Connectors
A connector is the credentialed link between Flows and an external system — Shopify, NetSuite, Klaviyo, Stripe, and dozens more. Flows read from and write to connectors; runs report on what happened. Without a healthy connector, nothing downstream works.
What's a connector
A connector profile bundles four things: the target system, the auth credentials, the requested scopes, and the active/disabled state. One customer can have many profiles per system — for example, Shopify · US store and Shopify · EU store as two distinct profiles. Each flow binds to exactly one source profile and one destination profile.
Lifecycle & status
| Status | Color | What it means |
|---|---|---|
| active | green | Credentials valid; the last 5 calls succeeded. |
| degraded | amber | Recent calls have been failing — usually expired OAuth tokens or revoked permissions. Flows continue to attempt runs and may fail until you reconnect. |
| disabled | slate | Paused intentionally by you or an admin. No flow can use it until re-enabled. |
| pending | blue | Auth handoff in progress. Auto-resolves once the OAuth callback completes. |
Connector status is recomputed every 60 seconds from cached health checks. Force a refresh with the cache button in the top bar.
Auth methods
| Method | Used by | Notes |
|---|---|---|
| OAuth 2.0 | Shopify, HubSpot, Salesforce, QuickBooks Online, Klaviyo | Tokens auto-refresh. We store refresh tokens encrypted with per-customer KMS keys. |
| API key | Stripe, Mailchimp, SendGrid, custom REST APIs | Stored once; never displayed again. Rotate from the connector detail page. |
| Basic auth | Legacy SOAP and on-prem APIs | Use only over TLS. We log the user but never the password. |
| JWT bearer | NetSuite TBA, custom OIDC backends | Signed with a per-tenant private key managed in KMS. |
| IP allowlist + key | SFTP, on-prem databases via tunnel | Combine with our static egress IPs (see below). |
Scopes & permissions
APIXX requests the minimum scopes needed for the flows you build. You can audit the granted scopes from the connector detail page; expanding scopes later requires re-auth with the new set.
Adding a connector
- Open Connectors and click Add connector.
- Pick the system from the catalog. Filter by category (commerce, ERP, marketing, finance, custom).
- Provide the system-specific inputs — domain, account ID, region.
- Complete the auth handoff (OAuth redirect, API key paste, key upload).
- APIXX runs a verification call. On success, status flips to active.
Reconnecting
A connector goes degraded when credentials stop working — almost always an expired refresh token, a revoked OAuth grant, or a rotated API key on the source side. Open the profile and click Reconnect:
- OAuth profiles re-run the consent flow. Existing flows resume automatically.
- API-key profiles prompt for the new key. The old one is destroyed on save.
- Reconnects are recorded in the audit log with the admin who performed them.
Credential rotation
For compliance-sensitive customers we recommend a 90-day rotation cadence on API-key connectors. APIXX can email an admin 14 days before a known-expiry credential lapses if you opt in from Settings.
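One way to check an inventory of connector profiles against the 90-day cadence and the 14-day notice window described above. This is an added example, not APIXX code: the inventory, its field names and the finding labels are constructed for illustration and do not reflect an APIXX export format or API.

```python
from datetime import date

ROTATION_DAYS = 90  # cadence the page recommends for API-key connectors
NOTICE_DAYS = 14    # lead time of the page's expiry reminder

# Constructed inventory; the field names are hypothetical, not an APIXX export.
PROFILES = [
    {"name": "stripe-payments", "auth": "api_key", "status": "active",
     "rotated": date(2024, 1, 10), "expires": None},
    {"name": "sendgrid-mail", "auth": "api_key", "status": "active",
     "rotated": date(2024, 4, 20), "expires": date(2024, 6, 10)},
    {"name": "shopify-us", "auth": "oauth2", "status": "degraded",
     "rotated": date(2024, 5, 1), "expires": None},
    {"name": "mailchimp-news", "auth": "api_key", "status": "disabled",
     "rotated": date(2023, 11, 2), "expires": None},
]


def audit(profiles, today):
    """Return (name, finding, days) tuples in inventory order."""
    findings = []
    for p in profiles:
        if p["status"] == "degraded":
            findings.append((p["name"], "reconnect_needed", 0))
        if p["auth"] == "api_key":
            # Assumption: a disabled profile is still audited, because the
            # key stays valid on the source system until it is rotated there.
            left = ROTATION_DAYS - (today - p["rotated"]).days
            if left < 0:
                findings.append((p["name"], "rotation_overdue", -left))
            elif left <= NOTICE_DAYS:
                findings.append((p["name"], "rotation_due", left))
        if p["expires"] is not None:
            left = (p["expires"] - today).days
            if left < 0:
                findings.append((p["name"], "expired", -left))
            elif left <= NOTICE_DAYS:
                findings.append((p["name"], "expires_soon", left))
    return findings


if __name__ == "__main__":
    for name, finding, days in audit(PROFILES, date(2024, 6, 1)):
        print(f"{name:16} {finding:18} {days}")
```

OAuth profiles are skipped by the rotation check because their tokens auto-refresh; they surface here only when degraded or when an expiry date is known.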
IP allowlisting
For source systems that require an allowlist, APIXX sends all outbound traffic from a small set of static IPs per region. Your account team will provide the current list during onboarding; it's also pinned on the connector detail page for any allowlist-required system.
Connector catalog
The catalog is the canonical list of supported systems. Each entry includes the auth method, supported entities, latency characteristics, and rate-limit posture. Don't see what you need? Custom REST and GraphQL connectors are available — talk to your account team.
