Authentication

Markdown

Composio simplifies authentication with Connect Links: hosted pages where users securely connect their accounts. There are two approaches. Choose based on where in your app users should authenticate.

Which approach should I use?

  • Users chat with your agent? Use in-chat authentication. The agent handles connection prompts automatically, no setup needed.
  • Want users connected before they chat? Use manual authentication. Your app calls session.authorize() during onboarding or from a settings page.

Not sure? Start with in-chat. You can add manual auth later.

In-chat authentication

By default, when a tool requires authentication, the agent prompts the user with a Connect Link. The user authenticates and confirms in chat. No setup needed. Just create a session and the agent handles OAuth flows, token refresh, and credential management automatically.

You: Summarize my emails from today

Agent: I need you to connect your Gmail account first. Please click here to authorize: https://connect.composio.dev/link/ln_abc123

You: Done

Agent: Here's a summary of your emails from today...

In-chat authentication guide

Configuration, callback URLs, and full examples

Manual authentication

Use session.authorize() to generate Connect Links programmatically when you want to control when and where users authenticate. Common use cases:

  • Onboarding: connect accounts during signup before the user ever chats with the agent
  • Settings page: let users manage their connections from a dedicated UI
  • Pre-flight checks: verify all required connections are active before starting a task

Manual authentication guide

session.authorize() API, callback URLs, and connection status checks

How Composio manages authentication

Behind the scenes, Composio uses auth configs to manage authentication.

An auth config is a blueprint that defines how authentication works for a toolkit across all your users. It specifies:

  • Authentication method: OAuth2, Bearer token, API key, or Basic Auth
  • Scopes: what actions your tools can perform
  • Credentials: your own app credentials or Composio's managed auth

Composio creates one auth config per toolkit, and it applies to every user who connects that toolkit. When a user authenticates, Composio creates a connected account that stores their credentials (OAuth tokens or API keys) and links them to your user ID. When you need to use your own OAuth credentials or customize scopes, you can create custom auth configs.

Composio handles this automatically:

  1. When a toolkit needs authentication, we create an auth config using Composio managed credentials
  2. The auth config is reused for all users authenticating with that toolkit
  3. Connected accounts are created and linked to your users

Most toolkits work out of the box with Composio managed OAuth. For API key-based toolkits, users enter their keys directly via Connect Link.

You only need to create a custom auth config when:

  • You want to use your own OAuth app credentials for white-labeling
  • You need specific OAuth scopes beyond the defaults
  • The toolkit doesn't have Composio managed auth
  • You have existing auth configs with connected accounts you want to use

To bring your own OAuth apps or customize scopes, see custom auth configs.

Tools and toolkits

How meta tools discover, authenticate, and execute tools

In-chat authentication

Let the agent prompt users to authenticate during conversation

Manual authentication

Generate Connect Links programmatically in your app

White-labeling

Customize OAuth screens with your branding

Custom auth configs

Use your own OAuth apps

On this page

Which approach should I use?In-chat authenticationManual authenticationHow Composio manages authenticationWhat to read nextRelated guides