caller does not have permission to perform this operation.\n","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"422-unprocessable-entity":{"description":"Unprocessable entity. The request was well-formed but was unable to be followed due to semantic errors.\n","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}}},"paths":{"/v1/connections":{"post":{"summary":"Create a connection","description":"Creates a new connection configuration that can be used to authenticate and connect\nto external systems and applications.\n","operationId":"createConnection","tags":["Connections"],"requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Request"}}}},"responses":{"201":{"description":"Connection created successfully","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Response"}}}},"400":{"$ref":"#/components/responses/400-bad-request"},"401":{"$ref":"#/components/responses/401-unauthorized"},"403":{"$ref":"#/components/responses/403-forbidden"},"422":{"$ref":"#/components/responses/422-unprocessable-entity"}}}}}}
```

## Get a connection

> Retrieves a specific connection by its unique identifier.\
> Returns the complete connection configuration including authentication settings.<br>

```json
{"openapi":"3.1.0","info":{"title":"Connections","version":"1.0.0"},"servers":[{"url":"https://api.integrator.io","description":"Production (US / default region)"},{"url":"https://api.eu.integrator.io","description":"Production (EU region)"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer"}},"schemas":{"Response":{"type":"object","description":"Complete connection object as returned by the API","allOf":[{"$ref":"#/components/schemas/Request"},{"$ref":"#/components/schemas/ResourceResponse"},{"$ref":"#/components/schemas/IAResourceResponse"},{"type":"object","properties":{"aiDescription":{"$ref":"#/components/schemas/AIDescription"},"salesforce":{"allOf":[{"$ref":"#/components/schemas/Salesforce"},{"type":"object","properties":{"info":{"type":"object","description":"Additional Salesforce connection information","readOnly":true}}}]},"netsuite":{"allOf":[{"$ref":"#/components/schemas/NetSuite"},{"type":"object","properties":{"suiteAppInstalled":{"type":"boolean","description":"Whether the Celigo SuiteApp is installed","readOnly":true}}}]},"_integrationId":{"type":"string","format":"objectId","description":"ID of the integration this connection belongs to","readOnly":true},"_connectorId":{"type":"string","format":"objectId","description":"ID of the connector template this connection is based on","readOnly":true},"_id":{"type":"string","format":"objectId","description":"Unique identifier for the connection","readOnly":true},"offline":{"type":"boolean","description":"Whether the connection is currently offline/disabled","readOnly":true},"_userId":{"type":"string","format":"objectId","description":"ID of the user who owns this connection","readOnly":true},"createdAt":{"type":"string","format":"date-time","description":"Timestamp when the connection was created","readOnly":true},"lastModified":{"type":"string","format":"date-time","description":"Timestamp when the connection was last modified","readOnly":true},"deletedAt":{"type":"string","format":"date-time","description":"Timestamp when the connection was soft-deleted (if applicable)","readOnly":true},"needsAuthorization":{"type":"boolean","description":"Whether this connection requires OAuth2 or similar authorization flow","readOnly":true},"isAmazonSPConnection":{"type":"boolean","description":"Whether this is an Amazon Selling Partner API connection","readOnly":true},"concurrencyInfo":{"type":"object","description":"Current concurrency usage and limits for this connection","readOnly":true,"properties":{"currentLevel":{"type":"number","description":"Current concurrency level being used"},"targetLevel":{"type":"number","description":"Target concurrency level"},"maxLevel":{"type":"number","description":"Maximum allowed concurrency level"},"borrowedFrom":{"type":"string","description":"ID of connection this is borrowing concurrency from"}}},"rateLimit":{"type":"object","description":"Rate limiting information for this connection","readOnly":true,"properties":{"isRecovering":{"type":"boolean","description":"Whether the connection is currently recovering from rate limits"},"lastErrorAt":{"type":"string","format":"date-time","description":"Timestamp of last rate limit error"},"retryCount":{"type":"number","description":"Number of retry attempts for rate limit recovery"}}},"status":{"type":"string","enum":["active","inactive","error","pending","offline"],"description":"Current operational status of the connection","readOnly":true},"lastPingAt":{"type":"string","format":"date-time","description":"Timestamp of last successful ping test","readOnly":true},"lastPingStatus":{"type":"string","enum":["success","failed","pending"],"description":"Result of the last ping test","readOnly":true},"capabilities":{"type":"object","description":"Discovered or configured capabilities of this connection","readOnly":true,"properties":{"read":{"type":"boolean","description":"Supports read operations"},"write":{"type":"boolean","description":"Supports write operations"},"delete":{"type":"boolean","description":"Supports delete operations"},"realtime":{"type":"boolean","description":"Supports real-time data streaming"},"batch":{"type":"boolean","description":"Supports batch operations"}}},"quotas":{"type":"object","description":"Usage quotas and limits for this connection","readOnly":true,"properties":{"daily":{"type":"object","properties":{"limit":{"type":"number"},"used":{"type":"number"},"remaining":{"type":"number"}}},"monthly":{"type":"object","properties":{"limit":{"type":"number"},"used":{"type":"number"},"remaining":{"type":"number"}}}}},"_sourceId":{"type":"string","format":"objectId","description":"ID of the source this connection was created from","readOnly":true},"_templateId":{"type":"string","format":"objectId","description":"ID of the template this connection was generated from","readOnly":true},"draft":{"type":"boolean","description":"Whether this connection is in draft state","readOnly":true},"draftExpiresAt":{"type":"string","format":"date-time","description":"Timestamp when the draft connection expires","readOnly":true},"debugUntil":{"type":"string","format":"date-time","description":"Timestamp until which debug logging is enabled","readOnly":true},"apiIdentifier":{"type":"string","description":"API identifier for this connection","readOnly":true}}}]},"Request":{"type":"object","description":"Fields that can be sent when creating or updating a connection","properties":{"name":{"type":"string","description":"Descriptive identifier for the connection resource in human-readable format.\n\nThis string serves as the primary display name for the connection across the application UI and is used in:\n- API responses when listing connections\n- Error and audit logs for traceability\n- Flow builder UI components\n- Integration configuration dashboards\n\nWhile not required to be globally unique in the system, using descriptive, unique names is strongly recommended\nfor clarity when managing multiple connections. The name should indicate the target system and purpose.\n\nMaximum length: 200 characters\nAllowed characters: Letters, numbers, spaces, and basic punctuation\n","maxLength":200},"type":{"type":"string","description":"The type of connection determining which authentication and connectivity options are available","enum":["netsuite","salesforce","ftp","s3","rest","wrapper","http","rdbms","mongodb","as2","filesystem","mcp","dynamodb","jdbc","van"]},"externalId":{"type":"string","description":"External identifier for the connection, often used for integration with third-party systems"},"assistant":{"type":"string","description":"Application name in lowercase for HTTP connections to systems with integrator.io adaptors.\nUsed to identify the target application being connected to.\nExamples - Shopify: \"shopify\", eBay: \"ebay\".\nOnly applicable for HTTP connection types.\n"},"_agentId":{"type":"string","format":"objectId","description":"Reference to a Celigo on-premise Agent. Required for connection types that need\nlocal network or filesystem access (JDBC, filesystem, Oracle RDBMS).\nThe agent establishes a secure tunnel between the on-premise environment and integrator.io.\n"},"_borrowConcurrencyFromConnectionId":{"type":"string","format":"objectId","description":"Reference to another connection to share concurrency limits with.\nWhen set, this connection's concurrency is counted against the referenced\nconnection's limit instead of maintaining its own.\n"},"debugDate":{"type":"string","format":"date-time","description":"Date until which debug logging is enabled for this connection"},"settingsForm":{"type":"object","description":"Dynamic form configuration for connection-specific settings"},"settings":{"type":"object","description":"Connection-specific settings and configurations"},"pgp":{"type":"object","description":"PGP encryption settings for file-based connections"},"ssl":{"$ref":"#/components/schemas/SSL"},"netsuite":{"$ref":"#/components/schemas/NetSuite"},"salesforce":{"$ref":"#/components/schemas/Salesforce"},"ftp":{"$ref":"#/components/schemas/FTP"},"s3":{"$ref":"#/components/schemas/S3"},"rest":{"$ref":"#/components/schemas/REST"},"http":{"$ref":"#/components/schemas/HTTP"},"rdbms":{"$ref":"#/components/schemas/RDBMS"},"mongodb":{"$ref":"#/components/schemas/MongoDB"},"as2":{"$ref":"#/components/schemas/AS2"},"filesystem":{"$ref":"#/components/schemas/Filesystem"},"dynamodb":{"$ref":"#/components/schemas/DynamoDB"},"jdbc":{"$ref":"#/components/schemas/JDBC"},"van":{"$ref":"#/components/schemas/VAN"},"mcp":{"$ref":"#/components/schemas/MCP"},"wrapper":{"$ref":"#/components/schemas/Wrapper"}},"required":["name","type"],"anyOf":[{"title":"NetSuite","required":["netsuite"],"properties":{"netsuite":{"$ref":"#/components/schemas/NetSuite"}}},{"title":"Salesforce","required":["salesforce"],"properties":{"salesforce":{"$ref":"#/components/schemas/Salesforce"}}},{"title":"FTP","required":["ftp"],"properties":{"ftp":{"$ref":"#/components/schemas/FTP"}}},{"title":"S3","required":["s3"],"properties":{"s3":{"$ref":"#/components/schemas/S3"}}},{"title":"REST","required":["rest"],"properties":{"rest":{"$ref":"#/components/schemas/REST"}}},{"title":"HTTP","required":["http"],"properties":{"http":{"$ref":"#/components/schemas/HTTP"}}},{"title":"RDBMS","required":["rdbms"],"properties":{"rdbms":{"$ref":"#/components/schemas/RDBMS"}}},{"title":"MongoDB","required":["mongodb"],"properties":{"mongodb":{"$ref":"#/components/schemas/MongoDB"}}},{"title":"AS2","required":["as2"],"properties":{"as2":{"$ref":"#/components/schemas/AS2"}}},{"title":"Filesystem","required":["filesystem"],"properties":{"filesystem":{"$ref":"#/components/schemas/Filesystem"}}},{"title":"MCP","required":["mcp"],"properties":{"mcp":{"$ref":"#/components/schemas/MCP"}}},{"title":"DynamoDB","required":["dynamodb"],"properties":{"dynamodb":{"$ref":"#/components/schemas/DynamoDB"}}},{"title":"JDBC","required":["jdbc"],"properties":{"jdbc":{"$ref":"#/components/schemas/JDBC"}}},{"title":"VAN","required":["van"],"properties":{"van":{"$ref":"#/components/schemas/VAN"}}},{"title":"Wrapper","required":["wrapper"],"properties":{"wrapper":{"$ref":"#/components/schemas/Wrapper"}}}]},"SSL":{"type":"object","description":"SSL/TLS certificate configuration for secure database connections.\n\nUsed by RDBMS and other connection types that support client certificate authentication\nor connections to servers with private CA-signed certificates.\n\n**Usage rules**\n- Provide cert + key together for client certificate (mutual TLS) authentication.\n- Provide ca alone when the server uses a certificate signed by a private CA.\n- cert/key and ca can be combined for mTLS with a private CA.\n- passphrase is only needed when the private key is encrypted.\n","properties":{"ca":{"type":"string","description":"Certificate Authority (CA) certificate in PEM format (encrypted at rest).\nProvide this when the database server uses a certificate signed by a private CA\nthat is not in the system's default trust store.\n","writeOnly":true},"key":{"type":"string","description":"Client private key in PEM format (encrypted at rest).\nREQUIRED alongside cert for client certificate (mTLS) authentication.\nCannot be provided without cert.\n","writeOnly":true},"passphrase":{"type":"string","description":"Passphrase to decrypt an encrypted private key (encrypted at rest).\nOnly needed when the PEM private key in the key field is password-protected.\n","writeOnly":true},"cert":{"type":"string","description":"Client certificate in PEM format (encrypted at rest).\nREQUIRED alongside key for client certificate (mTLS) authentication.\nCannot be provided without key.\n","writeOnly":true}}},"NetSuite":{"type":"object","description":"Configuration for NetSuite ERP connections. Used when the connection type is \"netsuite\".\n\nNetSuite connections support two authentication methods:\n- Token-Based Authentication (TBA) — recommended for production. Requires tokenId and tokenSecret.\n- Basic authentication (email/password) — legacy method, limited functionality.\n\n**Required fields by auth type**\n- authType \"token\": account, tokenId, tokenSecret, roleId\n- authType \"token-auto\": account (tokens are managed automatically via iClient)\n- authType \"basic\": account, email, password, roleId\n\n**Environment**\nThe environment field selects which NetSuite instance to connect to.\nThe account ID format changes based on environment (e.g., \"123456\" for production,\n\"123456_SB1\" for non-production).\n","properties":{"authType":{"type":"string","enum":["basic","token","token-auto"],"description":"Authentication method for the NetSuite connection.\n\n- \"token\" — Token-Based Authentication (TBA). Recommended for production.\n  Requires tokenId and tokenSecret from a NetSuite integration record.\n- \"token-auto\" — Automatic token management via Celigo's iClient.\n  Tokens are provisioned and rotated automatically.\n- \"basic\" — Legacy email/password authentication. Not recommended for\n  new connections; has limited API access compared to TBA.\n"},"account":{"type":"string","description":"NetSuite account ID. REQUIRED for all auth types.\n\nThis is the account identifier visible in NetSuite under Setup > Company > Company Information.\nThe value is automatically uppercased.\n\nFormat varies by environment:\n- Production: \"123456\" or \"TSTDRV123456\"\n- Non-production: \"123456_SB1\" (suffix indicates the environment number)\n- Beta: \"123456\" (same as production, but with environment set to \"beta\")\n"},"environment":{"type":"string","enum":["production","beta"],"description":"NetSuite environment to connect to.\n\n- \"production\" — Live production instance.\n- \"beta\" — NetSuite beta/release-preview environment.\n\nDefaults to \"production\" when not specified.\n"},"tokenId":{"type":"string","description":"NetSuite TBA token ID (encrypted at rest). REQUIRED when authType is \"token\".\n\nGenerated in NetSuite under Setup > Users/Roles > Access Tokens.\nMust be paired with the corresponding tokenSecret.\n","writeOnly":true},"tokenSecret":{"type":"string","description":"NetSuite TBA token secret (encrypted at rest). REQUIRED when authType is \"token\".\n\nGenerated alongside the tokenId in NetSuite. Treat as a sensitive credential.\n","writeOnly":true},"entityId":{"type":"string","description":"NetSuite entity/user ID associated with the token."},"tokenName":{"type":"string","description":"Human-readable name of the NetSuite access token for identification purposes."},"roleId":{"type":"string","description":"NetSuite role ID that determines the permissions for this connection.\n\nThe role controls which records, fields, and operations are accessible.\nMust match the role associated with the access token in NetSuite.\n"},"email":{"type":"string","description":"NetSuite user email address. REQUIRED when authType is \"basic\".\nUsed as the login credential for basic (email/password) authentication.\n","format":"email"},"password":{"type":"string","description":"NetSuite user password (encrypted at rest). REQUIRED when authType is \"basic\".","writeOnly":true},"requestLevelCredentials":{"type":"boolean","description":"When true, authentication credentials are sent with each individual API request\nrather than maintaining a persistent session. Enable this for environments\nwhere session-based auth is unreliable.\n"},"dataCenterURLs":{"type":"object","description":"NetSuite data center URL overrides. Normally auto-discovered from the account ID.\nOnly set this to override the default data center routing.\n"},"accountName":{"type":"string","description":"Human-readable NetSuite account name (display purposes only)."},"roleName":{"type":"string","description":"Human-readable name of the NetSuite role (display purposes only)."},"wsdlVersion":{"type":"string","description":"NetSuite WSDL (Web Services Description Language) version for SuiteTalk Web Services.\n\nControls which API version is used for SOAP-based operations. Newer versions\nmay include additional record types and fields.\n\n- \"latest\" — Use the most recent stable WSDL version.\n- \"next\" — Use the next (pre-release) WSDL version.\n- Specific versions like \"2023.2\" pin to that exact API version.\n","enum":["latest","next","2023.2","2023.1","2022.2","2022.1"],"default":"latest"},"applicationId":{"type":"string","description":"NetSuite application ID from the integration record.\nRequired for some authentication configurations to identify the calling application.\n"},"concurrencyLevelRESTlet":{"type":"number","description":"Maximum concurrent requests to NetSuite RESTlet endpoints.\nNetSuite enforces governance limits on concurrent RESTlet requests per account.\nKeep this low to avoid SuiteScript governance errors.\n","minimum":1,"maximum":10,"default":1},"concurrencyLevelWebServices":{"type":"number","description":"Maximum concurrent requests to NetSuite SuiteTalk Web Services (SOAP API).\nNetSuite enforces concurrency limits per account — exceeding them causes\n\"Only one request may be made against a session at a time\" errors.\n","minimum":1,"maximum":10,"default":5},"concurrencyLevel":{"type":"number","description":"General concurrency level for this connection. Controls the overall\nmaximum concurrent requests across all operation types.\n","minimum":1,"maximum":10,"default":5},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system adjusts concurrency\nbetween 1 and this value based on rate limit and governance feedback.\n","minimum":1,"maximum":10},"_iClientId":{"type":"string","format":"objectId","description":"ID of the iClient used for token-based authentication."}}},"Salesforce":{"type":"object","description":"Configuration for Salesforce CRM connections. Used when the connection type is \"salesforce\".\n\nSalesforce connections authenticate via OAuth 2.0 with two supported flows:\n- JWT Bearer Token — server-to-server auth using a Salesforce Connected App. Recommended for automated integrations.\n- Refresh Token — interactive OAuth flow where the user authorizes via browser. Good for user-context integrations.\n\n**Required fields by flow type**\n- oauth2FlowType \"jwtBearerToken\": username (Salesforce username of the authorized user)\n- oauth2FlowType \"refreshToken\": refreshToken (obtained via browser-based OAuth flow)\n\n**Environment selection**\nThe login endpoint defaults to login.salesforce.com for production orgs.\n","properties":{"baseURI":{"type":"string","description":"Custom Salesforce instance URL. Overrides the default login URL.\n\nNormally auto-discovered during OAuth authentication. Only set this to\nforce a specific instance URL (e.g., \"https://mycompany.my.salesforce.com\").\n","format":"uri"},"oauth2FlowType":{"type":"string","enum":["jwtBearerToken","refreshToken"],"description":"OAuth 2.0 authentication flow type.\n\n- \"jwtBearerToken\" — Server-to-server JWT Bearer Token flow. Does not require\n  user interaction. Requires a Salesforce Connected App with a digital certificate,\n  and the username field must be set to the authorized Salesforce user.\n- \"refreshToken\" — Authorization Code / Refresh Token flow. Requires initial\n  browser-based authorization, then uses the refresh token for ongoing access.\n\nChoose \"jwtBearerToken\" for automated server-to-server integrations.\nChoose \"refreshToken\" for integrations that operate in a specific user's context.\n"},"username":{"type":"string","description":"Salesforce username for JWT Bearer Token authentication.\nREQUIRED when oauth2FlowType is \"jwtBearerToken\".\n\nThis is the Salesforce login username (email) of the user whose permissions\nthe integration will operate under.\n"},"bearerToken":{"type":"string","description":"OAuth access/bearer token (encrypted at rest).\nTypically auto-managed by the system during OAuth flows. Rarely set manually.\n","writeOnly":true},"refreshToken":{"type":"string","description":"OAuth refresh token (encrypted at rest). REQUIRED when oauth2FlowType is \"refreshToken\".\nObtained during the initial browser-based OAuth authorization flow.\n","writeOnly":true},"packagedOAuth":{"type":"boolean","description":"When true, uses Celigo's pre-configured Connected App for OAuth.\nWhen false, you must provide your own Connected App credentials via iClient.\n","default":false},"scope":{"type":"array","items":{"type":"string"},"description":"OAuth scopes to request during authorization. Controls the level of access granted.\n\nCommon scopes:\n- \"full\" — Full access to all Salesforce APIs.\n- \"refresh_token\" — Allows obtaining refresh tokens for long-lived access.\n- \"api\" — Access to REST and SOAP APIs.\n\nDefaults to [\"full\", \"refresh_token\"] which provides complete API access.\n","default":["full","refresh_token"]},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent API requests to Salesforce.\nSalesforce enforces per-org API request limits. Setting this too high\nmay exhaust your org's API call allocation faster.\n","minimum":1,"maximum":25,"default":5},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system adjusts concurrency\nbetween 1 and this value based on rate limit feedback from Salesforce.\n","minimum":1,"maximum":25}}},"FTP":{"type":"object","description":"Configuration for FTP/SFTP/FTPS file transfer connections. Used when the connection type is \"ftp\".\n\nSupports three file transfer protocols:\n- FTP — Standard File Transfer Protocol (unencrypted). Default port 21.\n- SFTP — SSH File Transfer Protocol (encrypted via SSH). Default port 22.\n- FTPS — FTP over TLS/SSL (encrypted via TLS). Default port 21 (explicit) or 990 (implicit).\n\n**Required fields**\n- type (ftp, sftp, or ftps)\n- hostURI (server hostname or IP)\n- username\n\n**Authentication**\n- FTP/FTPS: username + password\n- SFTP: username + password, OR username + authKey (SSH private key), OR both\n\n**Pgp encryption**\nOptional PGP encryption/decryption can be enabled for file-level security,\nindependent of transport-level encryption. Requires pgpEncryptKey and/or pgpDecryptKey.\n","required":["type","hostURI","username"],"properties":{"type":{"type":"string","enum":["ftp","sftp","ftps"],"description":"File transfer protocol type. REQUIRED.\n\n- \"ftp\" — Standard FTP. No transport encryption. Default port 21.\n- \"sftp\" — SSH-based file transfer. Encrypted transport. Default port 22.\n  Supports SSH key authentication via the authKey field.\n- \"ftps\" — FTP over TLS/SSL. Encrypted transport. Default port 21 (explicit TLS)\n  or 990 (implicit TLS — set useImplicitFtps to true).\n\nPrefer \"sftp\" for security. Use \"ftps\" when the server requires TLS.\nOnly use \"ftp\" for legacy systems that don't support encryption.\n"},"hostURI":{"type":"string","description":"FTP server hostname or IP address. REQUIRED.\nDo NOT include the protocol prefix (e.g., use \"ftp.example.com\", not \"sftp://ftp.example.com\").\n"},"port":{"type":"number","description":"Server port number. Defaults vary by type:\n- FTP: 21\n- SFTP: 22\n- FTPS (explicit): 21\n- FTPS (implicit): 990\n","minimum":1,"maximum":65535,"default":21},"username":{"type":"string","description":"Username for server authentication. REQUIRED."},"password":{"type":"string","description":"Password for server authentication (encrypted at rest).\nFor SFTP, either password or authKey (SSH key) is required.\n","writeOnly":true},"authKey":{"type":"string","description":"SSH private key for SFTP key-based authentication (encrypted at rest).\nOnly used when type is \"sftp\". Provide the full PEM-encoded private key.\nCan be used alone or alongside a password for two-factor auth.\n","writeOnly":true},"usePassiveMode":{"type":"boolean","description":"When true, uses passive mode for FTP/FTPS data connections.\nIn passive mode, the client initiates both control and data connections,\nwhich works better through firewalls and NAT. Enable for most scenarios.\n","default":true},"enableHostVerification":{"type":"boolean","description":"When true, verifies the server's SSH host key (SFTP) or TLS certificate (FTPS).\nDisable only for development/testing with self-signed certificates.\n","default":true},"userDirectoryIsRoot":{"type":"boolean","description":"When true, treats the user's home directory as the root directory.\nAll paths are relative to the user's home directory rather than the server root.\n","default":false},"useImplicitFtps":{"type":"boolean","description":"When true, uses implicit FTPS (TLS connection established immediately on port 990).\nWhen false, uses explicit FTPS (starts as FTP on port 21, upgrades to TLS via STARTTLS).\nOnly applies when type is \"ftps\".\n","default":false},"requireSocketReUse":{"type":"boolean","description":"When true, requires the data connection to reuse the same TLS session as the control connection.\nSome FTPS servers require this for security. Only applies to FTPS connections.\n","default":false},"entryParser":{"type":"string","enum":["UNIX","UNIX-TRIM","VMS","WINDOWS","OS/2","OS/400","AS/400","MVS","UNKNOWN-TYPE","NETWARE","MACOS-PETER"],"description":"File listing format parser. Controls how directory listings from the server are interpreted.\nMost servers use UNIX format. Only change this if directory listings appear garbled.\n\n- \"UNIX\" — Standard Unix/Linux servers (most common).\n- \"WINDOWS\" — Windows FTP servers using DOS-style listings.\n- \"MVS\" — IBM mainframe MVS systems.\n- \"AS/400\" — IBM AS/400 (iSeries) systems.\n- Other values are for specific legacy server platforms.\n"},"pgpEncryptKey":{"type":"string","description":"PGP public key for encrypting files before upload (encrypted at rest).\nWhen set, files are PGP-encrypted before being sent to the server.\n","writeOnly":true},"pgpDecryptKey":{"type":"string","description":"PGP private key for decrypting files after download (encrypted at rest).\nWhen set, downloaded files are automatically PGP-decrypted.\n","writeOnly":true},"pgpPassphrase":{"type":"string","description":"Passphrase for the PGP private key (encrypted at rest).","writeOnly":true},"pgpKeyAlgorithm":{"type":"string","enum":["CAST5","3DES","AES-128","AES-192","AES-256"],"description":"Symmetric encryption algorithm used for PGP operations.\nAES-256 is recommended for strong encryption. CAST5 is the PGP default.\nMust match the algorithm expected by the recipient when encrypting.\n"},"pgpSignAndVerify":{"type":"boolean","description":"When true, PGP-signs outbound files and verifies signatures on inbound files.\nProvides authenticity and integrity verification on top of encryption.\n","default":false},"tradingPartner":{"type":"boolean","description":"When true, this connection is associated with a trading partner configuration\nfor B2B/EDI file exchanges.\n","default":false},"_tpConnectorId":{"type":"string","format":"objectId","description":"Reference to a trading partner connector."},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent file transfer operations.\nFTP servers often have low connection limits — keep this value conservative.\n","minimum":1,"maximum":10,"default":1},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system adjusts concurrency\nbetween 1 and this value based on server response feedback.\n","minimum":1,"maximum":10}}},"S3":{"type":"object","description":"Configuration for Amazon S3 connections. Used when the connection type is \"s3\".\n\nProvides access to Amazon S3 buckets for file-based integrations (upload, download,\nlist, and delete operations). Uses AWS IAM credentials for authentication.\n\n**Required fields**\n- accessKeyId (AWS access key)\n- secretAccessKey (AWS secret key)\n\n**Ping**\nSet pingBucket to an accessible S3 bucket name so Celigo can verify\nthe connection credentials are valid.\n","required":["accessKeyId","secretAccessKey"],"properties":{"accessKeyId":{"type":"string","description":"AWS access key ID for IAM authentication. REQUIRED.\nFrom an IAM user or role with S3 access permissions (s3:GetObject, s3:PutObject, s3:ListBucket, etc.).\n"},"secretAccessKey":{"type":"string","description":"AWS secret access key (encrypted at rest). REQUIRED.\nPaired with the accessKeyId. Treat as a sensitive credential.\n","writeOnly":true},"pingBucket":{"type":"string","description":"S3 bucket name used for connection health checks (ping).\nThe system performs a HEAD request on this bucket to verify credentials.\nMust be a bucket the IAM credentials have access to.\n"},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent S3 operations.\nS3 has high throughput limits, so this can be set relatively high.\n","minimum":1,"maximum":100,"default":5},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system adjusts concurrency\nbetween 1 and this value based on performance feedback.\n","minimum":1,"maximum":100}}},"REST":{"type":"object","description":"Configuration for REST connector connections. Used when the connection type is \"rest\".\n\nREST connections are template-driven HTTP connections that use a pre-built HTTP Connector\ndefinition. The connector template pre-configures authentication, base URI, and other\nsettings — the user only fills in credentials and account-specific values.\n\n**Rest vs http connections**\n- Use \"rest\" when connecting to an application that has a Celigo HTTP Connector template\n  (referenced via _httpConnectorId). The connector provides pre-configured API settings.\n- Use \"http\" for fully custom API connections where you configure everything manually.\n\n**Authentication**\nThe authType field selects the authentication method. Available methods depend on the\nconnector template. Credentials are stored in the appropriate auth sub-fields (basicAuth,\nbearerToken, refreshToken, oauth, etc.).\n","required":["mediaType","baseURI","authType"],"properties":{"mediaType":{"type":"string","enum":["json","urlencoded","xml","csv"],"description":"Default content type for API requests and responses.\n\n- \"json\" — application/json (most common for REST APIs).\n- \"xml\" — application/xml (for XML-based APIs).\n- \"urlencoded\" — application/x-www-form-urlencoded (for form-style APIs).\n- \"csv\" — text/csv (for CSV-based data exchange).\n"},"baseURI":{"type":"string","description":"Base URL for all API requests. REQUIRED.\nAll relative URIs in exports and imports are appended to this base URL.\nMay be pre-populated by the HTTP Connector template.\n","format":"uri"},"authType":{"type":"string","enum":["basic","token","oauth","custom","cookie","jwt","hmac","wsse","oauth1"],"description":"Authentication method for this connection. REQUIRED.\n\n- \"basic\" — HTTP Basic Auth. Requires basicAuth.username and basicAuth.password.\n- \"token\" — Bearer token or API key. Requires bearerToken. Supports auto-refresh.\n- \"oauth\" — OAuth 2.0. Requires oauth configuration and typically authURI/oauthTokenURI.\n- \"cookie\" — Cookie-based session auth. Requires cookieAuth configuration.\n- \"jwt\" — JWT-based authentication.\n- \"hmac\" — HMAC signature authentication.\n- \"wsse\" — WS-Security. Requires basicAuth credentials.\n- \"oauth1\" — OAuth 1.0a. Requires oauth.oauth1 configuration.\n- \"custom\" — No built-in auth; credentials in headers or encrypted fields.\n"},"authURI":{"type":"string","description":"OAuth 2.0 authorization endpoint URI.\nUsed for OAuth authorization code flow where users authorize via browser.\n","format":"uri"},"oauthTokenURI":{"type":"string","description":"OAuth 2.0 token endpoint URI.\nUsed to exchange authorization codes for access tokens and to refresh tokens.\n","format":"uri"},"disableStrictSSL":{"type":"boolean","description":"When true, disables strict SSL/TLS certificate validation.\nOnly use for development/testing with self-signed certificates.\n","default":false},"skipOauthValidations":{"type":"boolean","description":"When true, skips Celigo's built-in OAuth configuration validation.\nUse when the connector has non-standard OAuth requirements.\n","default":false},"isHTTPProxy":{"type":"boolean","description":"When true, this REST connection acts as an HTTP proxy for another connection.\n","default":false},"authHeader":{"type":"string","description":"Custom HTTP header name for the authorization token.\nDefaults to \"Authorization\". Change only if the API uses a non-standard header.\n","default":"Authorization"},"retryHeader":{"type":"string","description":"HTTP response header name containing retry-after delay for rate-limited requests.\nDefaults to \"Retry-After\" (HTTP standard).\n","default":"Retry-After"},"authScheme":{"type":"string","enum":["MAC","OAuth","Bearer","Hmac"],"description":"Authorization header scheme/prefix prepended before the token value.\nProduces headers like \"Authorization: Bearer <token>\".\nDefaults to \"Bearer\" which is the most common scheme.\n","default":"Bearer"},"scope":{"type":"array","items":{"type":"string"},"description":"OAuth scopes to request during authorization. Controls the level of API access granted.\n"},"scopeDelimiter":{"type":"string","description":"Delimiter character between multiple OAuth scopes.\nDefaults to a space (\" \") per the OAuth 2.0 spec. Some APIs use commas.\n","default":" "},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent API requests.\nSet based on the target API's rate limit documentation.\n","minimum":1,"maximum":100,"default":5},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system adjusts concurrency\nbetween 1 and this value based on rate limit feedback.\n","minimum":1,"maximum":100},"bearerToken":{"type":"string","description":"Bearer token or API key for authentication (encrypted at rest).\nUsed when authType is \"token\".\n","writeOnly":true},"refreshToken":{"type":"string","description":"OAuth refresh token (encrypted at rest).\nUsed to obtain new access tokens when they expire.\n","writeOnly":true},"tokenLocation":{"type":"string","enum":["header","url"],"description":"Where to include the access token in outbound requests.\n- \"header\" — Sent in the Authorization header (default, most common).\n- \"url\" — Sent as a URL query parameter (use tokenParam for the parameter name).\n","default":"header"},"tokenParam":{"type":"string","description":"URL query parameter name for the access token when tokenLocation is \"url\".\n","default":"access_token"},"basicAuth":{"type":"object","description":"Basic authentication credentials. REQUIRED when authType is \"basic\" or \"wsse\".\n","properties":{"username":{"type":"string","description":"Username for Basic authentication."},"password":{"type":"string","description":"Password for Basic authentication (encrypted at rest).","writeOnly":true}}},"cookieAuth":{"type":"object","description":"Cookie-based session authentication configuration.\nREQUIRED when authType is \"cookie\".\n","properties":{"uri":{"type":"string","description":"Login endpoint URI. REQUIRED. The system sends a request here to obtain session cookies."},"body":{"type":"string","description":"Request body for the login request (e.g., JSON with credentials)."},"method":{"type":"string","description":"HTTP method for the login request (typically POST)."},"successStatusCode":{"type":"number","description":"HTTP status code that confirms successful authentication."}}},"oauth":{"$ref":"#/components/schemas/OAuth"},"refreshTokenMethod":{"type":"string","enum":["POST","PUT","GET"],"description":"HTTP method for token refresh requests.\n","default":"POST"},"refreshTokenBody":{"type":"string","description":"Request body template for token refresh requests."},"refreshTokenURI":{"type":"string","description":"URI for the token refresh endpoint.","format":"uri"},"refreshTokenPath":{"type":"string","description":"JSON path to extract the new access token from the refresh response.\nExample: \"access_token\" or \"data.token\".\n"},"refreshTokenMediaType":{"type":"string","enum":["json","urlencoded"],"description":"Content type for token refresh request bodies.","default":"json"},"refreshTokenHeaders":{"type":"array","description":"Additional headers to include in token refresh requests.","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}},"required":["name","value"]}},"headers":{"type":"array","description":"Default HTTP headers included in every API request.\nUse for API keys in custom headers, content negotiation, or required headers.\n","items":{"type":"object","properties":{"name":{"type":"string","description":"Header name."},"value":{"type":"string","description":"Header value. Supports handlebars expressions."}},"required":["name","value"]}},"pingRelativeURI":{"type":"string","description":"Relative URI (appended to baseURI) for connection health check requests.