Skip to content

Assembly Connectors

The connector and integration patterns referenced throughout Assembly › Connectors draw on the 2024-2026 agentic-integration research lineage. This page catalogs the canonical bindings, authentication patterns, validation methods, and the selection criteria the platform uses when configuring connectors for a given Unitt.

Model Context Protocol

MCP, introduced by Anthropic in late 2024 and now jointly governed by Anthropic, OpenAI, and Google, has become the de-facto "USB-C for AI-native applications" and is the dominant connector substrate in 2026. The Official MCP Registry counted ~1,200 servers at end-Q1 2025, 6,800 at year-end 2025, and 9,400+ by mid-April 2026, a 7.8× year-over-year expansion. 78% of enterprise AI teams report at least one MCP-backed agent in production. Managed MCP servers are now first-party from Snowflake (Cortex Analyst / Search / Agents), Databricks (Unity-Catalog-governed Genie, Vector Search, UC Functions), ServiceNow (native MCP in Zurich release with A2A support), Salesforce (Composio / Agentforce-fronted MCP), and SAP (via partner gateways). MCPB bundles (.mcpb, manifest spec 0.3 as of December 2025) wrap server code, manifest, and deps into one portable ZIP.

OAuth 2.1 + PKCE, DPoP, Workload Identity Federation

OAuth 2.1 (mandatory PKCE, no implicit flow, exact redirect-URI match, mandatory refresh-token rotation, no password grant) is the baseline for agent connectors because agent runtimes are public clients with no secure secret storage. The pattern is per-agent short-lived access tokens (minutes), narrow scopes per tool, RFC 8693 token exchange to swap a user / principal token for a task-scoped agent token. DPoP (RFC 9449) cryptographically binds tokens to a per-client keypair via a JWT proof signed on every request; the 2026 stance is "DPoP is when, not if" (Aembit, WorkOS DPoP). For machine-to-machine, Workload Identity Federation lets EC2 / Lambda / GKE / Azure workloads exchange their native attestation for short-lived STS tokens with no exported keys.

OpenAPI / Spec-Driven Connectors

OpenAPI 3.x → MCP code generation (Speakeasy Gram, @taskade/mcp-openapi-codegen, FastMCP, openapi-mcp-generator) yields type-safe MCP tool definitions in seconds from any REST spec, with response schemas surfaced as structuredContent in the MCP tool result. Both Anthropic and OpenAI tool-use schemas align with JSON-Schema / OpenAPI parameter blocks, so the OpenAPI spec doubles as the tool descriptor. Keep OpenAPI as source-of-truth, regenerate MCP tools per release.

Credential Vaults

  • HashiCorp Vault Enterprise namespaces carve a single cluster into isolated mini-Vaults; the canonical pattern for per-tenant agent scoping (one namespace per tenant or per agent fleet), with Vault Agent injectors annotated vault.hashicorp.com/namespace=<tenant>.
  • AWS Secrets Manager uses hierarchical naming (/<env>/<tenant>/<connector>/<secret>) plus ABAC on session-tag-derived role assumption; April 2026 added managed external secrets for MongoDB Atlas and Confluent Cloud.
  • Azure Key Vault (tenant ID + RBAC, 2026 ML-pipeline integration) and GCP Secret Manager (notification-driven rotation, IAM bindings) are the equivalents on each cloud.

Cross-cloud policies should be mapped at the role tier, not per-secret, to avoid permission sprawl.

Webhook Ingest

Inbound connectors verify HMAC-SHA256 signatures over the raw body using a shared secret, with a constant-time compare, replay-window check (timestamp tolerance ~5 minutes), and per-source key rotation. The dominant 2026 pattern offloads work: the webhook endpoint validates the signature, enqueues onto Kafka / Pub-Sub / SQS, and returns 200 within milliseconds; the agent worker consumes from the topic. Event-triggered agents treat webhooks, inbound email, and inter-agent messages as first-class triggers.

