Configure Celigo connections and iClients -- credential and configuration objects that authenticate to external systems. Use when creating or editing connections, choosing auth methods, setting up OAuth, managing iClients (shared credential stores), or troubleshooting connectivity.
설치
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
Configure Celigo connections and iClients -- credential and configuration objects that authenticate to external systems. Use when creating or editing connections, choosing auth methods, setting up OAuth, managing iClients (shared credential stores), or troubleshooting connectivity.
Configuring Connections
A connection is a credential and configuration object that lets Celigo communicate with an external system. Every export and import references a connection via _connectionId. Connections must be created before the resources that use them.
Concerns when configuring a connection:
Authentication -- choosing the right auth method (OAuth, token, basic, key-pair, certificate, etc.) and providing the correct credentials
Concurrency -- how many parallel requests Celigo can make to the target system (concurrencyLevel). Can be shared across connections via _borrowConcurrencyFromConnectionId
Health monitoring -- ping configuration to verify connectivity and detect credential expiration (offline status)
Pre-built connectors -- HTTP connectors and trading partner connectors provide pre-configured auth, base URLs, and endpoint definitions for 550+ applications
Debug logging -- temporary debug mode to capture raw request/response data for troubleshooting
iClients -- reusable OAuth credential stores (client ID/secret, scopes, token endpoints) shared across connections. See iClients section below.
What system do you need to connect to? This determines the connection type, auth method, and configuration shape.
2. Name the connection after the system, not the operation
Connection names should describe the system and environment -- not what a specific flow does with them. Connections are shared across exports, imports, and flows, so operation-specific names become misleading as soon as a second resource uses the same connection.
Bad (operation-specific)
Good (system/environment)
Shopify - Customer Upsert
Shopify - my-store
Microsoft Dynamics 365 Business Central - Companies Export
Microsoft Dynamics 365 Business Central - sandbox
Stripe - Invoice Fetch
Stripe - Production
If the account has multiple environments or instances of the same system, include the distinguishing detail (store name, environment, account ID). Otherwise just the system name is fine.
3. Check for existing connections
Before creating a new connection, check what already exists in the account and marketplace:
# Search the account for existing connections by name or keyword
celigo account search "<application-name>"# Show what uses a connection (exports, imports)
celigo account dependencies connection <id>
# Find offline connections used by enabled flows, orphaned connections
celigo account lint
# Search marketplace for pre-built integration templates
celigo templates marketplace
# Preview a template's connection model
celigo templates preview <id> --model Connection
# List all connections
celigo connections list
# Filter by type
celigo connections list | grep -i "<application-name>"
The account index auto-refreshes when stale (>4 hours). Force a fresh snapshot with celigo account snapshot.
Reusing an existing connection avoids duplicate credentials and shares concurrency.
When presenting connection choices to the user, filter out connections that are offline: true or have status: "offline". Only show online/active connections as options. If ALL matching connections are offline, mention that and let the user decide whether to proceed with an offline connection or fix connectivity first.
4. Check for a pre-built connector and global iClient
For HTTP connections, search for a pre-built connector before configuring manually:
# Search HTTP connectors (550+ apps: Shopify, Stripe, HubSpot, etc.)
celigo http-connectors list
celigo http-connectors get <id> --full # see auth config, endpoints, resources# Search trading partner connectors (EDI, AS2, VAN)
celigo tp-connectors list
If an HTTP connector exists, set http._httpConnectorId and http._httpConnectorVersionId on the connection. The connector provides auth templates, base URL, and pre-built endpoints.
Check for a global iClient. Many pre-built connectors ship with a global (Celigo-managed) iClient -- a shared OAuth app registration that handles authorization out of the box (e.g., Microsoft Business Central, Shopify, Google). When a global iClient is available:
Use it by default. Set http.auth.type: "oauth" with http.auth.oauth.useIClientFields: true and http._iClientId pointing to the global iClient ID.
Do not fall back to static bearer token auth (auth.type: "token") just because you don't have live credentials yet. The connection should be created with the correct OAuth auth shape and saved as offline: true.
Only create a custom iClient if the customer has their own app registration (e.g., their own Azure AD app, Shopify private app) or if the global iClient doesn't have the required scopes/consent for their tenant.
To find existing global iClients, check any working connection in the account that uses the same connector -- its http._iClientId will reference the global iClient. You can also inspect the connector's auth configuration via http-connectors get <id> --full.
5. Choose the type, auth method, and build
Use the Connection Types table above to pick the type value and open the matching schema for available auth options and required fields.
Every connection needs at minimum: name, type, and the type-specific config block (http{}, netsuite{}, ftp{}, etc.).
Offline connections must use the correct auth shape. When creating a connection without live credentials (e.g., demo, placeholder, or pre-staging), always configure the full auth structure the connection will ultimately use -- OAuth type, iClient reference, grant type, etc. -- and save with offline: true. This ensures the connection can be authorized in place later without reconfiguration. Never substitute static token auth as a shortcut for an OAuth connection.
6. Test the connection
celigo connections ping <id>
For OAuth connections, authorize via browser first: celigo connections authorize <id>.
