REST APIs
Connect Fabric Agents to any REST API — authentication options, raw body support, query presets, and token refresh via renewEndpoint.
An API source lets the agent call any HTTP service directly. It's the right pick when:
- The service has a REST API but no MCP server.
- You need tight control over what endpoints the agent can reach.
- You want to talk to an internal service, a custom API, or a vendor that only exposes OpenAPI / curl-style docs.
Add an API source the fast way by telling the agent:
"Add Datadog as a source."
or paste an OpenAPI spec into the chat and let it configure the source. This page documents the config schema so you can understand, edit, or hand-author it.
Config schema
Every API source is a folder under ~/.fabric-agent/workspaces/{workspace-id}/sources/{source-slug}/. The core of config.json looks like:
{
"id": "datadog_b1c2d3",
"name": "Datadog",
"slug": "datadog",
"provider": "datadog",
"type": "api",
"icon": "https://www.datadoghq.com/favicon.ico",
"tagline": "Monitoring, logs, and APM",
"enabled": true,
"api": {
"baseUrl": "https://api.datadoghq.com/",
"authType": "header",
"headerNames": ["DD-API-KEY", "DD-APPLICATION-KEY"],
"testEndpoint": {
"method": "GET",
"path": "/api/v1/validate"
}
}
}All API-specific fields live under api:
| Field | Type | Required | Purpose |
|---|---|---|---|
baseUrl | string | ✓ | API root. Trailing / is expected. |
authType | none | bearer | header | query | basic | oauth | ✓ | How credentials are attached to requests. |
authScheme | string | – | Bearer prefix. Defaults to "Bearer ". Set to "" for raw-token APIs. |
headerName | string | – | Header name for single-header auth (e.g. X-API-Key). |
headerNames | string[] | – | Header names for multi-header auth (see below). |
queryParam | string | – | Query-string parameter for authType: "query" (e.g. api_key). |
defaultHeaders | Record<string, string> | – | Static headers sent on every request — API version hints, tenant IDs, etc. |
testEndpoint | ApiTestEndpoint | – | Endpoint hit to validate auth. Required when authType ≠ none. |
renewEndpoint | ApiRenewEndpoint | – | Optional endpoint for automatic token refresh. See below. |
queryPresets | ApiQueryPreset[] | – | Named reusable queries surfaced in the agent's guide.md. |
oauth | ApiOAuthConfig | – | Static OAuth endpoints and scopes for providers Fabric Agents doesn't know natively. |
googleService / microsoftService / slackService | string | – | Provider-specific shortcut for well-known services (Gmail, Graph, Slack App). |
azureDevOpsOrganization / azureDevOpsProject / azureDevOpsTeam | string | – | Azure DevOps context fields. |
Authentication types
authType | Credential shape | Sent as |
|---|---|---|
none | – | No auth header. |
bearer | single token | Authorization: Bearer <token> (prefix controlled by authScheme). Set authScheme: "" for bare-token APIs. |
header | single token | <headerName>: <token> — great for X-API-Key-style services. |
header + headerNames | JSON object keyed by each header name | Sends multiple headers at once (e.g. Datadog's DD-API-KEY + DD-APPLICATION-KEY). |
query | single token | Appended as ?<queryParam>=<token>. |
basic | {username, password} JSON | Authorization: Basic base64(user:pass). |
oauth | access token + refresh token + clientId | Authorization: Bearer <access_token>. Refreshed automatically. |
Provider-specific OAuth
Google, Microsoft, and Slack have their own OAuth flows. Rather than filling in oauth with URLs and scopes manually, set:
googleServiceto one of the known services (Gmail, Calendar, Drive, Docs, Sheets, YouTube, Search Console), plus optionalgoogleScopesfor custom scope sets.microsoftServicefor Graph-backed services (Outlook, Teams, SharePoint).slackServicefor Slack App installs.
Each of these triggers the right consent screen and stores credentials with the same source_oauth shape as generic OAuth. If you're using your own Google Cloud project (common in OSS setups), pass googleOAuthClientId and googleOAuthClientSecret in the config and Fabric Agents will use those instead of the built-in app credentials.
