Connected Apps let you link external services — like your CRM, meeting transcripts, or internal tools — so Brightwave's agents can pull data from them during research.
How it works
When you connect an app, you provide the API endpoint and credentials. Brightwave encrypts your credentials at rest and injects them automatically when an agent needs to access the service. Agents never see your API keys directly — authentication is handled through a secure proxy.
Setting up a connected app
- Go to Settings → Connected Apps.
- Click Add App and enter the service details: name, base URL, authentication type, and credentials.
- Add an optional label, notes, and any extra headers the API requires.
- Save the app.
Supported authentication types include API key (header or query parameter), Bearer token, Basic auth, and OAuth.
OAuth connections
OAuth-based connected apps are currently in research preview. Availability may be limited.
For services that support OAuth, agents can set up the connection for you directly in chat. When you ask the agent to access a service like Microsoft 365, Dropbox, Box, or Salesforce, it initiates an OAuth flow — you'll see a secure authorization card in the chat where you complete sign-in and grant access. Once authorized, the agent can use the connected service immediately.
OAuth connections are personal — each user authorizes their own account. Tokens refresh automatically in the background, so you don't need to re-authorize unless you revoke access.
Sharing connected apps
API-key connected apps can be shared across your organization. The app owner shares the app from Settings → Connected Apps, and team members can then enable it in their own projects without seeing the API key.
Shared apps appear alongside personal apps in the composer's Connected Apps submenu. Team members can enable or disable a shared app per project but cannot edit the credentials, rotate the key, or disconnect the app — only the owner can manage the underlying connection.
OAuth connections cannot be shared. Each team member authorizes their own OAuth access.
Enabling apps per project
Connected apps are enabled at the project level. Open the Connected Apps submenu in the composer toolbar and toggle on the apps you want agents to use for that project. This keeps your integrations scoped — agents only access what's relevant.
External access
Control whether agents can reach external websites beyond your connected apps. Open the Connected Apps submenu in the composer toolbar and hover over External access to choose:
- Connected apps only — agents can only call the APIs you've explicitly connected.
- Connected apps + websites — agents can also search the web and access public websites during research.
This setting applies per project, so you can lock down sensitive workspaces while leaving others open.
What agents can do
Once an app is enabled for a project, agents can make authenticated requests to the service as part of their research. For example, an agent could pull deal data from your CRM, fetch meeting transcripts, or query an internal analytics API — all within a single research workflow.
Agents can also manage connected apps on your behalf. Ask an agent to connect a new service, enable an app for the current project, or share an API-key app with your team — the agent handles it through secure in-chat prompts that keep credentials and authorization flows under your control.
Security
- Encrypted at rest — API keys are encrypted using AES with AWS-managed key rotation.
- Never exposed to agents — credentials are injected at the proxy layer; agents cannot read or extract them.
- Domain validation — Brightwave rejects connections to internal networks, localhost, and IP addresses to prevent misuse.
- Project-scoped — each app must be explicitly enabled per project.