Sovereign Platform is in pre-launch alpha.
Not yet available to purchase. Sign up for our mailing list for upcoming launch dates.
Loading documentation, please wait.
Sovereign Platform is in pre-launch alpha.
Not yet available to purchase. Sign up for our mailing list for upcoming launch dates.
Before your workflows can interact with external services like Confluence, Jira, or Monday.com, you need to set up credentials. How this works depends on your deployment type.
If you are on the Managed tier (Nemorion-hosted), most popular services are pre-configured. We have already registered the OAuth applications with the major service providers on your behalf. You simply:
No admin setup is required — we handle the OAuth registration behind the scenes.
If you are running Sovereign on your own infrastructure, you need to register OAuth applications yourself. This is a one-time setup per service.
Self-Hosted Setup Required
The steps below apply to self-hosted deployments (Starter, Professional, Enterprise, and Air-Gapped tiers). If you are on the Managed tier, skip ahead to "Users Connect" — the admin registration is already done for you.
Layer 1: Admin registers the OAuth application (once)
An administrator registers the OAuth application details — the client ID and client secret obtained from the external service's developer console. This is done once per service and applies to the entire deployment.
Layer 2: Users authorize their connection (per user)
Individual users click "Connect" and go through the OAuth flow to authorize Sovereign to act on their behalf. They never see or handle client secrets — they just log in to the service and approve access.
This is similar to how you connect apps to your Google account: someone registered the app with Google (Layer 1), and you just click "Allow" when prompted (Layer 2).
One Setup, Many Users
Once an admin registers the OAuth application for a service, any number of users can connect their own accounts. The admin setup is a one-time task per service.
Some services use API keys instead of OAuth. For these, users provide their API key directly, and it is stored securely alongside OAuth credentials.
All credentials are protected with multiple layers of security:
Encryption Key Management
The encryption master key must be configured securely. In production, use a dedicated key management service (such as Azure Key Vault or HashiCorp Vault) rather than environment variables. See Configuration Reference for details.
Users can view their active connections and see which services are connected. Each connection shows the service name, when it was authorized, and its current status (active, expired, or revoked).
Users can disconnect from a service at any time. This revokes the stored tokens and prevents further API calls to that service on their behalf.
Administrators can configure policies that control how connections are used:
To connect a new external service to your deployment:
Obtain OAuth credentials from the service's developer console. You will need the client ID and client secret. Set the redirect URI to your Auth Service's callback URL.
Register the OAuth application in your Sovereign deployment's admin settings, providing the client ID, client secret, and any service-specific configuration.
Users connect by clicking the "Connect" button for that service, which launches the OAuth authorization flow in their browser.
For services using API keys, users enter their key directly — no admin registration step is needed.