Noorle provides secure credential management for all connector types, with multiple authentication methods and encrypted storage.

Authentication Methods

No Authentication

For public endpoints with no auth required.
{
  "auth_config": {
    "type": "none"
  }
}

Bearer Token

API key in Authorization header.
{
  "auth_config": {
    "type": "bearer",
    "token": "sk-abc123..."
  }
}
Used by: Stripe, OpenAI, GitHub, most modern APIs

Basic Authentication

Username:password in header.
{
  "auth_config": {
    "type": "basic",
    "username": "user",
    "password": "pass"
  }
}
Used by: Older APIs, legacy services

API Key (Custom Header)

API key in custom header.
{
  "auth_config": {
    "type": "api_key",
    "header_name": "X-API-Key",
    "key_value": "your-key"
  }
}
Used by: many cloud and REST APIs
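
What the three static methods above put on the wire, as an added example (not Noorle's code). The mapping follows the standard Bearer (RFC 6750) and Basic (RFC 7617) schemes; `build_auth_headers` is a hypothetical name, and the CR/LF and header-name checks are assumptions about sensible validation, not documented Noorle behaviour.

```python
import base64


def build_auth_headers(auth_config):
    """Translate one auth_config object (the schema shown above) into request headers."""
    kind = auth_config.get("type")

    def clean(field):
        value = auth_config.get(field)
        # Reject CR/LF so a stored credential cannot smuggle extra header lines.
        if not isinstance(value, str) or not value or "\r" in value or "\n" in value:
            raise ValueError(f"invalid {field}")
        return value

    if kind == "none":
        return {}
    if kind == "bearer":
        return {"Authorization": "Bearer " + clean("token")}
    if kind == "basic":
        user = clean("username")
        if ":" in user:
            raise ValueError("username must not contain ':'")  # RFC 7617 user-id rule
        pair = f"{user}:{clean('password')}".encode("utf-8")
        # Base64 is an encoding, not encryption: anyone who sees the header
        # recovers the password, so Basic is only acceptable over TLS.
        return {"Authorization": "Basic " + base64.b64encode(pair).decode("ascii")}
    if kind == "api_key":
        name = clean("header_name")
        # Conservative subset of the characters HTTP allows in a header name.
        if not (name.isascii() and name.replace("-", "").replace("_", "").isalnum()):
            raise ValueError("invalid header_name")
        return {name: clean("key_value")}
    raise ValueError(f"unsupported auth type: {kind!r}")
```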

OAuth 2.0

Dynamic token exchange and refresh.
{
  "auth_config": {
    "type": "oauth2",
    "provider": "custom",
    "authorization_url": "https://auth.example.com/oauth/authorize",
    "token_url": "https://auth.example.com/oauth/token",
    "client_id": "your-client-id",
    "client_secret": "your-secret",
    "scopes": ["read", "write"]
  }
}
Used by: Google, GitHub, Slack, enterprise APIs

Configuring Authentication

REST Connector

  1. Connectors > Select connector
  2. Click Authentication
  3. Choose method
  4. Enter credentials
  5. Click Test
  6. Click Save

MCP Registry

  1. Connectors > Select connector
  2. View required credentials (shown during setup)
  3. Enter API key or authorize OAuth
  4. Connector tests automatically

Custom MCP

  1. Connectors > Select connector
  2. Click Authentication
  3. Set headers or environment variables
  4. Provide credentials
  5. Test connection

Encryption

At Rest

All credentials encrypted using AES-256-GCM:
  • Encryption key managed by Noorle
  • Credentials never logged
  • Safe to store in configuration

In Transit

All connections use HTTPS/TLS:
  • End-to-end encryption
  • Certificate validation
  • No credential exposure

Display

Never shows full credentials:
  • Display only last 6 characters
  • Example: sk-abc123...
  • Full key shown only when first created

OAuth 2.0 Flow

OAuth 2.0 handles credential exchange securely:
  1. User Clicks Authorize: Click Authorize button in connector setup.
  2. Redirected to Service: Browser redirects to service’s OAuth authorization page.
  3. Grant Permissions: User grants permissions that connector needs.
  4. Return to Noorle: Service redirects back to Noorle with authorization code.
  5. Exchange for Token: Noorle exchanges code for access token (happens server-side).
  6. Token Stored: Access token stored securely, encrypted at rest.
  7. Auto-Refresh: Token automatically refreshed before expiry.
Benefits:
  • User never shares password
  • Credentials stay on service
  • Automatic refresh
  • Revocable at any time
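
The redirect, callback, exchange and refresh steps above, sketched as an added example (not Noorle's implementation) using the `oauth2` config fields from this page. The function names, the `redirect_uri` parameter, the `state` check and the 300-second refresh margin are assumptions; the code builds the requests but sends nothing.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

def start_authorization(cfg, redirect_uri):
    """Steps 1-2: build the redirect to the service; returns (url, state)."""
    state = secrets.token_urlsafe(32)  # unguessable; keep it in the user's session
    query = urlencode({
        "response_type": "code",
        "client_id": cfg["client_id"],
        "redirect_uri": redirect_uri,
        "scope": " ".join(cfg["scopes"]),
        "state": state,
    })
    return f'{cfg["authorization_url"]}?{query}', state

def handle_callback(callback_url, expected_state):
    """Step 4: accept the authorization code only if state matches the session."""
    params = parse_qs(urlsplit(callback_url).query)
    if "error" in params:
        raise PermissionError(params["error"][0])
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise PermissionError("state mismatch: callback not tied to this session")
    code = params.get("code", [""])[0]
    if not code:
        raise PermissionError("no authorization code in callback")
    return code

def token_request(cfg, code, redirect_uri):
    """Step 5: server-side exchange; client_secret never reaches the browser."""
    if urlsplit(cfg["token_url"]).scheme != "https":
        raise ValueError("token_url must be https")
    return cfg["token_url"], {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": cfg["client_id"],
        "client_secret": cfg["client_secret"],
    }

def needs_refresh(expires_at, now=None, skew=300):
    """Step 7: refresh ahead of expiry, leaving a margin for clock skew."""
    return (time.time() if now is None else now) >= expires_at - skew
```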

Scope Management

Scopes control what the connector can access:
OAuth scopes: ["repo", "user:email"]
This means the connector can:
  • ✓ Access repositories
  • ✓ Read email addresses
  • ✗ Delete repositories (not requested)
  • ✗ Modify settings (not requested)
Only request scopes you need (principle of least privilege).

Credential Rotation

Rotate Bearer Token

  1. Generate new token from service
  2. In connector, click Edit Authentication
  3. Update token value
  4. Test new token works
  5. Save
Old token still works during transition period.

Rotate OAuth Token

  1. Connector auto-rotates OAuth tokens
  2. No action needed
  3. Old token revoked automatically
  4. New token fetched before expiry

Rotate API Keys

  1. Generate new key from service
  2. In connector, click Edit Authentication
  3. Update key value
  4. Test that it works
  5. Optionally disable old key at service

Testing Authentication

Always test after configuring:
  1. Connectors > Select connector
  2. Click Test
  3. Select operation/tool
  4. Provide sample input
  5. Execute
  6. Verify success
If test fails, check:
  • Credentials are correct
  • Token hasn’t expired
  • Key has required permissions
  • Service is online

Common Auth Issues

“Invalid Credentials”

  • Double-check API key or token
  • Verify correct auth type
  • Check that all characters of the secret were copied correctly
  • Try regenerating token/key

“Insufficient Permissions”

  • OAuth scopes may be too limited
  • Re-authorize with more scopes
  • Check service role/tier
  • Verify account permissions

“Token Expired”

  • OAuth tokens auto-refresh (should be automatic)
  • Bearer tokens: manually update
  • Check if service revoked access
  • Re-authorize OAuth flow

“Authentication URL Not Found”

  • OAuth endpoints may have changed
  • Check service documentation
  • Verify correct provider configuration
  • Try custom OAuth setup

Security Best Practices

API Keys

  • Treat like passwords
  • Store in secret manager, not code
  • Rotate regularly (quarterly)
  • Use minimum scope/permissions
  • Disable unused keys immediately

OAuth

  • Review scopes before authorizing
  • Revoke access if no longer needed
  • Check authorized apps regularly
  • Only use for necessary integrations

Multi-factor Authentication

Enable 2FA on services with sensitive integrations:
  • GitHub
  • Stripe
  • Cloud services

Audit Log

Monitor who uses connectors:
  1. Connectors > Select connector
  2. View Activity tab
  3. Check recent usage
  4. Alert on suspicious activity

Credential Deletion

To completely remove credentials:
  1. Delete the connector entirely
    • Credentials removed
    • Service revoked (if OAuth)
    • Cannot undo
OR
  1. Update to different auth method
    • Old credentials replaced
    • Previous method no longer used
    • Still cannot undo

Integration-Specific Auth

Stripe

GitHub

Slack

  • Type: OAuth 2.0 or Bearer
  • OAuth scopes: chat:write, channels:read
  • Token: xoxb-… (bot token)
