ViksaAIDocs
Start now
Platform

API Fleet

Expose external REST APIs to your agents as MCP tools. Tenants configure auth once; end users authenticate through connectors.

What it does#

API Fleet lets you register third-party HTTP APIs (Stripe, internal microservices, SaaS products) as service folders inside a Viksa project. Each folder holds one or more endpoints parsed from OpenAPI or added manually. Enabled endpoints become virtual tools that agents can call at runtime.

Core concepts#

ConceptDescription
Service folderNamed registry for a base URL plus a list of endpoints (GET /users, POST /charges, …).
Auth methodReusable auth profile (API key, bearer, basic, OAuth2) shared across folders.
User Auth KMSYour cloud KMS key (AWS, GCP, or Azure) used to encrypt end-user credentials — separate from project vault secrets.
Connect linkHTTPS URL sent in WhatsApp/Telegram chat; end users enter credentials or complete OAuth on Viksa-hosted pages.
headless_user_authMongo collection storing per-user encrypted credentials keyed by connector user + service.

Setup workflow#

  1. 1

    Configure User Auth KMS

    In API Fleet → Configure Auth KMS, pick AWS KMS, GCP Cloud KMS, or Azure Key Vault. Viksa runs an encrypt/decrypt round-trip before saving.
  2. 2

    Create auth methods

    Define how end users authenticate (OAuth app registration, API key header name, etc.). Credentials are not entered here — only the schema.
  3. 3

    Create a service folder

    Set the service base URL, optional description, and link a saved auth method (or leave public). Bulk-import from OpenAPI/Postman or add endpoints manually.
  4. 4

    Enable endpoints

    Toggle endpoints on in the folder detail view. Disabled endpoints are not exposed as agent tools.
  5. 5

    End users connect via Volt

    When an agent needs auth, Volt sends a connect link in chat. See Channel Hub for connector setup.

Authentication types#

auth_typeEnd-user experience
noneNone (public API — no per-user credentials)
api_keyAPI key — end user enters key on connect page
bearerBearer token — validated before save
basicBasic auth — username/password validated before save
oauth2OAuth2 — connect link redirects to provider; tokens saved on callback

End-user connect URLs#

Connect links are hosted on the Viksa public API domain — not your customer domain:

Example connect URLtxt
https://api.viksaai.com/headless/user-auth/connect?api_id=srv_…
user_id=connector_user_…
channel=whatsapp
project_id=prj_…
org_id=org_…
account_id=acc_…
  • OAuth2 — GET shows a button that redirects to the provider; callback hits /headless/oauth/callback
  • API key / bearer / basic — GET renders a form; POST validates against the target API before KMS encrypt + save
  • End users never paste secrets into chat — only open the link

KMS providers#

encryption_modeProvider
aws_kmsAWS KMS
gcp_kmsGoogle Cloud KMS
azure_keyvaultAzure Key Vault

Data storage#

CollectionScopeContents
headless_apisprojectService folders and embedded endpoints
headless_auth_methodsprojectReusable auth schemas (no end-user secrets)
headless_auth_kmsproject (1 doc)KMS mode + config for credential encryption
headless_user_authproject + userEncrypted end-user credentials per connector identity
REST API referenceAll headless-service endpoints, auth modes, and request examples.Channel HubConnect WhatsApp, Telegram, and other channels that deliver connect links.Agents — Auth & credentialsHow agents use tools and project-level secrets.