Provider Connections

This page explains the lifecycle of a provider connection.

The connection lifecycle

conjra add <provider> │ ▼ Validate provider exists in registry │ ▼ Check if already connected ├─ Yes → Show masked keys, exit └─ No  → Prompt for credentials → Encrypt → Store → Confirm

Adding a provider

When you run conjra add <provider>, Conjra:

  1. Validates the provider name against supported list
  2. Checks if credentials already exist in the vault
  3. Prompts for required credential keys
  4. Encrypts with AES-256-GCM using your machine fingerprint
  5. Stores at ~/.conjra/vault/{provider}.enc
  6. Displays masked credentials

Credential prompts

Each provider specifies required credential keys:

  • Stripe: apiKey (secret key)
  • Supabase: accessToken (personal access token)
  • Twilio: accountSid + authToken (basic auth)
  • GitHub: accessToken (personal access token)

OAuth flow

OAuth 2.0 is partially implemented but not yet wired into the CLI. You will be prompted to enter a personal access token instead.

Removing a provider

conjra remove <provider>

Deletes the encrypted vault file.

Checking connection status

conjra status

Shows version, connected providers with masked keys, and MCP registration status.

When tools access credentials

When your AI calls an MCP tool, Conjra extracts the provider from the tool name (e.g., create_stripe_productstripe), decrypts the vault file, makes the API call, and returns the result. If the provider is not connected, it returns: Provider "stripe" is not connected. Run: conjra add stripe

Edit this page on GitHub
PreviousMCP Tools ExplainedNextConfig File