\nShould be a lightweight endpoint (e.g., \"/me\", \"/health\").\n"},"pingSuccessPath":{"type":"string","description":"JSON path to extract a success indicator from the ping response.\nIf the value matches one of pingSuccessValues, the ping succeeds.\n"},"pingSuccessValues":{"type":"array","items":{"type":"string"},"description":"Values that indicate a successful ping at pingSuccessPath."},"pingFailurePath":{"type":"string","description":"JSON path to extract a failure indicator from the ping response.\n"},"pingFailureValues":{"type":"array","items":{"type":"string"},"description":"Values that indicate a failed ping at pingFailurePath."},"pingMethod":{"type":"string","enum":["GET","POST"],"description":"HTTP method for ping requests.","default":"GET"},"pingBody":{"type":"string","description":"Request body for ping requests (when pingMethod is POST)."},"encrypted":{"type":"object","description":"Encrypted custom fields for sensitive configuration values.\nField definitions are in encryptedFields.\n"},"encryptedFields":{"type":"array","description":"Metadata defining the encrypted custom fields on this connection.","items":{"type":"object","properties":{"id":{"type":"string","description":"Field identifier — matches the key in the encrypted object."},"label":{"type":"string","description":"Human-readable label shown in the UI."},"required":{"type":"boolean","default":false},"position":{"type":"number","description":"Display order in the UI form."},"helpText":{"type":"string","description":"Tooltip text shown next to the field in the UI."}}}},"unencrypted":{"type":"object","description":"Unencrypted custom fields for non-sensitive configuration values.\nField definitions are in unencryptedFields.\n"},"unencryptedFields":{"type":"array","description":"Metadata defining the unencrypted custom fields on this connection.","items":{"type":"object","properties":{"id":{"type":"string","description":"Field identifier — matches the key in the unencrypted object."},"label":{"type":"string","description":"Human-readable label shown in the UI."},"required":{"type":"boolean","default":false},"position":{"type":"number","description":"Display order in the UI form."},"helpText":{"type":"string","description":"Tooltip text shown next to the field in the UI."},"type":{"type":"string","description":"Field type hint for the UI (e.g., \"text\", \"select\")."}}}},"info":{"type":"object","description":"Additional metadata about the REST connection, populated by the system.","readOnly":true}}},"OAuth":{"type":"object","description":"OAuth 2.0 and OAuth 1.0a authentication configuration.\n\nUsed as a sub-object within HTTP and REST connection auth configurations.\nSupports three OAuth 2.0 grant types and OAuth 1.0a for legacy APIs.\n\n**Oauth 2.0 grant types**\n- \"authorizationcode\" — Authorization Code flow (browser-based user consent).\n  Requires authURI, tokenURI, and user authorization via browser.\n- \"clientcredentials\" — Client Credentials flow (server-to-server, no user).\n  Requires tokenURI, clientId, clientSecret.\n- \"password\" — Resource Owner Password flow (username/password exchange).\n  Requires tokenURI, username, password, clientId, clientSecret.\n\n**Oauth 1.0a**\nFor OAuth 1.0a APIs, configure the oauth1 sub-object with consumer key/secret\nand access token/secret. Supports HMAC, RSA, and PLAINTEXT signature methods.\n","properties":{"type":{"type":"string","enum":["custom","assistant"],"description":"OAuth configuration mode.\n- \"custom\" — Fully user-configured OAuth settings.\n- \"assistant\" — Pre-configured via an application assistant connector.\n"},"grantType":{"type":"string","enum":["authorizationcode","clientcredentials","password","implicit"],"description":"OAuth 2.0 grant type that determines the authentication flow.\n\n- \"authorizationcode\" — Authorization Code flow. Most secure. Requires user\n  authorization via browser redirect. Use for integrations that act on behalf of a user.\n- \"clientcredentials\" — Client Credentials flow. Server-to-server authentication\n  without user involvement. Use for machine-to-machine integrations.\n- \"password\" — Resource Owner Password Credentials flow. Exchanges username/password\n  directly for tokens. Only use when the API does not support other flows.\n- \"implicit\" — Implicit flow (legacy, not recommended for new integrations).\n","default":"authorizationcode"},"authURI":{"type":"string","format":"uri","description":"OAuth 2.0 authorization endpoint URL.\nREQUIRED for \"authorizationcode\" grant type. The user is redirected to this URL\nto authorize the application.\n"},"tokenURI":{"type":"string","format":"uri","description":"OAuth 2.0 token endpoint URL.\nREQUIRED for \"authorizationcode\", \"clientcredentials\", and \"password\" grant types.\nThe system exchanges credentials or authorization codes for access tokens at this URL.\n"},"skipOauthValidations":{"type":"boolean","description":"When true, skips Celigo's built-in OAuth configuration validation.\nUse when the API has non-standard OAuth requirements that conflict with validation rules.\n","default":false},"scope":{"type":"array","items":{"type":"string"},"description":"OAuth scopes to request during authorization. Controls the level of API access.\nScope values are API-specific (e.g., \"read\", \"write\", \"admin\").\n"},"scopeDelimiter":{"type":"string","description":"Delimiter between multiple scope values. Defaults to a space (\" \") per the\nOAuth 2.0 spec. Some APIs use commas or other delimiters.\n","default":" "},"clientId":{"type":"string","description":"OAuth client ID (application ID) registered with the API provider.\nREQUIRED for all OAuth 2.0 grant types.\n"},"clientSecret":{"type":"string","description":"OAuth client secret (encrypted at rest).\nREQUIRED for \"authorizationcode\" and \"clientcredentials\" grant types.\n","writeOnly":true},"username":{"type":"string","description":"Resource owner username. REQUIRED when grantType is \"password\".\n"},"password":{"type":"string","description":"Resource owner password (encrypted at rest). REQUIRED when grantType is \"password\".\n","writeOnly":true},"clientCredentialsLocation":{"type":"string","enum":["header","body"],"description":"Where to send client credentials in token requests.\n\n- \"header\" — Send as HTTP Basic Auth header (default, recommended by OAuth spec).\n- \"body\" — Send as form parameters in the request body.\n  Use when the API does not support Basic Auth for client credentials.\n","default":"header"},"accessTokenPath":{"type":"string","description":"JSON path to extract the access token from the token endpoint response.\nDefaults to \"access_token\" per the OAuth 2.0 spec.\nChange only if the API returns the token at a non-standard path.\n"},"accessTokenHeaders":{"type":"array","description":"Additional HTTP headers to include in token endpoint requests.\nUse for APIs that require custom headers beyond the standard OAuth parameters.\n","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"accessTokenBody":{"type":"string","description":"Additional body content to include in token endpoint requests.\nAppended to the standard OAuth parameters.\n"},"oauth2RedirectUrl":{"type":"string","description":"OAuth 2.0 redirect URI (callback URL) registered with the API provider.\nMust exactly match the redirect URI configured in the OAuth application registration.\n"},"useIClientFields":{"type":"boolean","description":"When true, uses iClient-managed OAuth credentials (clientId/clientSecret)\ninstead of the values in this configuration.\n"},"oauth1":{"type":"object","description":"OAuth 1.0a configuration for legacy APIs that use the older OAuth protocol.\n\n**Required fields**\n- consumerKey (always required)\n- accessToken (always required)\n- For HMAC methods: consumerSecret and tokenSecret\n- For RSA methods: consumerPrivateKey\n","properties":{"consumerKey":{"type":"string","description":"OAuth 1.0a consumer key (API key). REQUIRED.\nIdentifies the application making the request.\n"},"consumerSecret":{"type":"string","description":"OAuth 1.0a consumer secret (encrypted at rest).\nREQUIRED for HMAC and PLAINTEXT signature methods.\n","writeOnly":true},"accessToken":{"type":"string","description":"OAuth 1.0a access token (encrypted at rest). REQUIRED.\nRepresents the user's authorization for the application to access their data.\n","writeOnly":true},"tokenSecret":{"type":"string","description":"OAuth 1.0a token secret (encrypted at rest).\nREQUIRED for HMAC and PLAINTEXT signature methods.\n","writeOnly":true},"signatureMethod":{"type":"string","enum":["HMAC-SHA1","HMAC-SHA256","HMAC-SHA512","RSA-SHA1","RSA-SHA256","RSA-SHA512","PLAINTEXT"],"description":"OAuth 1.0a request signing method.\n\nHMAC methods (require consumerSecret and tokenSecret):\n- \"HMAC-SHA1\" — Most widely supported (legacy).\n- \"HMAC-SHA256\" — More secure HMAC variant.\n- \"HMAC-SHA512\" — Strongest HMAC variant.\n\nRSA methods (require consumerPrivateKey):\n- \"RSA-SHA1\" — RSA signing (legacy).\n- \"RSA-SHA256\" — More secure RSA variant.\n- \"RSA-SHA512\" — Strongest RSA variant.\n\n- \"PLAINTEXT\" — No cryptographic signing. Only for testing over HTTPS.\n"},"consumerPrivateKey":{"type":"string","description":"RSA private key for OAuth 1.0a RSA signature methods (encrypted at rest).\nREQUIRED when signatureMethod is RSA-SHA1, RSA-SHA256, or RSA-SHA512.\n","writeOnly":true},"realm":{"type":"string","description":"OAuth realm value included in the Authorization header.\nSome APIs require this to identify the authentication domain.\n"}}},"pkceCodeVerifier":{"type":"string","description":"PKCE (Proof Key for Code Exchange) code verifier for enhanced OAuth 2.0 security.\nManaged internally by the system during authorization code flows.\n","writeOnly":true}}},"HTTP":{"type":"object","description":"Configuration for HTTP/REST API connections. Used when the connection type is \"http\".\n\nThis is the most versatile connection type in Celigo, supporting any REST, SOAP, or generic HTTP API.\nIt handles authentication, request/response formatting, rate limiting, and connection health checks.\n\n**When to use**\n- Any REST or SOAP API not covered by a specialized connector (Salesforce, NetSuite, etc.)\n- Custom HTTP integrations with APIs that use standard auth methods\n- GraphQL APIs (set formType to \"graph_ql\")\n- Amazon Selling Partner API (set type to \"Amazon-SP-API\")\n\n**Authentication models**\nThe auth.type field selects the authentication strategy. Each type requires specific sub-fields:\n- \"basic\" — HTTP Basic Auth (username/password)\n- \"token\" — Bearer token or API key with optional auto-refresh\n- \"oauth\" — OAuth 2.0 (authorization code, client credentials, or password grant)\n- \"jwt\" / \"jwtbearer\" — JWT-based authentication with HMAC or RSA signing\n- \"cookie\" — Cookie-based session authentication\n- \"digest\" — HTTP Digest Authentication\n- \"oauth1\" — OAuth 1.0a (HMAC or RSA signatures)\n- \"custom\" — No built-in auth; credentials go in headers or encrypted fields\n- \"wsse\" — WS-Security UsernameToken (SOAP APIs)\n- \"specific\" — Platform-specific auth (e.g., PTX)\n","required":["mediaType"],"properties":{"mediaType":{"type":"string","enum":["xml","json","urlencoded","form-data","plaintext"],"description":"Default content type for outbound HTTP request bodies. REQUIRED.\n\nThis controls the Content-Type header and how request bodies are serialized:\n- \"json\" — application/json. Use for most modern REST APIs.\n- \"xml\" — application/xml. Use for SOAP or XML-based APIs.\n- \"urlencoded\" — application/x-www-form-urlencoded. Use for form-style POST bodies.\n- \"form-data\" — multipart/form-data. Use for file uploads or multipart requests.\n- \"plaintext\" — text/plain. Use for raw text payloads.\n\nDefault to \"json\" unless the API documentation specifies otherwise.\n"},"successMediaType":{"type":"string","enum":["xml","csv","json","plaintext"],"description":"Expected content type of successful API responses. Controls how response bodies are parsed.\n\n- \"json\" — Parse response as JSON (default for most APIs).\n- \"xml\" — Parse response as XML.\n- \"csv\" — Parse response as CSV.\n- \"plaintext\" — Treat response as raw text, no parsing.\n\nIf omitted, the system infers the format from the response Content-Type header.\n"},"errorMediaType":{"type":"string","enum":["xml","json","plaintext"],"description":"Expected content type of error responses from the API. Controls how error response bodies are parsed for extracting error messages.\n\nIf omitted, defaults to the same format as successMediaType.\n"},"baseURI":{"type":"string","description":"Base URL for all API requests made through this connection. REQUIRED.\n\nAll relative URIs in exports and imports are appended to this base URL.\nMust be an absolute URL (e.g., \"https://api.example.com/v2\").\nHandlebars expressions are supported for dynamic URLs.\n\nDo NOT include trailing slashes — relative URIs in exports/imports should start with \"/\".\n","format":"uri"},"disableStrictSSL":{"type":"boolean","description":"When true, disables strict SSL/TLS certificate validation for API requests.\n\nOnly set to true for development/testing with self-signed certificates.\nNEVER disable in production — it removes protection against man-in-the-middle attacks.\n","default":false},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent HTTP requests this connection can make simultaneously.\n\nHigher values increase throughput but may trigger API rate limits.\nSet this based on the target API's rate limit documentation.\n","minimum":1,"maximum":100,"default":25},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system automatically adjusts\nconcurrency between 1 and this value based on rate limit feedback.\n\nOnly relevant when autoRecoverRateLimitErrors is enabled on the connection.\n","minimum":1,"maximum":100},"retryHeader":{"type":"string","description":"HTTP response header name that contains the retry delay (in seconds) when rate-limited.\n\nDefaults to \"Retry-After\" which is the HTTP standard. Only change this if the API\nuses a non-standard header name for retry-after values.\n","default":"Retry-After"},"formType":{"type":"string","enum":["assistant","rest","http","graph_ql","assistant_graphql"],"description":"Controls the UI form layout for configuring this connection. Determines which\nfields are shown and how they are organized in the Celigo UI.\n\n- \"http\" — Standard HTTP connection form with full control over all fields.\n- \"rest\" — Simplified REST connector form linked to an HTTP connector template.\n- \"assistant\" — Application assistant form with pre-configured settings.\n- \"graph_ql\" — GraphQL-specific form with query/mutation support.\n- \"assistant_graphql\" — Application assistant form with GraphQL support.\n\nFor programmatic creation, \"http\" is the most common choice.\n"},"type":{"type":"string","enum":["Amazon-SP-API","Amazon-Hybrid","vendor_central"],"description":"Specific API type for Amazon integrations. Only set this for Amazon connections.\n\n- \"Amazon-SP-API\" — Amazon Selling Partner API.\n- \"Amazon-Hybrid\" — Hybrid Amazon connection supporting both MWS and SP-API.\n- \"vendor_central\" — Amazon Vendor Central API.\n"},"clientCertificates":{"type":"object","description":"Client certificate configuration for mutual TLS (mTLS) authentication.\n\nUse when the API server requires a client certificate to establish the TLS connection.\nYou can provide either a PEM cert/key pair OR a PFX bundle, but not both.\n","properties":{"cert":{"type":"string","description":"Client certificate in PEM format. Must be paired with the key field.\nCannot be used together with pfx.\n"},"key":{"type":"string","description":"Private key for the client certificate in PEM format (encrypted at rest).","writeOnly":true},"ca":{"type":"string","description":"Certificate Authority (CA) certificate in PEM format.\nUse when the server's certificate is signed by a private CA not in the default trust store.\n"},"passphrase":{"type":"string","description":"Passphrase to decrypt an encrypted private key or PFX bundle (encrypted at rest).","writeOnly":true},"pfx":{"type":"string","description":"PKCS#12 (.pfx/.p12) bundle containing both the certificate and private key (encrypted at rest).\nCannot be used together with cert/key.\n","writeOnly":true}}},"ping":{"type":"object","description":"Connection health check (ping) configuration. Defines how Celigo tests\nwhether this connection is alive and authenticated.\n\nWhen configured, Celigo sends an HTTP request to the specified endpoint and\nevaluates the response to determine connection health. The ping runs when\ntesting the connection in the UI and periodically during flow execution.\n","properties":{"relativeURI":{"type":"string","description":"Relative URI appended to baseURI for the ping request.\nShould be a lightweight, fast endpoint (e.g., \"/me\", \"/health\", \"/api/v1/status\").\n"},"method":{"type":"string","enum":["GET","POST","PUT","HEAD"],"description":"HTTP method for the ping request. Defaults to GET.\nUse POST only if the health endpoint requires it.\n","default":"GET"},"body":{"type":"string","description":"Request body for the ping request. Only used when method is POST or PUT.\nFor form-data mediaType, must be valid multipart form data.\n"},"successPath":{"type":"string","description":"JSON path or XPath expression to extract a success indicator from the ping response.\nIf the value at this path matches one of the successValues, the ping succeeds.\nIf omitted, any 2xx response is considered successful.\n"},"successValues":{"type":"array","items":{"type":"string"},"description":"Values that indicate a successful ping when found at successPath.\nRequires successPath to be set.\n"},"allowArrayforSuccessPath":{"type":"boolean","description":"Whether the value at successPath can be an array (any matching element counts as success)."},"failPath":{"type":"string","description":"JSON path or XPath expression to extract a failure indicator from the ping response.\nIf the value at this path matches one of the failValues, the ping fails even if the HTTP status is 2xx.\n"},"failValues":{"type":"array","items":{"type":"string"},"description":"Values that indicate a failed ping when found at failPath.\nRequires failPath to be set.\n"},"errorPath":{"type":"string","description":"JSON path or XPath expression to extract a human-readable error message from\na failed ping response. The extracted message is shown to the user in the UI.\n"}}},"auth":{"type":"object","description":"Authentication configuration for the API connection.\n\nThe auth.type field selects the authentication strategy. Each type requires\nspecific sub-fields — see the type field description for details.\n","properties":{"type":{"type":"string","enum":["custom","basic","token","oauth","wsse","cookie","jwt","digest","specific","oauth1","jwtbearer"],"description":"Authentication method for this connection. Determines which auth sub-fields are required.\n\n- \"basic\" — HTTP Basic Auth. Requires: auth.basic.username and auth.basic.password.\n- \"token\" — API key or bearer token. Requires: auth.token with token value and location.\n  Supports automatic token refresh via refreshMethod/refreshRelativeURI.\n- \"oauth\" — OAuth 2.0. Requires: auth.oauth with grant type, URIs, and credentials.\n  Supports authorization code, client credentials, and password grant flows.\n- \"jwtbearer\" — JWT Bearer Token. Requires: auth.jwt with signatureMethod and payload.\n  HMAC methods need a secret; RSA/EC methods need a privateKey.\n- \"cookie\" — Cookie-based session auth. Requires: auth.cookie.uri (login endpoint).\n- \"digest\" — HTTP Digest Auth. Requires: auth.basic.username and auth.basic.password.\n- \"oauth1\" — OAuth 1.0a. Requires: auth.oauth.oauth1 with consumer key/secret and tokens.\n- \"custom\" — No built-in auth handling. Put credentials in headers or encrypted fields.\n- \"wsse\" — WS-Security. Requires: auth.basic.username and auth.basic.password.\n- \"specific\" — Platform-specific auth (e.g., PTX).\n- \"jwt\" — Legacy JWT auth. Prefer \"jwtbearer\" for new connections.\n"},"failStatusCode":{"type":"number","description":"HTTP status code that indicates an authentication failure (e.g., 401, 403).\nWhen this status code is received, the system triggers re-authentication\nbefore retrying the request.\n"},"failPath":{"type":"string","description":"JSON path or XPath expression to check in response bodies for authentication failure indicators.\nUsed when APIs return 200 OK but embed auth errors in the response body.\n"},"failValues":{"type":"array","items":{"type":"string"},"description":"Values at failPath that indicate an authentication failure.\nRequires failPath to be set.\n"},"skipFollowAuthorizationHeader":{"type":"boolean","description":"When true, the Authorization header is NOT forwarded on HTTP redirects.\nEnable this for APIs that redirect to a different domain after authentication.\n"},"basic":{"type":"object","description":"Basic authentication credentials. REQUIRED when auth.type is \"basic\", \"wsse\", or \"digest\".\n","properties":{"username":{"type":"string","description":"Username for Basic/Digest/WSSE authentication."},"password":{"type":"string","description":"Password for Basic/Digest/WSSE authentication (encrypted at rest).","writeOnly":true}}},"token":{"type":"object","description":"Token-based authentication configuration. REQUIRED when auth.type is \"token\".\n\nSupports static API keys/bearer tokens and automatic token refresh flows.\nThe token can be sent in a header (Authorization), query parameter, or request body.\n","properties":{"token":{"type":"string","description":"The API key or bearer token value (encrypted at rest).\nREQUIRED unless automatic token refresh is configured.\n","writeOnly":true},"location":{"type":"string","enum":["url","header","body"],"description":"Where to include the token in outbound requests.\n- \"header\" — Sent in an HTTP header (most common). Use headerName and scheme to control format.\n- \"url\" — Sent as a URL query parameter. Use paramName to set the parameter name.\n- \"body\" — Included in the request body.\n"},"headerName":{"type":"string","description":"HTTP header name for the token when location is \"header\".\nDefaults to \"Authorization\" if omitted.\n"},"scheme":{"type":"string","description":"Token scheme/prefix when sent in a header. Prepended before the token value.\nCommon values: \"Bearer\", \"Token\", \"Basic\".\nExample: scheme \"Bearer\" produces header \"Authorization: Bearer <token>\".\n"},"paramName":{"type":"string","description":"Query parameter name for the token when location is \"url\".\nExample: paramName \"api_key\" produces URL \"?api_key=<token>\".\n"},"refreshMethod":{"type":"string","enum":["GET","POST","PUT"],"description":"HTTP method for automatic token refresh requests.\nREQUIRED when no static token is provided (refresh-based auth flow).\n","default":"POST"},"refreshRelativeURI":{"type":"string","description":"Relative URI (appended to baseURI) for the token refresh endpoint.\nThe system calls this endpoint to obtain a new token when the current one expires.\n"},"refreshBody":{"type":"string","description":"Request body to send with the token refresh request."},"refreshMediaType":{"type":"string","enum":["json","urlencoded","xml","plaintext"],"description":"Content type for the token refresh request body.\n","default":"urlencoded"},"refreshResponseMediaType":{"type":"string","enum":["json","xml"],"description":"Expected content type of the token refresh response."},"refreshTokenPath":{"type":"string","description":"JSON path to extract the new token from the refresh response.\nExample: \"access_token\" or \"data.token\".\n"},"refreshToken":{"type":"string","description":"Refresh token used to obtain a new access token (encrypted at rest).","writeOnly":true},"refreshTokenLocation":{"type":"string","enum":["header","body"],"description":"Where to include the refresh token in refresh requests."},"refreshHeaders":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}},"description":"Additional headers to include in token refresh requests."},"tokenPaths":{"type":"array","items":{"type":"string"},"description":"JSON paths to extract multiple token values from the refresh response.\nUse when the refresh response contains tokens at different paths that need\nto be stored for subsequent requests.\n"}}},"oauth":{"$ref":"#/components/schemas/OAuth"},"cookie":{"type":"object","description":"Cookie-based session authentication. REQUIRED when auth.type is \"cookie\".\n\nThe system authenticates by sending a request to the login URI, captures the\nsession cookies from the response, and includes them in all subsequent API requests.\n","properties":{"uri":{"type":"string","description":"Login endpoint URI for cookie authentication. REQUIRED.\nThe system sends a request to this URI to obtain session cookies.\n"},"body":{"type":"string","description":"Request body for the login request (e.g., JSON with username/password)."},"method":{"type":"string","description":"HTTP method for the login request (typically POST)."},"successStatusCode":{"type":"number","description":"HTTP status code that confirms successful authentication.\nIf the login response returns this status code, the session cookies are captured.\n"}}},"jwt":{"$ref":"#/components/schemas/JWT"}}},"rateLimit":{"type":"object","description":"Rate limiting configuration. Defines how the system detects and handles\nAPI rate limit responses.\n\nWhen rate limiting is detected, the system pauses requests and waits for\nthe retry-after period before resuming. The retryHeader field on the parent\nHTTP object controls which response header contains the wait time.\n","properties":{"failStatusCode":{"type":"number","description":"HTTP status code that indicates the API is rate-limiting requests.\nDefaults to 429 (Too Many Requests) which is the HTTP standard.\nChange only if the API uses a non-standard status code for rate limits.\n","default":429},"failPath":{"type":"string","description":"JSON path or XPath to check in response bodies for rate limit indicators.\nUsed when APIs return 200 OK but embed rate limit errors in the response body.\n"},"failValues":{"type":"array","items":{"type":"string"},"description":"Values at failPath that indicate rate limiting. Requires failPath to be set.\n"},"limit":{"type":"number","minimum":1,"description":"Maximum number of requests per rate-limit window. When set, the connection's\neffective concurrency level must be 1 to ensure proper rate limit enforcement.\n"}}},"headers":{"type":"array","description":"Default HTTP headers included in every request made through this connection.\nUse for API keys in custom headers, content negotiation, or any headers the API requires on all requests.\n","items":{"type":"object","properties":{"name":{"type":"string","description":"Header name (e.g., \"X-API-Key\", \"Accept\")."},"value":{"type":"string","description":"Header value. Supports handlebars expressions for dynamic values."}},"required":["name","value"]}},"encrypted":{"type":"object","description":"Encrypted custom fields for storing sensitive configuration values (API secrets,\nprivate keys, etc.) that don't fit standard auth fields. Values are encrypted at rest.\nField definitions are specified in encryptedFields.\n"},"encryptedFields":{"type":"array","description":"Metadata defining the encrypted custom fields available on this connection.\nEach entry describes a field in the encrypted object — its ID, label, and UI position.\n","items":{"type":"object","properties":{"id":{"type":"string","description":"Field identifier — matches the key in the encrypted object."},"label":{"type":"string","description":"Human-readable label shown in the UI."},"required":{"type":"boolean","default":false},"position":{"type":"number","description":"Display order in the UI form."},"helpText":{"type":"string","description":"Tooltip or help text shown next to the field in the UI."}}}},"unencrypted":{"type":"object","description":"Unencrypted custom fields for non-sensitive configuration values.\nField definitions are specified in unencryptedFields.\n"},"unencryptedFields":{"type":"array","description":"Metadata defining the unencrypted custom fields available on this connection.\nEach entry describes a field in the unencrypted object.\n","items":{"type":"object","properties":{"id":{"type":"string","description":"Field identifier — matches the key in the unencrypted object."},"label":{"type":"string","description":"Human-readable label shown in the UI."},"required":{"type":"boolean","default":false},"position":{"type":"number","description":"Display order in the UI form."},"helpText":{"type":"string","description":"Tooltip or help text shown next to the field in the UI."},"type":{"type":"string","description":"Field type hint for the UI (e.g., \"text\", \"select\")."}}}},"_iClientId":{"type":"string","format":"objectId","description":"ID of the iClient used for OAuth authentication."},"_httpConnectorId":{"type":"string","format":"objectId","description":"ID of the HTTP connector template this connection is based on."},"_httpConnectorApiId":{"type":"string","format":"objectId","description":"ID of the HTTP connector API definition."},"_httpConnectorVersionId":{"type":"string","format":"objectId","description":"ID of the HTTP connector version."}}},"JWT":{"type":"object","description":"JWT (JSON Web Token) authentication configuration.\n\nUsed when auth.type is \"jwtbearer\" on HTTP connections. The system generates\na signed JWT and uses it as a bearer token for API authentication.\n\n**Signing methods**\n- HMAC (HS256/HS384/HS512): Symmetric signing using a shared secret.\n  Requires the secret field.\n- RSA (RS256/RS384/RS512): Asymmetric signing using an RSA private key.\n  Requires the privateKey field.\n- ECDSA (ES256/ES384/ES512): Asymmetric signing using an elliptic curve private key.\n  Requires the privateKey field.\n\n**Required fields**\n- algorithm (signing algorithm)\n- secret (for HMAC algorithms) OR privateKey (for RSA/ECDSA algorithms)\n- At least one claim (issuer, subject, audience, or customClaims)\n","properties":{"algorithm":{"type":"string","enum":["HS256","HS384","HS512","RS256","RS384","RS512","ES256","ES384","ES512"],"description":"JWT signing algorithm. REQUIRED.\n\nHMAC algorithms (symmetric — use the secret field):\n- \"HS256\" — HMAC with SHA-256 (default, most common).\n- \"HS384\" — HMAC with SHA-384.\n- \"HS512\" — HMAC with SHA-512.\n\nRSA algorithms (asymmetric — use the privateKey field):\n- \"RS256\" — RSA with SHA-256 (most common for RSA).\n- \"RS384\" — RSA with SHA-384.\n- \"RS512\" — RSA with SHA-512.\n\nECDSA algorithms (asymmetric — use the privateKey field):\n- \"ES256\" — ECDSA with P-256 curve and SHA-256.\n- \"ES384\" — ECDSA with P-384 curve and SHA-384.\n- \"ES512\" — ECDSA with P-521 curve and SHA-512.\n","default":"HS256"},"secret":{"type":"string","description":"Shared secret key for HMAC signing algorithms (HS256/HS384/HS512).\nEncrypted at rest. REQUIRED when using an HMAC algorithm.\nNot used with RSA or ECDSA algorithms.\n","writeOnly":true},"privateKey":{"type":"string","description":"Private key in PEM format for RSA or ECDSA signing (encrypted at rest).\nREQUIRED when using an RSA (RS*) or ECDSA (ES*) algorithm.\nNot used with HMAC algorithms.\n","writeOnly":true},"publicKey":{"type":"string","description":"Public key for JWT verification. Optional — used when the API requires\nthe public key to be registered for signature verification.\n"},"issuer":{"type":"string","description":"JWT \"iss\" (issuer) claim. Identifies the principal that issued the JWT.\nTypically a client ID, service account email, or application identifier.\n"},"subject":{"type":"string","description":"JWT \"sub\" (subject) claim. Identifies the subject of the JWT.\nOften the user or service account the token represents.\n"},"audience":{"type":"string","description":"JWT \"aud\" (audience) claim. Identifies the intended recipient of the JWT.\nTypically the API endpoint URL or resource server identifier.\n"},"expiresIn":{"type":"number","description":"JWT expiration time in seconds from the current time.\nThe \"exp\" claim is set to (now + expiresIn). After this time, the JWT is invalid\nand the system generates a new one.\n","default":3600},"notBefore":{"type":"number","description":"JWT \"nbf\" (not before) claim in seconds from the current time.\nThe JWT is not valid before this time.\n"},"issuedAt":{"type":"boolean","description":"When true, includes the \"iat\" (issued at) claim with the current timestamp.\n","default":true},"jwtId":{"type":"boolean","description":"When true, includes a unique \"jti\" (JWT ID) claim for each generated token.\nUseful for preventing token replay attacks.\n","default":false},"customClaims":{"type":"object","description":"Additional custom claims to include in the JWT payload.\nUse for API-specific claims not covered by the standard fields\n(e.g., roles, permissions, custom scopes).\n"},"token":{"type":"string","description":"Pre-generated JWT token value (encrypted at rest).\nWhen set, this static token is used instead of generating one dynamically.\nUse only when the API provides a long-lived JWT that does not need to be regenerated.\n","writeOnly":true}}},"RDBMS":{"type":"object","description":"Configuration for relational database connections. Used when the connection type is \"rdbms\".\n\nCeligo has native support for these database systems:\n- MySQL, MariaDB\n- PostgreSQL\n- Microsoft SQL Server (mssql), Azure Synapse (azuresynapse)\n- Oracle\n- Snowflake\n- Google BigQuery\n- Amazon Redshift\n\n**Required fields**\n- type (always required — selects the database system)\n- host, database, user, password (for most database types)\n- Snowflake: additionally requires snowflake.warehouse and snowflake.authType (\"basic\" or \"keyPair\")\n- BigQuery: requires bigquery.projectId, bigquery.dataset, bigquery.clientEmail, bigquery.privateKey\n- Redshift: requires host, database, user, password; optionally redshift.aws credentials for IAM auth\n- Oracle: uses serviceName instead of database\n\n**Database-specific notes**\n- For Oracle, set serviceName (not database) and optionally serverType and instanceName.\n- For Snowflake, snowflake.authType is REQUIRED: use \"basic\" for password auth, \"keyPair\" for RSA key-pair auth.\n- For MS SQL Server with Azure AD service principal auth, set mssql.authType to \"azure-service-principal\".\n- For BigQuery, use service account credentials (clientEmail + privateKey).\n","required":["type"],"properties":{"type":{"type":"string","enum":["mysql","postgresql","mssql","snowflake","oracle","bigquery","redshift","mariadb","azuresynapse"],"description":"The specific relational database system to connect to. REQUIRED.\n\nThis determines the SQL dialect, connection driver, default port, and\nwhich additional sub-fields are required.\n\n- \"mysql\" — MySQL (default port 3306)\n- \"mariadb\" — MariaDB (default port 3306)\n- \"postgresql\" — PostgreSQL (default port 5432)\n- \"mssql\" — Microsoft SQL Server (default port 1433)\n- \"azuresynapse\" — Azure Synapse Analytics (default port 1433)\n- \"oracle\" — Oracle Database (default port 1521). Uses serviceName instead of database.\n- \"snowflake\" — Snowflake Data Cloud. Requires snowflake.warehouse.\n- \"bigquery\" — Google BigQuery. Requires service account credentials in the bigquery sub-object.\n- \"redshift\" — Amazon Redshift. Optionally uses AWS IAM credentials.\n"},"host":{"type":"string","description":"Database server hostname or IP address.\nREQUIRED for all types except BigQuery (which uses Google's API endpoints).\n\nFor Snowflake, use the account URL format: \"account_identifier.snowflakecomputing.com\".\nFor Redshift, use the cluster endpoint: \"cluster-name.region.redshift.amazonaws.com\".\n"},"port":{"type":"number","description":"Database server port number. If omitted, uses the default port for the database type:\n- MySQL/MariaDB: 3306\n- PostgreSQL: 5432\n- MS SQL/Azure Synapse: 1433\n- Oracle: 1521\n- Snowflake: 443\n- Redshift: 5439\n","minimum":1,"maximum":65535},"database":{"type":"string","description":"Database name to connect to. REQUIRED for most types.\n\nFor Oracle, use the serviceName field instead of database.\nFor BigQuery, use bigquery.dataset to specify the target dataset.\n"},"instanceName":{"type":"string","description":"Named instance identifier. Used by MS SQL Server and Oracle when the server\nhosts multiple database instances. Not required for default instances.\n"},"user":{"type":"string","description":"Database username for authentication.\nREQUIRED for all types except BigQuery (which uses service account auth).\n"},"password":{"type":"string","description":"Database password (encrypted at rest). REQUIRED alongside user for password-based auth.","writeOnly":true},"version":{"type":"string","description":"Database server version string. Used by some drivers for compatibility adjustments."},"serviceName":{"type":"string","description":"Oracle service name. Used instead of the database field for Oracle connections.\nThis is the TNS service name or pluggable database (PDB) service name.\n"},"serverType":{"type":"string","enum":["dedicated","shared","pooled"],"description":"Oracle server connection type. Controls the server process model.\n\n- \"dedicated\" — Each connection gets its own server process. Best for heavy workloads.\n- \"shared\" — Connections share a pool of server processes. More resource-efficient.\n- \"pooled\" — Database Resident Connection Pooling (DRCP). Best for many short-lived connections.\n"},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent database connections.