Connector Validation

Validation in mature agent platforms is a three-stage probe: (1) probe; low-cost reachability / auth check (GET /healthz or MCP tools/list), (2) dry-run; submit a no-op or dry_run=true request against the real endpoint (analogous to Kubernetes server-side dry-run or Redis ACL DRYRUN), (3) permission check; assert the agent's principal has the minimum scopes each tool requires.

Canonical status states: ready, pending, failed, expired (token TTL elapsed), permission-denied (auth ok, scope insufficient), requires-review (manual approval gate). Each state has prescribed remediation (refresh, re-consent, escalate).

Identity And Blast Radius

CSA's 2026 framing is the "identity explosion": NHIs (service principals, agents, secrets) outnumber humans ~100:1, and 82% of organizations have unknown AI agents already running. Mitigation stack: every agent gets a distinct workload identity (not a shared service account); credentials are short-lived (minutes) and DPoP-bound; vault namespaces scoped per-tenant per-agent so a compromise blast-radius is one tenant × one tool × one TTL; CAEP enables real-time revocation. CSA launched the CSAI Foundation in March 2026 specifically to govern the agentic control plane.

MCP Security

Tool poisoning (CVE-2025-54136 MCPoison in Cursor) embeds adversarial directives in MCP tool descriptions that ride into the model context with full ambient authority; the Cursor case pinned trust to a config key name, not the command, allowing silent command swap after approval. Indirect prompt injection over MCP injects instructions via retrieved content the agent then "obeys." The 2026 defense is the MCP Gateway pattern: every tool call mediated through a central proxy that enforces allow-lists, OAuth / OIDC propagation, signs each tool descriptor, logs every allow / deny / mutate with a cryptographic trace ID to SIEM, and severs the session if a server attempts to register an unapproved tool mid-run (TrueFoundry, Microsoft).

Operational Limits

Per-connector resilience uses three layers: token-bucket rate limits (per-agent + per-tenant, 429 + Retry-After); circuit breakers (Closed → Open on error / cost-velocity → Half-Open probe); retry budgets with exponential backoff + jitter (1 / 2 / 4 / 8 s). Failure handling enumerates retry, fallback, skip, escalate, terminate. A documented hazard (TrueFoundry rate-limiting) is quadratic context growth from retry loops, so retry budgets must be enforced outside the agent loop.

Selection Criteria

Connector Class Auth Vault Scope Transport Validation Resilience
Cloud control Workload Identity Federation → STS Per-tenant IAM role MCP / HTTPS direct Probe + IAM SimulatePrincipalPolicy dry-run CB + retry budget; fallback read-replica
Data warehouse OAuth 2.1 + PKCE → managed MCP Vault namespace + UC ACLs Managed MCP Probe (SHOW TABLES) + role check Per-tenant QPS; fallback cached result
Transactional DB Vault dynamic creds (TTL ≤ 1h) Vault DB engine, per-agent role Direct TCP via sidecar SELECT 1 + ACL DRYRUN CB on conn pool; fallback read replica
Object storage STS AssumeRole + DPoP Path prefix per tenant SDK or MCP HeadObject + ABAC tag check Retry with jitter; skip non-critical
SaaS OAuth 2.1 + PKCE + refresh rotation Per-user delegated token Managed / OpenAPI-gen MCP Probe /me + scope introspect Gateway rate-limit; escalate on 403
Communication OAuth 2.1 user-delegated Per-workspace token MCP auth.test + channel ACL probe Retry on 429; fallback queue
Webhook ingest HMAC-SHA256 + timestamp window Per-source secret Kafka / Pub-Sub bridge Signature self-test + replay test DLQ on schema fail
Browser automation Sandboxed creds, per-job ephemeral JIT vault lease MCP (Playwright-MCP) URL allowlist + screenshot probe Terminate on infinite-loop heuristic
Source control GitHub App + fine-grained PAT Per-repo install token MCP GET /repos/:r + scope check CB on rate-limit reset
Vector DB API key in vault, short-lived Namespace per tenant MCP or SDK Dimension / index probe Retry; fallback keyword search

Cross-References