Skip to main content
This page covers technical details about configuring connectors for your organization, including authentication setup, access control, and security considerations. Connectors enable WRITER Agent to access enterprise tools through Writer’s Model Context Protocol (MCP) gateway. After you configure connectors in AI Studio, users in your organization can connect to them through WRITER Agent. For step-by-step connector configuration instructions, see Setting up connectors in the Writer Help Center.
MCP connectors are currently available for WRITER Agent. Connectors do not currently support Agent Builder, no-code agents, or API integrations.

How MCP gateway works

Writer’s MCP gateway sits between WRITER Agent and partner MCP servers. This architecture provides centralized security, access control, and observability for enterprise deployments. You can use the MCP gateway to connect your WRITER Agent to supported connectors. Connector requests flow through the following steps:
  1. Client connection: WRITER Agent connects to Writer’s unified MCP server
  2. Request submission: WRITER Agent sends HTTP requests to the MCP gateway endpoint
  3. Authentication: The gateway validates user identity and permissions using your Writer organization’s access controls
  4. Request routing: Authenticated requests are routed to the appropriate partner MCP server
  5. Response delivery: Results are returned to the agent through the secure channel

Available connectors

Writer provides connectors to enterprise tools across multiple categories. Below is a list of currently supported connectors.
ConnectorAuth typeProvider authentication docs
FactSetOAuth 2.0View docs
GmailOAuth 2.0View docs
GongAPI key + Tenant URLView docs
Google CalendarOAuth 2.0View docs
Google DocsOAuth 2.0View docs
Google SheetsOAuth 2.0View docs
HubSpotOAuth 2.0View docs
Microsoft CalendarOAuth 2.0View docs
Microsoft OneDriveOAuth 2.0View docs
Microsoft OutlookOAuth 2.0View docs
Microsoft SharePointOAuth 2.0View docs
Microsoft TeamsOAuth 2.0View docs
PitchBookAPI keyView docs
SlackOAuth 2.0View docs

Set up connectors

Connector setup happens in AI Studio under Connectors & Tools. For step-by-step instructions on configuring connectors, selecting tools, and managing permissions, see Setting up connectors. The sections below cover the technical authentication requirements for connectors.

Set up connector authentication

The three types of authentication for connectors are OAuth 2.0, API key, and tenant-based. The type of authentication required for a connector depends on the third-party service, and the connector configuration flow in AI Studio guides you through the required setup. OAuth 2.0 connectors (FactSet, Google, Microsoft, Slack, HubSpot):
  • Most OAuth connectors support WRITER-managed authentication (no OAuth app setup required)
  • Alternatively, you can create your own OAuth application for custom branding and control
  • FactSet, Slack, and HubSpot require organization-managed OAuth (WRITER-managed not available)
  • See Set up OAuth for details on both options
API key connectors (PitchBook, Gong):
  • Require an API key from the third-party service
  • Some services require additional configuration like tenant URLs
  • See the available connectors table for links to the provider’s documentation on how to create API keys
Tenant-based connectors (Gong):
  • Uses an API key and an additional tenant URL to authenticate requests
  • Require your organization’s specific instance URL. For example: https://yourcompany.gong.io
  • Used to identify your organization’s instance in multi-tenant services

Set up OAuth

Most OAuth connectors support two authentication options in AI Studio: WRITER-managed OAuth (recommended for most users):
  • Writer provides and manages the OAuth application
  • No OAuth app setup required
  • Users authorize access to their account when they first use the connector
  • Faster setup with less configuration
Organization-managed OAuth:
  • You create and manage your own OAuth application with the provider
  • Provides more control and custom branding
  • Requires OAuth app configuration with client ID and client secret
  • Required for: FactSet, HubSpot, Slack
FactSet, HubSpot, and Slack connectors only support organization-managed OAuth. All other OAuth connectors support both options.

OAuth connection levels

When configuring an OAuth connector, you choose whether to use user-level or org-level authentication: User-level OAuth (most common):
  • Each user connects their own personal account (their Gmail, Slack, etc.)
  • OAuth authentication happens when individual users first try to use the connector
  • Administrators configure the connector in AI Studio, but don’t authenticate during setup
  • Users authenticate through WRITER Agent the first time they interact with the connector
Org-level OAuth:
  • A single shared OAuth connection for the entire organization
  • OAuth authentication happens during connector setup in AI Studio
  • Administrators authenticate with the provider when configuring the connector
  • Users can immediately use the connector without individual authentication
With user-level OAuth, administrators set up the connector configuration (OAuth app credentials, enabled tools, access permissions), but the actual OAuth authentication happens later when each user first uses the connector. With org-level OAuth, administrators complete the OAuth authentication during the initial connector setup.

Create OAuth applications for organization-managed authentication

If you choose organization-managed OAuth, or if using a connector that requires it, you need to create an OAuth application with the provider:
  1. Follow the provider’s documentation to create an OAuth application. View the available connectors for links to provider documentation.
  2. Add the following Writer redirect URI to the list of allowed redirect URIs in your OAuth application’s settings: 
    https://app.writer.com/mcp/oauth/callback
  3. Copy the client ID and client secret for use in AI Studio
The gateway uses this redirect URI to receive authorization codes from third-party services after users grant permission.