\nSet based on the database server's connection limit and available resources.\n","minimum":1,"maximum":100,"default":5},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system adjusts the number of\nconcurrent connections between 1 and this value based on performance feedback.\n","minimum":1,"maximum":100},"disableStrictSSL":{"type":"boolean","description":"When true, disables strict SSL/TLS certificate validation for the database connection.\nOnly use for development/testing with self-signed certificates.\n","default":false},"snowflake":{"type":"object","description":"Snowflake-specific configuration. REQUIRED when type is \"snowflake\".\n","required":["warehouse","authType"],"properties":{"warehouse":{"type":"string","description":"Snowflake virtual warehouse name. REQUIRED for Snowflake connections.\nThe warehouse provides compute resources for queries. Must be a warehouse\nthe user role has access to.\n"},"schema":{"type":"string","description":"Default Snowflake schema. If omitted, queries must fully-qualify table names\n(e.g., DATABASE.SCHEMA.TABLE).\n"},"role":{"type":"string","description":"Snowflake security role to use for the session. Determines which databases,\nschemas, and warehouses are accessible. Defaults to the user's default role.\n"},"authType":{"type":"string","enum":["basic","keyPair"],"description":"Authentication type for Snowflake. REQUIRED.\n\n- \"basic\" — Username/password authentication. Use for standard username/password connections.\n- \"keyPair\" — Key-pair authentication using RSA private key.\n  When using keyPair, provide the RSA private key in the connection's key field.\n\nWhen creating placeholder/dummy connections, use \"basic\".\n"}}},"mssql":{"type":"object","description":"Microsoft SQL Server / Azure Synapse-specific configuration.\n","properties":{"authType":{"type":"string","enum":["basic","azure-service-principal"],"description":"Authentication type for MS SQL Server.\n\n- \"basic\" — Standard SQL Server authentication with username/password (default).\n- \"azure-service-principal\" — Azure Active Directory service principal authentication.\n  Requires an iClient configuration with the service principal credentials.\n","default":"basic"}}},"bigquery":{"type":"object","description":"Google BigQuery-specific configuration. REQUIRED when type is \"bigquery\".\nUses Google Cloud service account credentials for authentication.\n","properties":{"projectId":{"type":"string","description":"Google Cloud project ID that contains the BigQuery datasets. REQUIRED.\nFound in the Google Cloud Console project settings.\n"},"dataset":{"type":"string","description":"Default BigQuery dataset name. REQUIRED.\nQueries will target tables within this dataset unless fully-qualified names are used.\n"},"clientEmail":{"type":"string","description":"Google Cloud service account email address. REQUIRED.\nFormat: \"service-account-name@project-id.iam.gserviceaccount.com\".\nThe service account must have BigQuery Data Editor and BigQuery Job User roles.\n"},"privateKey":{"type":"string","description":"Google Cloud service account private key in PEM format (encrypted at rest). REQUIRED.\nDownloaded as part of the service account JSON key file.\n","writeOnly":true}}},"redshift":{"type":"object","description":"Amazon Redshift-specific configuration. AWS credentials are optional —\nonly needed for IAM-based authentication instead of standard username/password.\n","properties":{"aws":{"type":"object","description":"AWS credentials for IAM-based Redshift authentication.","properties":{"accessKeyId":{"type":"string","description":"AWS access key ID for IAM authentication."},"secretAccessKey":{"type":"string","description":"AWS secret access key (encrypted at rest).","writeOnly":true}}},"clusterIdentifier":{"type":"string","description":"Redshift cluster identifier. Required for IAM-based authentication."},"region":{"type":"string","description":"AWS region where the Redshift cluster is deployed. Required for IAM-based authentication.\n","enum":["us-east-1","us-east-2","us-west-1","us-west-2","eu-west-1","eu-west-2","eu-west-3","eu-central-1","ap-southeast-1","ap-southeast-2","ap-northeast-1","ap-northeast-2","ap-south-1","sa-east-1","ca-central-1"]}}},"ssl":{"$ref":"#/components/schemas/SSL"},"options":{"type":"array","description":"Additional database driver connection options as name/value pairs.\nUse for driver-specific settings not covered by the standard fields\n(e.g., connection timeout, charset, application name).\n","items":{"type":"object","properties":{"name":{"type":"string","description":"Option name (driver-specific)."},"value":{"type":"string","description":"Option value."}},"required":["name","value"]}}}},"MongoDB":{"type":"object","description":"Configuration for MongoDB connections. Used when the connection type is \"mongodb\".\n\nSupports standalone MongoDB instances, replica sets, and MongoDB Atlas clusters.\n\n**Required fields**\n- host (array of one or more server addresses)\n- database (target database name)\n\n**Authentication**\nUsername and password are optional — only required when the MongoDB server has\nauthentication enabled (which is recommended for production).\nUse authSource to specify the authentication database if it differs from the target database.\n\n**Replica sets**\nFor replica sets, provide all member hostnames in the host array and set\nthe replicaSet field to the replica set name.\n","required":["host","database"],"properties":{"host":{"type":"array","items":{"type":"string"},"description":"MongoDB server addresses. REQUIRED. An array of one or more host:port strings.\n\n- Standalone: [\"mongodb.example.com:27017\"]\n- Replica set: [\"rs1.example.com:27017\", \"rs2.example.com:27017\", \"rs3.example.com:27017\"]\n- MongoDB Atlas: [\"cluster0-shard-00-00.abc.mongodb.net:27017\", ...]\n\nInclude the port number with each host. Default MongoDB port is 27017.\n"},"database":{"type":"string","description":"Target MongoDB database name. REQUIRED.\nAll operations (reads/writes) target collections within this database.\n"},"username":{"type":"string","description":"MongoDB username for authentication.\nRequired when the MongoDB server has authentication enabled.\n"},"password":{"type":"string","description":"MongoDB password (encrypted at rest). Required alongside username.","writeOnly":true},"replicaSet":{"type":"string","description":"MongoDB replica set name. Required when connecting to a replica set.\nThe driver uses this to discover all replica set members and handle failover.\nFor MongoDB Atlas, this is typically \"atlas-xxxxxx-shard-0\".\n"},"ssl":{"type":"boolean","description":"When true, connects to MongoDB over TLS/SSL.\nRequired for MongoDB Atlas and recommended for all production deployments.\n","default":false},"authSource":{"type":"string","description":"MongoDB authentication database — the database where the user credentials are stored.\nDefaults to the value of the database field. Set to \"admin\" if the user was created\nin the admin database (common for shared MongoDB deployments and Atlas).\n"},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent MongoDB operations.\n","minimum":1,"maximum":100,"default":5},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system adjusts concurrency\nbetween 1 and this value based on performance feedback.\n","minimum":1,"maximum":100}}},"AS2":{"type":"object","description":"AS2 (Applicability Statement 2) connection configuration for EDI","required":["as2Id","partnerId"],"properties":{"as2Id":{"type":"string","description":"AS2 identifier for this station. Trading partners use this as the \"To\"\nidentifier when sending documents, and integrator.io uses it as the \"From\"\nidentifier when sending documents to partners.\n\nIMPORTANT: This value must be unique across ALL integrator.io users to\nensure inbound documents are routed correctly. It CANNOT be updated after\ncreation. Use a different identifier for each environment (e.g., production vs. non-production).\n\nIf not provided, a unique value will be auto-generated.\n"},"partnerId":{"type":"string","description":"AS2 partner identifier"},"_tpConnectorId":{"type":"string","format":"objectId","description":"Reference to a trading partner connector"},"contentBasedFlowRouter":{"type":"object","description":"Content-based routing configuration","properties":{"function":{"type":"string","description":"Name of the routing function"},"_scriptId":{"type":"string","format":"objectId","description":"Reference to script containing the routing function"}}},"partnerStationInfo":{"type":"object","description":"Partner (remote) station configuration — used on the IMPORT side.\nControls how messages are sent TO the trading partner.\n","required":["as2URI","signing","encryptionType"],"properties":{"as2URI":{"type":"string","format":"uri","description":"Partner's AS2 endpoint URI"},"mdn":{"type":"object","description":"MDN (Message Disposition Notification) settings","required":["mdnSigning"],"properties":{"mdnURL":{"type":"string","description":"URL for asynchronous MDN"},"signatureProtocol":{"type":"string","enum":["pkcs7-signature"],"description":"MDN signature protocol"},"mdnSigning":{"type":"string","enum":["NONE","SHA1","MD5","SHA256"],"description":"MDN signing algorithm"},"verifyMDNSignature":{"type":"boolean","description":"Whether to verify the MDN signature from the partner"}}},"auth":{"type":"object","description":"Authentication for the partner AS2 endpoint","properties":{"type":{"type":"string","enum":["basic","token"],"description":"Authentication type"},"failStatusCode":{"type":"number","description":"HTTP status code indicating auth failure"},"failPath":{"type":"string","description":"JSON path to check for auth failure"},"failValues":{"type":"array","items":{"type":"string"},"description":"Values at failPath that indicate auth failure"},"basic":{"type":"object","description":"Basic auth credentials","properties":{"username":{"type":"string","description":"Username for basic auth"},"password":{"type":"string","writeOnly":true,"description":"Password for basic auth (encrypted)"}}},"token":{"type":"object","description":"Token-based auth configuration","properties":{"refreshHeaders":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}},"description":"Headers for token refresh requests"},"refreshToken":{"type":"string","writeOnly":true,"description":"Refresh token (encrypted)"}}}}},"rateLimit":{"type":"object","description":"Rate limiting configuration","properties":{"failStatusCode":{"type":"number"},"failPath":{"type":"string"},"failValues":{"type":"array","items":{"type":"string"}},"limit":{"type":"number","minimum":1,"description":"Maximum requests per time window"}}},"SMIMEVersion":{"type":"string","enum":["v2","v3"],"description":"S/MIME version (not typically exposed on UI)"},"signing":{"type":"string","enum":["NONE","SHA1","MD5","SHA256"],"description":"Message signing algorithm for outbound messages to partner"},"encryptionType":{"type":"string","enum":["NONE","DES","RC2","3DES","AES128","AES256"],"description":"Message encryption type for outbound messages to partner"},"encoding":{"type":"string","enum":["base64","binary"],"description":"Content transfer encoding (default base64)"},"signatureEncoding":{"type":"string","enum":["base64","binary"],"description":"Signature encoding format"}}},"userStationInfo":{"type":"object","description":"User (local) station configuration — used on the EXPORT side.\nControls how inbound messages from the partner are processed.\n","required":["signing","encryptionType"],"properties":{"mdn":{"type":"object","description":"MDN settings for inbound messages","required":["mdnSigning"],"properties":{"mdnURL":{"type":"string","description":"URL for asynchronous MDN"},"signatureProtocol":{"type":"string","enum":["pkcs7-signature"],"description":"MDN signature protocol"},"mdnSigning":{"type":"string","enum":["NONE","SHA1","MD5","SHA256"],"description":"MDN signing algorithm"},"mdnEncoding":{"type":"string","enum":["base64","binary"],"description":"MDN encoding format"}}},"signing":{"type":"string","enum":["NONE","SHA1","MD5","SHA256"],"description":"Message signing algorithm for inbound message verification"},"encryptionType":{"type":"string","enum":["NONE","DES","RC2","3DES","AES128","AES256"],"description":"Message encryption type for inbound message decryption"},"encoding":{"type":"string","enum":["base64","binary"],"description":"Content transfer encoding (default binary)"},"compressed":{"type":"boolean","description":"Whether to compress messages","default":false}}},"encrypted":{"type":"object","description":"Encrypted certificate and key data (stored encrypted at rest).\nRequired when signing or encryption is enabled (not NONE).\nAuto-generated self-signed certificates will be injected if not provided.\n","properties":{"userPrivateKey":{"type":"string","writeOnly":true,"description":"PEM-encoded X.509 private key for this station.\nRequired when partnerStationInfo.signing != NONE or userStationInfo.encryptionType != NONE.\n"}}},"unencrypted":{"type":"object","description":"Unencrypted certificate data for identity and partner verification.\nRequired when signing or encryption is enabled (not NONE).\nAuto-generated self-signed certificates will be injected if not provided.\n","properties":{"userPublicKey":{"type":"string","description":"PEM-encoded X.509 public certificate for this station.\nRequired when partnerStationInfo.signing != NONE or userStationInfo.encryptionType != NONE.\n"},"partnerCertificate":{"type":"string","description":"PEM-encoded X.509 certificate for the trading partner.\nRequired when partnerStationInfo.encryptionType != NONE or userStationInfo.signing != NONE,\nor when partnerStationInfo.mdn.verifyMDNSignature is true.\n"}}},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent operations","minimum":1,"maximum":10,"default":1},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling","minimum":1,"maximum":10},"preventCanonicalization":{"type":"boolean","description":"Prevent canonicalization of message content","default":false}}},"Filesystem":{"type":"object","description":"Configuration for filesystem connections. Used when the connection type is \"filesystem\".\n\nFilesystem connections provide access to the local filesystem on a Celigo on-premise Agent.\nThis enables file-based integrations with directories on the agent's host machine or\nmounted network drives.\n\n**Agent requirement**\nA Celigo Agent is REQUIRED for filesystem connections (set _agentId on the parent\nconnection object). The agent provides the filesystem access — cloud-only\ndeployments cannot use this connection type.\n\n**Ping**\nSet ping.directoryPath to a directory the agent can access to verify the connection.\n","properties":{"ping":{"type":"object","description":"Health check configuration for validating filesystem access.","properties":{"directoryPath":{"type":"string","description":"Absolute directory path on the agent's host used for connection health checks.\nThe system verifies the directory exists and is accessible.\nExample: \"/data/integrations/incoming\" or \"C:\\\\Data\\\\Integrations\".\n"}}},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent filesystem operations.\n","minimum":1,"maximum":100},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling.\n","minimum":1,"maximum":100}}},"DynamoDB":{"type":"object","description":"Configuration for Amazon DynamoDB connections. Used when the connection type is \"dynamodb\".\n\nProvides access to DynamoDB tables for NoSQL data integrations.\nUses AWS IAM credentials for authentication.\n\n**Required fields**\n- aws.accessKeyId\n- aws.secretAccessKey\n\nThe IAM credentials must have appropriate DynamoDB permissions\n(dynamodb:GetItem, dynamodb:PutItem, dynamodb:Query, dynamodb:Scan, etc.).\n","required":["aws"],"properties":{"aws":{"type":"object","description":"AWS IAM credentials for DynamoDB authentication. REQUIRED.","properties":{"accessKeyId":{"type":"string","description":"AWS access key ID for IAM authentication.\nFrom an IAM user or role with DynamoDB access permissions.\n"},"secretAccessKey":{"type":"string","description":"AWS secret access key (encrypted at rest).","writeOnly":true}}},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent DynamoDB operations.\nDynamoDB throughput is governed by table-level read/write capacity units.\n","minimum":1,"maximum":100,"default":5},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system adjusts concurrency\nbetween 1 and this value based on throughput feedback.\n","minimum":1,"maximum":100}}},"JDBC":{"type":"object","description":"Configuration for JDBC (Java Database Connectivity) connections.\nUsed when the connection type is \"jdbc\".\n\nJDBC connections provide access to databases through Java-based JDBC drivers,\nincluding databases not natively supported by Celigo's RDBMS connector.\n\n**When to use jdbc vs rdbms**\n- Use RDBMS for: MySQL, PostgreSQL, MS SQL, Snowflake, Oracle, BigQuery, Redshift, MariaDB.\n- Use JDBC for: NetSuite (SuiteAnalytics), Databricks, DB2, Workday, and other databases\n  accessible via a JDBC driver deployed on a Celigo Agent.\n\n**Required fields**\n- type (always required — selects the JDBC driver)\n- host, database, user, password (for most types)\n- For Oracle: use serviceName instead of database\n- For wallet auth: set authType to \"wallet\" and provide the wallet file\n\n**Agent requirement**\nMost JDBC connections require a Celigo on-premise Agent (set _agentId on the connection)\nbecause the JDBC driver runs on the agent, not in the cloud.\n","required":["type"],"properties":{"type":{"type":"string","enum":["agent","netsuitejdbc","databricks","oracle:thin","sqlserver","activedirectory","db2","workday"],"description":"JDBC driver/connection type. REQUIRED.\n\n- \"agent\" — Generic JDBC driver deployed on a Celigo Agent. Requires driverPath.\n- \"netsuitejdbc\" — NetSuite SuiteAnalytics JDBC driver for reporting and analytics queries.\n- \"databricks\" — Databricks SQL/Spark via JDBC.\n- \"oracle:thin\" — Oracle Database via the Oracle Thin JDBC driver.\n- \"sqlserver\" — Microsoft SQL Server via the JTDS or Microsoft JDBC driver.\n- \"activedirectory\" — SQL Server with Active Directory authentication.\n- \"db2\" — IBM DB2 database.\n- \"workday\" — Workday via JDBC (for report/data access).\n"},"version":{"type":"string","description":"JDBC driver version. Used for driver compatibility when multiple versions are available."},"host":{"type":"string","description":"Database server hostname or IP address.\nFor NetSuite JDBC, use the SuiteAnalytics Connect hostname\n(e.g., \"account-id.connect.api.netsuite.com\").\n"},"port":{"type":"number","description":"Database server port number. Default varies by driver type."},"database":{"type":"string","description":"Database or catalog name. For Oracle, use the serviceName field instead.\n"},"user":{"type":"string","description":"Database username for authentication."},"password":{"type":"string","description":"Database password (encrypted at rest).","writeOnly":true},"serviceName":{"type":"string","description":"Oracle service name. Used instead of the database field for Oracle JDBC connections.\nThis is the TNS service name or pluggable database (PDB) service name.\n"},"authType":{"type":"string","enum":["customjdbc","wallet"],"description":"Authentication method for the JDBC connection.\n\n- \"customjdbc\" — Standard username/password authentication (default).\n- \"wallet\" — Oracle Wallet authentication. Provide the wallet file in the wallet field.\n  The wallet contains encrypted credentials so username/password are not needed separately.\n"},"wallet":{"type":"string","description":"Oracle Wallet file contents (encrypted at rest).\nREQUIRED when authType is \"wallet\". Contains the auto-login wallet (cwallet.sso)\nwith encrypted credentials for passwordless Oracle authentication.\n","writeOnly":true},"driverPath":{"type":"string","description":"File path to the JDBC driver JAR on the Celigo Agent.\nREQUIRED when type is \"agent\" (generic JDBC).\nThe driver must be deployed on the agent before creating the connection.\n"},"properties":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}},"description":"Additional JDBC connection properties as name/value pairs.\nThese are passed directly to the JDBC driver as connection properties.\nUse for driver-specific settings like SSL mode, connection timeout,\napplication name, etc.\n"},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent database connections.\nJDBC connections often run through a single Agent, so keep this value\nconservative to avoid overwhelming the Agent or database.\n","minimum":1,"maximum":100,"default":5},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system adjusts the number of\nconcurrent connections between 1 and this value based on performance feedback.\n","minimum":1,"maximum":100}}},"VAN":{"type":"object","description":"Configuration for VAN (Value Added Network) connections.\nUsed when the connection type is \"van\".\n\nVAN connections provide EDI document exchange through a Value Added Network provider.\nDocuments are sent to and received from a VAN mailbox identified by the mailboxId.\n\nThe as2Id field links this VAN connection to an AS2 identity for document routing,\nand contentBasedFlowRouter enables routing inbound documents to different flows\nbased on document content.\n","properties":{"mailboxId":{"type":"number","description":"VAN mailbox identifier. Identifies the specific mailbox on the VAN provider\nthat this connection sends to and receives from.\n"},"as2Id":{"type":"string","description":"AS2 identifier for this VAN station. Used as the \"From\" identifier when sending\ndocuments and the \"To\" identifier when receiving. Must be unique across all\nintegrator.io users. Cannot be changed after creation.\n"},"contentBasedFlowRouter":{"type":"object","description":"Content-based routing configuration for inbound VAN documents.\nRoutes incoming documents to different flows based on document content\nusing a custom JavaScript function.\n","properties":{"function":{"type":"string","description":"Name of the JavaScript routing function in the referenced script."},"_scriptId":{"type":"string","format":"objectId","description":"Reference to the script resource containing the routing function."}}}}},"MCP":{"type":"object","description":"Configuration for MCP (Model Context Protocol) connections.\nUsed when the connection type is \"mcp\".\n\nMCP connections enable Celigo to call tools exposed by an external MCP server\nover HTTP. The MCP server provides a set of callable tools that can be invoked\nduring flow execution.\n\n**Required fields**\n- serverURL (the MCP server's HTTP endpoint)\n- http.auth.type (must be one of: \"token\", \"oauth\", or \"custom\")\n\n**Authentication**\nMCP connections authenticate via the http sub-object, which reuses the same\nauth configuration as HTTP connections but with a restricted set of auth types.\nOnly \"token\", \"oauth\", and \"custom\" are valid for MCP connections.\n","properties":{"protocol":{"type":"string","enum":["http"],"description":"Transport protocol for communicating with the MCP server.\nCurrently only \"http\" is supported.\n"},"serverURL":{"type":"string","description":"MCP server endpoint URL. REQUIRED.\nMust be a valid absolute URL (e.g., \"https://mcp-server.example.com/mcp\").\nThe system validates this as a proper URL.\n","format":"uri"},"timeout":{"type":"number","description":"Request timeout in milliseconds for MCP tool invocations.\nIf the MCP server does not respond within this time, the request fails.\n"},"allowedTools":{"type":"array","description":"Optional allowlist of MCP tool names that this connection may invoke.\nWhen set, only tools in this list can be called. When omitted or empty,\nall tools exposed by the MCP server are available.\n","items":{"type":"string"}},"http":{"type":"object","description":"HTTP transport configuration for the MCP connection, including authentication and headers.\n\nThe auth.type MUST be one of: \"token\", \"oauth\", or \"custom\".\nOther auth types (basic, cookie, jwt, etc.) are not supported for MCP connections.\n","properties":{"_iClientId":{"type":"string","format":"objectId","description":"Reference to an OAuth iClient for OAuth-based MCP authentication.\nRequired when http.auth.type is \"oauth\".\n"},"auth":{"$ref":"#/components/schemas/auth"},"headers":{"type":"array","description":"Default HTTP headers included in every request to the MCP server.\n","items":{"type":"object","properties":{"name":{"type":"string","description":"Header name."},"value":{"type":"string","description":"Header value."}},"required":["name","value"]}},"unencrypted":{"type":"object","description":"Unencrypted custom fields for non-sensitive MCP configuration."},"encrypted":{"type":"object","description":"Encrypted custom fields for sensitive MCP configuration (encrypted at rest)."}}}}},"auth":{"type":"object","description":"Authentication configuration for the API connection.\n\nThe auth.type field selects the authentication strategy. Each type requires\nspecific sub-fields — see the type field description for details.\n","properties":{"type":{"type":"string","enum":["custom","basic","token","oauth","wsse","cookie","jwt","digest","specific","oauth1","jwtbearer"],"description":"Authentication method for this connection. Determines which auth sub-fields are required.\n\n- \"basic\" — HTTP Basic Auth. Requires: auth.basic.username and auth.basic.password.\n- \"token\" — API key or bearer token. Requires: auth.token with token value and location.\n  Supports automatic token refresh via refreshMethod/refreshRelativeURI.\n- \"oauth\" — OAuth 2.0. Requires: auth.oauth with grant type, URIs, and credentials.\n  Supports authorization code, client credentials, and password grant flows.\n- \"jwtbearer\" — JWT Bearer Token. Requires: auth.jwt with signatureMethod and payload.\n  HMAC methods need a secret; RSA/EC methods need a privateKey.\n- \"cookie\" — Cookie-based session auth. Requires: auth.cookie.uri (login endpoint).\n- \"digest\" — HTTP Digest Auth. Requires: auth.basic.username and auth.basic.password.\n- \"oauth1\" — OAuth 1.0a. Requires: auth.oauth.oauth1 with consumer key/secret and tokens.\n- \"custom\" — No built-in auth handling. Put credentials in headers or encrypted fields.\n- \"wsse\" — WS-Security. Requires: auth.basic.username and auth.basic.password.\n- \"specific\" — Platform-specific auth (e.g., PTX).\n- \"jwt\" — Legacy JWT auth. Prefer \"jwtbearer\" for new connections.\n"},"failStatusCode":{"type":"number","description":"HTTP status code that indicates an authentication failure (e.g., 401, 403).\nWhen this status code is received, the system triggers re-authentication\nbefore retrying the request.\n"},"failPath":{"type":"string","description":"JSON path or XPath expression to check in response bodies for authentication failure indicators.\nUsed when APIs return 200 OK but embed auth errors in the response body.\n"},"failValues":{"type":"array","items":{"type":"string"},"description":"Values at failPath that indicate an authentication failure.\nRequires failPath to be set.\n"},"skipFollowAuthorizationHeader":{"type":"boolean","description":"When true, the Authorization header is NOT forwarded on HTTP redirects.\nEnable this for APIs that redirect to a different domain after authentication.\n"},"basic":{"type":"object","description":"Basic authentication credentials. REQUIRED when auth.type is \"basic\", \"wsse\", or \"digest\".\n","properties":{"username":{"type":"string","description":"Username for Basic/Digest/WSSE authentication."},"password":{"type":"string","description":"Password for Basic/Digest/WSSE authentication (encrypted at rest).","writeOnly":true}}},"token":{"type":"object","description":"Token-based authentication configuration. REQUIRED when auth.type is \"token\".\n\nSupports static API keys/bearer tokens and automatic token refresh flows.\nThe token can be sent in a header (Authorization), query parameter, or request body.\n","properties":{"token":{"type":"string","description":"The API key or bearer token value (encrypted at rest).\nREQUIRED unless automatic token refresh is configured.\n","writeOnly":true},"location":{"type":"string","enum":["url","header","body"],"description":"Where to include the token in outbound requests.\n- \"header\" — Sent in an HTTP header (most common). Use headerName and scheme to control format.\n- \"url\" — Sent as a URL query parameter. Use paramName to set the parameter name.\n- \"body\" — Included in the request body.\n"},"headerName":{"type":"string","description":"HTTP header name for the token when location is \"header\".\nDefaults to \"Authorization\" if omitted.\n"},"scheme":{"type":"string","description":"Token scheme/prefix when sent in a header. Prepended before the token value.\nCommon values: \"Bearer\", \"Token\", \"Basic\".\nExample: scheme \"Bearer\" produces header \"Authorization: Bearer <token>\".\n"},"paramName":{"type":"string","description":"Query parameter name for the token when location is \"url\".\nExample: paramName \"api_key\" produces URL \"?api_key=<token>\".\n"},"refreshMethod":{"type":"string","enum":["GET","POST","PUT"],"description":"HTTP method for automatic token refresh requests.\nREQUIRED when no static token is provided (refresh-based auth flow).\n","default":"POST"},"refreshRelativeURI":{"type":"string","description":"Relative URI (appended to baseURI) for the token refresh endpoint.\nThe system calls this endpoint to obtain a new token when the current one expires.\n"},"refreshBody":{"type":"string","description":"Request body to send with the token refresh request."},"refreshMediaType":{"type":"string","enum":["json","urlencoded","xml","plaintext"],"description":"Content type for the token refresh request body.\n","default":"urlencoded"},"refreshResponseMediaType":{"type":"string","enum":["json","xml"],"description":"Expected content type of the token refresh response."},"refreshTokenPath":{"type":"string","description":"JSON path to extract the new token from the refresh response.\nExample: \"access_token\" or \"data.token\".\n"},"refreshToken":{"type":"string","description":"Refresh token used to obtain a new access token (encrypted at rest).","writeOnly":true},"refreshTokenLocation":{"type":"string","enum":["header","body"],"description":"Where to include the refresh token in refresh requests."},"refreshHeaders":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}},"description":"Additional headers to include in token refresh requests."},"tokenPaths":{"type":"array","items":{"type":"string"},"description":"JSON paths to extract multiple token values from the refresh response.\nUse when the refresh response contains tokens at different paths that need\nto be stored for subsequent requests.\n"}}},"oauth":{"$ref":"#/components/schemas/OAuth"},"cookie":{"type":"object","description":"Cookie-based session authentication. REQUIRED when auth.type is \"cookie\".\n\nThe system authenticates by sending a request to the login URI, captures the\nsession cookies from the response, and includes them in all subsequent API requests.\n","properties":{"uri":{"type":"string","description":"Login endpoint URI for cookie authentication. REQUIRED.\nThe system sends a request to this URI to obtain session cookies.\n"},"body":{"type":"string","description":"Request body for the login request (e.g., JSON with username/password)."},"method":{"type":"string","description":"HTTP method for the login request (typically POST)."},"successStatusCode":{"type":"number","description":"HTTP status code that confirms successful authentication.\nIf the login response returns this status code, the session cookies are captured.\n"}}},"jwt":{"$ref":"#/components/schemas/JWT"}}},"Wrapper":{"type":"object","description":"Configuration for Wrapper connections. Used when the connection type is \"wrapper\".\n\nWrapper connections are custom-built connectors deployed on a Celigo Stack.\nThey allow developers to implement custom authentication, data transformation,\nand API interaction logic using server-side JavaScript on a dedicated stack.\n\n**When to use**\nUse wrapper connections when:\n- The target API has non-standard authentication not supported by HTTP connections.\n- Custom server-side logic is needed for connection management.\n- You need a fully custom connector deployed on a Celigo Stack.\n\n**Required fields**\n- pingFunction (name of the function that tests connection health)\n- _stackId (set on the parent connection object — references the Celigo Stack)\n\n**Custom fields**\nUse encrypted/unencrypted fields to store connection-specific configuration.\nThe wrapper code on the Stack accesses these values at runtime.\n","required":["pingFunction"],"properties":{"pingFunction":{"type":"string","description":"Name of the JavaScript function on the Stack that tests connection health.\nThis function is called when the user clicks \"Test Connection\" in the UI.\nIt should verify that the connection credentials are valid and the target\nsystem is reachable.\n"},"unencrypted":{"type":"object","description":"Unencrypted custom fields for non-sensitive configuration values.\nThese values are accessible to the wrapper code on the Stack at runtime.\nField definitions are specified in unencryptedFields.\n"},"unencryptedFields":{"type":"array","description":"Metadata defining the unencrypted custom fields on this connection.","items":{"type":"object","properties":{"id":{"type":"string","description":"Field identifier — matches the key in the unencrypted object."},"label":{"type":"string","description":"Human-readable label shown in the UI."},"required":{"type":"boolean","default":false},"position":{"type":"number","description":"Display order in the UI form."},"helpText":{"type":"string","description":"Tooltip text shown next to the field in the UI."},"type":{"type":"string","description":"Field type hint for the UI (e.g., \"text\", \"select\")."}}}},"encrypted":{"type":"object","description":"Encrypted custom fields for sensitive configuration values (API keys, passwords, etc.).\nValues are encrypted at rest and decrypted only on the Stack at runtime.\nField definitions are specified in encryptedFields.\n"},"encryptedFields":{"type":"array","description":"Metadata defining the encrypted custom fields on this connection.","items":{"type":"object","properties":{"id":{"type":"string","description":"Field identifier — matches the key in the encrypted object."},"label":{"type":"string","description":"Human-readable label shown in the UI."},"required":{"type":"boolean","default":false},"position":{"type":"number","description":"Display order in the UI form."},"helpText":{"type":"string","description":"Tooltip text shown next to the field in the UI."},"type":{"type":"string","description":"Field type hint for the UI (e.g., \"text\", \"select\")."}}}},"_stackId":{"type":"string","format":"objectId","description":"Reference to the stack this wrapper connection uses."},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent operations through this wrapper connection.\n","minimum":1,"maximum":100,"default":5},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system adjusts concurrency\nbetween 1 and this value based on performance feedback.\n","minimum":1,"maximum":100}}},"ResourceResponse":{"type":"object","description":"Core response fields shared by all Celigo resources","properties":{"_id":{"type":"string","format":"objectId","readOnly":true,"description":"Unique identifier for the resource.\n\nThe _id is used in:\n- API endpoints that operate on a specific resource (e.g., GET, PUT, DELETE)\n- References from other resources (e.g., flows that use this resource)\n- Job history and error tracking\n\nFormat: 24-character hexadecimal string\n"},"createdAt":{"type":"string","format":"date-time","readOnly":true,"description":"Timestamp indicating when the resource was initially created.\n\nThis read-only field is automatically set during resource creation and cannot\nbe modified. It provides an audit trail for when the resource was first added\nto the system, which can be useful for:\n\n- Resource lifecycle management\n- Audit and compliance reporting\n- Troubleshooting integration timelines\n- Identifying older resources that may need review\n\nThe timestamp is recorded in ISO 8601 format with UTC timezone (Z suffix).\n"},"lastModified":{"type":"string","format":"date-time","readOnly":true,"description":"Timestamp indicating when the resource was most recently updated.\n\nThis read-only field is automatically updated whenever any property of the\nresource is modified. It provides an audit trail that can be used for:\n\n- Determining if a resource has changed since it was last reviewed\n- Monitoring configuration changes during troubleshooting\n- Implementing cache invalidation strategies\n- Synchronizing related resources based on modification time\n\nThe timestamp is recorded in ISO 8601 format with UTC timezone (Z suffix)\nand will always be equal to or later than the createdAt timestamp.\n"},"deletedAt":{"type":["string","null"],"format":"date-time","readOnly":true,"description":"Timestamp indicating when the resource was marked for deletion.\n\nWhen this field is present and contains a valid timestamp, it indicates\nthat the resource has been soft-deleted (moved to the recycle bin) but not\nyet permanently removed from the system. This allows for recovery of\naccidentally deleted resources within a specified retention period.