Security first
All secrets are encrypted at rest and in transit. The LLM never accesses
real credentials - only placeholders such as <<stripe_api_key>> are exposed during
workflow setup and execution.
Create a system in superglue to use as reusable building blocks for building tools in superglue. Systems handle authentication and documentation retrieval automatically once configured.
The fastest way to create a system is through the agent interface. Visit app.superglue.cloud and start chatting with the agent.
superglue will:
Systems can also be created manually using the web application:
Navigate to systems
Click the “Systems” button in the sidebar
Open form
Click Add System to open the system form
Fill required fields
https://api.stripe.com)Click ‘Add System’
superglue saves your configuration and processes online documentation in the background if a documentation URL was provided
superglue supports many different authentication methods. All credentials are encrypted both at rest and in transit.
superglue supports both the client credentials flow and authorization code flow with automatic token refresh.
superglue handles:
Used when users grant access to their account data.
Examples: Slack, Salesforce, Google Services
Used for server-to-server communication with no user interaction.
Examples: Twilio, Auth0 Management API, Microsoft Graph
Required fields:
clientId, clientSecret, authorizationUrl, tokenUrlOptional fields:
scopes: space-separated OAuth scopesredirectUri: redirect URL after authorizationThe simplest authentication method. Provide an API key and superglue automatically determines where to include it based on the API’s documentation.
Possible placements:
Authorization: Bearer {key}X-API-Key: {key}?api_key={key}{email}/token:{apiKey})X-Shopify-Access-Tokenanystring as username and API key as passwordConnect to databases and data stores by providing connection details. Supported types include PostgreSQL, MSSQL, Redis, MongoDB, and FTP/SFTP servers.
PostgreSQL requires a connection URL in the format postgresql://<<user>>:<<password>>@<<host>>:<<port>>/<<database>> with credentials for user, password, host, port, and database.
MSSQL requires a connection URL in the format mssql://<<user>>:<<password>>@<<host>>:<<port>>/<<database>> with credentials for user, password, host, port, and database. For Azure SQL, use the fully qualified server name (e.g., myserver.database.windows.net).
Redis requires a connection URL in the format redis://<<user>>:<<password>>@<<host>>:<<port>>/<<database>> (or rediss:// for TLS). The database number (0-15) is optional and defaults to 0.
MongoDB requires a connection URL in the format mongodb://<<user>>:<<password>>@<<host>>:<<port>>/<<database>>?authSource=admin (or mongodb+srv://<<user>>:<<password>>@<<cluster>>/<<database>> for Atlas/SRV seedlists). Root users typically need authSource=admin.
FTP/SFTP requires a URL in the format sftp://<<host>>:<<port>> with username and password credentials.
For systems with unique authentication requirements, superglue supports multiple custom patterns.
credentials: { username: "your_username", password: "your_password"}Used by: Jenkins, Artifactory, legacy APIs
credentials: { "X-Custom-Auth": "your_auth_token", "X-API-Version": "v2", "X-Tenant-ID": "tenant_123"}Used by: Internal APIs, multi-tenant systems
credentials: { bearerToken: "eyJhbGciOiJIUzI1NiIs..."}Used by: GitHub (personal access tokens), GitLab, custom auth systems
credentials: { botToken: "xoxb-XXXXXX"}Used by: Slack and Discord
Security first
All secrets are encrypted at rest and in transit. The LLM never accesses
real credentials - only placeholders such as <<stripe_api_key>> are exposed during
workflow setup and execution.
Not ready to provide credentials?
Systems can be created without credentials and updated later. Credentials may also be supplied dynamically during tool execution.
Need help identifying credentials?
The agent can assist with figuring out which credentials are required and where to find them. e.g., “I want to connect to my company’s internal API but I’m not sure what authentication it uses.”
superglue automatically crawls and processes documentation upon system creation. This makes it possible for superglue to reason about endpoints, authentication, and data models without manual setup.
When creating a system, the documentationUrl or uploaded documentation files (like OpenAPI specs, PDFs, or HTML exports) are used as the primary source for this process. The more complete and accurate the provided material, the better superglue’s internal understanding of the system.
superglue’s fetchers handle most modern and legacy documentation types:
OpenAPI/Swagger
Extracts endpoints, parameters, and schemas from .json or .yaml specifications.
Mintlify & modern docs
Fetches content from popular hosted sites like Mintlify, ReadMe, or Docusaurus.
Static HTML & PDFs
Parses legacy or self-hosted documentation, including HTML exports and PDF manuals.
Database schemas
Automatically analyzes PostgreSQL and MSSQL schemas to identify tables, columns, and relationships.
Large APIs can have hundreds of endpoints. To improve accuracy and reduce processing time, you can provide specific keywords via the agent that describe what parts of the documentation are most relevant.
The agent automatically adjusts documentation processing based on your instructions:
Connect to Stripe and focus on customer and subscription endpointsThis ensures that only relevant documentation is processed and saved to the system. Keywords are used to:
Systems can be configured with separate development and production environments. This allows you to test integrations with sandbox/staging credentials before deploying to production.
mode: "dev" or mode: "prod" to control which system credentials are used# Create production systemcurl -X POST https://api.superglue.ai/v1/systems \ -H "Authorization: Bearer $API_KEY" \ -d '{ "id": "stripe", "name": "Stripe", "url": "https://api.stripe.com", "environment": "prod", "credentials": { "apiKey": "sk_live_..." } }'
# Create linked development systemcurl -X POST https://api.superglue.ai/v1/systems \ -H "Authorization: Bearer $API_KEY" \ -d '{ "id": "stripe", "name": "Stripe", "url": "https://api.stripe.com", "environment": "dev", "credentials": { "apiKey": "sk_test_..." } }'import { runTool } from "@superglue/client";
// Use production credentials (default)await runTool("my-tool", { inputs: { ... }, options: { mode: "prod" }});
// Use development/sandbox credentialsawait runTool("my-tool", { inputs: { ... }, options: { mode: "dev" }});When a tool runs with a specific mode:
prod is usedIf your system requires IP whitelisting (firewall rules, security groups, etc.), add superglue Cloud’s outbound IPs to your allowlist. See Cloud Networking for the current IPs.