Generic OAuth (api.oauth)
For services that don't fit the built-in shortcuts:
{
"api": {
"baseUrl": "https://service.example.com/",
"authType": "oauth",
"oauth": {
"authorizationUrl": "https://service.example.com/oauth/authorize",
"tokenUrl": "https://service.example.com/oauth/token",
"clientId": "abc123",
"clientSecret": "xyz789",
"scopes": ["read:data", "write:notes"]
}
}
}If the server publishes an RFC 9728 metadata document at baseUrl, Fabric Agents can discover the authorization and token URLs automatically. In that case, leaving oauth off and just setting authType: "oauth" is enough.
The agent-facing tool
When an API source is enabled, the agent gets one tool:
api_<source-slug>For the Datadog example above, it's api_datadog. The tool accepts:
| Arg | Purpose |
|---|---|
path | URL path relative to baseUrl. |
method | GET / POST / PUT / PATCH / DELETE / HEAD / OPTIONS. |
params | JSON body (for write methods) or query string (for GET). |
_intent | Optional human-readable description of what the call is trying to do — shown in the tool log. |
_rawBody | Escape hatch for non-JSON bodies. |
_contentType | Content-Type for _rawBody. Defaults to text/plain. |
The agent reads guide.md in the source folder to know what endpoints exist and which ones to call for a given task. You can edit guide.md any time to give the agent better hints.
Raw-body requests
Most modern APIs take JSON, but some want form-urlencoded, XML, or plain text:
{
"path": "/api/v1/legacy",
"method": "POST",
"_rawBody": "key1=value1&key2=value2",
"_contentType": "application/x-www-form-urlencoded"
}params is ignored when _rawBody is set.
Automatic token refresh — renewEndpoint
OAuth handles refresh automatically. For services that issue short-lived bearer tokens via a dedicated renewal URL (but no OAuth flow), configure renewEndpoint:
{
"api": {
"baseUrl": "https://api.example.com/",
"authType": "bearer",
"renewEndpoint": {
"method": "POST",
"path": "/auth/refresh",
"body": { "token": "{{token}}" },
"responseTokenField": "access_token",
"responseExpiresField": "expires_in"
}
}
}Fabric Agents calls this endpoint roughly five minutes before the current token expires:
{{token}}inbodyorheadersis substituted with the current token.responseTokenFieldnames the response field holding the new token (defaults toaccess_token).responseExpiresFieldnames the response field holding a TTL in seconds (defaults toexpires_in).
If renewal fails, the source flips to "needs auth" and the Reconnect button returns. No messages fail silently — the agent sees a clear auth error.
Query presets
Some services have awkward query languages (WIQL for Azure DevOps, PromQL for Prometheus, SPL for Splunk). Instead of hoping the agent remembers the syntax, bake common queries into the source:
{
"api": {
"baseUrl": "https://dev.azure.com/my-org/",
"queryPresets": [
{
"id": "my-active-bugs",
"name": "My active bugs",
"description": "WIQL for bugs assigned to me that aren't closed",
"query": "SELECT [System.Id] FROM WorkItems WHERE [System.AssignedTo] = @Me AND [System.WorkItemType] = 'Bug' AND [System.State] <> 'Closed'"
}
]
}
}Presets are rendered into guide.md so the agent knows they exist. It can use them verbatim or adapt them for variants.
Permissions (Explore mode)
Per-source permissions.json controls what endpoints the agent can reach in Explore (safe) mode:
{
"allowedApiEndpoints": [
{ "method": "GET", "path": "^/api/v2/", "comment": "All v2 reads" },
{ "method": "GET", "path": "^/api/v1/logs" }
]
}Each entry is a method plus a path regex. GET endpoints are the conservative default; any write method (POST, PUT, PATCH, DELETE) needs to be explicitly listed if you want it usable outside Execute mode.
Related
- Sources overview — scope, enable/disable, where credentials live.
- MCP servers — structured tool protocol; often simpler when available.
- Permissions — how Explore / Ask / Execute modes interact with allowlists.
MCP Authentication
Authentication for MCP sources in Fabric Agents — bearer tokens, OAuth with dynamic client registration, token refresh, and credential storage.
Local Folders
Bookmark folders on your machine as sources — Obsidian vaults, code repos, data directories. How the allowlist model works and what tools the agent gets.