\n\nThe deletedAt timestamp enables:\n- Filtering deleted resources from active resource listings\n- Implementing time-based retention policies for permanent deletion\n- Tracking deletion events for audit and compliance purposes\n- Resource recovery workflows with clear timeframes\n\nThe timestamp is recorded in ISO 8601 format with UTC timezone (Z suffix).\nWhen null or absent, the resource is considered active.\n"}},"required":["_id"]},"IAResourceResponse":{"type":"object","description":"Integration app response fields for resources that are part of integration apps","properties":{"_integrationId":{"type":"string","format":"objectId","readOnly":true,"description":"Reference to the specific integration instance that contains this resource.\n\nThis field is only populated for resources that are part of an integration app\ninstallation. It contains the unique identifier (_id) of the integration\nresource that was installed in the account.\n\nThe integration instance represents a specific installed instance of an\nintegration app, with its own configuration, settings, and runtime environment.\n\nThis reference enables:\n- Tracing the resource back to its parent integration instance\n- Permission and access control based on integration ownership\n- Lifecycle management (enabling/disabling, updating, or uninstalling)\n"},"_connectorId":{"type":"string","format":"objectId","readOnly":true,"description":"Reference to the integration app that defines this resource.\n\nThis field is only populated for resources that are part of an integration app.\nIt contains the unique identifier (_id) of the integration app (connector)\nthat defines the structure, behavior, and templates for this resource.\n\nThe integration app is the published template that can be installed\nmultiple times across different accounts, with each installation creating\na separate integration instance (referenced by _integrationId).\n\nThis reference enables:\n- Identifying the source integration app for this resource\n- Determining which template version is being used\n- Linking to documentation, support, and marketplace information\n"}}},"AIDescription":{"type":"object","description":"AI-generated descriptions and documentation for the resource.\n\nThis object contains automatically generated content that helps users\nunderstand the purpose, behavior, and configuration of the resource without\nrequiring them to analyze the technical details. The AI-generated content\nis sanitized and safe for display in the UI.\n","properties":{"summary":{"type":"string","description":"Brief AI-generated summary of the resource's purpose and functionality.\n\nThis concise description provides a quick overview of what the resource does,\nwhat systems it interacts with, and its primary role in the integration.\nThe summary is suitable for display in list views, dashboards, and other\ncontexts where space is limited.\n\nMaximum length: 10KB\n"},"detailed":{"type":"string","description":"Comprehensive AI-generated description of the resource's functionality.\n\nThis detailed explanation covers the resource's purpose, configuration details,\ndata flow patterns, filtering logic, and other technical aspects. It provides\nin-depth information suitable for documentation, tooltips, or detailed views\nin the administration interface.\n\nThe content may include HTML formatting for improved readability.\n\nMaximum length: 10KB\n"},"generatedOn":{"type":"string","format":"date-time","description":"Timestamp indicating when the AI description was generated.\n\nThis field helps track the freshness of the AI-generated content and\ndetermine when it might need to be regenerated due to changes in the\nresource's configuration or behavior.\n\nThe timestamp is recorded in ISO 8601 format with UTC timezone (Z suffix).\n"}}},"Error":{"type":"object","description":"Standard error response envelope returned by integrator.io APIs.","properties":{"errors":{"type":"array","description":"List of errors that occurred while processing the request.","items":{"type":"object","properties":{"code":{"oneOf":[{"type":"string"},{"type":"integer"}],"description":"Machine-readable error code. Usually a string like\n`invalid_ref`, `missing_required_field`, or `unauthorized`;\nmay be an **integer** when the error mirrors an upstream HTTP\nstatus (e.g. `500`) — most commonly returned by connection-ping\nand adaptor-proxy responses."},"message":{"type":"string","description":"Human-readable description of the error."},"field":{"type":"string","description":"Optional pointer to the document field that caused the error.\nUsed by structural validation errors (`missing_required_field`,\n`invalid_ref`) to indicate which field is at fault\n(e.g. `_id`, `type`, `http.baseURI`)."},"source":{"type":"string","description":"Optional origin layer for the error — e.g. `application` when\nthe error came from the remote system the adaptor called,\n`connector` when the adaptor itself rejected the request."}},"required":["message"]}}},"required":["errors"]}},"responses":{"401-unauthorized":{"description":"Unauthorized. The request lacks a valid bearer token, or the provided token\nfailed to authenticate.\n\nNote: the 401 response is produced by the auth middleware **before** the\nrequest reaches the endpoint handler, so it does **not** follow the\nstandard `{errors: [...]}` envelope. Instead the body is a bare\n`{message: string}` object with no `code`, no `errors` array. Callers\nhandling 401s should key off the HTTP status and the `message` string,\nnot try to destructure an `errors[]`.","content":{"application/json":{"schema":{"type":"object","properties":{"message":{"type":"string","description":"Human-readable description of the auth failure. Known values:\n- `\"Unauthorized\"` — no `Authorization` header on the request.\n- `\"Bearer Authentication Failed\"` — header present but token\n  is invalid, revoked, or expired."}},"required":["message"]}}}},"403-forbidden":{"description":"Forbidden. The authenticated caller does not have permission to perform this operation.\n","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"404-not-found":{"description":"Not found. The requested resource does not exist or is not visible to the caller.\n","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}}},"paths":{"/v1/connections/{_id}":{"get":{"summary":"Get a connection","description":"Retrieves a specific connection by its unique identifier.\nReturns the complete connection configuration including authentication settings.\n","operationId":"getConnectionById","tags":["Connections"],"parameters":[{"in":"path","name":"_id","required":true,"schema":{"type":"string"},"description":"The unique identifier of the connection"}],"responses":{"200":{"description":"Connection retrieved successfully","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Response"}}}},"401":{"$ref":"#/components/responses/401-unauthorized"},"403":{"$ref":"#/components/responses/403-forbidden"},"404":{"$ref":"#/components/responses/404-not-found"}}}}}}
```

## Update a connection

> Updates an existing connection configuration. This is a full-replace operation —\
> send the complete connection document, not just the fields you want to change.<br>

```json
{"openapi":"3.1.0","info":{"title":"Connections","version":"1.0.0"},"servers":[{"url":"https://api.integrator.io","description":"Production (US / default region)"},{"url":"https://api.eu.integrator.io","description":"Production (EU region)"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer"}},"schemas":{"Request":{"type":"object","description":"Fields that can be sent when creating or updating a connection","properties":{"name":{"type":"string","description":"Descriptive identifier for the connection resource in human-readable format.\n\nThis string serves as the primary display name for the connection across the application UI and is used in:\n- API responses when listing connections\n- Error and audit logs for traceability\n- Flow builder UI components\n- Integration configuration dashboards\n\nWhile not required to be globally unique in the system, using descriptive, unique names is strongly recommended\nfor clarity when managing multiple connections. The name should indicate the target system and purpose.\n\nMaximum length: 200 characters\nAllowed characters: Letters, numbers, spaces, and basic punctuation\n","maxLength":200},"type":{"type":"string","description":"The type of connection determining which authentication and connectivity options are available","enum":["netsuite","salesforce","ftp","s3","rest","wrapper","http","rdbms","mongodb","as2","filesystem","mcp","dynamodb","jdbc","van"]},"externalId":{"type":"string","description":"External identifier for the connection, often used for integration with third-party systems"},"assistant":{"type":"string","description":"Application name in lowercase for HTTP connections to systems with integrator.io adaptors.\nUsed to identify the target application being connected to.\nExamples - Shopify: \"shopify\", eBay: \"ebay\".\nOnly applicable for HTTP connection types.\n"},"_agentId":{"type":"string","format":"objectId","description":"Reference to a Celigo on-premise Agent. Required for connection types that need\nlocal network or filesystem access (JDBC, filesystem, Oracle RDBMS).\nThe agent establishes a secure tunnel between the on-premise environment and integrator.io.\n"},"_borrowConcurrencyFromConnectionId":{"type":"string","format":"objectId","description":"Reference to another connection to share concurrency limits with.\nWhen set, this connection's concurrency is counted against the referenced\nconnection's limit instead of maintaining its own.\n"},"debugDate":{"type":"string","format":"date-time","description":"Date until which debug logging is enabled for this connection"},"settingsForm":{"type":"object","description":"Dynamic form configuration for connection-specific settings"},"settings":{"type":"object","description":"Connection-specific settings and configurations"},"pgp":{"type":"object","description":"PGP encryption settings for file-based connections"},"ssl":{"$ref":"#/components/schemas/SSL"},"netsuite":{"$ref":"#/components/schemas/NetSuite"},"salesforce":{"$ref":"#/components/schemas/Salesforce"},"ftp":{"$ref":"#/components/schemas/FTP"},"s3":{"$ref":"#/components/schemas/S3"},"rest":{"$ref":"#/components/schemas/REST"},"http":{"$ref":"#/components/schemas/HTTP"},"rdbms":{"$ref":"#/components/schemas/RDBMS"},"mongodb":{"$ref":"#/components/schemas/MongoDB"},"as2":{"$ref":"#/components/schemas/AS2"},"filesystem":{"$ref":"#/components/schemas/Filesystem"},"dynamodb":{"$ref":"#/components/schemas/DynamoDB"},"jdbc":{"$ref":"#/components/schemas/JDBC"},"van":{"$ref":"#/components/schemas/VAN"},"mcp":{"$ref":"#/components/schemas/MCP"},"wrapper":{"$ref":"#/components/schemas/Wrapper"}},"required":["name","type"],"anyOf":[{"title":"NetSuite","required":["netsuite"],"properties":{"netsuite":{"$ref":"#/components/schemas/NetSuite"}}},{"title":"Salesforce","required":["salesforce"],"properties":{"salesforce":{"$ref":"#/components/schemas/Salesforce"}}},{"title":"FTP","required":["ftp"],"properties":{"ftp":{"$ref":"#/components/schemas/FTP"}}},{"title":"S3","required":["s3"],"properties":{"s3":{"$ref":"#/components/schemas/S3"}}},{"title":"REST","required":["rest"],"properties":{"rest":{"$ref":"#/components/schemas/REST"}}},{"title":"HTTP","required":["http"],"properties":{"http":{"$ref":"#/components/schemas/HTTP"}}},{"title":"RDBMS","required":["rdbms"],"properties":{"rdbms":{"$ref":"#/components/schemas/RDBMS"}}},{"title":"MongoDB","required":["mongodb"],"properties":{"mongodb":{"$ref":"#/components/schemas/MongoDB"}}},{"title":"AS2","required":["as2"],"properties":{"as2":{"$ref":"#/components/schemas/AS2"}}},{"title":"Filesystem","required":["filesystem"],"properties":{"filesystem":{"$ref":"#/components/schemas/Filesystem"}}},{"title":"MCP","required":["mcp"],"properties":{"mcp":{"$ref":"#/components/schemas/MCP"}}},{"title":"DynamoDB","required":["dynamodb"],"properties":{"dynamodb":{"$ref":"#/components/schemas/DynamoDB"}}},{"title":"JDBC","required":["jdbc"],"properties":{"jdbc":{"$ref":"#/components/schemas/JDBC"}}},{"title":"VAN","required":["van"],"properties":{"van":{"$ref":"#/components/schemas/VAN"}}},{"title":"Wrapper","required":["wrapper"],"properties":{"wrapper":{"$ref":"#/components/schemas/Wrapper"}}}]},"SSL":{"type":"object","description":"SSL/TLS certificate configuration for secure database connections.\n\nUsed by RDBMS and other connection types that support client certificate authentication\nor connections to servers with private CA-signed certificates.\n\n**Usage rules**\n- Provide cert + key together for client certificate (mutual TLS) authentication.\n- Provide ca alone when the server uses a certificate signed by a private CA.\n- cert/key and ca can be combined for mTLS with a private CA.\n- passphrase is only needed when the private key is encrypted.\n","properties":{"ca":{"type":"string","description":"Certificate Authority (CA) certificate in PEM format (encrypted at rest).\nProvide this when the database server uses a certificate signed by a private CA\nthat is not in the system's default trust store.\n","writeOnly":true},"key":{"type":"string","description":"Client private key in PEM format (encrypted at rest).\nREQUIRED alongside cert for client certificate (mTLS) authentication.\nCannot be provided without cert.\n","writeOnly":true},"passphrase":{"type":"string","description":"Passphrase to decrypt an encrypted private key (encrypted at rest).\nOnly needed when the PEM private key in the key field is password-protected.\n","writeOnly":true},"cert":{"type":"string","description":"Client certificate in PEM format (encrypted at rest).\nREQUIRED alongside key for client certificate (mTLS) authentication.\nCannot be provided without key.\n","writeOnly":true}}},"NetSuite":{"type":"object","description":"Configuration for NetSuite ERP connections. Used when the connection type is \"netsuite\".\n\nNetSuite connections support two authentication methods:\n- Token-Based Authentication (TBA) — recommended for production. Requires tokenId and tokenSecret.\n- Basic authentication (email/password) — legacy method, limited functionality.\n\n**Required fields by auth type**\n- authType \"token\": account, tokenId, tokenSecret, roleId\n- authType \"token-auto\": account (tokens are managed automatically via iClient)\n- authType \"basic\": account, email, password, roleId\n\n**Environment**\nThe environment field selects which NetSuite instance to connect to.\nThe account ID format changes based on environment (e.g., \"123456\" for production,\n\"123456_SB1\" for non-production).\n","properties":{"authType":{"type":"string","enum":["basic","token","token-auto"],"description":"Authentication method for the NetSuite connection.\n\n- \"token\" — Token-Based Authentication (TBA). Recommended for production.\n  Requires tokenId and tokenSecret from a NetSuite integration record.\n- \"token-auto\" — Automatic token management via Celigo's iClient.\n  Tokens are provisioned and rotated automatically.\n- \"basic\" — Legacy email/password authentication. Not recommended for\n  new connections; has limited API access compared to TBA.\n"},"account":{"type":"string","description":"NetSuite account ID. REQUIRED for all auth types.\n\nThis is the account identifier visible in NetSuite under Setup > Company > Company Information.\nThe value is automatically uppercased.\n\nFormat varies by environment:\n- Production: \"123456\" or \"TSTDRV123456\"\n- Non-production: \"123456_SB1\" (suffix indicates the environment number)\n- Beta: \"123456\" (same as production, but with environment set to \"beta\")\n"},"environment":{"type":"string","enum":["production","beta"],"description":"NetSuite environment to connect to.\n\n- \"production\" — Live production instance.\n- \"beta\" — NetSuite beta/release-preview environment.\n\nDefaults to \"production\" when not specified.\n"},"tokenId":{"type":"string","description":"NetSuite TBA token ID (encrypted at rest). REQUIRED when authType is \"token\".\n\nGenerated in NetSuite under Setup > Users/Roles > Access Tokens.\nMust be paired with the corresponding tokenSecret.\n","writeOnly":true},"tokenSecret":{"type":"string","description":"NetSuite TBA token secret (encrypted at rest). REQUIRED when authType is \"token\".\n\nGenerated alongside the tokenId in NetSuite. Treat as a sensitive credential.\n","writeOnly":true},"entityId":{"type":"string","description":"NetSuite entity/user ID associated with the token."},"tokenName":{"type":"string","description":"Human-readable name of the NetSuite access token for identification purposes."},"roleId":{"type":"string","description":"NetSuite role ID that determines the permissions for this connection.\n\nThe role controls which records, fields, and operations are accessible.\nMust match the role associated with the access token in NetSuite.\n"},"email":{"type":"string","description":"NetSuite user email address. REQUIRED when authType is \"basic\".\nUsed as the login credential for basic (email/password) authentication.\n","format":"email"},"password":{"type":"string","description":"NetSuite user password (encrypted at rest). REQUIRED when authType is \"basic\".","writeOnly":true},"requestLevelCredentials":{"type":"boolean","description":"When true, authentication credentials are sent with each individual API request\nrather than maintaining a persistent session. Enable this for environments\nwhere session-based auth is unreliable.\n"},"dataCenterURLs":{"type":"object","description":"NetSuite data center URL overrides. Normally auto-discovered from the account ID.\nOnly set this to override the default data center routing.\n"},"accountName":{"type":"string","description":"Human-readable NetSuite account name (display purposes only)."},"roleName":{"type":"string","description":"Human-readable name of the NetSuite role (display purposes only)."},"wsdlVersion":{"type":"string","description":"NetSuite WSDL (Web Services Description Language) version for SuiteTalk Web Services.\n\nControls which API version is used for SOAP-based operations. Newer versions\nmay include additional record types and fields.\n\n- \"latest\" — Use the most recent stable WSDL version.\n- \"next\" — Use the next (pre-release) WSDL version.\n- Specific versions like \"2023.2\" pin to that exact API version.\n","enum":["latest","next","2023.2","2023.1","2022.2","2022.1"],"default":"latest"},"applicationId":{"type":"string","description":"NetSuite application ID from the integration record.\nRequired for some authentication configurations to identify the calling application.\n"},"concurrencyLevelRESTlet":{"type":"number","description":"Maximum concurrent requests to NetSuite RESTlet endpoints.\nNetSuite enforces governance limits on concurrent RESTlet requests per account.\nKeep this low to avoid SuiteScript governance errors.\n","minimum":1,"maximum":10,"default":1},"concurrencyLevelWebServices":{"type":"number","description":"Maximum concurrent requests to NetSuite SuiteTalk Web Services (SOAP API).\nNetSuite enforces concurrency limits per account — exceeding them causes\n\"Only one request may be made against a session at a time\" errors.\n","minimum":1,"maximum":10,"default":5},"concurrencyLevel":{"type":"number","description":"General concurrency level for this connection. Controls the overall\nmaximum concurrent requests across all operation types.\n","minimum":1,"maximum":10,"default":5},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system adjusts concurrency\nbetween 1 and this value based on rate limit and governance feedback.\n","minimum":1,"maximum":10},"_iClientId":{"type":"string","format":"objectId","description":"ID of the iClient used for token-based authentication."}}},"Salesforce":{"type":"object","description":"Configuration for Salesforce CRM connections. Used when the connection type is \"salesforce\".\n\nSalesforce connections authenticate via OAuth 2.0 with two supported flows:\n- JWT Bearer Token — server-to-server auth using a Salesforce Connected App. Recommended for automated integrations.\n- Refresh Token — interactive OAuth flow where the user authorizes via browser. Good for user-context integrations.\n\n**Required fields by flow type**\n- oauth2FlowType \"jwtBearerToken\": username (Salesforce username of the authorized user)\n- oauth2FlowType \"refreshToken\": refreshToken (obtained via browser-based OAuth flow)\n\n**Environment selection**\nThe login endpoint defaults to login.salesforce.com for production orgs.\n","properties":{"baseURI":{"type":"string","description":"Custom Salesforce instance URL. Overrides the default login URL.\n\nNormally auto-discovered during OAuth authentication. Only set this to\nforce a specific instance URL (e.g., \"https://mycompany.my.salesforce.com\").\n","format":"uri"},"oauth2FlowType":{"type":"string","enum":["jwtBearerToken","refreshToken"],"description":"OAuth 2.0 authentication flow type.\n\n- \"jwtBearerToken\" — Server-to-server JWT Bearer Token flow. Does not require\n  user interaction. Requires a Salesforce Connected App with a digital certificate,\n  and the username field must be set to the authorized Salesforce user.\n- \"refreshToken\" — Authorization Code / Refresh Token flow. Requires initial\n  browser-based authorization, then uses the refresh token for ongoing access.\n\nChoose \"jwtBearerToken\" for automated server-to-server integrations.\nChoose \"refreshToken\" for integrations that operate in a specific user's context.\n"},"username":{"type":"string","description":"Salesforce username for JWT Bearer Token authentication.\nREQUIRED when oauth2FlowType is \"jwtBearerToken\".\n\nThis is the Salesforce login username (email) of the user whose permissions\nthe integration will operate under.\n"},"bearerToken":{"type":"string","description":"OAuth access/bearer token (encrypted at rest).\nTypically auto-managed by the system during OAuth flows. Rarely set manually.\n","writeOnly":true},"refreshToken":{"type":"string","description":"OAuth refresh token (encrypted at rest). REQUIRED when oauth2FlowType is \"refreshToken\".\nObtained during the initial browser-based OAuth authorization flow.\n","writeOnly":true},"packagedOAuth":{"type":"boolean","description":"When true, uses Celigo's pre-configured Connected App for OAuth.\nWhen false, you must provide your own Connected App credentials via iClient.\n","default":false},"scope":{"type":"array","items":{"type":"string"},"description":"OAuth scopes to request during authorization. Controls the level of access granted.\n\nCommon scopes:\n- \"full\" — Full access to all Salesforce APIs.\n- \"refresh_token\" — Allows obtaining refresh tokens for long-lived access.\n- \"api\" — Access to REST and SOAP APIs.\n\nDefaults to [\"full\", \"refresh_token\"] which provides complete API access.\n","default":["full","refresh_token"]},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent API requests to Salesforce.\nSalesforce enforces per-org API request limits. Setting this too high\nmay exhaust your org's API call allocation faster.\n","minimum":1,"maximum":25,"default":5},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system adjusts concurrency\nbetween 1 and this value based on rate limit feedback from Salesforce.\n","minimum":1,"maximum":25}}},"FTP":{"type":"object","description":"Configuration for FTP/SFTP/FTPS file transfer connections. Used when the connection type is \"ftp\".\n\nSupports three file transfer protocols:\n- FTP — Standard File Transfer Protocol (unencrypted). Default port 21.\n- SFTP — SSH File Transfer Protocol (encrypted via SSH). Default port 22.\n- FTPS — FTP over TLS/SSL (encrypted via TLS). Default port 21 (explicit) or 990 (implicit).\n\n**Required fields**\n- type (ftp, sftp, or ftps)\n- hostURI (server hostname or IP)\n- username\n\n**Authentication**\n- FTP/FTPS: username + password\n- SFTP: username + password, OR username + authKey (SSH private key), OR both\n\n**Pgp encryption**\nOptional PGP encryption/decryption can be enabled for file-level security,\nindependent of transport-level encryption. Requires pgpEncryptKey and/or pgpDecryptKey.\n","required":["type","hostURI","username"],"properties":{"type":{"type":"string","enum":["ftp","sftp","ftps"],"description":"File transfer protocol type. REQUIRED.\n\n- \"ftp\" — Standard FTP. No transport encryption. Default port 21.\n- \"sftp\" — SSH-based file transfer. Encrypted transport. Default port 22.\n  Supports SSH key authentication via the authKey field.\n- \"ftps\" — FTP over TLS/SSL. Encrypted transport. Default port 21 (explicit TLS)\n  or 990 (implicit TLS — set useImplicitFtps to true).\n\nPrefer \"sftp\" for security. Use \"ftps\" when the server requires TLS.\nOnly use \"ftp\" for legacy systems that don't support encryption.\n"},"hostURI":{"type":"string","description":"FTP server hostname or IP address. REQUIRED.\nDo NOT include the protocol prefix (e.g., use \"ftp.example.com\", not \"sftp://ftp.example.com\").\n"},"port":{"type":"number","description":"Server port number. Defaults vary by type:\n- FTP: 21\n- SFTP: 22\n- FTPS (explicit): 21\n- FTPS (implicit): 990\n","minimum":1,"maximum":65535,"default":21},"username":{"type":"string","description":"Username for server authentication. REQUIRED."},"password":{"type":"string","description":"Password for server authentication (encrypted at rest).\nFor SFTP, either password or authKey (SSH key) is required.\n","writeOnly":true},"authKey":{"type":"string","description":"SSH private key for SFTP key-based authentication (encrypted at rest).\nOnly used when type is \"sftp\". Provide the full PEM-encoded private key.\nCan be used alone or alongside a password for two-factor auth.\n","writeOnly":true},"usePassiveMode":{"type":"boolean","description":"When true, uses passive mode for FTP/FTPS data connections.\nIn passive mode, the client initiates both control and data connections,\nwhich works better through firewalls and NAT. Enable for most scenarios.\n","default":true},"enableHostVerification":{"type":"boolean","description":"When true, verifies the server's SSH host key (SFTP) or TLS certificate (FTPS).\nDisable only for development/testing with self-signed certificates.\n","default":true},"userDirectoryIsRoot":{"type":"boolean","description":"When true, treats the user's home directory as the root directory.\nAll paths are relative to the user's home directory rather than the server root.\n","default":false},"useImplicitFtps":{"type":"boolean","description":"When true, uses implicit FTPS (TLS connection established immediately on port 990).\nWhen false, uses explicit FTPS (starts as FTP on port 21, upgrades to TLS via STARTTLS).\nOnly applies when type is \"ftps\".\n","default":false},"requireSocketReUse":{"type":"boolean","description":"When true, requires the data connection to reuse the same TLS session as the control connection.\nSome FTPS servers require this for security. Only applies to FTPS connections.\n","default":false},"entryParser":{"type":"string","enum":["UNIX","UNIX-TRIM","VMS","WINDOWS","OS/2","OS/400","AS/400","MVS","UNKNOWN-TYPE","NETWARE","MACOS-PETER"],"description":"File listing format parser. Controls how directory listings from the server are interpreted.\nMost servers use UNIX format. Only change this if directory listings appear garbled.\n\n- \"UNIX\" — Standard Unix/Linux servers (most common).\n- \"WINDOWS\" — Windows FTP servers using DOS-style listings.\n- \"MVS\" — IBM mainframe MVS systems.\n- \"AS/400\" — IBM AS/400 (iSeries) systems.\n- Other values are for specific legacy server platforms.\n"},"pgpEncryptKey":{"type":"string","description":"PGP public key for encrypting files before upload (encrypted at rest).\nWhen set, files are PGP-encrypted before being sent to the server.\n","writeOnly":true},"pgpDecryptKey":{"type":"string","description":"PGP private key for decrypting files after download (encrypted at rest).\nWhen set, downloaded files are automatically PGP-decrypted.\n","writeOnly":true},"pgpPassphrase":{"type":"string","description":"Passphrase for the PGP private key (encrypted at rest).","writeOnly":true},"pgpKeyAlgorithm":{"type":"string","enum":["CAST5","3DES","AES-128","AES-192","AES-256"],"description":"Symmetric encryption algorithm used for PGP operations.\nAES-256 is recommended for strong encryption. CAST5 is the PGP default.\nMust match the algorithm expected by the recipient when encrypting.\n"},"pgpSignAndVerify":{"type":"boolean","description":"When true, PGP-signs outbound files and verifies signatures on inbound files.\nProvides authenticity and integrity verification on top of encryption.\n","default":false},"tradingPartner":{"type":"boolean","description":"When true, this connection is associated with a trading partner configuration\nfor B2B/EDI file exchanges.\n","default":false},"_tpConnectorId":{"type":"string","format":"objectId","description":"Reference to a trading partner connector."},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent file transfer operations.\nFTP servers often have low connection limits — keep this value conservative.\n","minimum":1,"maximum":10,"default":1},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system adjusts concurrency\nbetween 1 and this value based on server response feedback.\n","minimum":1,"maximum":10}}},"S3":{"type":"object","description":"Configuration for Amazon S3 connections. Used when the connection type is \"s3\".\n\nProvides access to Amazon S3 buckets for file-based integrations (upload, download,\nlist, and delete operations). Uses AWS IAM credentials for authentication.\n\n**Required fields**\n- accessKeyId (AWS access key)\n- secretAccessKey (AWS secret key)\n\n**Ping**\nSet pingBucket to an accessible S3 bucket name so Celigo can verify\nthe connection credentials are valid.\n","required":["accessKeyId","secretAccessKey"],"properties":{"accessKeyId":{"type":"string","description":"AWS access key ID for IAM authentication. REQUIRED.\nFrom an IAM user or role with S3 access permissions (s3:GetObject, s3:PutObject, s3:ListBucket, etc.).\n"},"secretAccessKey":{"type":"string","description":"AWS secret access key (encrypted at rest). REQUIRED.\nPaired with the accessKeyId. Treat as a sensitive credential.\n","writeOnly":true},"pingBucket":{"type":"string","description":"S3 bucket name used for connection health checks (ping).\nThe system performs a HEAD request on this bucket to verify credentials.\nMust be a bucket the IAM credentials have access to.\n"},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent S3 operations.\nS3 has high throughput limits, so this can be set relatively high.\n","minimum":1,"maximum":100,"default":5},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system adjusts concurrency\nbetween 1 and this value based on performance feedback.\n","minimum":1,"maximum":100}}},"REST":{"type":"object","description":"Configuration for REST connector connections. Used when the connection type is \"rest\".\n\nREST connections are template-driven HTTP connections that use a pre-built HTTP Connector\ndefinition. The connector template pre-configures authentication, base URI, and other\nsettings — the user only fills in credentials and account-specific values.\n\n**Rest vs http connections**\n- Use \"rest\" when connecting to an application that has a Celigo HTTP Connector template\n  (referenced via _httpConnectorId). The connector provides pre-configured API settings.\n- Use \"http\" for fully custom API connections where you configure everything manually.\n\n**Authentication**\nThe authType field selects the authentication method. Available methods depend on the\nconnector template. Credentials are stored in the appropriate auth sub-fields (basicAuth,\nbearerToken, refreshToken, oauth, etc.).\n","required":["mediaType","baseURI","authType"],"properties":{"mediaType":{"type":"string","enum":["json","urlencoded","xml","csv"],"description":"Default content type for API requests and responses.\n\n- \"json\" — application/json (most common for REST APIs).\n- \"xml\" — application/xml (for XML-based APIs).\n- \"urlencoded\" — application/x-www-form-urlencoded (for form-style APIs).\n- \"csv\" — text/csv (for CSV-based data exchange).\n"},"baseURI":{"type":"string","description":"Base URL for all API requests. REQUIRED.\nAll relative URIs in exports and imports are appended to this base URL.\nMay be pre-populated by the HTTP Connector template.\n","format":"uri"},"authType":{"type":"string","enum":["basic","token","oauth","custom","cookie","jwt","hmac","wsse","oauth1"],"description":"Authentication method for this connection. REQUIRED.\n\n- \"basic\" — HTTP Basic Auth. Requires basicAuth.username and basicAuth.password.\n- \"token\" — Bearer token or API key. Requires bearerToken. Supports auto-refresh.\n- \"oauth\" — OAuth 2.0. Requires oauth configuration and typically authURI/oauthTokenURI.\n- \"cookie\" — Cookie-based session auth. Requires cookieAuth configuration.\n- \"jwt\" — JWT-based authentication.\n- \"hmac\" — HMAC signature authentication.\n- \"wsse\" — WS-Security. Requires basicAuth credentials.\n- \"oauth1\" — OAuth 1.0a. Requires oauth.oauth1 configuration.\n- \"custom\" — No built-in auth; credentials in headers or encrypted fields.\n"},"authURI":{"type":"string","description":"OAuth 2.0 authorization endpoint URI.\nUsed for OAuth authorization code flow where users authorize via browser.\n","format":"uri"},"oauthTokenURI":{"type":"string","description":"OAuth 2.0 token endpoint URI.\nUsed to exchange authorization codes for access tokens and to refresh tokens.\n","format":"uri"},"disableStrictSSL":{"type":"boolean","description":"When true, disables strict SSL/TLS certificate validation.\nOnly use for development/testing with self-signed certificates.\n","default":false},"skipOauthValidations":{"type":"boolean","description":"When true, skips Celigo's built-in OAuth configuration validation.\nUse when the connector has non-standard OAuth requirements.\n","default":false},"isHTTPProxy":{"type":"boolean","description":"When true, this REST connection acts as an HTTP proxy for another connection.\n","default":false},"authHeader":{"type":"string","description":"Custom HTTP header name for the authorization token.\nDefaults to \"Authorization\". Change only if the API uses a non-standard header.\n","default":"Authorization"},"retryHeader":{"type":"string","description":"HTTP response header name containing retry-after delay for rate-limited requests.\nDefaults to \"Retry-After\" (HTTP standard).\n","default":"Retry-After"},"authScheme":{"type":"string","enum":["MAC","OAuth","Bearer","Hmac"],"description":"Authorization header scheme/prefix prepended before the token value.\nProduces headers like \"Authorization: Bearer <token>\".\nDefaults to \"Bearer\" which is the most common scheme.\n","default":"Bearer"},"scope":{"type":"array","items":{"type":"string"},"description":"OAuth scopes to request during authorization. Controls the level of API access granted.\n"},"scopeDelimiter":{"type":"string","description":"Delimiter character between multiple OAuth scopes.\nDefaults to a space (\" \") per the OAuth 2.0 spec. Some APIs use commas.\n","default":" "},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent API requests.\nSet based on the target API's rate limit documentation.\n","minimum":1,"maximum":100,"default":5},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system adjusts concurrency\nbetween 1 and this value based on rate limit feedback.\n","minimum":1,"maximum":100},"bearerToken":{"type":"string","description":"Bearer token or API key for authentication (encrypted at rest).\nUsed when authType is \"token\".\n","writeOnly":true},"refreshToken":{"type":"string","description":"OAuth refresh token (encrypted at rest).\nUsed to obtain new access tokens when they expire.\n","writeOnly":true},"tokenLocation":{"type":"string","enum":["header","url"],"description":"Where to include the access token in outbound requests.\n- \"header\" — Sent in the Authorization header (default, most common).\n- \"url\" — Sent as a URL query parameter (use tokenParam for the parameter name).\n","default":"header"},"tokenParam":{"type":"string","description":"URL query parameter name for the access token when tokenLocation is \"url\".\n","default":"access_token"},"basicAuth":{"type":"object","description":"Basic authentication credentials. REQUIRED when authType is \"basic\" or \"wsse\".\n","properties":{"username":{"type":"string","description":"Username for Basic authentication."},"password":{"type":"string","description":"Password for Basic authentication (encrypted at rest).","writeOnly":true}}},"cookieAuth":{"type":"object","description":"Cookie-based session authentication configuration.\nREQUIRED when authType is \"cookie\".\n","properties":{"uri":{"type":"string","description":"Login endpoint URI. REQUIRED. The system sends a request here to obtain session cookies."},"body":{"type":"string","description":"Request body for the login request (e.g., JSON with credentials)."},"method":{"type":"string","description":"HTTP method for the login request (typically POST)."},"successStatusCode":{"type":"number","description":"HTTP status code that confirms successful authentication."}}},"oauth":{"$ref":"#/components/schemas/OAuth"},"refreshTokenMethod":{"type":"string","enum":["POST","PUT","GET"],"description":"HTTP method for token refresh requests.\n","default":"POST"},"refreshTokenBody":{"type":"string","description":"Request body template for token refresh requests."},"refreshTokenURI":{"type":"string","description":"URI for the token refresh endpoint.","format":"uri"},"refreshTokenPath":{"type":"string","description":"JSON path to extract the new access token from the refresh response.