Add a verified connector

Aperture maintains a registry of verified connectors with pre-configured defaults for known providers. When you add one from the connector picker, Aperture pre-fills the URL, authorization and token URLs, and scopes. You supply your OAuth client credentials. The picker lists every available provider. This guide uses Salesforce, Atlassian, and Slack as examples, but the steps are identical for any provider in the picker. For the full current list, refer to the connectors reference or open the picker.

Verified connectors use the per-user OAuth 2.0 authorization code flow, so each user authorizes individually after you configure the connector.

Prerequisites

Before you begin, you need the following:

• Admin access to the Aperture configuration, with the connectors feature flag enabled. Refer to get started with connectors.
• Permission to create an OAuth application in the provider's developer or admin console.

Step 1: Create the OAuth application at the provider

Configure the OAuth application on the provider first. Mismatched values between the provider and Aperture are the most common cause of connection failures.

1. Create an OAuth application in the provider's developer or admin console.
2. Register Aperture's callback URL as the redirect URI: https://<aperture-hostname>/aperture/auth/<connector-id>/callback. You set the connector ID in Aperture in Step 2: when you select a verified provider, Aperture pre-fills the ID with the provider name (for example, Salesforce). Keep it or change it, then use the same value here. If you prefer to lock the ID first, complete Step 2 before you register the callback URL.
3. Grant the application the scopes your users need. The picker pre-fills each provider's default scopes as editable chips, which you can add to or remove.
4. Note the client ID and client secret. You enter these in Aperture in the next step.

Step 2: Add the connector from the picker

Add and configure the connector in the Aperture dashboard:

1. In the Aperture dashboard, open Settings and go to Connectors.
2. Choose Add connector and select a verified provider from the list. Choose Custom connector to configure a provider that is not in the registry. Aperture pre-fills the URL, authorization URL, token URL, and default scopes, and sets the connector ID to the provider name.
3. Confirm or edit the connector ID, then enter your client ID and your client secret if your OAuth application uses one. PKCE-only applications can omit the secret. The connector ID must match the value you used in the callback URL.
4. When you select a verified provider, Aperture pre-fills any auth_params that provider requires for refresh tokens (for example, Atlassian's {"audience": "api.atlassian.com", "prompt": "consent"} or Google's {"access_type": "offline", "prompt": "consent"}). You normally do not need to change these. Refer to the connectors reference for auth_params details.
5. Save the connector. A live JSON preview shows the resulting configuration, with secrets masked.

The saved configuration is the authoritative source of truth. Registry defaults are starting points and are not enforced at runtime. Refer to the connectors reference for the registry's default URLs and scopes.

Step 3: Grant access

Verified connectors are deny-by-default like all connectors. Add a connectors grant so users can reach the connector's tools. Refer to grant access to MCP tools.

Step 4: Have users authorize

Because verified connectors use per-user OAuth, their tools do not appear until each user authorizes. Aperture fetches the tool catalog lazily on the first authenticated request from each user.

Tell your users to use the connector: open the Connectors page, select the connector, and choose Connect to complete the consent flow.

Related

• Set up a per-user OAuth 2.0 connector - Configure a custom connector that uses the same per-user OAuth flow.
• Connectors reference - The verified connectors registry, authentication types, and field definitions.