# Connect app at the organization level

> Connects an app using direct credentials (API key, service account, etc.) at the organization level. The connection is shared by every project in the organization. Available on OneCLI Cloud and self-hosted Enterprise. Requires admin role.



## OpenAPI

````yaml /openapi.yaml post /org/apps/{provider}/connect
openapi: 3.1.0
info:
  title: OneCLI API
  version: '1.0'
  description: >
    The OneCLI API lets you manage agents, secrets, policy rules, app
    connections, and user settings programmatically.


    **Base URL:** `https://api.onecli.sh/v1` (Cloud) or
    `http://localhost:10254/v1` (self-hosted)


    ## Authentication


    All endpoints require authentication via one of:


    - **API Key** — `Authorization: Bearer <key>` header. Generate keys in the
    dashboard or via `GET /v1/user/api-key`.

    - **Session** — Cookie-based session from the web dashboard.


    For organization-scoped API keys, include the `X-Project-Id` header to
    specify which project to operate on.
servers:
  - url: https://api.onecli.sh/v1
    description: OneCLI Cloud
  - url: http://localhost:10254/v1
    description: Self-hosted (Docker)
security:
  - bearerAuth: []
tags:
  - name: Agents
    description: Manage agents and their access tokens, secrets, and configuration.
  - name: Secrets
    description: Manage credentials that the gateway injects into outbound requests.
  - name: Rules
    description: >-
      Manage policy rules that control how agents interact with external
      services.
  - name: User
    description: Manage your user profile and API keys.
  - name: Projects
    description: >-
      Manage projects within your organization. Requires admin role for
      create/update and owner role for delete. Cloud only.
  - name: Team
    description: Provision team members programmatically. Requires admin role. Cloud only.
  - name: Apps
    description: >-
      Manage app connections (OAuth and direct credentials), BYOC configuration,
      permission catalogs, and blocklists.
  - name: Connections
    description: App connections as a top-level resource.
  - name: Utility
    description: Health check and project resource summaries.
  - name: Agent Setup
    description: >-
      Endpoints agents and orchestrators use to bootstrap gateway access
      (container config, credential stubs, gateway skill).
  - name: Migration
    description: Migrate data from a self-hosted instance to OneCLI Cloud.
  - name: Organization Settings
    description: >-
      Organization-wide policy settings. Available on OneCLI Cloud and
      self-hosted Enterprise.
  - name: Organization Secrets
    description: >-
      Manage secrets at the organization level. Organization secrets apply
      across all projects. Available on OneCLI Cloud and self-hosted Enterprise.
  - name: Organization Rules
    description: >-
      Manage policy rules at the organization level. Organization rules apply
      across all projects. Available on OneCLI Cloud and self-hosted Enterprise.
  - name: Organization Connections
    description: >-
      Manage app connections at the organization level. Available on OneCLI
      Cloud and self-hosted Enterprise.
  - name: Organization App Config
    description: >-
      Connect apps (OAuth and direct credentials) and manage BYOC app
      configuration at the organization level. Available on OneCLI Cloud and
      self-hosted Enterprise.
  - name: Partner Organizations
    description: >-
      Create and manage customer organizations as a partner. Requires a Partner
      API key. Cloud only.
  - name: Partner Projects
    description: Manage projects within an unclaimed partner organization. Cloud only.
  - name: Partner Secrets
    description: >-
      Manage partner-level secrets inherited by every organization you manage.
      Cloud only.
  - name: Partner Budgets
    description: >-
      Cap how much an organization can spend on a partner LLM key. Owner or
      admin only. Cloud only.
  - name: Partner Members
    description: >-
      Manage who can sign in to your partner portal. Owner or admin only. Cloud
      only.
  - name: Organization Partner
    description: Inspect and detach an organization's partner relationship. Cloud only.
paths:
  /org/apps/{provider}/connect:
    post:
      tags:
        - Organization App Config
      summary: Connect app at the organization level
      description: >-
        Connects an app using direct credentials (API key, service account,
        etc.) at the organization level. The connection is shared by every
        project in the organization. Available on OneCLI Cloud and self-hosted
        Enterprise. Requires admin role.
      operationId: connectOrgApp
      parameters:
        - $ref: '#/components/parameters/provider'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - fields
              properties:
                fields:
                  type: object
                  additionalProperties:
                    type: string
                  description: Credential fields required by the app
                  example:
                    apiKey: sk-...
                connectionId:
                  type: string
                  description: Reconnect an existing connection
                label:
                  type: string
                  description: >-
                    Display label for the connection. Defaults to a label
                    derived from the credential metadata.
                method:
                  type: string
                  description: >-
                    Connection method to use for apps with multiple methods
                    (e.g. OAuth primary + API-key alternate). An unrecognized
                    value is rejected.
      responses:
        '200':
          description: Connected
          content:
            application/json:
              schema:
                type: object
                properties:
                  success:
                    type: boolean
        '400':
          description: Validation error or provider not available
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
        '403':
          description: Insufficient role or not a member of the organization
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
components:
  parameters:
    provider:
      name: provider
      in: path
      required: true
      schema:
        type: string
      description: App provider identifier (e.g., `gmail`, `github`, `jira`)
  schemas:
    Error:
      description: |
        Error responses take one of two shapes depending on the failing layer:
        route-level validation returns the flat shape (`{ "error": "..." }`),
        while authentication failures (401/403) and service errors (not-found,
        conflict, and service-level validation) return the envelope
        (`{ "error": { "message": "...", "type": "..." } }`).
      oneOf:
        - $ref: '#/components/schemas/ErrorFlat'
        - $ref: '#/components/schemas/ErrorEnvelope'
    ErrorFlat:
      type: object
      description: Flat error shape used by route-level validation.
      properties:
        error:
          type: string
      required:
        - error
    ErrorEnvelope:
      type: object
      description: >-
        Envelope error shape used for authentication failures and service
        errors.
      properties:
        error:
          type: object
          properties:
            message:
              type: string
            type:
              type: string
              description: Error category (e.g. `authentication_error`).
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      description: API key obtained from the dashboard or `GET /user/api-key`

````
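A client-side sketch for this endpoint, added here as an example and not part of OneCLI's own code: it builds the request body to match the schema above, masks credential values before anything is logged, and normalizes the two documented error shapes (`ErrorFlat` and `ErrorEnvelope`) into one tuple. The function names, the `"validation"` label given to flat errors, and the sample error messages are assumptions made for illustration.

```python
import json
from urllib.parse import quote

BASE_URL = "https://api.onecli.sh/v1"  # Cloud base URL from the spec
# Constructed sample error bodies (message text is illustrative, not real API output)
SAMPLE_FLAT = '{"error": "fields is required"}'
SAMPLE_ENVELOPE = '{"error": {"message": "Admin role required", "type": "authentication_error"}}'


def build_connect_request(provider, fields, api_key, label=None, method=None):
    """Return (url, headers, body_json) for POST /org/apps/{provider}/connect."""
    if not isinstance(fields, dict):
        raise ValueError("'fields' is required and must be an object")
    bad = sorted(k for k, v in fields.items() if not isinstance(v, str))
    if bad:
        raise ValueError(f"non-string credential fields: {bad}")  # names only, never values
    body = {"fields": fields}
    for key, val in (("label", label), ("method", method)):
        if val is not None:
            body[key] = val
    # Percent-encode the provider so it cannot add extra path segments.
    url = f"{BASE_URL}/org/apps/{quote(provider, safe='')}/connect"
    headers = {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}
    return url, headers, json.dumps(body)


def redacted(body_json):
    """Copy of the request body that is safe to log: credential values masked."""
    body = json.loads(body_json)
    body["fields"] = {k: "***" for k in body["fields"]}
    return body


def parse_error(status, raw):
    """Normalize both documented error shapes to (status, type, message)."""
    try:
        err = json.loads(raw).get("error")
    except (ValueError, AttributeError):
        return status, "unparseable", ""
    if isinstance(err, str):   # ErrorFlat: route-level validation
        return status, "validation", err  # "validation" is this example's own label
    if isinstance(err, dict):  # ErrorEnvelope: authentication and service errors
        return status, err.get("type", "unknown"), err.get("message", "")
    return status, "unparseable", ""
```

Because the connection is shared by every project in the organization, log `redacted(body)` rather than the raw body, and treat a 403 envelope as a role or membership problem rather than retrying with the same key.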