\nExample: \"access_token\" or \"data.token\".\n"},"refreshTokenMediaType":{"type":"string","enum":["json","urlencoded"],"description":"Content type for token refresh request bodies.","default":"json"},"refreshTokenHeaders":{"type":"array","description":"Additional headers to include in token refresh requests.","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}},"required":["name","value"]}},"headers":{"type":"array","description":"Default HTTP headers included in every API request.\nUse for API keys in custom headers, content negotiation, or required headers.\n","items":{"type":"object","properties":{"name":{"type":"string","description":"Header name."},"value":{"type":"string","description":"Header value. Supports handlebars expressions."}},"required":["name","value"]}},"pingRelativeURI":{"type":"string","description":"Relative URI (appended to baseURI) for connection health check requests.\nShould be a lightweight endpoint (e.g., \"/me\", \"/health\").\n"},"pingSuccessPath":{"type":"string","description":"JSON path to extract a success indicator from the ping response.\nIf the value matches one of pingSuccessValues, the ping succeeds.\n"},"pingSuccessValues":{"type":"array","items":{"type":"string"},"description":"Values that indicate a successful ping at pingSuccessPath."},"pingFailurePath":{"type":"string","description":"JSON path to extract a failure indicator from the ping response.\n"},"pingFailureValues":{"type":"array","items":{"type":"string"},"description":"Values that indicate a failed ping at pingFailurePath."},"pingMethod":{"type":"string","enum":["GET","POST"],"description":"HTTP method for ping requests.","default":"GET"},"pingBody":{"type":"string","description":"Request body for ping requests (when pingMethod is POST)."},"encrypted":{"type":"object","description":"Encrypted custom fields for sensitive configuration values.\nField definitions are in encryptedFields.\n"},"encryptedFields":{"type":"array","description":"Metadata defining the encrypted custom fields on this connection.","items":{"type":"object","properties":{"id":{"type":"string","description":"Field identifier — matches the key in the encrypted object."},"label":{"type":"string","description":"Human-readable label shown in the UI."},"required":{"type":"boolean","default":false},"position":{"type":"number","description":"Display order in the UI form."},"helpText":{"type":"string","description":"Tooltip text shown next to the field in the UI."}}}},"unencrypted":{"type":"object","description":"Unencrypted custom fields for non-sensitive configuration values.\nField definitions are in unencryptedFields.\n"},"unencryptedFields":{"type":"array","description":"Metadata defining the unencrypted custom fields on this connection.","items":{"type":"object","properties":{"id":{"type":"string","description":"Field identifier — matches the key in the unencrypted object."},"label":{"type":"string","description":"Human-readable label shown in the UI."},"required":{"type":"boolean","default":false},"position":{"type":"number","description":"Display order in the UI form."},"helpText":{"type":"string","description":"Tooltip text shown next to the field in the UI."},"type":{"type":"string","description":"Field type hint for the UI (e.g., \"text\", \"select\")."}}}},"info":{"type":"object","description":"Additional metadata about the REST connection, populated by the system.","readOnly":true}}},"OAuth":{"type":"object","description":"OAuth 2.0 and OAuth 1.0a authentication configuration.\n\nUsed as a sub-object within HTTP and REST connection auth configurations.\nSupports three OAuth 2.0 grant types and OAuth 1.0a for legacy APIs.\n\n**Oauth 2.0 grant types**\n- \"authorizationcode\" — Authorization Code flow (browser-based user consent).\n  Requires authURI, tokenURI, and user authorization via browser.\n- \"clientcredentials\" — Client Credentials flow (server-to-server, no user).\n  Requires tokenURI, clientId, clientSecret.\n- \"password\" — Resource Owner Password flow (username/password exchange).\n  Requires tokenURI, username, password, clientId, clientSecret.\n\n**Oauth 1.0a**\nFor OAuth 1.0a APIs, configure the oauth1 sub-object with consumer key/secret\nand access token/secret. Supports HMAC, RSA, and PLAINTEXT signature methods.\n","properties":{"type":{"type":"string","enum":["custom","assistant"],"description":"OAuth configuration mode.\n- \"custom\" — Fully user-configured OAuth settings.\n- \"assistant\" — Pre-configured via an application assistant connector.\n"},"grantType":{"type":"string","enum":["authorizationcode","clientcredentials","password","implicit"],"description":"OAuth 2.0 grant type that determines the authentication flow.\n\n- \"authorizationcode\" — Authorization Code flow. Most secure. Requires user\n  authorization via browser redirect. Use for integrations that act on behalf of a user.\n- \"clientcredentials\" — Client Credentials flow. Server-to-server authentication\n  without user involvement. Use for machine-to-machine integrations.\n- \"password\" — Resource Owner Password Credentials flow. Exchanges username/password\n  directly for tokens. Only use when the API does not support other flows.\n- \"implicit\" — Implicit flow (legacy, not recommended for new integrations).\n","default":"authorizationcode"},"authURI":{"type":"string","format":"uri","description":"OAuth 2.0 authorization endpoint URL.\nREQUIRED for \"authorizationcode\" grant type. The user is redirected to this URL\nto authorize the application.\n"},"tokenURI":{"type":"string","format":"uri","description":"OAuth 2.0 token endpoint URL.\nREQUIRED for \"authorizationcode\", \"clientcredentials\", and \"password\" grant types.\nThe system exchanges credentials or authorization codes for access tokens at this URL.\n"},"skipOauthValidations":{"type":"boolean","description":"When true, skips Celigo's built-in OAuth configuration validation.\nUse when the API has non-standard OAuth requirements that conflict with validation rules.\n","default":false},"scope":{"type":"array","items":{"type":"string"},"description":"OAuth scopes to request during authorization. Controls the level of API access.\nScope values are API-specific (e.g., \"read\", \"write\", \"admin\").\n"},"scopeDelimiter":{"type":"string","description":"Delimiter between multiple scope values. Defaults to a space (\" \") per the\nOAuth 2.0 spec. Some APIs use commas or other delimiters.\n","default":" "},"clientId":{"type":"string","description":"OAuth client ID (application ID) registered with the API provider.\nREQUIRED for all OAuth 2.0 grant types.\n"},"clientSecret":{"type":"string","description":"OAuth client secret (encrypted at rest).\nREQUIRED for \"authorizationcode\" and \"clientcredentials\" grant types.\n","writeOnly":true},"username":{"type":"string","description":"Resource owner username. REQUIRED when grantType is \"password\".\n"},"password":{"type":"string","description":"Resource owner password (encrypted at rest). REQUIRED when grantType is \"password\".\n","writeOnly":true},"clientCredentialsLocation":{"type":"string","enum":["header","body"],"description":"Where to send client credentials in token requests.\n\n- \"header\" — Send as HTTP Basic Auth header (default, recommended by OAuth spec).\n- \"body\" — Send as form parameters in the request body.\n  Use when the API does not support Basic Auth for client credentials.\n","default":"header"},"accessTokenPath":{"type":"string","description":"JSON path to extract the access token from the token endpoint response.\nDefaults to \"access_token\" per the OAuth 2.0 spec.\nChange only if the API returns the token at a non-standard path.\n"},"accessTokenHeaders":{"type":"array","description":"Additional HTTP headers to include in token endpoint requests.\nUse for APIs that require custom headers beyond the standard OAuth parameters.\n","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"accessTokenBody":{"type":"string","description":"Additional body content to include in token endpoint requests.\nAppended to the standard OAuth parameters.\n"},"oauth2RedirectUrl":{"type":"string","description":"OAuth 2.0 redirect URI (callback URL) registered with the API provider.\nMust exactly match the redirect URI configured in the OAuth application registration.\n"},"useIClientFields":{"type":"boolean","description":"When true, uses iClient-managed OAuth credentials (clientId/clientSecret)\ninstead of the values in this configuration.\n"},"oauth1":{"type":"object","description":"OAuth 1.0a configuration for legacy APIs that use the older OAuth protocol.\n\n**Required fields**\n- consumerKey (always required)\n- accessToken (always required)\n- For HMAC methods: consumerSecret and tokenSecret\n- For RSA methods: consumerPrivateKey\n","properties":{"consumerKey":{"type":"string","description":"OAuth 1.0a consumer key (API key). REQUIRED.\nIdentifies the application making the request.\n"},"consumerSecret":{"type":"string","description":"OAuth 1.0a consumer secret (encrypted at rest).\nREQUIRED for HMAC and PLAINTEXT signature methods.\n","writeOnly":true},"accessToken":{"type":"string","description":"OAuth 1.0a access token (encrypted at rest). REQUIRED.\nRepresents the user's authorization for the application to access their data.\n","writeOnly":true},"tokenSecret":{"type":"string","description":"OAuth 1.0a token secret (encrypted at rest).\nREQUIRED for HMAC and PLAINTEXT signature methods.\n","writeOnly":true},"signatureMethod":{"type":"string","enum":["HMAC-SHA1","HMAC-SHA256","HMAC-SHA512","RSA-SHA1","RSA-SHA256","RSA-SHA512","PLAINTEXT"],"description":"OAuth 1.0a request signing method.\n\nHMAC methods (require consumerSecret and tokenSecret):\n- \"HMAC-SHA1\" — Most widely supported (legacy).\n- \"HMAC-SHA256\" — More secure HMAC variant.\n- \"HMAC-SHA512\" — Strongest HMAC variant.\n\nRSA methods (require consumerPrivateKey):\n- \"RSA-SHA1\" — RSA signing (legacy).\n- \"RSA-SHA256\" — More secure RSA variant.\n- \"RSA-SHA512\" — Strongest RSA variant.\n\n- \"PLAINTEXT\" — No cryptographic signing. Only for testing over HTTPS.\n"},"consumerPrivateKey":{"type":"string","description":"RSA private key for OAuth 1.0a RSA signature methods (encrypted at rest).\nREQUIRED when signatureMethod is RSA-SHA1, RSA-SHA256, or RSA-SHA512.\n","writeOnly":true},"realm":{"type":"string","description":"OAuth realm value included in the Authorization header.\nSome APIs require this to identify the authentication domain.\n"}}},"pkceCodeVerifier":{"type":"string","description":"PKCE (Proof Key for Code Exchange) code verifier for enhanced OAuth 2.0 security.\nManaged internally by the system during authorization code flows.\n","writeOnly":true}}},"HTTP":{"type":"object","description":"Configuration for HTTP/REST API connections. Used when the connection type is \"http\".\n\nThis is the most versatile connection type in Celigo, supporting any REST, SOAP, or generic HTTP API.\nIt handles authentication, request/response formatting, rate limiting, and connection health checks.\n\n**When to use**\n- Any REST or SOAP API not covered by a specialized connector (Salesforce, NetSuite, etc.)\n- Custom HTTP integrations with APIs that use standard auth methods\n- GraphQL APIs (set formType to \"graph_ql\")\n- Amazon Selling Partner API (set type to \"Amazon-SP-API\")\n\n**Authentication models**\nThe auth.type field selects the authentication strategy. Each type requires specific sub-fields:\n- \"basic\" — HTTP Basic Auth (username/password)\n- \"token\" — Bearer token or API key with optional auto-refresh\n- \"oauth\" — OAuth 2.0 (authorization code, client credentials, or password grant)\n- \"jwt\" / \"jwtbearer\" — JWT-based authentication with HMAC or RSA signing\n- \"cookie\" — Cookie-based session authentication\n- \"digest\" — HTTP Digest Authentication\n- \"oauth1\" — OAuth 1.0a (HMAC or RSA signatures)\n- \"custom\" — No built-in auth; credentials go in headers or encrypted fields\n- \"wsse\" — WS-Security UsernameToken (SOAP APIs)\n- \"specific\" — Platform-specific auth (e.g., PTX)\n","required":["mediaType"],"properties":{"mediaType":{"type":"string","enum":["xml","json","urlencoded","form-data","plaintext"],"description":"Default content type for outbound HTTP request bodies. REQUIRED.\n\nThis controls the Content-Type header and how request bodies are serialized:\n- \"json\" — application/json. Use for most modern REST APIs.\n- \"xml\" — application/xml. Use for SOAP or XML-based APIs.\n- \"urlencoded\" — application/x-www-form-urlencoded. Use for form-style POST bodies.\n- \"form-data\" — multipart/form-data. Use for file uploads or multipart requests.\n- \"plaintext\" — text/plain. Use for raw text payloads.\n\nDefault to \"json\" unless the API documentation specifies otherwise.\n"},"successMediaType":{"type":"string","enum":["xml","csv","json","plaintext"],"description":"Expected content type of successful API responses. Controls how response bodies are parsed.\n\n- \"json\" — Parse response as JSON (default for most APIs).\n- \"xml\" — Parse response as XML.\n- \"csv\" — Parse response as CSV.\n- \"plaintext\" — Treat response as raw text, no parsing.\n\nIf omitted, the system infers the format from the response Content-Type header.\n"},"errorMediaType":{"type":"string","enum":["xml","json","plaintext"],"description":"Expected content type of error responses from the API. Controls how error response bodies are parsed for extracting error messages.\n\nIf omitted, defaults to the same format as successMediaType.\n"},"baseURI":{"type":"string","description":"Base URL for all API requests made through this connection. REQUIRED.\n\nAll relative URIs in exports and imports are appended to this base URL.\nMust be an absolute URL (e.g., \"https://api.example.com/v2\").\nHandlebars expressions are supported for dynamic URLs.\n\nDo NOT include trailing slashes — relative URIs in exports/imports should start with \"/\".\n","format":"uri"},"disableStrictSSL":{"type":"boolean","description":"When true, disables strict SSL/TLS certificate validation for API requests.\n\nOnly set to true for development/testing with self-signed certificates.\nNEVER disable in production — it removes protection against man-in-the-middle attacks.\n","default":false},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent HTTP requests this connection can make simultaneously.\n\nHigher values increase throughput but may trigger API rate limits.\nSet this based on the target API's rate limit documentation.\n","minimum":1,"maximum":100,"default":25},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system automatically adjusts\nconcurrency between 1 and this value based on rate limit feedback.\n\nOnly relevant when autoRecoverRateLimitErrors is enabled on the connection.\n","minimum":1,"maximum":100},"retryHeader":{"type":"string","description":"HTTP response header name that contains the retry delay (in seconds) when rate-limited.\n\nDefaults to \"Retry-After\" which is the HTTP standard. Only change this if the API\nuses a non-standard header name for retry-after values.\n","default":"Retry-After"},"formType":{"type":"string","enum":["assistant","rest","http","graph_ql","assistant_graphql"],"description":"Controls the UI form layout for configuring this connection. Determines which\nfields are shown and how they are organized in the Celigo UI.\n\n- \"http\" — Standard HTTP connection form with full control over all fields.\n- \"rest\" — Simplified REST connector form linked to an HTTP connector template.\n- \"assistant\" — Application assistant form with pre-configured settings.\n- \"graph_ql\" — GraphQL-specific form with query/mutation support.\n- \"assistant_graphql\" — Application assistant form with GraphQL support.\n\nFor programmatic creation, \"http\" is the most common choice.\n"},"type":{"type":"string","enum":["Amazon-SP-API","Amazon-Hybrid","vendor_central"],"description":"Specific API type for Amazon integrations. Only set this for Amazon connections.\n\n- \"Amazon-SP-API\" — Amazon Selling Partner API.\n- \"Amazon-Hybrid\" — Hybrid Amazon connection supporting both MWS and SP-API.\n- \"vendor_central\" — Amazon Vendor Central API.\n"},"clientCertificates":{"type":"object","description":"Client certificate configuration for mutual TLS (mTLS) authentication.\n\nUse when the API server requires a client certificate to establish the TLS connection.\nYou can provide either a PEM cert/key pair OR a PFX bundle, but not both.\n","properties":{"cert":{"type":"string","description":"Client certificate in PEM format. Must be paired with the key field.\nCannot be used together with pfx.\n"},"key":{"type":"string","description":"Private key for the client certificate in PEM format (encrypted at rest).","writeOnly":true},"ca":{"type":"string","description":"Certificate Authority (CA) certificate in PEM format.\nUse when the server's certificate is signed by a private CA not in the default trust store.\n"},"passphrase":{"type":"string","description":"Passphrase to decrypt an encrypted private key or PFX bundle (encrypted at rest).","writeOnly":true},"pfx":{"type":"string","description":"PKCS#12 (.pfx/.p12) bundle containing both the certificate and private key (encrypted at rest).\nCannot be used together with cert/key.\n","writeOnly":true}}},"ping":{"type":"object","description":"Connection health check (ping) configuration. Defines how Celigo tests\nwhether this connection is alive and authenticated.\n\nWhen configured, Celigo sends an HTTP request to the specified endpoint and\nevaluates the response to determine connection health. The ping runs when\ntesting the connection in the UI and periodically during flow execution.\n","properties":{"relativeURI":{"type":"string","description":"Relative URI appended to baseURI for the ping request.\nShould be a lightweight, fast endpoint (e.g., \"/me\", \"/health\", \"/api/v1/status\").\n"},"method":{"type":"string","enum":["GET","POST","PUT","HEAD"],"description":"HTTP method for the ping request. Defaults to GET.\nUse POST only if the health endpoint requires it.\n","default":"GET"},"body":{"type":"string","description":"Request body for the ping request. Only used when method is POST or PUT.\nFor form-data mediaType, must be valid multipart form data.\n"},"successPath":{"type":"string","description":"JSON path or XPath expression to extract a success indicator from the ping response.\nIf the value at this path matches one of the successValues, the ping succeeds.\nIf omitted, any 2xx response is considered successful.\n"},"successValues":{"type":"array","items":{"type":"string"},"description":"Values that indicate a successful ping when found at successPath.\nRequires successPath to be set.\n"},"allowArrayforSuccessPath":{"type":"boolean","description":"Whether the value at successPath can be an array (any matching element counts as success)."},"failPath":{"type":"string","description":"JSON path or XPath expression to extract a failure indicator from the ping response.\nIf the value at this path matches one of the failValues, the ping fails even if the HTTP status is 2xx.\n"},"failValues":{"type":"array","items":{"type":"string"},"description":"Values that indicate a failed ping when found at failPath.\nRequires failPath to be set.\n"},"errorPath":{"type":"string","description":"JSON path or XPath expression to extract a human-readable error message from\na failed ping response. The extracted message is shown to the user in the UI.\n"}}},"auth":{"type":"object","description":"Authentication configuration for the API connection.\n\nThe auth.type field selects the authentication strategy. Each type requires\nspecific sub-fields — see the type field description for details.\n","properties":{"type":{"type":"string","enum":["custom","basic","token","oauth","wsse","cookie","jwt","digest","specific","oauth1","jwtbearer"],"description":"Authentication method for this connection. Determines which auth sub-fields are required.\n\n- \"basic\" — HTTP Basic Auth. Requires: auth.basic.username and auth.basic.password.\n- \"token\" — API key or bearer token. Requires: auth.token with token value and location.\n  Supports automatic token refresh via refreshMethod/refreshRelativeURI.\n- \"oauth\" — OAuth 2.0. Requires: auth.oauth with grant type, URIs, and credentials.\n  Supports authorization code, client credentials, and password grant flows.\n- \"jwtbearer\" — JWT Bearer Token. Requires: auth.jwt with signatureMethod and payload.\n  HMAC methods need a secret; RSA/EC methods need a privateKey.\n- \"cookie\" — Cookie-based session auth. Requires: auth.cookie.uri (login endpoint).\n- \"digest\" — HTTP Digest Auth. Requires: auth.basic.username and auth.basic.password.\n- \"oauth1\" — OAuth 1.0a. Requires: auth.oauth.oauth1 with consumer key/secret and tokens.\n- \"custom\" — No built-in auth handling. Put credentials in headers or encrypted fields.\n- \"wsse\" — WS-Security. Requires: auth.basic.username and auth.basic.password.\n- \"specific\" — Platform-specific auth (e.g., PTX).\n- \"jwt\" — Legacy JWT auth. Prefer \"jwtbearer\" for new connections.\n"},"failStatusCode":{"type":"number","description":"HTTP status code that indicates an authentication failure (e.g., 401, 403).\nWhen this status code is received, the system triggers re-authentication\nbefore retrying the request.\n"},"failPath":{"type":"string","description":"JSON path or XPath expression to check in response bodies for authentication failure indicators.\nUsed when APIs return 200 OK but embed auth errors in the response body.\n"},"failValues":{"type":"array","items":{"type":"string"},"description":"Values at failPath that indicate an authentication failure.\nRequires failPath to be set.\n"},"skipFollowAuthorizationHeader":{"type":"boolean","description":"When true, the Authorization header is NOT forwarded on HTTP redirects.\nEnable this for APIs that redirect to a different domain after authentication.\n"},"basic":{"type":"object","description":"Basic authentication credentials. REQUIRED when auth.type is \"basic\", \"wsse\", or \"digest\".\n","properties":{"username":{"type":"string","description":"Username for Basic/Digest/WSSE authentication."},"password":{"type":"string","description":"Password for Basic/Digest/WSSE authentication (encrypted at rest).","writeOnly":true}}},"token":{"type":"object","description":"Token-based authentication configuration. REQUIRED when auth.type is \"token\".\n\nSupports static API keys/bearer tokens and automatic token refresh flows.\nThe token can be sent in a header (Authorization), query parameter, or request body.\n","properties":{"token":{"type":"string","description":"The API key or bearer token value (encrypted at rest).\nREQUIRED unless automatic token refresh is configured.\n","writeOnly":true},"location":{"type":"string","enum":["url","header","body"],"description":"Where to include the token in outbound requests.\n- \"header\" — Sent in an HTTP header (most common). Use headerName and scheme to control format.\n- \"url\" — Sent as a URL query parameter. Use paramName to set the parameter name.\n- \"body\" — Included in the request body.\n"},"headerName":{"type":"string","description":"HTTP header name for the token when location is \"header\".\nDefaults to \"Authorization\" if omitted.\n"},"scheme":{"type":"string","description":"Token scheme/prefix when sent in a header. Prepended before the token value.\nCommon values: \"Bearer\", \"Token\", \"Basic\".\nExample: scheme \"Bearer\" produces header \"Authorization: Bearer <token>\".\n"},"paramName":{"type":"string","description":"Query parameter name for the token when location is \"url\".\nExample: paramName \"api_key\" produces URL \"?api_key=<token>\".\n"},"refreshMethod":{"type":"string","enum":["GET","POST","PUT"],"description":"HTTP method for automatic token refresh requests.\nREQUIRED when no static token is provided (refresh-based auth flow).\n","default":"POST"},"refreshRelativeURI":{"type":"string","description":"Relative URI (appended to baseURI) for the token refresh endpoint.\nThe system calls this endpoint to obtain a new token when the current one expires.\n"},"refreshBody":{"type":"string","description":"Request body to send with the token refresh request."},"refreshMediaType":{"type":"string","enum":["json","urlencoded","xml","plaintext"],"description":"Content type for the token refresh request body.\n","default":"urlencoded"},"refreshResponseMediaType":{"type":"string","enum":["json","xml"],"description":"Expected content type of the token refresh response."},"refreshTokenPath":{"type":"string","description":"JSON path to extract the new token from the refresh response.\nExample: \"access_token\" or \"data.token\".\n"},"refreshToken":{"type":"string","description":"Refresh token used to obtain a new access token (encrypted at rest).","writeOnly":true},"refreshTokenLocation":{"type":"string","enum":["header","body"],"description":"Where to include the refresh token in refresh requests."},"refreshHeaders":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}},"description":"Additional headers to include in token refresh requests."},"tokenPaths":{"type":"array","items":{"type":"string"},"description":"JSON paths to extract multiple token values from the refresh response.\nUse when the refresh response contains tokens at different paths that need\nto be stored for subsequent requests.\n"}}},"oauth":{"$ref":"#/components/schemas/OAuth"},"cookie":{"type":"object","description":"Cookie-based session authentication. REQUIRED when auth.type is \"cookie\".\n\nThe system authenticates by sending a request to the login URI, captures the\nsession cookies from the response, and includes them in all subsequent API requests.\n","properties":{"uri":{"type":"string","description":"Login endpoint URI for cookie authentication. REQUIRED.\nThe system sends a request to this URI to obtain session cookies.\n"},"body":{"type":"string","description":"Request body for the login request (e.g., JSON with username/password)."},"method":{"type":"string","description":"HTTP method for the login request (typically POST)."},"successStatusCode":{"type":"number","description":"HTTP status code that confirms successful authentication.\nIf the login response returns this status code, the session cookies are captured.\n"}}},"jwt":{"$ref":"#/components/schemas/JWT"}}},"rateLimit":{"type":"object","description":"Rate limiting configuration. Defines how the system detects and handles\nAPI rate limit responses.\n\nWhen rate limiting is detected, the system pauses requests and waits for\nthe retry-after period before resuming. The retryHeader field on the parent\nHTTP object controls which response header contains the wait time.\n","properties":{"failStatusCode":{"type":"number","description":"HTTP status code that indicates the API is rate-limiting requests.\nDefaults to 429 (Too Many Requests) which is the HTTP standard.\nChange only if the API uses a non-standard status code for rate limits.\n","default":429},"failPath":{"type":"string","description":"JSON path or XPath to check in response bodies for rate limit indicators.\nUsed when APIs return 200 OK but embed rate limit errors in the response body.\n"},"failValues":{"type":"array","items":{"type":"string"},"description":"Values at failPath that indicate rate limiting. Requires failPath to be set.\n"},"limit":{"type":"number","minimum":1,"description":"Maximum number of requests per rate-limit window. When set, the connection's\neffective concurrency level must be 1 to ensure proper rate limit enforcement.\n"}}},"headers":{"type":"array","description":"Default HTTP headers included in every request made through this connection.\nUse for API keys in custom headers, content negotiation, or any headers the API requires on all requests.\n","items":{"type":"object","properties":{"name":{"type":"string","description":"Header name (e.g., \"X-API-Key\", \"Accept\")."},"value":{"type":"string","description":"Header value. Supports handlebars expressions for dynamic values."}},"required":["name","value"]}},"encrypted":{"type":"object","description":"Encrypted custom fields for storing sensitive configuration values (API secrets,\nprivate keys, etc.) that don't fit standard auth fields. Values are encrypted at rest.\nField definitions are specified in encryptedFields.\n"},"encryptedFields":{"type":"array","description":"Metadata defining the encrypted custom fields available on this connection.\nEach entry describes a field in the encrypted object — its ID, label, and UI position.\n","items":{"type":"object","properties":{"id":{"type":"string","description":"Field identifier — matches the key in the encrypted object."},"label":{"type":"string","description":"Human-readable label shown in the UI."},"required":{"type":"boolean","default":false},"position":{"type":"number","description":"Display order in the UI form."},"helpText":{"type":"string","description":"Tooltip or help text shown next to the field in the UI."}}}},"unencrypted":{"type":"object","description":"Unencrypted custom fields for non-sensitive configuration values.\nField definitions are specified in unencryptedFields.\n"},"unencryptedFields":{"type":"array","description":"Metadata defining the unencrypted custom fields available on this connection.\nEach entry describes a field in the unencrypted object.\n","items":{"type":"object","properties":{"id":{"type":"string","description":"Field identifier — matches the key in the unencrypted object."},"label":{"type":"string","description":"Human-readable label shown in the UI."},"required":{"type":"boolean","default":false},"position":{"type":"number","description":"Display order in the UI form."},"helpText":{"type":"string","description":"Tooltip or help text shown next to the field in the UI."},"type":{"type":"string","description":"Field type hint for the UI (e.g., \"text\", \"select\")."}}}},"_iClientId":{"type":"string","format":"objectId","description":"ID of the iClient used for OAuth authentication."},"_httpConnectorId":{"type":"string","format":"objectId","description":"ID of the HTTP connector template this connection is based on."},"_httpConnectorApiId":{"type":"string","format":"objectId","description":"ID of the HTTP connector API definition."},"_httpConnectorVersionId":{"type":"string","format":"objectId","description":"ID of the HTTP connector version."}}},"JWT":{"type":"object","description":"JWT (JSON Web Token) authentication configuration.\n\nUsed when auth.type is \"jwtbearer\" on HTTP connections. The system generates\na signed JWT and uses it as a bearer token for API authentication.\n\n**Signing methods**\n- HMAC (HS256/HS384/HS512): Symmetric signing using a shared secret.\n  Requires the secret field.\n- RSA (RS256/RS384/RS512): Asymmetric signing using an RSA private key.\n  Requires the privateKey field.\n- ECDSA (ES256/ES384/ES512): Asymmetric signing using an elliptic curve private key.\n  Requires the privateKey field.\n\n**Required fields**\n- algorithm (signing algorithm)\n- secret (for HMAC algorithms) OR privateKey (for RSA/ECDSA algorithms)\n- At least one claim (issuer, subject, audience, or customClaims)\n","properties":{"algorithm":{"type":"string","enum":["HS256","HS384","HS512","RS256","RS384","RS512","ES256","ES384","ES512"],"description":"JWT signing algorithm. REQUIRED.\n\nHMAC algorithms (symmetric — use the secret field):\n- \"HS256\" — HMAC with SHA-256 (default, most common).\n- \"HS384\" — HMAC with SHA-384.\n- \"HS512\" — HMAC with SHA-512.\n\nRSA algorithms (asymmetric — use the privateKey field):\n- \"RS256\" — RSA with SHA-256 (most common for RSA).\n- \"RS384\" — RSA with SHA-384.\n- \"RS512\" — RSA with SHA-512.\n\nECDSA algorithms (asymmetric — use the privateKey field):\n- \"ES256\" — ECDSA with P-256 curve and SHA-256.\n- \"ES384\" — ECDSA with P-384 curve and SHA-384.\n- \"ES512\" — ECDSA with P-521 curve and SHA-512.\n","default":"HS256"},"secret":{"type":"string","description":"Shared secret key for HMAC signing algorithms (HS256/HS384/HS512).\nEncrypted at rest. REQUIRED when using an HMAC algorithm.\nNot used with RSA or ECDSA algorithms.\n","writeOnly":true},"privateKey":{"type":"string","description":"Private key in PEM format for RSA or ECDSA signing (encrypted at rest).\nREQUIRED when using an RSA (RS*) or ECDSA (ES*) algorithm.\nNot used with HMAC algorithms.\n","writeOnly":true},"publicKey":{"type":"string","description":"Public key for JWT verification. Optional — used when the API requires\nthe public key to be registered for signature verification.\n"},"issuer":{"type":"string","description":"JWT \"iss\" (issuer) claim. Identifies the principal that issued the JWT.\nTypically a client ID, service account email, or application identifier.\n"},"subject":{"type":"string","description":"JWT \"sub\" (subject) claim. Identifies the subject of the JWT.\nOften the user or service account the token represents.\n"},"audience":{"type":"string","description":"JWT \"aud\" (audience) claim. Identifies the intended recipient of the JWT.\nTypically the API endpoint URL or resource server identifier.\n"},"expiresIn":{"type":"number","description":"JWT expiration time in seconds from the current time.\nThe \"exp\" claim is set to (now + expiresIn). After this time, the JWT is invalid\nand the system generates a new one.\n","default":3600},"notBefore":{"type":"number","description":"JWT \"nbf\" (not before) claim in seconds from the current time.\nThe JWT is not valid before this time.\n"},"issuedAt":{"type":"boolean","description":"When true, includes the \"iat\" (issued at) claim with the current timestamp.\n","default":true},"jwtId":{"type":"boolean","description":"When true, includes a unique \"jti\" (JWT ID) claim for each generated token.\nUseful for preventing token replay attacks.\n","default":false},"customClaims":{"type":"object","description":"Additional custom claims to include in the JWT payload.\nUse for API-specific claims not covered by the standard fields\n(e.g., roles, permissions, custom scopes).\n"},"token":{"type":"string","description":"Pre-generated JWT token value (encrypted at rest).\nWhen set, this static token is used instead of generating one dynamically.\nUse only when the API provides a long-lived JWT that does not need to be regenerated.\n","writeOnly":true}}},"RDBMS":{"type":"object","description":"Configuration for relational database connections. Used when the connection type is \"rdbms\".\n\nCeligo has native support for these database systems:\n- MySQL, MariaDB\n- PostgreSQL\n- Microsoft SQL Server (mssql), Azure Synapse (azuresynapse)\n- Oracle\n- Snowflake\n- Google BigQuery\n- Amazon Redshift\n\n**Required fields**\n- type (always required — selects the database system)\n- host, database, user, password (for most database types)\n- Snowflake: additionally requires snowflake.warehouse and snowflake.authType (\"basic\" or \"keyPair\")\n- BigQuery: requires bigquery.projectId, bigquery.dataset, bigquery.clientEmail, bigquery.privateKey\n- Redshift: requires host, database, user, password; optionally redshift.aws credentials for IAM auth\n- Oracle: uses serviceName instead of database\n\n**Database-specific notes**\n- For Oracle, set serviceName (not database) and optionally serverType and instanceName.\n- For Snowflake, snowflake.authType is REQUIRED: use \"basic\" for password auth, \"keyPair\" for RSA key-pair auth.\n- For MS SQL Server with Azure AD service principal auth, set mssql.authType to \"azure-service-principal\".\n- For BigQuery, use service account credentials (clientEmail + privateKey).\n","required":["type"],"properties":{"type":{"type":"string","enum":["mysql","postgresql","mssql","snowflake","oracle","bigquery","redshift","mariadb","azuresynapse"],"description":"The specific relational database system to connect to. REQUIRED.\n\nThis determines the SQL dialect, connection driver, default port, and\nwhich additional sub-fields are required.\n\n- \"mysql\" — MySQL (default port 3306)\n- \"mariadb\" — MariaDB (default port 3306)\n- \"postgresql\" — PostgreSQL (default port 5432)\n- \"mssql\" — Microsoft SQL Server (default port 1433)\n- \"azuresynapse\" — Azure Synapse Analytics (default port 1433)\n- \"oracle\" — Oracle Database (default port 1521). Uses serviceName instead of database.\n- \"snowflake\" — Snowflake Data Cloud. Requires snowflake.warehouse.\n- \"bigquery\" — Google BigQuery. Requires service account credentials in the bigquery sub-object.\n- \"redshift\" — Amazon Redshift. Optionally uses AWS IAM credentials.\n"},"host":{"type":"string","description":"Database server hostname or IP address.\nREQUIRED for all types except BigQuery (which uses Google's API endpoints).\n\nFor Snowflake, use the account URL format: \"account_identifier.snowflakecomputing.com\".\nFor Redshift, use the cluster endpoint: \"cluster-name.region.redshift.amazonaws.com\".\n"},"port":{"type":"number","description":"Database server port number. If omitted, uses the default port for the database type:\n- MySQL/MariaDB: 3306\n- PostgreSQL: 5432\n- MS SQL/Azure Synapse: 1433\n- Oracle: 1521\n- Snowflake: 443\n- Redshift: 5439\n","minimum":1,"maximum":65535},"database":{"type":"string","description":"Database name to connect to. REQUIRED for most types.\n\nFor Oracle, use the serviceName field instead of database.\nFor BigQuery, use bigquery.dataset to specify the target dataset.\n"},"instanceName":{"type":"string","description":"Named instance identifier. Used by MS SQL Server and Oracle when the server\nhosts multiple database instances. Not required for default instances.\n"},"user":{"type":"string","description":"Database username for authentication.\nREQUIRED for all types except BigQuery (which uses service account auth).