Connect Rollout to external services. Connections hold the credentials that workflow nodes use, the API Request node reaches any REST API, incoming webhooks bring events in, and MCP plus the desktop app extend workflows to AI assistants and local devices.
Status: Alpha (features may change).
Connections
A Connection stores a credential — an OAuth grant, an API token, an SSH key — that workflow nodes use to act on external systems. Manage them at Settings → Connections.
Adding a connection
- Open Settings → Connections
- Click Add connection
- Pick a provider from the catalog
- For Google: name the connection, pick scopes, choose who can use it, then click Continue to Google to complete the OAuth consent flow
- For other providers: enter the credential fields and click Save
Workflow nodes that need a connection also offer to create one from the node’s settings, pre-set with the scopes that node requires.
Available providers
| Provider | Kind | Use it for |
|---|---|---|
| OAuth | Gmail, Sheets, and Drive nodes | |
| Atlassian | API token | Jira nodes |
| GitHub | Token | GitHub nodes, private repos, image pushes |
| Telegram Bot | Bot token | Telegram nodes (token from @BotFather) |
| SSH Host | Credential | Run commands on a remote host over SSH |
| Tailscale | Connectivity | Reach private hosts from workflow runs |
| Container Registry | Credential | Push built images (GHCR, Docker Hub, GCR, …) |
| 1Password | Service account token |
Resolve op:// secret references |
| Vector Store (Qdrant) | Credential | Point retrieval at your own Qdrant |
| LLM Provider (BYOK) | API key | Bring your own LLM key, billed to your provider account |
| Cartesia (Text-to-Speech) | API key | Streaming text-to-speech |
| Deepgram (Speech-to-Text) | API key | Streaming speech-to-text |
Google connections and scopes
Each Google connection carries only the scopes you select when creating it. Scope presets: Gmail (read), Gmail (modify), Gmail (send), Sheets, Sheets (read), Drive (files), Drive (full), Drive (read), and Calendar (read).
You can keep multiple Google connections for the same account — for example a Sheets-only connection next to a Gmail-send one. Nodes only accept connections whose scopes cover what they need.
By default, connections use Rollout’s shared OAuth client. Expand Use my own OAuth client to supply your own Google OAuth client instead — tokens are then cryptographically limited to the granted scopes. Changing the client later requires re-authorizing.
Sharing and access
Connections are private by default: only the person who created one can use it. The Who can use it picker (at creation, or later in the connection’s details) shares it with a team or the whole workspace. Only the connection owner or a workspace admin can change sharing. The list shows each connection’s visibility: Private, Team, or Workspace.
Managing connections
Click a connection row to open its details, where you can:
- Rename the connection
- Test the credential and see its health status
- Reauth a Google connection when it needs fresh consent
- Review granted scopes and which workflows use it
- Delete it — the confirmation lists the workflows that would break
Credentials are encrypted at rest. OAuth tokens refresh automatically when they expire; a connection that needs your attention shows a Reauth badge in the list.
Google nodes
| Node | What it does |
|---|---|
| Gmail: New Email (trigger) | Starts the workflow when a Gmail message arrives; configurable to fire on new Sheets rows or new Drive files instead |
| Gmail Send, Gmail Reply | Send an email, or reply within an existing thread |
| Gmail Search, Gmail Get | Search messages, or fetch one with bodies, headers, and attachment info |
| Gmail Update, Gmail Archive, Gmail Trash, Gmail Labels | Mark as read / modify labels, archive, trash or restore, list account labels |
| Sheets Append, Sheets Read, Sheets Update, Sheets Clear | Append rows, read rows as objects, upsert by key column, clear a range |
| Drive Upload, Drive Download, Drive Search, Drive Move, Drive Create Folder | File and folder operations in Drive |
Note: the trigger polls, so events may be delayed by the poll interval (default 60 seconds, configurable on the node).
Other integration nodes
- Jira (Atlassian connection): Jira Create Issue, Jira Get Issue, Jira Search, Jira Update Issue, Jira Comment, Jira Transition
- GitHub (GitHub connection): GitHub Open PR, GitHub Get PR, GitHub List PRs
- Telegram (Telegram Bot connection): Telegram Send Message, Telegram Parse Update
- Perplexity: Perplexity Search
Secrets
Store standalone API keys and tokens at Settings → Secrets. Secrets are write-only: a value is set once at creation and is never readable again, in the UI or anywhere else. Names are UPPER_SNAKE_CASE.
If the workspace has a 1Password connection, a secret can instead be a 1Password reference (op://vault/item/field) resolved at run time.
Secrets use the same private / team / workspace sharing model as connections. Secret-typed node fields reference a stored secret by name, and secret values are redacted from persisted run history and streamed logs.
Webhooks (incoming)
Receive data from external services using the Incoming Webhook trigger.
Setting up a webhook
- Add an Incoming Webhook trigger to your workflow
- Copy the webhook URL from the node settings
- Configure your external service to POST to this URL
- The payload becomes available to downstream nodes
Security options
- HMAC verification - Validate signatures (SHA-1, SHA-256, or SHA-512) from services like GitHub or Stripe
- Timestamp validation - Reject old requests to prevent replay attacks
- Token rotation - Regenerate the webhook URL if it leaks
Sensitive request headers (authorization, cookies, signature headers) are redacted before the request is stored as node output.
See Visual Workflows for detailed webhook configuration.
Troubleshooting
Google connection fails
- Use Reauth on the connection’s details, or disconnect and reconnect
- Grant all requested permissions on the consent screen
- Check that third-party cookies are not blocked
API Request returns 401/403
- Verify your API key or credentials
- Check the Authorization header format
- Ensure the API key has the required permissions
Webhook not triggering workflow
- Confirm the webhook URL is correct
- Check that the workflow is saved and enabled
- Verify the external service is sending requests
- Look for rate limit errors in the response (HTTP 429)