Where to configure
| Need | Console location | When to use |
|---|---|---|
| OAuth or GitHub App | Connected Apps | recommended flow for GitHub, GitLab, Bitbucket, Azure DevOps, Jira, Linear, and ClickUp when the provider supports delegated authorization |
| Manual credential | Credentials | tokens or credentials created outside the OAuth flow |
| Private/on-prem VCS | Connectors | when the VCS is on a private network or when the VCS token must remain in the customer’s environment |
| Programmatic API use | API Keys | internal integrations, automations, and MCP |
| Outbound webhooks | Webhooks | sending Acrity events to external systems |
How secrets are stored
Credential secrets, OAuth tokens, and sensitive overrides are stored encrypted in the database with AES-256-GCM. API key data uses a different model: the complete key is shown once and Acrity stores only an HMAC-SHA-256 hash with pepper for verification. Connector tokens follow the one-time display principle. The complete token appears at creation or rotation time; after that, Acrity keeps a SHA-256 hash for verification, not reusable plaintext.
Connected Apps
Use Connected Apps when you want a guided authorization flow. This flow reduces manual error, enables reauthorization in the Console, and shows when the installation needs new permission.
Recommended flow:
- Grant permissions in the provider.
- Confirm the authorized organization, account, repositories, or projects.
Manual credentials
Use Credentials when the provider requires a manual token, when the organization already has dedicated credentials, or when an OAuth flow is not appropriate.
When creating a credential:
- Choose the provider.
- Define a name that helps auditing, such as github-app-prod or jira-service-account.
- Fill in the fields required by the provider.
- Validate the credential before linking it to repositories.
- Use the credential only in repositories that need it.
Connectors
Use Connectors when the VCS is on a private network or when internal policy requires the VCS token to remain in the customer’s environment. The connector is installed in the customer’s infrastructure and maintains the required bridge with Acrity.
In the Console, a Workspace admin creates the connector, chooses the provider, downloads the installation artifact, and copies the one-time displayed secrets. The connector page shows status, heartbeat, discovered repositories, and rotation actions.
Rotation
Rotate secrets when:
- a person with access to the secret leaves the team;
- a token was copied to an unsafe location;
- the provider requires renewal;
- an integration stops being used;
- internal policy defines a periodic cycle.
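
The API key model described under "How secrets are stored" (key shown once, only an HMAC-SHA-256 hash with pepper kept) and the effect of rotation, as an added example; this is not Acrity's code. The key format, the in-memory store, the pepper handling, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: the pepper is a server-side secret held outside the database
# (for example in a KMS or a deployment secret). Constructed value for the demo.
PEPPER = secrets.token_bytes(32)

# Stand-in for the database table: key_id -> HMAC digest. The key itself is never stored.
KEY_DIGESTS = {}


def digest_key(full_key):
    """HMAC-SHA-256 of the presented key, keyed with the pepper."""
    return hmac.new(PEPPER, full_key.encode(), hashlib.sha256).digest()


def issue_key(key_id):
    """Create a key, persist only its digest, and return the plaintext once."""
    # Hypothetical format "<key_id>.<random>"; key_id must not contain a dot.
    full_key = f"{key_id}.{secrets.token_urlsafe(32)}"
    KEY_DIGESTS[key_id] = digest_key(full_key)
    return full_key


def verify_key(presented):
    """Recompute the digest and compare it in constant time."""
    key_id, _, _ = presented.partition(".")
    stored = KEY_DIGESTS.get(key_id)
    if stored is None:
        # Do the same HMAC work for unknown ids so both paths cost the same.
        hmac.compare_digest(digest_key(presented), bytes(32))
        return False
    return hmac.compare_digest(digest_key(presented), stored)


def rotate_key(key_id):
    """Replace the stored digest; the previous key stops verifying immediately."""
    if key_id not in KEY_DIGESTS:
        raise KeyError(key_id)
    return issue_key(key_id)


if __name__ == "__main__":
    old = issue_key("ci-bot")           # shown to the user once
    print("old verifies:", verify_key(old))
    new = rotate_key("ci-bot")
    print("old after rotation:", verify_key(old), "| new:", verify_key(new))
```

Because only a keyed digest is stored, a copy of the table alone is not enough to verify or brute-force keys offline without the pepper, and a lost key cannot be recovered, only rotated.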