\n"},"password":{"type":"string","description":"Database password (encrypted at rest). REQUIRED alongside user for password-based auth.","writeOnly":true},"version":{"type":"string","description":"Database server version string. Used by some drivers for compatibility adjustments."},"serviceName":{"type":"string","description":"Oracle service name. Used instead of the database field for Oracle connections.\nThis is the TNS service name or pluggable database (PDB) service name.\n"},"serverType":{"type":"string","enum":["dedicated","shared","pooled"],"description":"Oracle server connection type. Controls the server process model.\n\n- \"dedicated\" — Each connection gets its own server process. Best for heavy workloads.\n- \"shared\" — Connections share a pool of server processes. More resource-efficient.\n- \"pooled\" — Database Resident Connection Pooling (DRCP). Best for many short-lived connections.\n"},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent database connections.\nSet based on the database server's connection limit and available resources.\n","minimum":1,"maximum":100,"default":5},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system adjusts the number of\nconcurrent connections between 1 and this value based on performance feedback.\n","minimum":1,"maximum":100},"disableStrictSSL":{"type":"boolean","description":"When true, disables strict SSL/TLS certificate validation for the database connection.\nOnly use for development/testing with self-signed certificates.\n","default":false},"snowflake":{"type":"object","description":"Snowflake-specific configuration. REQUIRED when type is \"snowflake\".\n","required":["warehouse","authType"],"properties":{"warehouse":{"type":"string","description":"Snowflake virtual warehouse name. REQUIRED for Snowflake connections.\nThe warehouse provides compute resources for queries. Must be a warehouse\nthe user role has access to.\n"},"schema":{"type":"string","description":"Default Snowflake schema. If omitted, queries must fully-qualify table names\n(e.g., DATABASE.SCHEMA.TABLE).\n"},"role":{"type":"string","description":"Snowflake security role to use for the session. Determines which databases,\nschemas, and warehouses are accessible. Defaults to the user's default role.\n"},"authType":{"type":"string","enum":["basic","keyPair"],"description":"Authentication type for Snowflake. REQUIRED.\n\n- \"basic\" — Username/password authentication. Use for standard username/password connections.\n- \"keyPair\" — Key-pair authentication using RSA private key.\n  When using keyPair, provide the RSA private key in the connection's key field.\n\nWhen creating placeholder/dummy connections, use \"basic\".\n"}}},"mssql":{"type":"object","description":"Microsoft SQL Server / Azure Synapse-specific configuration.\n","properties":{"authType":{"type":"string","enum":["basic","azure-service-principal"],"description":"Authentication type for MS SQL Server.\n\n- \"basic\" — Standard SQL Server authentication with username/password (default).\n- \"azure-service-principal\" — Azure Active Directory service principal authentication.\n  Requires an iClient configuration with the service principal credentials.\n","default":"basic"}}},"bigquery":{"type":"object","description":"Google BigQuery-specific configuration. REQUIRED when type is \"bigquery\".\nUses Google Cloud service account credentials for authentication.\n","properties":{"projectId":{"type":"string","description":"Google Cloud project ID that contains the BigQuery datasets. REQUIRED.\nFound in the Google Cloud Console project settings.\n"},"dataset":{"type":"string","description":"Default BigQuery dataset name. REQUIRED.\nQueries will target tables within this dataset unless fully-qualified names are used.\n"},"clientEmail":{"type":"string","description":"Google Cloud service account email address. REQUIRED.\nFormat: \"service-account-name@project-id.iam.gserviceaccount.com\".\nThe service account must have BigQuery Data Editor and BigQuery Job User roles.\n"},"privateKey":{"type":"string","description":"Google Cloud service account private key in PEM format (encrypted at rest). REQUIRED.\nDownloaded as part of the service account JSON key file.\n","writeOnly":true}}},"redshift":{"type":"object","description":"Amazon Redshift-specific configuration. AWS credentials are optional —\nonly needed for IAM-based authentication instead of standard username/password.\n","properties":{"aws":{"type":"object","description":"AWS credentials for IAM-based Redshift authentication.","properties":{"accessKeyId":{"type":"string","description":"AWS access key ID for IAM authentication."},"secretAccessKey":{"type":"string","description":"AWS secret access key (encrypted at rest).","writeOnly":true}}},"clusterIdentifier":{"type":"string","description":"Redshift cluster identifier. Required for IAM-based authentication."},"region":{"type":"string","description":"AWS region where the Redshift cluster is deployed. Required for IAM-based authentication.\n","enum":["us-east-1","us-east-2","us-west-1","us-west-2","eu-west-1","eu-west-2","eu-west-3","eu-central-1","ap-southeast-1","ap-southeast-2","ap-northeast-1","ap-northeast-2","ap-south-1","sa-east-1","ca-central-1"]}}},"ssl":{"$ref":"#/components/schemas/SSL"},"options":{"type":"array","description":"Additional database driver connection options as name/value pairs.\nUse for driver-specific settings not covered by the standard fields\n(e.g., connection timeout, charset, application name).\n","items":{"type":"object","properties":{"name":{"type":"string","description":"Option name (driver-specific)."},"value":{"type":"string","description":"Option value."}},"required":["name","value"]}}}},"MongoDB":{"type":"object","description":"Configuration for MongoDB connections. Used when the connection type is \"mongodb\".\n\nSupports standalone MongoDB instances, replica sets, and MongoDB Atlas clusters.\n\n**Required fields**\n- host (array of one or more server addresses)\n- database (target database name)\n\n**Authentication**\nUsername and password are optional — only required when the MongoDB server has\nauthentication enabled (which is recommended for production).\nUse authSource to specify the authentication database if it differs from the target database.\n\n**Replica sets**\nFor replica sets, provide all member hostnames in the host array and set\nthe replicaSet field to the replica set name.\n","required":["host","database"],"properties":{"host":{"type":"array","items":{"type":"string"},"description":"MongoDB server addresses. REQUIRED. An array of one or more host:port strings.\n\n- Standalone: [\"mongodb.example.com:27017\"]\n- Replica set: [\"rs1.example.com:27017\", \"rs2.example.com:27017\", \"rs3.example.com:27017\"]\n- MongoDB Atlas: [\"cluster0-shard-00-00.abc.mongodb.net:27017\", ...]\n\nInclude the port number with each host. Default MongoDB port is 27017.\n"},"database":{"type":"string","description":"Target MongoDB database name. REQUIRED.\nAll operations (reads/writes) target collections within this database.\n"},"username":{"type":"string","description":"MongoDB username for authentication.\nRequired when the MongoDB server has authentication enabled.\n"},"password":{"type":"string","description":"MongoDB password (encrypted at rest). Required alongside username.","writeOnly":true},"replicaSet":{"type":"string","description":"MongoDB replica set name. Required when connecting to a replica set.\nThe driver uses this to discover all replica set members and handle failover.\nFor MongoDB Atlas, this is typically \"atlas-xxxxxx-shard-0\".\n"},"ssl":{"type":"boolean","description":"When true, connects to MongoDB over TLS/SSL.\nRequired for MongoDB Atlas and recommended for all production deployments.\n","default":false},"authSource":{"type":"string","description":"MongoDB authentication database — the database where the user credentials are stored.\nDefaults to the value of the database field. Set to \"admin\" if the user was created\nin the admin database (common for shared MongoDB deployments and Atlas).\n"},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent MongoDB operations.\n","minimum":1,"maximum":100,"default":5},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system adjusts concurrency\nbetween 1 and this value based on performance feedback.\n","minimum":1,"maximum":100}}},"AS2":{"type":"object","description":"AS2 (Applicability Statement 2) connection configuration for EDI","required":["as2Id","partnerId"],"properties":{"as2Id":{"type":"string","description":"AS2 identifier for this station. Trading partners use this as the \"To\"\nidentifier when sending documents, and integrator.io uses it as the \"From\"\nidentifier when sending documents to partners.\n\nIMPORTANT: This value must be unique across ALL integrator.io users to\nensure inbound documents are routed correctly. It CANNOT be updated after\ncreation. Use a different identifier for each environment (e.g., production vs. non-production).\n\nIf not provided, a unique value will be auto-generated.\n"},"partnerId":{"type":"string","description":"AS2 partner identifier"},"_tpConnectorId":{"type":"string","format":"objectId","description":"Reference to a trading partner connector"},"contentBasedFlowRouter":{"type":"object","description":"Content-based routing configuration","properties":{"function":{"type":"string","description":"Name of the routing function"},"_scriptId":{"type":"string","format":"objectId","description":"Reference to script containing the routing function"}}},"partnerStationInfo":{"type":"object","description":"Partner (remote) station configuration — used on the IMPORT side.\nControls how messages are sent TO the trading partner.\n","required":["as2URI","signing","encryptionType"],"properties":{"as2URI":{"type":"string","format":"uri","description":"Partner's AS2 endpoint URI"},"mdn":{"type":"object","description":"MDN (Message Disposition Notification) settings","required":["mdnSigning"],"properties":{"mdnURL":{"type":"string","description":"URL for asynchronous MDN"},"signatureProtocol":{"type":"string","enum":["pkcs7-signature"],"description":"MDN signature protocol"},"mdnSigning":{"type":"string","enum":["NONE","SHA1","MD5","SHA256"],"description":"MDN signing algorithm"},"verifyMDNSignature":{"type":"boolean","description":"Whether to verify the MDN signature from the partner"}}},"auth":{"type":"object","description":"Authentication for the partner AS2 endpoint","properties":{"type":{"type":"string","enum":["basic","token"],"description":"Authentication type"},"failStatusCode":{"type":"number","description":"HTTP status code indicating auth failure"},"failPath":{"type":"string","description":"JSON path to check for auth failure"},"failValues":{"type":"array","items":{"type":"string"},"description":"Values at failPath that indicate auth failure"},"basic":{"type":"object","description":"Basic auth credentials","properties":{"username":{"type":"string","description":"Username for basic auth"},"password":{"type":"string","writeOnly":true,"description":"Password for basic auth (encrypted)"}}},"token":{"type":"object","description":"Token-based auth configuration","properties":{"refreshHeaders":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}},"description":"Headers for token refresh requests"},"refreshToken":{"type":"string","writeOnly":true,"description":"Refresh token (encrypted)"}}}}},"rateLimit":{"type":"object","description":"Rate limiting configuration","properties":{"failStatusCode":{"type":"number"},"failPath":{"type":"string"},"failValues":{"type":"array","items":{"type":"string"}},"limit":{"type":"number","minimum":1,"description":"Maximum requests per time window"}}},"SMIMEVersion":{"type":"string","enum":["v2","v3"],"description":"S/MIME version (not typically exposed on UI)"},"signing":{"type":"string","enum":["NONE","SHA1","MD5","SHA256"],"description":"Message signing algorithm for outbound messages to partner"},"encryptionType":{"type":"string","enum":["NONE","DES","RC2","3DES","AES128","AES256"],"description":"Message encryption type for outbound messages to partner"},"encoding":{"type":"string","enum":["base64","binary"],"description":"Content transfer encoding (default base64)"},"signatureEncoding":{"type":"string","enum":["base64","binary"],"description":"Signature encoding format"}}},"userStationInfo":{"type":"object","description":"User (local) station configuration — used on the EXPORT side.\nControls how inbound messages from the partner are processed.\n","required":["signing","encryptionType"],"properties":{"mdn":{"type":"object","description":"MDN settings for inbound messages","required":["mdnSigning"],"properties":{"mdnURL":{"type":"string","description":"URL for asynchronous MDN"},"signatureProtocol":{"type":"string","enum":["pkcs7-signature"],"description":"MDN signature protocol"},"mdnSigning":{"type":"string","enum":["NONE","SHA1","MD5","SHA256"],"description":"MDN signing algorithm"},"mdnEncoding":{"type":"string","enum":["base64","binary"],"description":"MDN encoding format"}}},"signing":{"type":"string","enum":["NONE","SHA1","MD5","SHA256"],"description":"Message signing algorithm for inbound message verification"},"encryptionType":{"type":"string","enum":["NONE","DES","RC2","3DES","AES128","AES256"],"description":"Message encryption type for inbound message decryption"},"encoding":{"type":"string","enum":["base64","binary"],"description":"Content transfer encoding (default binary)"},"compressed":{"type":"boolean","description":"Whether to compress messages","default":false}}},"encrypted":{"type":"object","description":"Encrypted certificate and key data (stored encrypted at rest).\nRequired when signing or encryption is enabled (not NONE).\nAuto-generated self-signed certificates will be injected if not provided.\n","properties":{"userPrivateKey":{"type":"string","writeOnly":true,"description":"PEM-encoded X.509 private key for this station.\nRequired when partnerStationInfo.signing != NONE or userStationInfo.encryptionType != NONE.\n"}}},"unencrypted":{"type":"object","description":"Unencrypted certificate data for identity and partner verification.\nRequired when signing or encryption is enabled (not NONE).\nAuto-generated self-signed certificates will be injected if not provided.\n","properties":{"userPublicKey":{"type":"string","description":"PEM-encoded X.509 public certificate for this station.\nRequired when partnerStationInfo.signing != NONE or userStationInfo.encryptionType != NONE.\n"},"partnerCertificate":{"type":"string","description":"PEM-encoded X.509 certificate for the trading partner.\nRequired when partnerStationInfo.encryptionType != NONE or userStationInfo.signing != NONE,\nor when partnerStationInfo.mdn.verifyMDNSignature is true.\n"}}},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent operations","minimum":1,"maximum":10,"default":1},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling","minimum":1,"maximum":10},"preventCanonicalization":{"type":"boolean","description":"Prevent canonicalization of message content","default":false}}},"Filesystem":{"type":"object","description":"Configuration for filesystem connections. Used when the connection type is \"filesystem\".\n\nFilesystem connections provide access to the local filesystem on a Celigo on-premise Agent.\nThis enables file-based integrations with directories on the agent's host machine or\nmounted network drives.\n\n**Agent requirement**\nA Celigo Agent is REQUIRED for filesystem connections (set _agentId on the parent\nconnection object). The agent provides the filesystem access — cloud-only\ndeployments cannot use this connection type.\n\n**Ping**\nSet ping.directoryPath to a directory the agent can access to verify the connection.\n","properties":{"ping":{"type":"object","description":"Health check configuration for validating filesystem access.","properties":{"directoryPath":{"type":"string","description":"Absolute directory path on the agent's host used for connection health checks.\nThe system verifies the directory exists and is accessible.\nExample: \"/data/integrations/incoming\" or \"C:\\\\Data\\\\Integrations\".\n"}}},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent filesystem operations.\n","minimum":1,"maximum":100},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling.\n","minimum":1,"maximum":100}}},"DynamoDB":{"type":"object","description":"Configuration for Amazon DynamoDB connections. Used when the connection type is \"dynamodb\".\n\nProvides access to DynamoDB tables for NoSQL data integrations.\nUses AWS IAM credentials for authentication.\n\n**Required fields**\n- aws.accessKeyId\n- aws.secretAccessKey\n\nThe IAM credentials must have appropriate DynamoDB permissions\n(dynamodb:GetItem, dynamodb:PutItem, dynamodb:Query, dynamodb:Scan, etc.).\n","required":["aws"],"properties":{"aws":{"type":"object","description":"AWS IAM credentials for DynamoDB authentication. REQUIRED.","properties":{"accessKeyId":{"type":"string","description":"AWS access key ID for IAM authentication.\nFrom an IAM user or role with DynamoDB access permissions.\n"},"secretAccessKey":{"type":"string","description":"AWS secret access key (encrypted at rest).","writeOnly":true}}},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent DynamoDB operations.\nDynamoDB throughput is governed by table-level read/write capacity units.\n","minimum":1,"maximum":100,"default":5},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system adjusts concurrency\nbetween 1 and this value based on throughput feedback.\n","minimum":1,"maximum":100}}},"JDBC":{"type":"object","description":"Configuration for JDBC (Java Database Connectivity) connections.\nUsed when the connection type is \"jdbc\".\n\nJDBC connections provide access to databases through Java-based JDBC drivers,\nincluding databases not natively supported by Celigo's RDBMS connector.\n\n**When to use jdbc vs rdbms**\n- Use RDBMS for: MySQL, PostgreSQL, MS SQL, Snowflake, Oracle, BigQuery, Redshift, MariaDB.\n- Use JDBC for: NetSuite (SuiteAnalytics), Databricks, DB2, Workday, and other databases\n  accessible via a JDBC driver deployed on a Celigo Agent.\n\n**Required fields**\n- type (always required — selects the JDBC driver)\n- host, database, user, password (for most types)\n- For Oracle: use serviceName instead of database\n- For wallet auth: set authType to \"wallet\" and provide the wallet file\n\n**Agent requirement**\nMost JDBC connections require a Celigo on-premise Agent (set _agentId on the connection)\nbecause the JDBC driver runs on the agent, not in the cloud.\n","required":["type"],"properties":{"type":{"type":"string","enum":["agent","netsuitejdbc","databricks","oracle:thin","sqlserver","activedirectory","db2","workday"],"description":"JDBC driver/connection type. REQUIRED.\n\n- \"agent\" — Generic JDBC driver deployed on a Celigo Agent. Requires driverPath.\n- \"netsuitejdbc\" — NetSuite SuiteAnalytics JDBC driver for reporting and analytics queries.\n- \"databricks\" — Databricks SQL/Spark via JDBC.\n- \"oracle:thin\" — Oracle Database via the Oracle Thin JDBC driver.\n- \"sqlserver\" — Microsoft SQL Server via the JTDS or Microsoft JDBC driver.\n- \"activedirectory\" — SQL Server with Active Directory authentication.\n- \"db2\" — IBM DB2 database.\n- \"workday\" — Workday via JDBC (for report/data access).\n"},"version":{"type":"string","description":"JDBC driver version. Used for driver compatibility when multiple versions are available."},"host":{"type":"string","description":"Database server hostname or IP address.\nFor NetSuite JDBC, use the SuiteAnalytics Connect hostname\n(e.g., \"account-id.connect.api.netsuite.com\").\n"},"port":{"type":"number","description":"Database server port number. Default varies by driver type."},"database":{"type":"string","description":"Database or catalog name. For Oracle, use the serviceName field instead.\n"},"user":{"type":"string","description":"Database username for authentication."},"password":{"type":"string","description":"Database password (encrypted at rest).","writeOnly":true},"serviceName":{"type":"string","description":"Oracle service name. Used instead of the database field for Oracle JDBC connections.\nThis is the TNS service name or pluggable database (PDB) service name.\n"},"authType":{"type":"string","enum":["customjdbc","wallet"],"description":"Authentication method for the JDBC connection.\n\n- \"customjdbc\" — Standard username/password authentication (default).\n- \"wallet\" — Oracle Wallet authentication. Provide the wallet file in the wallet field.\n  The wallet contains encrypted credentials so username/password are not needed separately.\n"},"wallet":{"type":"string","description":"Oracle Wallet file contents (encrypted at rest).\nREQUIRED when authType is \"wallet\". Contains the auto-login wallet (cwallet.sso)\nwith encrypted credentials for passwordless Oracle authentication.\n","writeOnly":true},"driverPath":{"type":"string","description":"File path to the JDBC driver JAR on the Celigo Agent.\nREQUIRED when type is \"agent\" (generic JDBC).\nThe driver must be deployed on the agent before creating the connection.\n"},"properties":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}},"description":"Additional JDBC connection properties as name/value pairs.\nThese are passed directly to the JDBC driver as connection properties.\nUse for driver-specific settings like SSL mode, connection timeout,\napplication name, etc.\n"},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent database connections.\nJDBC connections often run through a single Agent, so keep this value\nconservative to avoid overwhelming the Agent or database.\n","minimum":1,"maximum":100,"default":5},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system adjusts the number of\nconcurrent connections between 1 and this value based on performance feedback.\n","minimum":1,"maximum":100}}},"VAN":{"type":"object","description":"Configuration for VAN (Value Added Network) connections.\nUsed when the connection type is \"van\".\n\nVAN connections provide EDI document exchange through a Value Added Network provider.\nDocuments are sent to and received from a VAN mailbox identified by the mailboxId.\n\nThe as2Id field links this VAN connection to an AS2 identity for document routing,\nand contentBasedFlowRouter enables routing inbound documents to different flows\nbased on document content.\n","properties":{"mailboxId":{"type":"number","description":"VAN mailbox identifier. Identifies the specific mailbox on the VAN provider\nthat this connection sends to and receives from.\n"},"as2Id":{"type":"string","description":"AS2 identifier for this VAN station. Used as the \"From\" identifier when sending\ndocuments and the \"To\" identifier when receiving. Must be unique across all\nintegrator.io users. Cannot be changed after creation.\n"},"contentBasedFlowRouter":{"type":"object","description":"Content-based routing configuration for inbound VAN documents.\nRoutes incoming documents to different flows based on document content\nusing a custom JavaScript function.\n","properties":{"function":{"type":"string","description":"Name of the JavaScript routing function in the referenced script."},"_scriptId":{"type":"string","format":"objectId","description":"Reference to the script resource containing the routing function."}}}}},"MCP":{"type":"object","description":"Configuration for MCP (Model Context Protocol) connections.\nUsed when the connection type is \"mcp\".\n\nMCP connections enable Celigo to call tools exposed by an external MCP server\nover HTTP. The MCP server provides a set of callable tools that can be invoked\nduring flow execution.\n\n**Required fields**\n- serverURL (the MCP server's HTTP endpoint)\n- http.auth.type (must be one of: \"token\", \"oauth\", or \"custom\")\n\n**Authentication**\nMCP connections authenticate via the http sub-object, which reuses the same\nauth configuration as HTTP connections but with a restricted set of auth types.\nOnly \"token\", \"oauth\", and \"custom\" are valid for MCP connections.\n","properties":{"protocol":{"type":"string","enum":["http"],"description":"Transport protocol for communicating with the MCP server.\nCurrently only \"http\" is supported.\n"},"serverURL":{"type":"string","description":"MCP server endpoint URL. REQUIRED.\nMust be a valid absolute URL (e.g., \"https://mcp-server.example.com/mcp\").\nThe system validates this as a proper URL.\n","format":"uri"},"timeout":{"type":"number","description":"Request timeout in milliseconds for MCP tool invocations.\nIf the MCP server does not respond within this time, the request fails.\n"},"allowedTools":{"type":"array","description":"Optional allowlist of MCP tool names that this connection may invoke.\nWhen set, only tools in this list can be called. When omitted or empty,\nall tools exposed by the MCP server are available.\n","items":{"type":"string"}},"http":{"type":"object","description":"HTTP transport configuration for the MCP connection, including authentication and headers.\n\nThe auth.type MUST be one of: \"token\", \"oauth\", or \"custom\".\nOther auth types (basic, cookie, jwt, etc.) are not supported for MCP connections.\n","properties":{"_iClientId":{"type":"string","format":"objectId","description":"Reference to an OAuth iClient for OAuth-based MCP authentication.\nRequired when http.auth.type is \"oauth\".\n"},"auth":{"$ref":"#/components/schemas/auth"},"headers":{"type":"array","description":"Default HTTP headers included in every request to the MCP server.\n","items":{"type":"object","properties":{"name":{"type":"string","description":"Header name."},"value":{"type":"string","description":"Header value."}},"required":["name","value"]}},"unencrypted":{"type":"object","description":"Unencrypted custom fields for non-sensitive MCP configuration."},"encrypted":{"type":"object","description":"Encrypted custom fields for sensitive MCP configuration (encrypted at rest)."}}}}},"auth":{"type":"object","description":"Authentication configuration for the API connection.\n\nThe auth.type field selects the authentication strategy. Each type requires\nspecific sub-fields — see the type field description for details.\n","properties":{"type":{"type":"string","enum":["custom","basic","token","oauth","wsse","cookie","jwt","digest","specific","oauth1","jwtbearer"],"description":"Authentication method for this connection. Determines which auth sub-fields are required.\n\n- \"basic\" — HTTP Basic Auth. Requires: auth.basic.username and auth.basic.password.\n- \"token\" — API key or bearer token. Requires: auth.token with token value and location.\n  Supports automatic token refresh via refreshMethod/refreshRelativeURI.\n- \"oauth\" — OAuth 2.0. Requires: auth.oauth with grant type, URIs, and credentials.\n  Supports authorization code, client credentials, and password grant flows.\n- \"jwtbearer\" — JWT Bearer Token. Requires: auth.jwt with signatureMethod and payload.\n  HMAC methods need a secret; RSA/EC methods need a privateKey.\n- \"cookie\" — Cookie-based session auth. Requires: auth.cookie.uri (login endpoint).\n- \"digest\" — HTTP Digest Auth. Requires: auth.basic.username and auth.basic.password.\n- \"oauth1\" — OAuth 1.0a. Requires: auth.oauth.oauth1 with consumer key/secret and tokens.\n- \"custom\" — No built-in auth handling. Put credentials in headers or encrypted fields.\n- \"wsse\" — WS-Security. Requires: auth.basic.username and auth.basic.password.\n- \"specific\" — Platform-specific auth (e.g., PTX).\n- \"jwt\" — Legacy JWT auth. Prefer \"jwtbearer\" for new connections.\n"},"failStatusCode":{"type":"number","description":"HTTP status code that indicates an authentication failure (e.g., 401, 403).\nWhen this status code is received, the system triggers re-authentication\nbefore retrying the request.\n"},"failPath":{"type":"string","description":"JSON path or XPath expression to check in response bodies for authentication failure indicators.\nUsed when APIs return 200 OK but embed auth errors in the response body.\n"},"failValues":{"type":"array","items":{"type":"string"},"description":"Values at failPath that indicate an authentication failure.\nRequires failPath to be set.\n"},"skipFollowAuthorizationHeader":{"type":"boolean","description":"When true, the Authorization header is NOT forwarded on HTTP redirects.\nEnable this for APIs that redirect to a different domain after authentication.\n"},"basic":{"type":"object","description":"Basic authentication credentials. REQUIRED when auth.type is \"basic\", \"wsse\", or \"digest\".\n","properties":{"username":{"type":"string","description":"Username for Basic/Digest/WSSE authentication."},"password":{"type":"string","description":"Password for Basic/Digest/WSSE authentication (encrypted at rest).","writeOnly":true}}},"token":{"type":"object","description":"Token-based authentication configuration. REQUIRED when auth.type is \"token\".\n\nSupports static API keys/bearer tokens and automatic token refresh flows.\nThe token can be sent in a header (Authorization), query parameter, or request body.\n","properties":{"token":{"type":"string","description":"The API key or bearer token value (encrypted at rest).\nREQUIRED unless automatic token refresh is configured.\n","writeOnly":true},"location":{"type":"string","enum":["url","header","body"],"description":"Where to include the token in outbound requests.\n- \"header\" — Sent in an HTTP header (most common). Use headerName and scheme to control format.\n- \"url\" — Sent as a URL query parameter. Use paramName to set the parameter name.\n- \"body\" — Included in the request body.\n"},"headerName":{"type":"string","description":"HTTP header name for the token when location is \"header\".\nDefaults to \"Authorization\" if omitted.\n"},"scheme":{"type":"string","description":"Token scheme/prefix when sent in a header. Prepended before the token value.\nCommon values: \"Bearer\", \"Token\", \"Basic\".\nExample: scheme \"Bearer\" produces header \"Authorization: Bearer <token>\".\n"},"paramName":{"type":"string","description":"Query parameter name for the token when location is \"url\".\nExample: paramName \"api_key\" produces URL \"?api_key=<token>\".\n"},"refreshMethod":{"type":"string","enum":["GET","POST","PUT"],"description":"HTTP method for automatic token refresh requests.\nREQUIRED when no static token is provided (refresh-based auth flow).\n","default":"POST"},"refreshRelativeURI":{"type":"string","description":"Relative URI (appended to baseURI) for the token refresh endpoint.\nThe system calls this endpoint to obtain a new token when the current one expires.\n"},"refreshBody":{"type":"string","description":"Request body to send with the token refresh request."},"refreshMediaType":{"type":"string","enum":["json","urlencoded","xml","plaintext"],"description":"Content type for the token refresh request body.\n","default":"urlencoded"},"refreshResponseMediaType":{"type":"string","enum":["json","xml"],"description":"Expected content type of the token refresh response."},"refreshTokenPath":{"type":"string","description":"JSON path to extract the new token from the refresh response.\nExample: \"access_token\" or \"data.token\".\n"},"refreshToken":{"type":"string","description":"Refresh token used to obtain a new access token (encrypted at rest).","writeOnly":true},"refreshTokenLocation":{"type":"string","enum":["header","body"],"description":"Where to include the refresh token in refresh requests."},"refreshHeaders":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}},"description":"Additional headers to include in token refresh requests."},"tokenPaths":{"type":"array","items":{"type":"string"},"description":"JSON paths to extract multiple token values from the refresh response.\nUse when the refresh response contains tokens at different paths that need\nto be stored for subsequent requests.\n"}}},"oauth":{"$ref":"#/components/schemas/OAuth"},"cookie":{"type":"object","description":"Cookie-based session authentication. REQUIRED when auth.type is \"cookie\".\n\nThe system authenticates by sending a request to the login URI, captures the\nsession cookies from the response, and includes them in all subsequent API requests.\n","properties":{"uri":{"type":"string","description":"Login endpoint URI for cookie authentication. REQUIRED.\nThe system sends a request to this URI to obtain session cookies.\n"},"body":{"type":"string","description":"Request body for the login request (e.g., JSON with username/password)."},"method":{"type":"string","description":"HTTP method for the login request (typically POST)."},"successStatusCode":{"type":"number","description":"HTTP status code that confirms successful authentication.\nIf the login response returns this status code, the session cookies are captured.\n"}}},"jwt":{"$ref":"#/components/schemas/JWT"}}},"Wrapper":{"type":"object","description":"Configuration for Wrapper connections. Used when the connection type is \"wrapper\".\n\nWrapper connections are custom-built connectors deployed on a Celigo Stack.\nThey allow developers to implement custom authentication, data transformation,\nand API interaction logic using server-side JavaScript on a dedicated stack.\n\n**When to use**\nUse wrapper connections when:\n- The target API has non-standard authentication not supported by HTTP connections.\n- Custom server-side logic is needed for connection management.\n- You need a fully custom connector deployed on a Celigo Stack.\n\n**Required fields**\n- pingFunction (name of the function that tests connection health)\n- _stackId (set on the parent connection object — references the Celigo Stack)\n\n**Custom fields**\nUse encrypted/unencrypted fields to store connection-specific configuration.\nThe wrapper code on the Stack accesses these values at runtime.\n","required":["pingFunction"],"properties":{"pingFunction":{"type":"string","description":"Name of the JavaScript function on the Stack that tests connection health.\nThis function is called when the user clicks \"Test Connection\" in the UI.\nIt should verify that the connection credentials are valid and the target\nsystem is reachable.\n"},"unencrypted":{"type":"object","description":"Unencrypted custom fields for non-sensitive configuration values.\nThese values are accessible to the wrapper code on the Stack at runtime.\nField definitions are specified in unencryptedFields.\n"},"unencryptedFields":{"type":"array","description":"Metadata defining the unencrypted custom fields on this connection.","items":{"type":"object","properties":{"id":{"type":"string","description":"Field identifier — matches the key in the unencrypted object."},"label":{"type":"string","description":"Human-readable label shown in the UI."},"required":{"type":"boolean","default":false},"position":{"type":"number","description":"Display order in the UI form."},"helpText":{"type":"string","description":"Tooltip text shown next to the field in the UI."},"type":{"type":"string","description":"Field type hint for the UI (e.g., \"text\", \"select\")."}}}},"encrypted":{"type":"object","description":"Encrypted custom fields for sensitive configuration values (API keys, passwords, etc.).\nValues are encrypted at rest and decrypted only on the Stack at runtime.\nField definitions are specified in encryptedFields.\n"},"encryptedFields":{"type":"array","description":"Metadata defining the encrypted custom fields on this connection.","items":{"type":"object","properties":{"id":{"type":"string","description":"Field identifier — matches the key in the encrypted object."},"label":{"type":"string","description":"Human-readable label shown in the UI."},"required":{"type":"boolean","default":false},"position":{"type":"number","description":"Display order in the UI form."},"helpText":{"type":"string","description":"Tooltip text shown next to the field in the UI."},"type":{"type":"string","description":"Field type hint for the UI (e.g., \"text\", \"select\")."}}}},"_stackId":{"type":"string","format":"objectId","description":"Reference to the stack this wrapper connection uses."},"concurrencyLevel":{"type":"number","description":"Maximum number of concurrent operations through this wrapper connection.\n","minimum":1,"maximum":100,"default":5},"targetConcurrencyLevel":{"type":"number","description":"Target concurrency level for auto-scaling. The system adjusts concurrency\nbetween 1 and this value based on performance feedback.