Kambrium provides two approaches for authenticating users with external SaaS tools (Pipedrive, Gmail, etc.), each suited for different integration scenarios.

Authentication Methods

API Key Authentication

Simple authentication using SaaS provider API keys - best for services that support it.

OAuth 2.1 Authentication

Standards-based OAuth flows for secure, token-based authentication with external services.

Integration Approaches

Direct Web UI

Best for: Individual connections and quick setup

Users complete authentication directly in Kambrium’s web interface:

  • Click “Connect to [SaaS provider]” button
  • Complete OAuth flow on provider’s site
  • Credentials securely stored by Kambrium
  • Ready to use with MCP servers

When to use: Creating individual SaaS connections for your own use, prototyping, or simple integrations.

Management API Integration

Best for: Production applications and customer-facing solutions

Embed authentication flows into your own application:

  • Your application initiates OAuth through Kambrium’s API
  • Users see your branding throughout the flow
  • Full control over user experience
  • Credentials managed programmatically

When to use: Building customer-facing applications where users need to connect their own SaaS accounts through your branded interface.

OAuth Integration

For production applications requiring seamless user experience, Kambrium provides OAuth authorization URL generation that allows you to integrate OAuth flows into your application.

OAuth Integration Guide

Complete guide to integrating OAuth flows in your application

Implementation Examples

Via Web Interface

Users authenticate through the Kambrium dashboard when creating MCP server connections:

  1. Navigate to “Create MCP Server”
  2. Select SaaS provider (e.g., Pipedrive)
  3. Choose authentication method
  4. Complete OAuth flow or provide API key
  5. MCP server ready for use

Via Management API

Programmatic authentication for your application:

{
  "mcp_server": "pipedrive",
  "access_type": "write",
  "auth_method": "oauth"
}

For API key authentication:

{
  "mcp_server": "pipedrive",
  "access_type": "write",
  "api_key": "user-provided-api-key"
}

Schema Validation

The Management API enforces proper authentication method usage to prevent conflicts:

Valid Requests

// API Key method (default)
{
  "mcp_server": "pipedrive",
  "api_key": "user-provided-key"
}

// OAuth method
{
  "mcp_server": "pipedrive",
  "auth_method": "oauth"
}

Invalid Request

// Returns 422 error - cannot mix authentication methods
{
  "mcp_server": "pipedrive",
  "auth_method": "oauth",
  "api_key": "should-not-be-provided"
}

How MCP Servers Use Credentials

Once authenticated, MCP servers use the stored credentials to make API calls to SaaS providers on behalf of users. The MCP server handles all SaaS API interactions - users only need to provide initial authentication.