Product surfaces
LumenFlow currently exposes external integrations through three different product surfaces:
| Surface | What it's for | Current examples |
|---|---|---|
| Tool Connections | Governed conn:* tools inside Sidekick | Gmail, Google Calendar, Google Docs, Google Sheets, GitHub, HubSpot, Jira, Notion, Outlook, OneDrive, Microsoft To Do, Greenhouse |
| Channels | Messaging and inbound/outbound conversation transport | Slack, Discord, Telegram, Microsoft Teams, Twilio SMS, custom webhooks |
| Advanced Custom MCP | Self-hosted or custom tool servers | Internal tools, niche SaaS, bespoke workflows |
Connection methods
Depending on the integration, setup uses one of these methods:
| Method | Use case | Setup |
|---|---|---|
| OAuth | Google, Slack, GitHub, HubSpot, Atlassian, Microsoft, Notion | One-click authorize |
| API key | Greenhouse and some custom services | Paste key in settings |
| MCP | Advanced custom tools | Deploy or register MCP server |
| Webhooks | Inbound events and messaging channels | Configure endpoint URL and verification |
How connections work
- You add a Tool Connection or channel in Settings → Connections
- LumenFlow securely stores the credentials
- Sidekick discovers the governed actions available from that integration
- Governance rules control which actions are allowed
Connection lifecycle
Connections follow a simple lifecycle: add the service, authorize via OAuth (or paste an API key), and the connection becomes active. OAuth tokens are refreshed automatically. You can revoke access at any time from settings.
For newer integrations, v1 means the integration is real and installable today, but intentionally bounded. LumenFlow exposes the most useful governed actions first and expands later instead of claiming the provider's full API on day one.
Security
- OAuth tokens are encrypted at rest
- Credentials are never exposed in the UI after initial setup
- All connection activity appears in the audit trail
- Revoking a connection immediately stops all related actions
Info: LumenFlow requests minimal scopes by default. You choose exactly which permissions to grant during OAuth authorization.