\n","minimum":1,"maximum":100}}},"Response":{"type":"object","description":"Complete connection object as returned by the API","allOf":[{"$ref":"#/components/schemas/Request"},{"$ref":"#/components/schemas/ResourceResponse"},{"$ref":"#/components/schemas/IAResourceResponse"},{"type":"object","properties":{"aiDescription":{"$ref":"#/components/schemas/AIDescription"},"salesforce":{"allOf":[{"$ref":"#/components/schemas/Salesforce"},{"type":"object","properties":{"info":{"type":"object","description":"Additional Salesforce connection information","readOnly":true}}}]},"netsuite":{"allOf":[{"$ref":"#/components/schemas/NetSuite"},{"type":"object","properties":{"suiteAppInstalled":{"type":"boolean","description":"Whether the Celigo SuiteApp is installed","readOnly":true}}}]},"_integrationId":{"type":"string","format":"objectId","description":"ID of the integration this connection belongs to","readOnly":true},"_connectorId":{"type":"string","format":"objectId","description":"ID of the connector template this connection is based on","readOnly":true},"_id":{"type":"string","format":"objectId","description":"Unique identifier for the connection","readOnly":true},"offline":{"type":"boolean","description":"Whether the connection is currently offline/disabled","readOnly":true},"_userId":{"type":"string","format":"objectId","description":"ID of the user who owns this connection","readOnly":true},"createdAt":{"type":"string","format":"date-time","description":"Timestamp when the connection was created","readOnly":true},"lastModified":{"type":"string","format":"date-time","description":"Timestamp when the connection was last modified","readOnly":true},"deletedAt":{"type":"string","format":"date-time","description":"Timestamp when the connection was soft-deleted (if applicable)","readOnly":true},"needsAuthorization":{"type":"boolean","description":"Whether this connection requires OAuth2 or similar authorization flow","readOnly":true},"isAmazonSPConnection":{"type":"boolean","description":"Whether this is an Amazon Selling Partner API connection","readOnly":true},"concurrencyInfo":{"type":"object","description":"Current concurrency usage and limits for this connection","readOnly":true,"properties":{"currentLevel":{"type":"number","description":"Current concurrency level being used"},"targetLevel":{"type":"number","description":"Target concurrency level"},"maxLevel":{"type":"number","description":"Maximum allowed concurrency level"},"borrowedFrom":{"type":"string","description":"ID of connection this is borrowing concurrency from"}}},"rateLimit":{"type":"object","description":"Rate limiting information for this connection","readOnly":true,"properties":{"isRecovering":{"type":"boolean","description":"Whether the connection is currently recovering from rate limits"},"lastErrorAt":{"type":"string","format":"date-time","description":"Timestamp of last rate limit error"},"retryCount":{"type":"number","description":"Number of retry attempts for rate limit recovery"}}},"status":{"type":"string","enum":["active","inactive","error","pending","offline"],"description":"Current operational status of the connection","readOnly":true},"lastPingAt":{"type":"string","format":"date-time","description":"Timestamp of last successful ping test","readOnly":true},"lastPingStatus":{"type":"string","enum":["success","failed","pending"],"description":"Result of the last ping test","readOnly":true},"capabilities":{"type":"object","description":"Discovered or configured capabilities of this connection","readOnly":true,"properties":{"read":{"type":"boolean","description":"Supports read operations"},"write":{"type":"boolean","description":"Supports write operations"},"delete":{"type":"boolean","description":"Supports delete operations"},"realtime":{"type":"boolean","description":"Supports real-time data streaming"},"batch":{"type":"boolean","description":"Supports batch operations"}}},"quotas":{"type":"object","description":"Usage quotas and limits for this connection","readOnly":true,"properties":{"daily":{"type":"object","properties":{"limit":{"type":"number"},"used":{"type":"number"},"remaining":{"type":"number"}}},"monthly":{"type":"object","properties":{"limit":{"type":"number"},"used":{"type":"number"},"remaining":{"type":"number"}}}}},"_sourceId":{"type":"string","format":"objectId","description":"ID of the source this connection was created from","readOnly":true},"_templateId":{"type":"string","format":"objectId","description":"ID of the template this connection was generated from","readOnly":true},"draft":{"type":"boolean","description":"Whether this connection is in draft state","readOnly":true},"draftExpiresAt":{"type":"string","format":"date-time","description":"Timestamp when the draft connection expires","readOnly":true},"debugUntil":{"type":"string","format":"date-time","description":"Timestamp until which debug logging is enabled","readOnly":true},"apiIdentifier":{"type":"string","description":"API identifier for this connection","readOnly":true}}}]},"ResourceResponse":{"type":"object","description":"Core response fields shared by all Celigo resources","properties":{"_id":{"type":"string","format":"objectId","readOnly":true,"description":"Unique identifier for the resource.\n\nThe _id is used in:\n- API endpoints that operate on a specific resource (e.g., GET, PUT, DELETE)\n- References from other resources (e.g., flows that use this resource)\n- Job history and error tracking\n\nFormat: 24-character hexadecimal string\n"},"createdAt":{"type":"string","format":"date-time","readOnly":true,"description":"Timestamp indicating when the resource was initially created.\n\nThis read-only field is automatically set during resource creation and cannot\nbe modified. It provides an audit trail for when the resource was first added\nto the system, which can be useful for:\n\n- Resource lifecycle management\n- Audit and compliance reporting\n- Troubleshooting integration timelines\n- Identifying older resources that may need review\n\nThe timestamp is recorded in ISO 8601 format with UTC timezone (Z suffix).\n"},"lastModified":{"type":"string","format":"date-time","readOnly":true,"description":"Timestamp indicating when the resource was most recently updated.\n\nThis read-only field is automatically updated whenever any property of the\nresource is modified. It provides an audit trail that can be used for:\n\n- Determining if a resource has changed since it was last reviewed\n- Monitoring configuration changes during troubleshooting\n- Implementing cache invalidation strategies\n- Synchronizing related resources based on modification time\n\nThe timestamp is recorded in ISO 8601 format with UTC timezone (Z suffix)\nand will always be equal to or later than the createdAt timestamp.\n"},"deletedAt":{"type":["string","null"],"format":"date-time","readOnly":true,"description":"Timestamp indicating when the resource was marked for deletion.\n\nWhen this field is present and contains a valid timestamp, it indicates\nthat the resource has been soft-deleted (moved to the recycle bin) but not\nyet permanently removed from the system. This allows for recovery of\naccidentally deleted resources within a specified retention period.\n\nThe deletedAt timestamp enables:\n- Filtering deleted resources from active resource listings\n- Implementing time-based retention policies for permanent deletion\n- Tracking deletion events for audit and compliance purposes\n- Resource recovery workflows with clear timeframes\n\nThe timestamp is recorded in ISO 8601 format with UTC timezone (Z suffix).\nWhen null or absent, the resource is considered active.\n"}},"required":["_id"]},"IAResourceResponse":{"type":"object","description":"Integration app response fields for resources that are part of integration apps","properties":{"_integrationId":{"type":"string","format":"objectId","readOnly":true,"description":"Reference to the specific integration instance that contains this resource.\n\nThis field is only populated for resources that are part of an integration app\ninstallation. It contains the unique identifier (_id) of the integration\nresource that was installed in the account.\n\nThe integration instance represents a specific installed instance of an\nintegration app, with its own configuration, settings, and runtime environment.\n\nThis reference enables:\n- Tracing the resource back to its parent integration instance\n- Permission and access control based on integration ownership\n- Lifecycle management (enabling/disabling, updating, or uninstalling)\n"},"_connectorId":{"type":"string","format":"objectId","readOnly":true,"description":"Reference to the integration app that defines this resource.\n\nThis field is only populated for resources that are part of an integration app.\nIt contains the unique identifier (_id) of the integration app (connector)\nthat defines the structure, behavior, and templates for this resource.\n\nThe integration app is the published template that can be installed\nmultiple times across different accounts, with each installation creating\na separate integration instance (referenced by _integrationId).\n\nThis reference enables:\n- Identifying the source integration app for this resource\n- Determining which template version is being used\n- Linking to documentation, support, and marketplace information\n"}}},"AIDescription":{"type":"object","description":"AI-generated descriptions and documentation for the resource.\n\nThis object contains automatically generated content that helps users\nunderstand the purpose, behavior, and configuration of the resource without\nrequiring them to analyze the technical details. The AI-generated content\nis sanitized and safe for display in the UI.\n","properties":{"summary":{"type":"string","description":"Brief AI-generated summary of the resource's purpose and functionality.\n\nThis concise description provides a quick overview of what the resource does,\nwhat systems it interacts with, and its primary role in the integration.\nThe summary is suitable for display in list views, dashboards, and other\ncontexts where space is limited.\n\nMaximum length: 10KB\n"},"detailed":{"type":"string","description":"Comprehensive AI-generated description of the resource's functionality.\n\nThis detailed explanation covers the resource's purpose, configuration details,\ndata flow patterns, filtering logic, and other technical aspects. It provides\nin-depth information suitable for documentation, tooltips, or detailed views\nin the administration interface.\n\nThe content may include HTML formatting for improved readability.\n\nMaximum length: 10KB\n"},"generatedOn":{"type":"string","format":"date-time","description":"Timestamp indicating when the AI description was generated.\n\nThis field helps track the freshness of the AI-generated content and\ndetermine when it might need to be regenerated due to changes in the\nresource's configuration or behavior.\n\nThe timestamp is recorded in ISO 8601 format with UTC timezone (Z suffix).\n"}}},"Error":{"type":"object","description":"Standard error response envelope returned by integrator.io APIs.","properties":{"errors":{"type":"array","description":"List of errors that occurred while processing the request.","items":{"type":"object","properties":{"code":{"oneOf":[{"type":"string"},{"type":"integer"}],"description":"Machine-readable error code. Usually a string like\n`invalid_ref`, `missing_required_field`, or `unauthorized`;\nmay be an **integer** when the error mirrors an upstream HTTP\nstatus (e.g. `500`) — most commonly returned by connection-ping\nand adaptor-proxy responses."},"message":{"type":"string","description":"Human-readable description of the error."},"field":{"type":"string","description":"Optional pointer to the document field that caused the error.\nUsed by structural validation errors (`missing_required_field`,\n`invalid_ref`) to indicate which field is at fault\n(e.g. `_id`, `type`, `http.baseURI`)."},"source":{"type":"string","description":"Optional origin layer for the error — e.g. `application` when\nthe error came from the remote system the adaptor called,\n`connector` when the adaptor itself rejected the request."}},"required":["message"]}}},"required":["errors"]}},"responses":{"400-bad-request":{"description":"Bad request. The server could not understand the request because of malformed syntax or invalid parameters.\n","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"401-unauthorized":{"description":"Unauthorized. The request lacks a valid bearer token, or the provided token\nfailed to authenticate.\n\nNote: the 401 response is produced by the auth middleware **before** the\nrequest reaches the endpoint handler, so it does **not** follow the\nstandard `{errors: [...]}` envelope. Instead the body is a bare\n`{message: string}` object with no `code`, no `errors` array. Callers\nhandling 401s should key off the HTTP status and the `message` string,\nnot try to destructure an `errors[]`.","content":{"application/json":{"schema":{"type":"object","properties":{"message":{"type":"string","description":"Human-readable description of the auth failure. Known values:\n- `\"Unauthorized\"` — no `Authorization` header on the request.\n- `\"Bearer Authentication Failed\"` — header present but token\n  is invalid, revoked, or expired."}},"required":["message"]}}}},"403-forbidden":{"description":"Forbidden. The authenticated caller does not have permission to perform this operation.\n","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"404-not-found":{"description":"Not found. The requested resource does not exist or is not visible to the caller.\n","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"422-unprocessable-entity":{"description":"Unprocessable entity. The request was well-formed but was unable to be followed due to semantic errors.\n","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}}},"paths":{"/v1/connections/{_id}":{"put":{"summary":"Update a connection","description":"Updates an existing connection configuration. This is a full-replace operation —\nsend the complete connection document, not just the fields you want to change.\n","operationId":"updateConnection","tags":["Connections"],"parameters":[{"in":"path","name":"_id","required":true,"schema":{"type":"string"},"description":"The unique identifier of the connection to update"}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Request"}}}},"responses":{"200":{"description":"Connection updated successfully","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Response"}}}},"400":{"$ref":"#/components/responses/400-bad-request"},"401":{"$ref":"#/components/responses/401-unauthorized"},"403":{"$ref":"#/components/responses/403-forbidden"},"404":{"$ref":"#/components/responses/404-not-found"},"422":{"$ref":"#/components/responses/422-unprocessable-entity"}}}}}}
```

## Delete a connection

> Deletes a connection. The connection is soft-deleted and retained in the\
> recycle bin for 30 days before permanent removal. Use\
> \`POST /v1/recycleBinTTL/connections/{\_id}\` to restore it during that window.<br>

```json
{"openapi":"3.1.0","info":{"title":"Connections","version":"1.0.0"},"servers":[{"url":"https://api.integrator.io","description":"Production (US / default region)"},{"url":"https://api.eu.integrator.io","description":"Production (EU region)"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer"}},"responses":{"400-bad-request":{"description":"Bad request. The server could not understand the request because of malformed syntax or invalid parameters.\n","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"401-unauthorized":{"description":"Unauthorized. The request lacks a valid bearer token, or the provided token\nfailed to authenticate.\n\nNote: the 401 response is produced by the auth middleware **before** the\nrequest reaches the endpoint handler, so it does **not** follow the\nstandard `{errors: [...]}` envelope. Instead the body is a bare\n`{message: string}` object with no `code`, no `errors` array. Callers\nhandling 401s should key off the HTTP status and the `message` string,\nnot try to destructure an `errors[]`.","content":{"application/json":{"schema":{"type":"object","properties":{"message":{"type":"string","description":"Human-readable description of the auth failure. Known values:\n- `\"Unauthorized\"` — no `Authorization` header on the request.\n- `\"Bearer Authentication Failed\"` — header present but token\n  is invalid, revoked, or expired."}},"required":["message"]}}}},"403-forbidden":{"description":"Forbidden. The authenticated caller does not have permission to perform this operation.\n","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"404-not-found":{"description":"Not found. The requested resource does not exist or is not visible to the caller.\n","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}},"schemas":{"Error":{"type":"object","description":"Standard error response envelope returned by integrator.io APIs.","properties":{"errors":{"type":"array","description":"List of errors that occurred while processing the request.","items":{"type":"object","properties":{"code":{"oneOf":[{"type":"string"},{"type":"integer"}],"description":"Machine-readable error code. Usually a string like\n`invalid_ref`, `missing_required_field`, or `unauthorized`;\nmay be an **integer** when the error mirrors an upstream HTTP\nstatus (e.g. `500`) — most commonly returned by connection-ping\nand adaptor-proxy responses."},"message":{"type":"string","description":"Human-readable description of the error."},"field":{"type":"string","description":"Optional pointer to the document field that caused the error.\nUsed by structural validation errors (`missing_required_field`,\n`invalid_ref`) to indicate which field is at fault\n(e.g. `_id`, `type`, `http.baseURI`)."},"source":{"type":"string","description":"Optional origin layer for the error — e.g. `application` when\nthe error came from the remote system the adaptor called,\n`connector` when the adaptor itself rejected the request."}},"required":["message"]}}},"required":["errors"]}}},"paths":{"/v1/connections/{_id}":{"delete":{"summary":"Delete a connection","description":"Deletes a connection. The connection is soft-deleted and retained in the\nrecycle bin for 30 days before permanent removal. Use\n`POST /v1/recycleBinTTL/connections/{_id}` to restore it during that window.\n","operationId":"deleteConnection","tags":["Connections"],"parameters":[{"in":"path","name":"_id","required":true,"schema":{"type":"string"},"description":"The unique identifier of the connection to delete"}],"responses":{"204":{"description":"Connection deleted successfully"},"400":{"$ref":"#/components/responses/400-bad-request"},"401":{"$ref":"#/components/responses/401-unauthorized"},"403":{"$ref":"#/components/responses/403-forbidden"},"404":{"$ref":"#/components/responses/404-not-found"}}}}}}
```

## Patch a connection

> Partially updates a connection using a JSON Patch document (RFC 6902).\
> Only the \`replace\` operation is supported, and only on the following\
> whitelisted paths:\
> \
> \| Path | Description |\
> \|------|-------------|\
> \| \`/name\` | Connection display name |\
> \| \`/debugDate\` | Debug logging expiry (ISO-8601, max 1 hour from now) |\
> \| \`/debugUntil\` | Alias for \`/debugDate\` |\
> \
> All other paths are rejected with \`422\`.

```json
{"openapi":"3.1.0","info":{"title":"Connections","version":"1.0.0"},"servers":[{"url":"https://api.integrator.io","description":"Production (US / default region)"},{"url":"https://api.eu.integrator.io","description":"Production (EU region)"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer"}},"schemas":{"JsonPatchRequest":{"type":"array","description":"A JSON Patch document (RFC 6902). Send an array of patch\noperations. Only the `replace` operation is supported, and only\non whitelisted fields — all other paths are rejected with 422.","minItems":1,"items":{"$ref":"#/components/schemas/JsonPatchOperation"}},"JsonPatchOperation":{"type":"object","description":"A single JSON Patch operation (RFC 6902).","required":["op","path"],"properties":{"op":{"type":"string","enum":["replace"],"description":"The operation to perform. Only `replace` is supported."},"path":{"type":"string","description":"JSON Pointer (RFC 6901) to the field to patch. Only\nwhitelisted paths are accepted — unlisted paths return\n`422` with `\"<path> is not a whitelisted property\"`."},"value":{"description":"The new value to set at the given path."}}},"Error":{"type":"object","description":"Standard error response envelope returned by integrator.io APIs.","properties":{"errors":{"type":"array","description":"List of errors that occurred while processing the request.","items":{"type":"object","properties":{"code":{"oneOf":[{"type":"string"},{"type":"integer"}],"description":"Machine-readable error code. Usually a string like\n`invalid_ref`, `missing_required_field`, or `unauthorized`;\nmay be an **integer** when the error mirrors an upstream HTTP\nstatus (e.g. `500`) — most commonly returned by connection-ping\nand adaptor-proxy responses."},"message":{"type":"string","description":"Human-readable description of the error."},"field":{"type":"string","description":"Optional pointer to the document field that caused the error.\nUsed by structural validation errors (`missing_required_field`,\n`invalid_ref`) to indicate which field is at fault\n(e.g. `_id`, `type`, `http.baseURI`)."},"source":{"type":"string","description":"Optional origin layer for the error — e.g. `application` when\nthe error came from the remote system the adaptor called,\n`connector` when the adaptor itself rejected the request."}},"required":["message"]}}},"required":["errors"]}},"responses":{"401-unauthorized":{"description":"Unauthorized. The request lacks a valid bearer token, or the provided token\nfailed to authenticate.\n\nNote: the 401 response is produced by the auth middleware **before** the\nrequest reaches the endpoint handler, so it does **not** follow the\nstandard `{errors: [...]}` envelope. Instead the body is a bare\n`{message: string}` object with no `code`, no `errors` array. Callers\nhandling 401s should key off the HTTP status and the `message` string,\nnot try to destructure an `errors[]`.","content":{"application/json":{"schema":{"type":"object","properties":{"message":{"type":"string","description":"Human-readable description of the auth failure. Known values:\n- `\"Unauthorized\"` — no `Authorization` header on the request.\n- `\"Bearer Authentication Failed\"` — header present but token\n  is invalid, revoked, or expired."}},"required":["message"]}}}},"404-not-found":{"description":"Not found. The requested resource does not exist or is not visible to the caller.\n","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"422-unprocessable-entity":{"description":"Unprocessable entity. The request was well-formed but was unable to be followed due to semantic errors.\n","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}}},"paths":{"/v1/connections/{_id}":{"patch":{"summary":"Patch a connection","description":"Partially updates a connection using a JSON Patch document (RFC 6902).\nOnly the `replace` operation is supported, and only on the following\nwhitelisted paths:\n\n| Path | Description |\n|------|-------------|\n| `/name` | Connection display name |\n| `/debugDate` | Debug logging expiry (ISO-8601, max 1 hour from now) |\n| `/debugUntil` | Alias for `/debugDate` |\n\nAll other paths are rejected with `422`.","operationId":"patchConnection","tags":["Connections"],"parameters":[{"in":"path","name":"_id","required":true,"schema":{"type":"string"},"description":"The unique identifier of the connection to patch"}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/JsonPatchRequest"}}}},"responses":{"204":{"description":"Connection patched successfully"},"401":{"$ref":"#/components/responses/401-unauthorized"},"404":{"$ref":"#/components/responses/404-not-found"},"422":{"$ref":"#/components/responses/422-unprocessable-entity"}}}}}}
```

## Ping an existing connection

> Runs the adaptor's ping routine against a saved connection to verify that\
> its credentials and network configuration still work. \*\*No data is read,\
> written, or modified\*\* — the call is a pure reachability + auth check.\
> \
> Behavior is adaptor-specific:\
> \- \*\*HTTP/REST\*\* connections execute the configured \`ping\` relativeURI\
> &#x20; (or fall back to \`baseURI\`) and expect a 2xx response from the remote.\
> \- \*\*RDBMS/JDBC\*\* connections open a driver session and run the driver's\
> &#x20; validation query.\
> \- \*\*MCP\*\* connections issue a \`tools/list\` request against the configured\
> &#x20; \`serverURL\`.\
> \- \*\*NetSuite / Salesforce\*\* connections exchange a minimal token refresh\
> &#x20; or session-validation call with the vendor.\
> \
> Request body is optional and currently ignored — pass \`{}\` or no body.\
> \
> \*\*Method quirk:\*\* the route is also bound to \`GET\` and behaves\
> identically to \`POST\` (same response, still triggers the live ping).\
> \`PUT\`/\`DELETE\` return 404. The UI and CLI both use \`POST\` — prefer it\
> for documentation and client code.\
> \
> \*\*Response-code convention (important):\*\* the HTTP status is almost\
> always \*\*200\*\*, even when the adaptor-level outcome is a failure. Success\
> returns \`{code:200}\`; adaptor-level failures return \`{errors:\[...]}\` with\
> the HTTP status still 200. Callers \*\*must inspect the body\*\*, not just\
> the HTTP status, to determine outcome. The only non-200 status this\
> endpoint commonly returns is \*\*404\*\* when \`\_id\` does not resolve to a\
> connection.\
> \
> AI guidance: this endpoint is the right health check for a known,\
> persisted connection. For a not-yet-saved connection doc (e.g. the\
> "Test" button in the connection editor before first save), use the\
> unscoped counterpart \`POST /v1/connections/ping\` instead.

```json
{"openapi":"3.1.0","info":{"title":"Connections","version":"1.0.0"},"servers":[{"url":"https://api.integrator.io","description":"Production (US / default region)"},{"url":"https://api.eu.integrator.io","description":"Production (EU region)"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer"}},"schemas":{"Error":{"type":"object","description":"Standard error response envelope returned by integrator.io APIs.","properties":{"errors":{"type":"array","description":"List of errors that occurred while processing the request.","items":{"type":"object","properties":{"code":{"oneOf":[{"type":"string"},{"type":"integer"}],"description":"Machine-readable error code. Usually a string like\n`invalid_ref`, `missing_required_field`, or `unauthorized`;\nmay be an **integer** when the error mirrors an upstream HTTP\nstatus (e.g. `500`) — most commonly returned by connection-ping\nand adaptor-proxy responses."},"message":{"type":"string","description":"Human-readable description of the error."},"field":{"type":"string","description":"Optional pointer to the document field that caused the error.\nUsed by structural validation errors (`missing_required_field`,\n`invalid_ref`) to indicate which field is at fault\n(e.g. `_id`, `type`, `http.baseURI`)."},"source":{"type":"string","description":"Optional origin layer for the error — e.g. `application` when\nthe error came from the remote system the adaptor called,\n`connector` when the adaptor itself rejected the request."}},"required":["message"]}}},"required":["errors"]}},"responses":{"401-unauthorized":{"description":"Unauthorized. The request lacks a valid bearer token, or the provided token\nfailed to authenticate.\n\nNote: the 401 response is produced by the auth middleware **before** the\nrequest reaches the endpoint handler, so it does **not** follow the\nstandard `{errors: [...]}` envelope. Instead the body is a bare\n`{message: string}` object with no `code`, no `errors` array. Callers\nhandling 401s should key off the HTTP status and the `message` string,\nnot try to destructure an `errors[]`.","content":{"application/json":{"schema":{"type":"object","properties":{"message":{"type":"string","description":"Human-readable description of the auth failure. Known values:\n- `\"Unauthorized\"` — no `Authorization` header on the request.\n- `\"Bearer Authentication Failed\"` — header present but token\n  is invalid, revoked, or expired."}},"required":["message"]}}}}}},"paths":{"/v1/connections/{_id}/ping":{"post":{"summary":"Ping an existing connection","description":"Runs the adaptor's ping routine against a saved connection to verify that\nits credentials and network configuration still work. **No data is read,\nwritten, or modified** — the call is a pure reachability + auth check.\n\nBehavior is adaptor-specific:\n- **HTTP/REST** connections execute the configured `ping` relativeURI\n  (or fall back to `baseURI`) and expect a 2xx response from the remote.\n- **RDBMS/JDBC** connections open a driver session and run the driver's\n  validation query.\n- **MCP** connections issue a `tools/list` request against the configured\n  `serverURL`.\n- **NetSuite / Salesforce** connections exchange a minimal token refresh\n  or session-validation call with the vendor.\n\nRequest body is optional and currently ignored — pass `{}` or no body.\n\n**Method quirk:** the route is also bound to `GET` and behaves\nidentically to `POST` (same response, still triggers the live ping).\n`PUT`/`DELETE` return 404. The UI and CLI both use `POST` — prefer it\nfor documentation and client code.\n\n**Response-code convention (important):** the HTTP status is almost\nalways **200**, even when the adaptor-level outcome is a failure. Success\nreturns `{code:200}`; adaptor-level failures return `{errors:[...]}` with\nthe HTTP status still 200. Callers **must inspect the body**, not just\nthe HTTP status, to determine outcome. The only non-200 status this\nendpoint commonly returns is **404** when `_id` does not resolve to a\nconnection.\n\nAI guidance: this endpoint is the right health check for a known,\npersisted connection. For a not-yet-saved connection doc (e.g. the\n\"Test\" button in the connection editor before first save), use the\nunscoped counterpart `POST /v1/connections/ping` instead.","operationId":"pingConnection","tags":["Connections"],"parameters":[{"in":"path","name":"_id","required":true,"schema":{"type":"string","format":"objectId"},"description":"Connection ID to ping."}],"requestBody":{"required":false,"content":{"application/json":{"schema":{"type":"object","description":"Currently ignored; reserved for future per-ping overrides.","additionalProperties":true}}}},"responses":{"200":{"description":"Ping executed. **Inspect the body** to determine outcome — success and\nadaptor-level failures both return HTTP 200.\n\n- **Success** shape: `{code: 200}` — the adaptor confirmed reachability.\n- **Adaptor-level failure** shape: `{errors: [...]}` — the adaptor\n  reached the remote system (or attempted to) and the outcome was not\n  a 2xx. Common `source` values:\n  - `application` — the remote system returned a non-2xx status\n    (`code` is the upstream integer status, e.g. `401`, `500`).\n  - `resource` — network/DNS error (`code` is a string like\n    `invalid_host`, `ECONNRESET`).\n  - `connection` — the connection's stored auth state is invalid\n    (e.g. `missing_token`).\n  - `connector` — adaptor-level rejection (e.g. `mcp_tools_list_failed`).","content":{"application/json":{"schema":{"oneOf":[{"title":"Ping success","type":"object","properties":{"code":{"type":"integer","description":"Mirrors the HTTP status — always 200 on success."}},"required":["code"],"additionalProperties":true},{"$ref":"#/components/schemas/Error"}]}}}},"401":{"$ref":"#/components/responses/401-unauthorized"},"404":{"description":"No connection found for the given `_id`. The body is an `invalid_ref`\nerror — note this is a 404, not a 400, and the field pointer is `_id`.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}}}}}}
```

## Fetch debug logs for a connection

> Returns the buffered debug log stream for the connection — request/response pairs captured\
> from recent exports, imports, and lookups that used this connection. Debug capture is\
> gated by the connection's \`debugDate\` field: logs are only recorded while \`debugDate\` is\
> in the future.\
> \
> The response body is a \*\*plain text stream\*\* (not JSON). Each log entry takes the form:\
> \
> \`\`\`\
> \<ISO-8601 timestamp> \<traceKey> \<resourceType> \<resourceId>\
> \<single-line JSON payload>\
> \`\`\`\
> \
> Entries are separated by blank lines. The JSON payload shape differs between request and\
> response entries — requests carry \`{url, method, body, headers, requestIndex}\`; responses\
> carry \`{headers, body}\` captured from the remote system. Paired entries share the same\
> \`traceKey\`.\
> \
> Debug logs are \*\*shared across every flow\*\* that uses this connection — filter by\
> \`resourceId\` client-side if you only care about one export/import.\
> \
> AI guidance:\
> \- Enable debug first via \`PUT /v1/connections/{\_id}\` with \`debugDate\` set to a future ISO timestamp.\
> &#x20; Without a future \`debugDate\`, the buffer stays empty.\
> \- Sensitive header values are redacted server-side (e.g. \`"Authorization": "\*\*\*\*\*\*\*\*"\`).\
> \- Prefer \`GET /v1/flows/{\_id}/jobs/{\_jobId}/logs\` for step-scoped execution logs tied to a\
> &#x20; specific run — this endpoint is the connection-level aggregate.

````json
{"openapi":"3.1.0","info":{"title":"Connections","version":"1.0.0"},"servers":[{"url":"https://api.integrator.io","description":"Production (US / default region)"},{"url":"https://api.eu.integrator.io","description":"Production (EU region)"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer"}},"responses":{"401-unauthorized":{"description":"Unauthorized. The request lacks a valid bearer token, or the provided token\nfailed to authenticate.\n\nNote: the 401 response is produced by the auth middleware **before** the\nrequest reaches the endpoint handler, so it does **not** follow the\nstandard `{errors: [...]}` envelope. Instead the body is a bare\n`{message: string}` object with no `code`, no `errors` array. Callers\nhandling 401s should key off the HTTP status and the `message` string,\nnot try to destructure an `errors[]`.","content":{"application/json":{"schema":{"type":"object","properties":{"message":{"type":"string","description":"Human-readable description of the auth failure. Known values:\n- `\"Unauthorized\"` — no `Authorization` header on the request.\n- `\"Bearer Authentication Failed\"` — header present but token\n  is invalid, revoked, or expired."}},"required":["message"]}}}},"404-not-found":{"description":"Not found. The requested resource does not exist or is not visible to the caller.\n","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}},"schemas":{"Error":{"type":"object","description":"Standard error response envelope returned by integrator.io APIs.","properties":{"errors":{"type":"array","description":"List of errors that occurred while processing the request.","items":{"type":"object","properties":{"code":{"oneOf":[{"type":"string"},{"type":"integer"}],"description":"Machine-readable error code. Usually a string like\n`invalid_ref`, `missing_required_field`, or `unauthorized`;\nmay be an **integer** when the error mirrors an upstream HTTP\nstatus (e.g. `500`) — most commonly returned by connection-ping\nand adaptor-proxy responses."},"message":{"type":"string","description":"Human-readable description of the error."},"field":{"type":"string","description":"Optional pointer to the document field that caused the error.\nUsed by structural validation errors (`missing_required_field`,\n`invalid_ref`) to indicate which field is at fault\n(e.g. `_id`, `type`, `http.baseURI`)."},"source":{"type":"string","description":"Optional origin layer for the error — e.g. `application` when\nthe error came from the remote system the adaptor called,\n`connector` when the adaptor itself rejected the request."}},"required":["message"]}}},"required":["errors"]}}},"paths":{"/v1/connections/{_id}/debug":{"get":{"operationId":"getConnectionDebugLogs","tags":["Connections"],"summary":"Fetch debug logs for a connection","description":"Returns the buffered debug log stream for the connection — request/response pairs captured\nfrom recent exports, imports, and lookups that used this connection. Debug capture is\ngated by the connection's `debugDate` field: logs are only recorded while `debugDate` is\nin the future.\n\nThe response body is a **plain text stream** (not JSON). Each log entry takes the form:\n\n```\n<ISO-8601 timestamp> <traceKey> <resourceType> <resourceId>\n<single-line JSON payload>\n```\n\nEntries are separated by blank lines. The JSON payload shape differs between request and\nresponse entries — requests carry `{url, method, body, headers, requestIndex}`; responses\ncarry `{headers, body}` captured from the remote system. Paired entries share the same\n`traceKey`.\n\nDebug logs are **shared across every flow** that uses this connection — filter by\n`resourceId` client-side if you only care about one export/import.\n\nAI guidance:\n- Enable debug first via `PUT /v1/connections/{_id}` with `debugDate` set to a future ISO timestamp.\n  Without a future `debugDate`, the buffer stays empty.\n- Sensitive header values are redacted server-side (e.g. `\"Authorization\": \"********\"`).\n- Prefer `GET /v1/flows/{_id}/jobs/{_jobId}/logs` for step-scoped execution logs tied to a\n  specific run — this endpoint is the connection-level aggregate.","parameters":[{"name":"_id","in":"path","required":true,"description":"The connection id.","schema":{"type":"string","format":"objectId"}}],"responses":{"200":{"description":"Debug log stream (plain text).","content":{"text/plain":{"schema":{"type":"string","description":"Newline-separated debug log entries. Each entry is a header line\n(`timestamp traceKey resourceType resourceId`) followed by a JSON payload line;\nentries are separated by blank lines."}}}},"204":{"description":"No debug logs available — either debug capture is disabled (no `debugDate` set, or it\nis in the past) or the buffer has been cleared."},"401":{"$ref":"#/components/responses/401-unauthorized"},"404":{"$ref":"#/components/responses/404-not-found"}}}}}}
````

## Clear the debug log buffer for a connection

> Purges the connection's debug log buffer. Subsequent \`GET /v1/connections/{\_id}/debug\`\
> calls return 204 until new traffic is captured (assuming \`debugDate\` is still in the future).\
> \
> Idempotent: returns 204 whether the buffer held entries, was already empty, or the given\
> connection id does not exist. Does \*\*not\*\* clear the connection's \`debugDate\` — debug\
> capture remains enabled until \`debugDate\` expires or is removed via a PUT.\
> \
> AI guidance:\
> \- Use this between test runs to isolate logs for a single scenario.\
> \- To fully turn debug off, also \`PUT /v1/connections/{\_id}\` with \`debugDate\`\
> &#x20; removed from the body.