Required OAuth scopes

Each connector requires specific OAuth scopes to access third-party APIs. The connector configuration interface in AI Studio displays the required scopes when you configure a connector. Google Calendar OAuth scopes Some connectors require extensive OAuth scopes during authentication. This is because connectors often provide multiple tools with broad functionality across the integrated service. For example, a connector for a productivity service might include tools to:
  • Read and search documents
  • Create and modify files
  • Access calendar events
  • Send messages or notifications
  • Manage sharing permissions
Each of these capabilities requires corresponding OAuth scopes from the provider. Even if you disable specific tools in your connector configuration, the OAuth application still requests all scopes needed for the full set of available tools.
Currently, OAuth scopes are fixed per connector and do not adjust based on which tools are enabled. This means users will see requests for all scopes even if you’ve disabled certain tools.

Manage access control and permissions

Organization and IT administrators can control which users have access to connectors and configure granular permissions for connector functionality.

Configure connector availability

Connectors can be made available to users in two ways:
  • All users: The connector is immediately available to everyone in the organization
  • Select teams: Restrict the connector to specific teams. Users on non-approved teams can request access, which requires admin approval.
This access control model allows organizations to gradually roll out connectors or restrict sensitive integrations to specific teams.

Role-based administration

By default, only users with Org Admin and IT Admin roles can configure and manage connectors. These permissions can be adjusted through the roles and permissions settings in AI Studio to delegate connector management to other roles if needed.

Tool-level granular control

Within each connector, administrators can selectively enable specific tools rather than activating all available functionality. This provides fine-grained control over what actions AI agents can perform through each connector. For example, you might enable read-only tools for a connector while disabling tools that modify or delete data.

Revoke connector access

Administrators and users can revoke connector access at multiple levels: Revoke individual user access:
  • Users can disconnect their personal OAuth accounts from within WRITER Agent settings
  • Disconnecting removes the user’s authentication tokens but preserves the connector configuration
  • Users can reconnect by re-authorizing through the OAuth flow
Revoke team or organization access:
  • Administrators can disable a connector entirely from AI Studio’s Connectors & Tools interface
  • Disabling a connector immediately revokes access for all users
  • Re-enabling requires users to re-authenticate with their accounts
Revoke specific tool permissions:
  • Administrators can disable individual tools within a connector without removing the entire connector
  • Users retain their OAuth connections but cannot access disabled tools
  • Tool permissions can be re-enabled without requiring re-authentication

Connect as an end user

After administrators configure connectors in AI Studio, end users interact with them naturally through conversation in WRITER Agent.

User-level vs. org-level OAuth

Connectors can be configured with different OAuth authentication levels, which affects how users connect: User-level OAuth (most common):
  • Each user connects their own personal account (their Gmail, their Slack workspace, etc.)
  • Users authenticate individually with their own credentials
  • The connector accesses only that user’s data and permissions
  • Example: When you use the Gmail connector, it accesses your Gmail inbox, not a shared organizational inbox
Org-level OAuth (shared connection):
  • An administrator sets up a single OAuth connection for the entire organization
  • All users share the same authenticated connection
  • No individual user authentication required
  • Less common; typically used when accessing shared organizational resources rather than personal accounts
Most connectors use user-level OAuth where each person connects their own account. When a connector is configured with user-level OAuth, users must authenticate individually before using it.

How users interact with connectors

To use a connector, just ask the WRITER Agent for what you need in everyday language, like “Summarize my emails” or “Find messages in Slack.” If access is needed, the agent will let you know and help you connect your account. After you’re connected, you can keep making requests the same way—no special steps or commands required. Example interactions: Using Gmail: 
User: "Summarize my unread emails from this week"
Agent: [If not connected] "I need access to your Gmail to help with that.
       Please connect your Gmail account to continue."
       [Shows authentication button]

User: [Clicks to authenticate, completes OAuth flow]

Agent: "Thanks! I can now access your Gmail. Here's a summary of your
       unread emails from this week..."

First-time connection flow

For connectors configured with user-level OAuth, users must authenticate their personal account the first time they use a connector:
  1. User makes a request: “Search Slack for messages about the budget”
  2. Authentication prompt: Agent responds: “I need access to your Slack workspace to search messages. Please connect your Slack account.”
  3. OAuth authorization: User clicks the authentication button and is redirected to Slack’s authorization page
  4. Permission consent: User reviews the permissions and approves access
  5. Return to conversation: User is redirected back to WRITER Agent
  6. Task completion: Agent automatically retries the original request: “I found 15 messages about the budget…”
For connectors configured with org-level OAuth, users can immediately use the connector without individual authentication since the administrator has already set up the shared connection.

Known limitations

OAuth token expiration

Some providers automatically expire OAuth tokens after periods of inactivity:
  • Google services: OAuth credentials become invalid after 6 months of inactivity. If you haven’t used a Google connector (Gmail, Google Calendar, Google Docs, Google Sheets) for 6 months, you’ll need to re-authenticate.
The MCP gateway automatically handles token refresh for active connections, but cannot refresh tokens that have been revoked due to inactivity.

Fixed OAuth scopes

OAuth scopes are fixed per connector and do not adjust based on which tools are enabled. This means when you configure an OAuth connector, the OAuth application requests all scopes needed for every available tool, even if you disable certain tools in your connector configuration.

Next steps