Primitive/connections3 min read

Introducing /connections: connect each user's agents to 1,000+ apps

The connections primitive gives each end-user's agents authenticated access to 1,000+ third-party apps — per user, gated by the Account Kit, in one surface.

Connections primitive →Read the docs →

Primitive/connections
TL;DR
  • /connections connect each end-user's agents to 1,000+ third-party apps (formerly the /integrations primitive)
  • Per user, not per app key every connection belongs to one tenant user and is gated by that user's Account Kit
  • One surface list what's available, connect via a hosted link, list an app's tools, and execute a tool with structured arguments
  • Governed connects starting a connection is a sensitive action and can require human approval per Account Kit
  • Cheap reads Naïve keeps a local mirror of connection status so listing is fast; execute-time auth always goes through the provider
  • Composes with /browser for services that have no connector and with /vault for agent-generated secrets

An agent that can reason still can't do much until it can act inside the tools your users already live in — their inbox, their Slack, their GitHub, their Stripe. Naïve is the autonomous company infrastructure that gives agents real-world capabilities, and the /connections primitive (formerly /integrations) is how each of your end-users' agents gets authenticated access to 1,000+ third-party apps, per user, without you building an OAuth layer per customer.

Every connection belongs to one tenant user and is gated by that user's Account Kit. One customer's Gmail is never another customer's Gmail. That per-user binding is the whole point.

One surface: list, connect, discover, execute

Connections expose a small, uniform set of actions so an agent can work with any connected app the same way:

  • List — the apps available to a user (filtered by their Account Kit) with connection status.
  • Connect — start a connect flow; returns a hosted redirect link for the user to authorize.
  • Tools — list the tools a connected app exposes.
  • Execute — run a specific tool for the user with structured arguments.
  • Disconnect — remove (and optionally purge) an app for the user.
naive connections list --user alice
naive connections connect gmail --user alice
naive connections execute gmail GMAIL_SEND_EMAIL --user alice \
  --args '{"recipient_email":"lead@co.com","subject":"Hi","body":"..."}'

Connecting is per-user and governed

connect returns a hosted redirectUrl. You send the end-user there; once they finish authorizing, the connection becomes ACTIVE. Because a connection grants access under the user's own identity, it is a sensitive action — depending on the user's Account Kit, the connect can be gated for human approval before it takes effect.

const res = await naive.forUser(alice.id).connections.connect("gmail", {
  callbackUrl: "https://myapp.com/oauth/callback",
});
// Send the user to res.redirectUrl. After they finish, the connection becomes ACTIVE.

In a multi-tenant product this maps cleanly onto your own users: create a Naïve user per customer, and every connection, token, and execution stays scoped to that customer.

Cheap reads, live execution

Naïve keeps a local mirror of each user's connection status, so listing availability and checking what's connected are fast reads. Execute-time authorization always goes through the connections provider against the live token — so a stale mirror never lets an expired connection through. Freshly initiated connections are re-checked before the API answers.

What you can build

Give each customer an agent that works in their own accounts — A per-tenant assistant that reads and sends from the customer's own Gmail, posts to their Slack, or files issues in their GitHub — authorized once by that customer, isolated from every other tenant.

Run cross-app workflows from one agent loop — Pull from one app, push to another, all through the same connect-and-execute surface, with each step attributable to the end-user who owns the connections.

Reach the long tail with /browser — When an app isn't on the connector catalog, fall back to /browser so the agent can operate the web UI directly and vault any credentials it generates via /vault.

Compose with the rest of the runtime — Pair connections with /research, /image, and /social to run content and outreach workflows inside the tools your users already use.

Get started

Frequently Asked Questions
What is the connections primitive?+
Connections give a tenant user's agents authenticated access to 1,000+ third-party apps — Gmail, Slack, GitHub, Stripe, Notion, and more. Every connection is per-user and gated by that user's Account Kit. Agents list available apps, start a connect flow, discover an app's tools, and execute a tool with structured arguments — all through one surface.
How does connecting an app work?+
Call connect for a toolkit (e.g. gmail) and Naïve returns a hosted redirect link. Send the end-user there; once they finish authorizing, the connection becomes ACTIVE. Because it grants access under the user's identity, a connect can be gated for human approval depending on that user's Account Kit.
How is this scoped in a multi-tenant app?+
Every connection belongs to a single tenant user, so one customer's Gmail connection is never visible to another. The apps a user may connect are filtered by their Account Kit's allow and block lists, and each execute call runs against that specific user's authorized connection — isolation is enforced by the runtime, not by your code.
What if an app I need has no connector?+
Use the /browser primitive. When a service has no connector or the workflow only exists in a web UI, an agent can drive a governed browser session — including autonomous signup and login — and vault any credentials it generates. Connections cover the connector catalog; /browser covers the long tail.
How does execution stay fast and auditable?+
Naïve keeps a local mirror of each user's connection status, so listing and status checks are cheap reads. Execute-time authorization always goes through the connections provider against the live token. Connect flows, executions, and disconnects are all attributable to the specific end-user who owns the connection.
How much does the connections primitive cost?+
Connecting apps, listing availability, and discovering an app's tools are free. Per-action execution draws from your credit balance like other primitive calls; each credit is worth $0.50 per published docs. See usenaive.ai/pricing for current rates before quoting a figure.
How do I get started?+
Run naive connections list --user alice to see available apps, naive connections connect gmail --user alice to authorize, then naive connections execute gmail GMAIL_SEND_EMAIL --user alice --args '{...}'. The full guide is at usenaive.ai/docs/getting-started/connections.
DZ
Dennis ZaxCTO

CTO of Naïve. Building the open-source agent runtime.

@denniszax
Keep reading