```json
{"openapi":"3.1.0","info":{"title":"Connections","version":"1.0.0"},"servers":[{"url":"https://api.integrator.io","description":"Production (US / default region)"},{"url":"https://api.eu.integrator.io","description":"Production (EU region)"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer"}},"responses":{"401-unauthorized":{"description":"Unauthorized. The request lacks a valid bearer token, or the provided token\nfailed to authenticate.\n\nNote: the 401 response is produced by the auth middleware **before** the\nrequest reaches the endpoint handler, so it does **not** follow the\nstandard `{errors: [...]}` envelope. Instead the body is a bare\n`{message: string}` object with no `code`, no `errors` array. Callers\nhandling 401s should key off the HTTP status and the `message` string,\nnot try to destructure an `errors[]`.","content":{"application/json":{"schema":{"type":"object","properties":{"message":{"type":"string","description":"Human-readable description of the auth failure. Known values:\n- `\"Unauthorized\"` — no `Authorization` header on the request.\n- `\"Bearer Authentication Failed\"` — header present but token\n  is invalid, revoked, or expired."}},"required":["message"]}}}}}},"paths":{"/v1/connections/{_id}/debug":{"delete":{"operationId":"clearConnectionDebugLogs","tags":["Connections"],"summary":"Clear the debug log buffer for a connection","description":"Purges the connection's debug log buffer. Subsequent `GET /v1/connections/{_id}/debug`\ncalls return 204 until new traffic is captured (assuming `debugDate` is still in the future).\n\nIdempotent: returns 204 whether the buffer held entries, was already empty, or the given\nconnection id does not exist. Does **not** clear the connection's `debugDate` — debug\ncapture remains enabled until `debugDate` expires or is removed via a PUT.\n\nAI guidance:\n- Use this between test runs to isolate logs for a single scenario.\n- To fully turn debug off, also `PUT /v1/connections/{_id}` with `debugDate`\n  removed from the body.","parameters":[{"name":"_id","in":"path","required":true,"description":"The connection id.","schema":{"type":"string","format":"objectId"}}],"responses":{"204":{"description":"Debug buffer cleared (or no-op if the buffer was already empty / id unknown)."},"401":{"$ref":"#/components/responses/401-unauthorized"}}}}}}
```

## Query metadata for a connection (RDBMS catalog or HTTP passthrough)

> Fetches metadata from the target system behind the connection. Bimodal —\
> the server picks one of two branches based on the connection's \`type\`:\
> \
> \*\*RDBMS catalog (\`type: rdbms\` + \`type: jdbc\`)\*\* — runs a live catalog\
> lookup against the database. Request body carries the \`rdbms\` wrapper\
> (\`type: tables\` or \`columns\`, optional \`tables\`, optional\
> \`currentDBOnly\`). Results are cached; pass \`refreshCache: true\` to bypass\
> and repopulate.\
> \
> \- \`type: rdbms\` (mssql, mysql, postgresql, redshift, bigquery, snowflake,\
> &#x20; oracle) returns a \`{results: \[...]}\` envelope. Items are\
> &#x20; \`{database, schema, table}\` for \`tables\`; column responses add a\
> &#x20; \`columns\[]\` array with driver-level type metadata (\`actualDataType\`,\
> &#x20; \`dataTypeID\`, \`maxLength\`, \`precision\`, \`scale\`).\
> \- \`type: jdbc\` (Oracle-via-JDBC, NetSuite SuiteQL, IBM DB2, Workday)\
> &#x20; returns a \*\*bare array\*\* — no envelope, items lack \`database\`, and\
> &#x20; columns are leaner (\`{column, dataType, isNull}\`) with a sibling\
> &#x20; \`primaryKeys\[]\` array. Callers of the agent's SQLEngine wrap this to\
> &#x20; \`{results: \[...]}\` client-side; API-level consumers should handle both\
> &#x20; shapes.\
> \
> \*\*HTTP passthrough (\`type: http\`)\*\* — signs and forwards an HTTP request\
> through the connection's auth + \`baseURI\` and returns the target's raw\
> response. Used by the UI to run GraphQL introspection queries against\
> Shopify / other GraphQL endpoints, and to discover REST endpoints.\
> Request body carries the \`http\` wrapper (\`body\` required; optional\
> \`method\`, \`relativeURI\`, \`headers\[]\`). Response shape is opaque — it is\
> literally whatever the target server returned.\
> \
> \*\*Adaptor-specific metadata for NetSuite and Salesforce lives under\
> dedicated endpoints\*\*, not this one:\
> \- \`GET /v1/netsuite/metadata/suitescript/connections/{\_id}/recordTypes\[...]\`\
> \- \`GET /v1/salesforce/metadata/connections/{\_id}/sObjectTypes\[...]\`\
> \
> Calling this endpoint on unsupported connection types (FTP, S3, AS2,\
> filesystem, NetSuite SuiteScript, Salesforce) returns 422 \`not\_supported\`\
> regardless of wrapper.\
> \
> Empty result sets are legitimate on the RDBMS branch — they mean the\
> cache was empty for the query, the user lacks catalog permissions (e.g.\
> BigQuery: missing \`bigquery.tables.get\`), or the table is genuinely\
> empty of columns.\
> \
> AI guidance:\
> \- Pick the wrapper by connection type. Sending \`rdbms\` to an HTTP conn\
> &#x20; returns 422 \`unexpected\_error "export.http is missing"\`; sending \`http\`\
> &#x20; to an RDBMS conn returns 422 \`invalid\_type\`.\
> \- Prefer fully-qualified table names on Snowflake/BigQuery; unqualified\
> &#x20; names only work when the connection has a default schema.\
> \- \`rdbms.tables\` is overloaded: string OR array-of-strings (to batch\
> &#x20; multiple columns lookups in one call) OR omitted (for \`tables\` mode).\
> \- Use \`refreshCache: true\` sparingly — every call invalidates the cache\
> &#x20; and re-issues the underlying work.\
> \- Unknown body properties (including a redundant \`\_connectionId\`) are\
> &#x20; silently ignored — the path parameter is authoritative.

```json
{"openapi":"3.1.0","info":{"title":"Connections","version":"1.0.0"},"servers":[{"url":"https://api.integrator.io","description":"Production (US / default region)"},{"url":"https://api.eu.integrator.io","description":"Production (EU region)"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer"}},"schemas":{"ConnectionMetadataRequest":{"type":"object","description":"Metadata query for a connection. The endpoint is **bimodal** — the server\npicks one of two request branches based on the target connection's `type`:\n\n- **RDBMS branch** (`{rdbms: {...}}`) — used on `type: rdbms` and `type: jdbc`\n  connections to run catalog lookups (list tables / describe columns).\n- **HTTP passthrough branch** (`{http: {...}}`) — used on `type: http`\n  connections (including REST-flavored and GraphQL-over-HTTP) to issue an\n  HTTP request through the connection's configured baseURI and auth, then\n  return the target server's raw response.\n\nOnly one branch should be populated per call. If the wrong branch is used\nfor the connection type, the server returns 422 (`invalid_type` for RDBMS\nwrapper on an HTTP conn; `unexpected_error \"export.http is missing\"` for\nHTTP wrapper on an RDBMS conn). Non-supported types (FTP, S3, filesystem,\nAS2, NetSuite, Salesforce) return 422 `not_supported` regardless of\nwrapper — NetSuite/Salesforce use dedicated adaptor endpoints under\n`/v1/netsuite/metadata/...` and `/v1/salesforce/metadata/...`.\n\nUnknown top-level properties and a redundant body `_connectionId` are\nsilently accepted and ignored — the path parameter is authoritative.","properties":{"rdbms":{"type":"object","description":"RDBMS catalog query. Required for `type: rdbms` and `type: jdbc`\nconnections.","properties":{"type":{"type":"string","description":"Metadata category to fetch.\n- `tables` — list every table visible to the connection user.\n- `columns` — describe columns for the table(s) in `tables`.","enum":["tables","columns"]},"tables":{"description":"Overloaded by `type` and optional.\n- When `type: \"tables\"`: omit, pass `\"\"`, or pass any value — the\n  server lists every visible table either way. `tables` is not\n  required in this mode.\n- When `type: \"columns\"`: pass a fully-qualified table name as a\n  **string** (`database.schema.table`) OR an **array** of\n  fully-qualified names to batch multiple tables in one call.\n  Unqualified names only resolve when the connection has a default\n  schema.","oneOf":[{"type":"string"},{"type":"array","items":{"type":"string"}}]},"currentDBOnly":{"type":"boolean","description":"If `true`, restrict `type: tables` results to the connection's\ncurrent database. On connections that only ever see one database\n(most MSSQL/MySQL configs) this has no visible effect. Relevant on\ndrivers with cross-database access. Defaults to `false`."}},"required":["type"]},"http":{"type":"object","description":"HTTP passthrough payload. Required for `type: http` connections. The\nserver signs the request using the connection's auth, posts it to the\nconnection's `baseURI` + `relativeURI`, and returns the target's raw\nresponse. Used by the UI to run GraphQL introspection queries and to\ndiscover REST endpoints.","properties":{"body":{"type":"string","description":"Raw HTTP request body to send to the target. Required and\nnon-empty — an empty `body` returns 422 `cannot_fetch_metadata`.\nFor GraphQL endpoints, this is the JSON-encoded\n`{\"query\": \"...\"}` payload; for REST endpoints it's whatever the\ntarget expects."},"method":{"type":"string","description":"HTTP verb to use for the passthrough call. Defaults to `POST`.\nHonored by the server — e.g. `GET` / `PUT` surface the target's\nown method-rejection errors through as\n`422 cannot_fetch_metadata`."},"relativeURI":{"type":"string","description":"Optional path suffix appended to the connection's `baseURI`. When\nomitted, the connection's default endpoint path is used."},"headers":{"type":"array","description":"Optional extra request headers added on top of the connection's\nconfigured headers. Each item is `{name, value}`.","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}},"required":["name","value"]}}},"required":["body"]},"refreshCache":{"type":"boolean","description":"If `true`, bypass the metadata cache and repopulate it from the live\ntarget (RDBMS driver call, or target HTTP request). Use sparingly —\nevery `refreshCache: true` call re-issues the underlying work.","default":false}}},"ConnectionMetadataResponse":{"description":"Response body for `PUT /v1/connections/{_id}/metadata`. Three possible\nshapes, picked by the target connection's `type`:\n\n1. **RDBMS envelope** (`type: rdbms` — mssql, mysql, postgresql, redshift,\n   bigquery, snowflake, oracle): `{results: [...]}`. Table items carry\n   `{database, schema, table}`; column items add a rich `columns[]` array\n   with driver-specific fields (`actualDataType`, `dataTypeID`,\n   `maxLength`, `precision`, `scale`, etc.).\n\n2. **JDBC bare array** (`type: jdbc` — Oracle-via-JDBC, IBM DB2, Workday,\n   NetSuite SuiteQL): **no envelope**. Response is a plain JSON array.\n   Items lack `database`, columns carry a leaner descriptor\n   (`{column, dataType, isNull}`), and column responses add a\n   `primaryKeys[]` array alongside `columns[]`. Callers of the agent /\n   CLI's SQLEngine wrap these to `{results: [...]}` client-side for a\n   uniform shape.\n\n3. **HTTP passthrough** (`type: http`): whatever the target server\n   returned. For GraphQL endpoints this is the GraphQL response\n   (`{data, extensions?, errors?}`); for REST endpoints it's the\n   endpoint's JSON body. Treat the shape as opaque — it is literally\n   whatever bytes the target returned.","oneOf":[{"$ref":"#/components/schemas/RDBMSMetadataEnvelope"},{"$ref":"#/components/schemas/JDBCMetadataBareArray"},{"$ref":"#/components/schemas/HTTPPassthroughResponse"}]},"RDBMSMetadataEnvelope":{"type":"object","description":"Envelope returned by `type: rdbms` connections (mssql, mysql, postgresql,\nredshift, bigquery, snowflake, oracle).","properties":{"results":{"type":"array","description":"Metadata items. Empty array is legitimate — indicates the cache has\nnothing for the query, the table has no columns accessible to the\nconnection user, or permissions are missing (e.g. BigQuery: missing\n`bigquery.tables.get`).","items":{"oneOf":[{"$ref":"#/components/schemas/RDBMSTable"},{"$ref":"#/components/schemas/RDBMSTableColumns"}]}}},"required":["results"]},"RDBMSTable":{"type":"object","description":"Table descriptor returned by `type: rdbms` connections when\n`rdbms.type == \"tables\"`.","properties":{"database":{"type":"string","description":"Database (or project, for BigQuery) containing the table."},"schema":{"type":"string","description":"Schema (or dataset, for BigQuery) containing the table."},"table":{"type":"string","description":"Table name."}},"required":["database","schema","table"]},"RDBMSTableColumns":{"type":"object","description":"Table-with-columns descriptor returned by `type: rdbms` connections when\n`rdbms.type == \"columns\"`. Carries the same table identifier fields as\n`RDBMSTable` plus a `columns[]` array of column descriptors.","properties":{"database":{"type":"string","description":"Database (or project, for BigQuery) containing the table."},"schema":{"type":"string","description":"Schema (or dataset, for BigQuery) containing the table."},"table":{"type":"string","description":"Table name."},"columns":{"type":"array","description":"Column descriptors for this table.","items":{"$ref":"#/components/schemas/RDBMSColumn"}}},"required":["database","schema","table","columns"]},"RDBMSColumn":{"type":"object","description":"Column descriptor inside a `type: rdbms` response. Field set is richer\nthan the JDBC variant and carries driver-level type metadata.","additionalProperties":true,"properties":{"column":{"type":"string","description":"Column name."},"actualDataType":{"type":"string","description":"Driver-reported type name (e.g. `varchar`, `int`, `NUMBER`)."},"dataType":{"type":"string","description":"Normalized Celigo-side type family (e.g. `string`, `number`,\n`boolean`, `datetime`). Used by the mapper UI."},"isNull":{"type":"string","description":"Nullability flag — always returned as the string `\"true\"` or\n`\"false\"`, not a JSON boolean."},"dataTypeID":{"type":"integer","description":"Driver-level numeric type code (e.g. `167` for varchar on MSSQL)."},"maxLength":{"type":"integer","description":"Max character length, where applicable. `-1` for unbounded."},"precision":{"type":"integer","description":"Numeric precision, where applicable. `0` when not numeric."},"scale":{"type":"integer","description":"Numeric scale, where applicable. `0` when not numeric."}},"required":["column"]},"JDBCMetadataBareArray":{"type":"array","description":"Bare array returned by `type: jdbc` connections. No enclosing\n`{results: ...}` envelope. Present on Oracle-via-JDBC and the driver\nfamilies the agent calls out specifically — NetSuite SuiteQL, IBM DB2,\nWorkday — which all route through this shape. Empty array is legitimate.","items":{"oneOf":[{"$ref":"#/components/schemas/JDBCTable"},{"$ref":"#/components/schemas/JDBCTableColumns"}]}},"JDBCTable":{"type":"object","description":"Table descriptor returned by `type: jdbc` connections when\n`rdbms.type == \"tables\"`. No `database` field — JDBC drivers surface\nonly schema + table.","properties":{"schema":{"type":"string","description":"Schema containing the table."},"table":{"type":"string","description":"Table name."}},"required":["schema","table"]},"JDBCTableColumns":{"type":"object","description":"Table-with-columns descriptor returned by `type: jdbc` connections when\n`rdbms.type == \"columns\"`. Adds `primaryKeys[]` alongside `columns[]`.","properties":{"schema":{"type":"string","description":"Schema containing the table."},"table":{"type":"string","description":"Table name."},"columns":{"type":"array","description":"Column descriptors for this table.","items":{"$ref":"#/components/schemas/JDBCColumn"}},"primaryKeys":{"type":"array","description":"Column names that participate in the table's primary key. Empty\narray (or omitted) when the driver did not report a PK.","items":{"type":"string"}}},"required":["schema","table","columns"]},"JDBCColumn":{"type":"object","description":"Column descriptor inside a `type: jdbc` response. Leaner than the RDBMS\nvariant — no driver-level type codes or length/precision/scale.","properties":{"column":{"type":"string","description":"Column name."},"dataType":{"type":"string","description":"Driver-reported type as a single string, possibly with parameters\n(e.g. `TIMESTAMP(6)`, `VARCHAR2`, `NUMBER`)."},"isNull":{"type":"string","description":"Nullability flag — string `\"true\"` or `\"false\"`, not a JSON boolean."}},"required":["column"]},"HTTPPassthroughResponse":{"description":"Raw response from the target HTTP server, piped through unchanged. Shape\nis target-dependent (GraphQL response envelope, REST JSON, error page,\netc.). OpenAPI cannot describe it more precisely. Use\n`cannot_fetch_metadata` in the 422 path when the target returns non-JSON.","type":"object","additionalProperties":true},"Error":{"type":"object","description":"Standard error response envelope returned by integrator.io APIs.","properties":{"errors":{"type":"array","description":"List of errors that occurred while processing the request.","items":{"type":"object","properties":{"code":{"oneOf":[{"type":"string"},{"type":"integer"}],"description":"Machine-readable error code. Usually a string like\n`invalid_ref`, `missing_required_field`, or `unauthorized`;\nmay be an **integer** when the error mirrors an upstream HTTP\nstatus (e.g. `500`) — most commonly returned by connection-ping\nand adaptor-proxy responses."},"message":{"type":"string","description":"Human-readable description of the error."},"field":{"type":"string","description":"Optional pointer to the document field that caused the error.\nUsed by structural validation errors (`missing_required_field`,\n`invalid_ref`) to indicate which field is at fault\n(e.g. `_id`, `type`, `http.baseURI`)."},"source":{"type":"string","description":"Optional origin layer for the error — e.g. `application` when\nthe error came from the remote system the adaptor called,\n`connector` when the adaptor itself rejected the request."}},"required":["message"]}}},"required":["errors"]}},"responses":{"401-unauthorized":{"description":"Unauthorized. The request lacks a valid bearer token, or the provided token\nfailed to authenticate.\n\nNote: the 401 response is produced by the auth middleware **before** the\nrequest reaches the endpoint handler, so it does **not** follow the\nstandard `{errors: [...]}` envelope. Instead the body is a bare\n`{message: string}` object with no `code`, no `errors` array. Callers\nhandling 401s should key off the HTTP status and the `message` string,\nnot try to destructure an `errors[]`.","content":{"application/json":{"schema":{"type":"object","properties":{"message":{"type":"string","description":"Human-readable description of the auth failure. Known values:\n- `\"Unauthorized\"` — no `Authorization` header on the request.\n- `\"Bearer Authentication Failed\"` — header present but token\n  is invalid, revoked, or expired."}},"required":["message"]}}}},"404-not-found":{"description":"Not found. The requested resource does not exist or is not visible to the caller.\n","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}}},"paths":{"/v1/connections/{_id}/metadata":{"put":{"operationId":"queryConnectionMetadata","tags":["Connections"],"summary":"Query metadata for a connection (RDBMS catalog or HTTP passthrough)","description":"Fetches metadata from the target system behind the connection. Bimodal —\nthe server picks one of two branches based on the connection's `type`:\n\n**RDBMS catalog (`type: rdbms` + `type: jdbc`)** — runs a live catalog\nlookup against the database. Request body carries the `rdbms` wrapper\n(`type: tables` or `columns`, optional `tables`, optional\n`currentDBOnly`). Results are cached; pass `refreshCache: true` to bypass\nand repopulate.\n\n- `type: rdbms` (mssql, mysql, postgresql, redshift, bigquery, snowflake,\n  oracle) returns a `{results: [...]}` envelope. Items are\n  `{database, schema, table}` for `tables`; column responses add a\n  `columns[]` array with driver-level type metadata (`actualDataType`,\n  `dataTypeID`, `maxLength`, `precision`, `scale`).\n- `type: jdbc` (Oracle-via-JDBC, NetSuite SuiteQL, IBM DB2, Workday)\n  returns a **bare array** — no envelope, items lack `database`, and\n  columns are leaner (`{column, dataType, isNull}`) with a sibling\n  `primaryKeys[]` array. Callers of the agent's SQLEngine wrap this to\n  `{results: [...]}` client-side; API-level consumers should handle both\n  shapes.\n\n**HTTP passthrough (`type: http`)** — signs and forwards an HTTP request\nthrough the connection's auth + `baseURI` and returns the target's raw\nresponse. Used by the UI to run GraphQL introspection queries against\nShopify / other GraphQL endpoints, and to discover REST endpoints.\nRequest body carries the `http` wrapper (`body` required; optional\n`method`, `relativeURI`, `headers[]`). Response shape is opaque — it is\nliterally whatever the target server returned.\n\n**Adaptor-specific metadata for NetSuite and Salesforce lives under\ndedicated endpoints**, not this one:\n- `GET /v1/netsuite/metadata/suitescript/connections/{_id}/recordTypes[...]`\n- `GET /v1/salesforce/metadata/connections/{_id}/sObjectTypes[...]`\n\nCalling this endpoint on unsupported connection types (FTP, S3, AS2,\nfilesystem, NetSuite SuiteScript, Salesforce) returns 422 `not_supported`\nregardless of wrapper.\n\nEmpty result sets are legitimate on the RDBMS branch — they mean the\ncache was empty for the query, the user lacks catalog permissions (e.g.\nBigQuery: missing `bigquery.tables.get`), or the table is genuinely\nempty of columns.\n\nAI guidance:\n- Pick the wrapper by connection type. Sending `rdbms` to an HTTP conn\n  returns 422 `unexpected_error \"export.http is missing\"`; sending `http`\n  to an RDBMS conn returns 422 `invalid_type`.\n- Prefer fully-qualified table names on Snowflake/BigQuery; unqualified\n  names only work when the connection has a default schema.\n- `rdbms.tables` is overloaded: string OR array-of-strings (to batch\n  multiple columns lookups in one call) OR omitted (for `tables` mode).\n- Use `refreshCache: true` sparingly — every call invalidates the cache\n  and re-issues the underlying work.\n- Unknown body properties (including a redundant `_connectionId`) are\n  silently ignored — the path parameter is authoritative.","parameters":[{"name":"_id","in":"path","required":true,"description":"The connection id. Must point to a connection of supported `type`\n(`rdbms`, `jdbc`, or `http`).","schema":{"type":"string","format":"objectId"}}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/ConnectionMetadataRequest"}}}},"responses":{"200":{"description":"Metadata query succeeded. Shape depends on connection type — see the\nthree branches of `ConnectionMetadataResponse`:\n- RDBMS connections → `{results: [...]}` envelope.\n- JDBC connections → bare JSON array (no envelope).\n- HTTP connections → target server's raw response body (opaque).","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ConnectionMetadataResponse"}}}},"401":{"$ref":"#/components/responses/401-unauthorized"},"404":{"$ref":"#/components/responses/404-not-found"},"422":{"description":"Request was structurally invalid or the connection does not support\nmetadata. Common error codes:\n- `not_supported` — the connection's `type` is neither `rdbms`,\n  `jdbc`, nor `http` (FTP, S3, AS2, filesystem, NetSuite SuiteScript,\n  Salesforce all hit this).\n- `invalid_type` — the `rdbms` wrapper was sent to a `type: http`\n  connection, or `rdbms.type` is not `tables`/`columns`. Message is\n  `\"invalid type: <value>\"`.\n- `unexpected_error \"export.http is missing...\"` — the `http` wrapper\n  was sent to a `type: rdbms`/`jdbc` connection, or the `rdbms`\n  wrapper was sent to a `type: http` connection by some other path.\n- `cannot_fetch_metadata` — HTTP passthrough target returned a\n  response that could not be parsed as JSON. Message echoes the\n  parser error (e.g. `Unexpected token '<'` when the target returned\n  an HTML error page). Also fires on `{http: {}}` or\n  `{http: {body: \"\"}}` (missing/empty body).\n- `unexpected_error` (generic) — the underlying database rejected\n  the query (auth failure, TLS mismatch, unreachable host). The\n  `message` echoes the driver error.\n- `<driver>_unexpected_error` — some drivers emit a prefixed code for\n  their surface errors (e.g. `big_query_unexpected_error` from\n  BigQuery when the dataset/table reference is invalid). Treat the\n  prefix as driver-scoped.\n\nNote: sending an **empty body** returns a bare `{code, message}`\nobject with `code: \"invalid_request\"`, not the standard\n`{errors: [...]}` envelope.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}}}}}}
```

## Purge the message queue for a connection

> Purges all messages from the connection's message queue. This is a\
> rate-limited operation — repeated calls within approximately 20 seconds\
> return a 429 error.\
> \
> Returns 204 on success. Returns 404 with code \`empty\_connection\_queue\`\
> if the queue is already empty.

```json
{"openapi":"3.1.0","info":{"title":"Connections","version":"1.0.0"},"servers":[{"url":"https://api.integrator.io","description":"Production (US / default region)"},{"url":"https://api.eu.integrator.io","description":"Production (EU region)"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer"}},"responses":{"401-unauthorized":{"description":"Unauthorized. The request lacks a valid bearer token, or the provided token\nfailed to authenticate.\n\nNote: the 401 response is produced by the auth middleware **before** the\nrequest reaches the endpoint handler, so it does **not** follow the\nstandard `{errors: [...]}` envelope. Instead the body is a bare\n`{message: string}` object with no `code`, no `errors` array. Callers\nhandling 401s should key off the HTTP status and the `message` string,\nnot try to destructure an `errors[]`.","content":{"application/json":{"schema":{"type":"object","properties":{"message":{"type":"string","description":"Human-readable description of the auth failure. Known values:\n- `\"Unauthorized\"` — no `Authorization` header on the request.\n- `\"Bearer Authentication Failed\"` — header present but token\n  is invalid, revoked, or expired."}},"required":["message"]}}}}}},"paths":{"/v1/connections/{_id}/purgeMessages":{"post":{"operationId":"purgeConnectionMessages","tags":["Connections"],"summary":"Purge the message queue for a connection","description":"Purges all messages from the connection's message queue. This is a\nrate-limited operation — repeated calls within approximately 20 seconds\nreturn a 429 error.\n\nReturns 204 on success. Returns 404 with code `empty_connection_queue`\nif the queue is already empty.","parameters":[{"in":"path","name":"_id","required":true,"schema":{"type":"string"},"description":"The unique identifier of the connection."}],"responses":{"204":{"description":"Message queue purged successfully (no body returned)."},"401":{"$ref":"#/components/responses/401-unauthorized"},"404":{"description":"The connection's message queue is already empty.","content":{"application/json":{"schema":{"type":"object","properties":{"errors":{"type":"array","items":{"type":"object","properties":{"code":{"type":"string"},"message":{"type":"string"}}}}}}}}},"429":{"description":"Rate limit exceeded. Wait approximately 20 seconds before retrying.","content":{"application/json":{"schema":{"type":"object","properties":{"errors":{"type":"array","items":{"type":"object","properties":{"message":{"type":"string"}}}}}}}}}}}}}}
```

## Get the authorization URL to re-authorize a connection

> Returns a short-lived authorization URL for initiating (or re-running) the OAuth handshake\
> that backs this connection. The caller redirects the end user to this URL; once the user\
> consents at the provider, Celigo's OAuth callback writes the resulting tokens back to the\
> connection and flips \`needsAuthorization\` to \`false\`.\
> \
> Despite the \`oauth2\` segment, this endpoint serves the authorize URL for \*\*both OAuth 2.0\
> and OAuth 1.0a\*\* connections (e.g. NetSuite returns an OAuth 1.0a authorize URL with an\
> \`oauth\_token\` parameter). The single response field \`authorizationUrl\` carries the URL\
> regardless of flow.\
> \
> \*\*Path casing matters.\*\* The resource segment is singular \`connection\` (not plural\
> \`connections\`) — \`GET /v1/connections/{\_id}/oauth2\` returns 404.\
> \
> AI guidance:\
> \- Typical flow: open \`authorizationUrl\` in a browser, then poll\
> &#x20; \`GET /v1/connections/{\_id}\` until \`needsAuthorization\` flips to \`false\`, then call\
> &#x20; \`POST /v1/connections/{\_id}/ping\` to confirm tokens work.\
> \- The URL embeds a one-time token in the \`state\` parameter — it only works once and\
> &#x20; expires quickly. Request a fresh one if the flow was interrupted.\
> \- Historical response variants have used \`authorizationURL\` / \`authorize\_url\` keys;\
> &#x20; current production returns \`authorizationUrl\`. Robust clients should tolerate either.\
> \- Returns 400 \`invalid\_ref\` (not 404) on an unknown connection id.

```json
{"openapi":"3.1.0","info":{"title":"Connections","version":"1.0.0"},"servers":[{"url":"https://api.integrator.io","description":"Production (US / default region)"},{"url":"https://api.eu.integrator.io","description":"Production (EU region)"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer"}},"schemas":{"ConnectionOAuth2AuthorizationResponse":{"type":"object","description":"Authorization URL payload for restarting an OAuth handshake. One field, serves both\nOAuth 2.0 and OAuth 1.0a flows — the URL contents differ but the envelope does not.","properties":{"authorizationUrl":{"type":"string","format":"uri","description":"Short-lived authorization URL. Redirect the end user here to consent at the provider.\nEmbeds a one-time token in the `state` query parameter that expires quickly and is\ninvalidated after a single use."}},"required":["authorizationUrl"]},"Error":{"type":"object","description":"Standard error response envelope returned by integrator.io APIs.","properties":{"errors":{"type":"array","description":"List of errors that occurred while processing the request.","items":{"type":"object","properties":{"code":{"oneOf":[{"type":"string"},{"type":"integer"}],"description":"Machine-readable error code. Usually a string like\n`invalid_ref`, `missing_required_field`, or `unauthorized`;\nmay be an **integer** when the error mirrors an upstream HTTP\nstatus (e.g. `500`) — most commonly returned by connection-ping\nand adaptor-proxy responses."},"message":{"type":"string","description":"Human-readable description of the error."},"field":{"type":"string","description":"Optional pointer to the document field that caused the error.\nUsed by structural validation errors (`missing_required_field`,\n`invalid_ref`) to indicate which field is at fault\n(e.g. `_id`, `type`, `http.baseURI`)."},"source":{"type":"string","description":"Optional origin layer for the error — e.g. `application` when\nthe error came from the remote system the adaptor called,\n`connector` when the adaptor itself rejected the request."}},"required":["message"]}}},"required":["errors"]}},"responses":{"401-unauthorized":{"description":"Unauthorized. The request lacks a valid bearer token, or the provided token\nfailed to authenticate.\n\nNote: the 401 response is produced by the auth middleware **before** the\nrequest reaches the endpoint handler, so it does **not** follow the\nstandard `{errors: [...]}` envelope. Instead the body is a bare\n`{message: string}` object with no `code`, no `errors` array. Callers\nhandling 401s should key off the HTTP status and the `message` string,\nnot try to destructure an `errors[]`.","content":{"application/json":{"schema":{"type":"object","properties":{"message":{"type":"string","description":"Human-readable description of the auth failure. Known values:\n- `\"Unauthorized\"` — no `Authorization` header on the request.\n- `\"Bearer Authentication Failed\"` — header present but token\n  is invalid, revoked, or expired."}},"required":["message"]}}}}}},"paths":{"/v1/connection/{_id}/oauth2":{"get":{"operationId":"getConnectionOAuth2AuthorizationUrl","tags":["Connections"],"summary":"Get the authorization URL to re-authorize a connection","description":"Returns a short-lived authorization URL for initiating (or re-running) the OAuth handshake\nthat backs this connection. The caller redirects the end user to this URL; once the user\nconsents at the provider, Celigo's OAuth callback writes the resulting tokens back to the\nconnection and flips `needsAuthorization` to `false`.\n\nDespite the `oauth2` segment, this endpoint serves the authorize URL for **both OAuth 2.0\nand OAuth 1.0a** connections (e.g. NetSuite returns an OAuth 1.0a authorize URL with an\n`oauth_token` parameter). The single response field `authorizationUrl` carries the URL\nregardless of flow.\n\n**Path casing matters.** The resource segment is singular `connection` (not plural\n`connections`) — `GET /v1/connections/{_id}/oauth2` returns 404.\n\nAI guidance:\n- Typical flow: open `authorizationUrl` in a browser, then poll\n  `GET /v1/connections/{_id}` until `needsAuthorization` flips to `false`, then call\n  `POST /v1/connections/{_id}/ping` to confirm tokens work.\n- The URL embeds a one-time token in the `state` parameter — it only works once and\n  expires quickly. Request a fresh one if the flow was interrupted.\n- Historical response variants have used `authorizationURL` / `authorize_url` keys;\n  current production returns `authorizationUrl`. Robust clients should tolerate either.\n- Returns 400 `invalid_ref` (not 404) on an unknown connection id.","parameters":[{"name":"_id","in":"path","required":true,"description":"The connection id.","schema":{"type":"string","format":"objectId"}}],"responses":{"200":{"description":"Authorization URL ready for the end user to visit.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ConnectionOAuth2AuthorizationResponse"}}}},"400":{"description":"Connection id does not resolve.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"401":{"$ref":"#/components/responses/401-unauthorized"},"422":{"description":"Connection exists but is not configured for OAuth — e.g. an FTP, S3, or plain-auth\nHTTP connection. The server fails the handshake pre-check because the connection has\nno `authURI` in its config.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}}}}}}
```

## List dependencies of a connection

> Returns the set of resources that depend on the specified resource.\
> The response is an object whose keys are dependent-resource types\
> (e.g. \`flows\`, \`imports\`) and whose values are arrays of dependency\
> entries.\
> \
> AI guidance:\
> \- An empty object \`{}\` means no other resources depend on the target.\
> &#x20; This is also returned for a well-formatted but nonexistent id.

```json
{"openapi":"3.1.0","info":{"title":"Connections","version":"1.0.0"},"servers":[{"url":"https://api.integrator.io","description":"Production (US / default region)"},{"url":"https://api.eu.integrator.io","description":"Production (EU region)"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer"}},"schemas":{"DependencyResponse":{"type":"object","description":"Map of dependent-resource types to arrays of dependency entries.\nKeys are plural resource type strings (e.g. `flows`, `imports`,\n`connections`). An empty object `{}` means no dependents.\n","additionalProperties":{"type":"array","items":{"$ref":"#/components/schemas/DependencyEntry"}}},"DependencyEntry":{"type":"object","description":"A single resource that depends on the queried resource.","properties":{"id":{"type":"string","description":"Unique identifier of the dependent resource."},"name":{"type":"string","description":"Display name of the dependent resource."},"paths":{"type":"array","description":"JSON-path-style pointers within the dependent resource's document\nthat reference the target resource.\n","items":{"type":"string"}},"accessLevel":{"type":"string","description":"The caller's access level on the dependent resource."},"dependencyIds":{"type":"object","description":"Map of resource types to arrays of ids that this dependent\nresource references on the target. Keys are singular or plural\nresource type strings; values are arrays of id strings.\n","additionalProperties":{"type":"array","items":{"type":"string"}}}},"required":["id","name","paths","accessLevel","dependencyIds"]}},"responses":{"401-unauthorized":{"description":"Unauthorized. The request lacks a valid bearer token, or the provided token\nfailed to authenticate.\n\nNote: the 401 response is produced by the auth middleware **before** the\nrequest reaches the endpoint handler, so it does **not** follow the\nstandard `{errors: [...]}` envelope. Instead the body is a bare\n`{message: string}` object with no `code`, no `errors` array. Callers\nhandling 401s should key off the HTTP status and the `message` string,\nnot try to destructure an `errors[]`.","content":{"application/json":{"schema":{"type":"object","properties":{"message":{"type":"string","description":"Human-readable description of the auth failure. Known values:\n- `\"Unauthorized\"` — no `Authorization` header on the request.\n- `\"Bearer Authentication Failed\"` — header present but token\n  is invalid, revoked, or expired."}},"required":["message"]}}}}}},"paths":{"/v1/connections/{_id}/dependencies":{"get":{"operationId":"listConnectionDependencies","tags":["Connections"],"summary":"List dependencies of a connection","description":"Returns the set of resources that depend on the specified resource.\nThe response is an object whose keys are dependent-resource types\n(e.g. `flows`, `imports`) and whose values are arrays of dependency\nentries.\n\nAI guidance:\n- An empty object `{}` means no other resources depend on the target.\n  This is also returned for a well-formatted but nonexistent id.","parameters":[{"name":"_id","in":"path","required":true,"description":"Resource ID.","schema":{"type":"string","format":"objectId"}}],"responses":{"200":{"description":"Dependency map. Keys are resource-type strings; values are arrays\nof dependency entries. Returns `{}` when no dependents exist.\n","content":{"application/json":{"schema":{"$ref":"#/components/schemas/DependencyResponse"}}}},"401":{"$ref":"#/components/responses/401-unauthorized"}}}}}}
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://developer.celigo.com/api/api-reference/connections.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.