Sources
Connect Fabric Agents to external data — MCP servers, REST APIs, and local folders. How sources work, how to add one, and how the agent uses them in conversations.
Sources are how Fabric Agents connects to the world. When you add a source, the agent gains tools it can call inside a conversation — read your Linear issues, search your Gmail, list files in a folder, call your internal API.
The three kinds
| Type | What it is | Typical use |
|---|---|---|
| MCP | A Model Context Protocol server that exposes tools over HTTP, SSE, or a local stdio process. | Linear, GitHub, Notion, custom MCP servers you run yourself. |
| API | A REST endpoint the agent can call directly with configured authentication. | Google APIs, Slack, Microsoft Graph, your own OpenAPI. |
| Local | A folder on your machine the agent can read from and (in Execute mode) write to. | Obsidian vaults, code repos, data directories. |
You can mix all three in the same conversation.
Adding a source
The fastest way is to tell the agent:
"Add Linear as a source."
The agent searches for an existing setup guide, asks clarifying questions (which teams? read-only?), configures authentication, writes the guide.md so future sessions know how to use it, and validates the connection before handing back.
If you prefer to do it by hand, use Sources → Add Source in the sidebar:
- Pick the type — MCP, API, or Local.
- Fill in the config (base URL, auth method, allowed patterns).
- For auth-gated sources, click Connect and paste a credential or complete the OAuth flow.
- The source is ready to use.
Authentication
| Source type | Supported auth |
|---|---|
| MCP | none, bearer token, oauth (standard OAuth 2.0) |
| API | none, bearer, header (custom header name), query (API key in querystring), basic, oauth, provider-specific (Google, Microsoft, Slack), multi-header (e.g., Datadog's dual-key scheme) |
| Local | Not applicable — local folders don't need auth. |
Credentials go into the OS keychain where available. On Linux they're encrypted in ~/.fabric-agent/credentials/. They're never written to workspace config files, so committing your workspace to a repo won't leak secrets.
Token refresh
Two paths keep long-lived sources working without you re-authenticating every hour:
- OAuth sources refresh automatically using the refresh token returned at connect time.
- API sources with
renewEndpoint— if the service issues short-lived tokens via a dedicated renewal URL, configure it inconfig.jsonand Fabric Agents calls it to rotate tokens automatically. Useful for bearer-token APIs that don't speak full OAuth.
See the Agent setup guide for the renewEndpoint schema.
Enable / disable
Sources are workspace-scoped. When a source is enabled in a workspace, every session in that workspace has access to its tools. Disabling a source hides it from new sessions without deleting the config — re-enable any time.
A source is considered "usable" when enabled and either:
- It requires no authentication (
authType: 'none'), or - It has valid stored credentials.
Sources that require auth but have no credentials show a yellow "Needs auth" indicator in the sidebar.
Per-session context
Inside a chat, the agent sees every enabled source. To signal you want to emphasise one (or bring in one that's disabled by default), @source it:
@linear What's assigned to me this sprint?Permissions and Explore mode
Each source carries a permissions.json that describes what the agent can do in Explore (safe) mode — typically read operations only.
You write simple patterns like list or search; the app automatically scopes them to your source (mcp__linear__.*list.*, mcp__linear__.*search.*, and so on).
- MCP:
allowedMcpPatterns— tool name regexes - API:
allowedApiEndpoints— method + path regexes - Local:
allowedBashPatterns— shell-command prefixes
In Ask to Edit and Execute modes, all source tools are available (subject to your mode-level overrides).
Where configs live
Per source:
~/.fabric-agent/workspaces/{workspace-id}/sources/{source-slug}/
├── config.json # identity, auth type, provider-specific config
├── guide.md # agent-facing usage guide (markdown)
├── permissions.json # Explore-mode allowlist (optional)
└── icon.svg # auto-discovered; falls back to favicon for web sourcesThe guide.md is what the agent reads at session start to know how to use the source — what the common tools do, rate limits, authentication quirks, gotchas. Agents write this file for you when they set up the source; you can edit it any time.
Icons
Source icons render in the sidebar, @ picker, and session headers. Resolution order:
- Emoji in
config.icon(e.g."🧵"). - Local file referenced by
config.icon(e.g."./icon.svg"). - URL in
config.icon— downloaded and cached on first use. - Auto-discovered
icon.svgoricon.pngin the source folder. - Favicon of the provider domain (e.g.
linear.app's favicon).
Icons cache locally once downloaded, so offline use works fine after the first successful setup.
What about the built-in source?
Out of the box, Fabric Agents runs an always-available MCP server named fabric-agents-docs that lets the agent search this documentation site directly. You don't need to add or configure it — it's wired into every session automatically. You'll see it referenced when the agent does mcp__fabric-agents-docs__SearchFabricAgents(...).
Related
- MCP servers — overview, connecting, and authentication for MCP sources
- REST APIs — REST API source type
- Local folders — bookmark a folder on your machine
- Permissions — the Explore / Ask / Execute model
- Agent setup guide — what happens when you say "add Linear as a source"
Azure AI Foundry
Connect Azure-hosted OpenAI-compatible endpoints to Fabric Agents using Microsoft Entra ID (Azure AD) Bearer-token auth. Resource discovery, deployment selection, and token refresh are handled automatically.
MCP Servers
How MCP (Model Context Protocol) sources work in Fabric Agents — supported transports, tool namespacing, and the overall model.