Web4Guru AI Operations

Connections

Connections are owner-authorised, scoped credentials Black Box uses to act in external systems. We use OAuth and short-lived tokens wherever possible; we never ask for or store passwords. The owner sees every connection in the Power Grid and can revoke any of them in one click.

In one breath

  • OAuth and refresh tokens only — passwords never leave the owner.
  • Scopes per-specialist, audited in the Power Grid.
  • One-click revoke, automatic rotation, attention card on failure.

How a connection is added

From the dashboard the owner picks a service, completes the provider's OAuth consent, and Black Box stores only the refresh token (encrypted at rest) plus the granted scopes. The owner sees a row in the Power Grid: which scopes, which specialists may use it, and the last time it was used.

Scoping and least privilege

Each specialist gets the narrowest scope that lets it do the job. The Sales Specialist needs Gmail send-as for one alias, not full mailbox read. The Coding Specialist needs GitHub repo write on one repo, not the whole org. Out-of-scope use trips the circuit breaker.
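A sketch of the per-specialist scope check described above. This is an added example, not Black Box's own code. The Connection class, the scope strings, and the breaker behaviour (block all further use of the connection until reset) are assumptions made for illustration.

```python
from dataclasses import dataclass, field

class OutOfScope(Exception):
    """A specialist asked for a scope it was not assigned."""

@dataclass
class Connection:  # hypothetical model of one Power Grid row
    service: str
    granted: frozenset                      # scopes the owner consented to
    per_specialist: dict = field(default_factory=dict)
    tripped: bool = False                   # assumed breaker: blocks until reset
    audit: list = field(default_factory=list)

    def assign(self, specialist, scopes):
        scopes = frozenset(scopes)
        if not scopes <= self.granted:      # never hand out more than was consented
            raise ValueError(f"not granted: {sorted(scopes - self.granted)}")
        self.per_specialist[specialist] = scopes

    def authorize(self, specialist, scope):
        allowed = self.per_specialist.get(specialist, frozenset())  # default deny
        if self.tripped:
            self.audit.append((specialist, scope, "blocked"))
            raise OutOfScope(f"{self.service}: breaker open")
        if scope not in allowed:
            self.tripped = True             # out-of-scope use trips the breaker
            self.audit.append((specialist, scope, "out_of_scope"))
            raise OutOfScope(f"{specialist} may not use {scope}")
        self.audit.append((specialist, scope, "allowed"))
        return True

def demo():
    # Constructed scope strings, loosely following the GitHub example above.
    gh = Connection("github", frozenset({"repo:example/site:write"}))
    gh.assign("coding", {"repo:example/site:write"})
    gh.authorize("coding", "repo:example/site:write")
    for scope in ("org:example:admin", "repo:example/site:write"):
        try:
            gh.authorize("coding", scope)
        except OutOfScope:
            pass
    return [outcome for _, _, outcome in gh.audit]

if __name__ == "__main__":
    print(demo())
```

Once the breaker is open, even a request that was previously in scope is refused, and every decision lands in the audit list.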

Revocation and rotation

One-click revoke removes the token from Black Box and (where the provider supports it) calls the provider's revoke endpoint. Tokens auto-rotate on the provider's expiry; failed rotation surfaces an attention_required card rather than silently breaking a run.
