Overview
OneCLI connects AI agents to Attio through OAuth or a scoped API key. Agents can read and manage CRM data such as contacts, companies, deals, lists, notes, and tasks, with credentials injected into requests to the Attio API automatically. This is useful for agents that enrich records, move deals through a pipeline, or capture notes and tasks without manual CRM data entry.How it works
OneCLI sits between your agent and Attio as a transparent proxy. When an agent calls the Attio API, the gateway matches the request, injects the stored credential, and forwards it toapi.attio.com. Your agent never sees the token or API key.
Because the gateway speaks the Attio REST API directly, agents use the same endpoints and request shapes as any Attio client. There is no SDK to install and no Attio-specific code in your agent. You connect Attio once, assign it to an agent, and the agent can read and write CRM data within the permissions you grant.
OneCLI also handles the connection lifecycle. For OAuth connections it refreshes expiring access tokens for you. For API key connections it injects your key on every request. In both cases credentials are encrypted at rest and only decrypted inside the gateway at request time.
Setup
OAuth is the default connection method and requires no setup beyond authorizing OneCLI.Authorize
Click Connect to Attio. You’ll be redirected to Attio to sign in and authorize OneCLI. Review the requested permissions and click Allow.
Configure
OAuth works out of the box. If you want tighter control over what an agent can reach, connect Attio with your own API key instead and grant it only the scopes you need, rather than the full OAuth scope set. For example, create a read-only key, or one limited to specific objects.Create a scoped API key in Attio
In Attio, create an API key and select only the scopes your agents require. Attio’s guide walks through this: Generating an API key.
Permissions
OAuth connections request the following scopes. With an API key, you choose the scopes when you create the key in Attio.| Permission | Access | Description |
|---|---|---|
| Records | Read & write | Contacts, companies, and deals |
| Object configuration | Read & write | Custom objects and attributes |
| List entries | Read & write | Entries in lists |
| List configuration | Read & write | Lists and their columns |
| Notes | Read & write | Notes on records |
| Tasks | Read & write | Tasks and assignments |
| Comments | Read & write | Threads and comments |
| Files | Read & write | Upload and view files |
| Webhooks | Read & write | Manage webhooks |
| User management | Read | View workspace members |
| Meetings | Read & write | View and manage meetings |
| Call recordings | Read | Transcripts and speakers |
What agents can do
- Search and manage contacts, companies, and deals
- Create and update records, custom objects, and attributes
- Organize lists and list entries
- Add notes, tasks, and comments to records
- Upload and read files attached to records
- Read meeting details and call recording transcripts
- Manage webhooks for real-time updates
Disconnecting
You can disconnect Attio at any time. OAuth connections- In OneCLI, open Connections > Attio and remove the connection.
- In Attio, you can also revoke access by uninstalling OneCLI from the installed apps section of your workspace settings.
- In OneCLI, open Connections > Attio and remove the connection.
- In Attio, revoke or delete the API key so it can no longer be used.