Connections
A Connection is an OAuth link between your Aerostack workspace and a third-party provider (Google, GitHub, Slack, Notion, …). Once connected, every MCP server for that provider works automatically — Gmail, Drive, Calendar, and Sheets all share one Google connection; you don’t connect each app separately.
Tokens are encrypted with AES-256-GCM, refreshed in the background, and never returned through the dashboard or API. Aerostack injects them only at request time, scoped to a single tool call.
How it works
You connect Google once
↓
Aerostack stores access_token + refresh_token (encrypted)
↓
You install Gmail / Drive / Calendar MCPs — no extra setup
↓
On every tool call, Aerostack pulls the latest token,
injects it into the MCP request, and refreshes if expiredTwo ways to connect Google
| Aerostack-Verified | Custom (BYO) | |
|---|---|---|
| Status | Coming soon | Available now |
| Setup time | 0 min (just click Connect) | ~5 min (you create your own Google OAuth app) |
| Test-user limit | None | 100 (from your Cloud Console) |
| Quota | Shared across Aerostack users | Your own quota — independent |
| Refresh tokens | Auto-rotate forever | Auto-rotate forever |
| ”App not verified” warning | Hidden | Shown on first authorize (one click past) |
If you can spare 5 minutes, BYO is recommended today — your tokens never expire, your quota is your own, and you don’t wait on Google verification.
→ Connect Google (Custom OAuth) — full guide
Other providers
| Provider | Status |
|---|---|
| Notion | ✅ Available |
| GitHub | ✅ Available |
| Slack | ✅ Available |
| Linear | ✅ Available |
| Atlassian (Jira / Confluence) | ✅ Available |
| Discord | ✅ Available |
| Figma | ✅ Available |
| Canva | ✅ Available |
| Trello | ✅ Available |
| Microsoft (Outlook, OneDrive, Teams) | 🟡 Coming soon |
| Dropbox | ✅ Available |
| Asana | ✅ Available |
| HubSpot | ✅ Available |
| Salesforce | ✅ Available |
| Google (Gmail, Drive, Calendar, Sheets) | 🟡 Verified app coming soon · ✅ Custom OAuth available |
Security model
- Each token is encrypted with a per-environment AES-256-GCM key. The dashboard never returns plaintext.
- Refresh tokens rotate before expiry via a background cron — your MCP calls keep working without manual intervention.
- Disconnecting from the dashboard immediately revokes the broker token and deletes the encrypted secret. Your provider account is untouched.
- A connection is per-workspace, not per-user — workspace members share the same tokens. Use separate workspaces if you need separate identities.