Note: connections set and iclients set only apply PATCH-whitelisted fields (e.g. name, debugDate, debugUntil; iclients also oauth2.failPath). PATCH never re-sends the masked credentials GET returns as "******", so it's safe. Any non-whitelisted field errors instead of falling back to a full PUT that would overwrite stored secrets -- use update (which guards against submitting masked values) for those.
Pre-Submit Checklist
Before creating or updating a connection, verify:
name describes the system/environment, not a specific operation (e.g., "Shopify - my-store", not "Shopify - Customer Upsert")
Type-specific config block is present (http{}, netsuite{}, rdbms{}, etc.)
Auth credentials are real values, not masked "******" from a prior GET
For HTTP connectors: http._httpConnectorId and http._httpConnectorVersionId are set
For OAuth connections: uses global iClient if connector provides one; custom iClient only when needed
For OAuth connections: auth.type is "oauth" (not "token" with a static bearer), even if saving offline: true
For NetSuite: netsuite.authType is token-auto (not deprecated basic)
For RDBMS: host, port, database, user, and password are all provided
Gotchas
These apply to both connections and iClients unless noted:
GET masks credentials. Passwords, tokens, and secrets are returned as "******". Never round-trip a GET response back to PUT without restoring the real values. This is why set only PATCHes whitelisted non-credential fields, and update refuses a payload still containing "******" unless you pass --force.
PUT erases omitted fields. Always GET first, modify, then PUT the complete object.
OAuth connections need browser authorization after creation. Creating via API sets up the shell, but tokens come from a browser redirect. Use celigo connections authorize <id>.
Connections only:
rest type is legacy. Always use type: "http" for new REST connections.
NetSuite basic auth is deprecated. Use token-auto (Celigo-managed TBA) for new connections.
Debug logs are connection-scoped. Enabling debug captures request/response data for all flows using that connection.
_borrowConcurrencyFromConnectionId shares slots. The borrowing connection's concurrencyLevel is ignored.
Name connections after the system, not the operation. Connections are shared across resources. "Shopify - my-store" is correct; "Shopify - Customer Upsert" is not.
Use the global iClient for OAuth connectors. When a pre-built connector ships with a global iClient, use it with auth.type: "oauth" -- do not substitute auth.type: "token" with a static bearer token, even for offline/dummy connections. Static tokens expire and produce the wrong auth shape.
Common Errors
Error
Cause
Fix
401 Unauthorized
Invalid or expired credentials
Verify auth credentials; for OAuth, re-run celigo connections authorize <id>
403 Forbidden
Valid credentials but insufficient permissions
Check the user/role permissions in the target system
422 Unprocessable Entity -- invalid type
type value is not recognized or misspelled
Use exact values from Connection Types: http, netsuite, salesforce, rdbms, etc.
Verify host/URL, credentials, firewall rules, and VPN/agent requirements
ECONNREFUSED / ETIMEDOUT
Network-level failure to target system
Check host/port, DNS resolution, firewall rules; for on-prem systems, verify _agentId is set
OAuth invalid_grant
Refresh token expired or revoked
Re-authorize: celigo connections authorize <id>
"******" saved as credential
Round-tripped a GET response back to PUT
Never PUT masked values; always provide real credentials on update
iClients (OAuth Credential Stores)
An iClient is a reusable OAuth credential store -- it holds the client ID, client secret, scopes, and provider-specific OAuth configuration that can be shared across multiple connections. Instead of embedding OAuth app credentials directly in each connection, you create one iClient and reference it.
When Do You Need an iClient?
Scenario
iClient needed?
HTTP connection with pre-built connector that has a global iClient
Use the global iClient -- set http._iClientId to the connector's built-in iClient ID. No custom iClient needed.
HTTP connection with OAuth2 using a custom app registration
Yes -- create a custom iClient with your clientId/clientSecret, reference via http._iClientId
Salesforce connection with packagedOAuth: false
Yes -- store Connected App credentials in iClient
NetSuite connection with authType: "token-auto"
Yes -- store integration record's consumer key/secret in iClient
HTTP connection with pre-built connector (no global iClient)
Maybe -- check if the connector's auth requires one
HTTP connection with token auth (no OAuth)
No -- credentials go directly on the connection
Database, FTP, or non-OAuth connections
No
The rule of thumb: if a global iClient exists for the connector, use it. If the connection uses OAuth and you're bringing your own app registration, create a custom iClient.
_httpConnectorId is immutable. Once an iClient is linked to an HTTP connector, it cannot be changed. Create a new iClient if you need a different connector.
provider determines valid fields. Setting provider: "netsuite" means the netsuite block is used; provider: "custom_oauth2" means the oauth2 block. Mismatching provider and config block silently ignores the wrong block.
Handlebars references use {{{iClient.fieldName}}} to access values stored in encrypted or unencrypted objects. For JWT: {{{iClient.jwt.token}}}.
validDomainNames is required for custom OAuth2. Provide each unique domain from your auth/token/revoke URLs (without scheme or path).
Deleting an iClient breaks referencing connections. Connections that reference a deleted iClient will fail to authorize. Check for references before deleting.