Documentation
Register a Connector
One registration for apps and sources — client auth, source declarations, scopes
Updated July 4, 2026
Register a Connector with Dialogues
A Connector is the single registration object for anything that brings data into, or uses data from, a person's Topos. It replaces the old split between "apps" and "sources": a connector has an optional client facet (auth: PKCE or client secret, redirect URIs) and an optional sources facet (data contracts: schema, parser, delivery). Your app_id from the old model is your connector_id — nothing is renamed.
Before any user clicks Attach Dialogues, your connector must exist in the registry with the right policy. Skipping scopes, sources, or redirect setup is the most common reason attach fails.
Next: Add Dialogues auth
Section A — Decide what you're building
Answer two questions; they decide which facets you configure:
- Does it bring data into a Topos?
- The owner uploads files or types entries themselves → sources facet only, delivery: owner_upload (or owner_ui). No auth configuration, ever. - Your software pushes data → sources facet with delivery: client_push plus a client facet (Section B).
- Does it read data?
- A person reading a friend's data → stop — no connector needed. The owner shares directly from Topos → Sharing (permission ticket → approval → token). - An app or service → client facet with read scopes. Sources facet may be empty (read-only services write nothing back).
| Configuration | Example | Facets |
|---|---|---|
| Owner-mediated data in | CSV export upload | sources only |
| Software pushes data | browser extension | client + sources |
| Read-only service | simulations app | client only |
Checkpoint: You know which facets your connector needs.
Section B — Choose client shape (client facet only)
Use the Integration Modes table in Tutorial 2 — Add Dialogues auth to pick your auth path. When registering, set client_auth_mode to match:
- Browser extension →
integration_profile: chrome_extension,client_auth_mode: public_pkce - Web or mobile with backend →
integration_profile: web,client_auth_mode: client_secret_required(issuecas_*in App Sheaf) - Public SPA or mobile without backend →
public_pkcewith PKCE in the client legacy_none— local dev only; not for production
Checkpoint: Your registry row matches the Integration Mode you will follow in Tutorial 2.
Section C — Declare sources and scopes before registration
- Write your
allowed_scopeslist (what Grant Access may request). Examples:activity:write,activity:read. - Declare every source you will write. Each declaration carries
source_id, schema, and
delivery (owner_upload | owner_ui | local_sync | client_push). Every source_id must be an active source that already exists on the platform (public catalog or your organization's created sources) — do not invent new source IDs here. Examples: browser_visits, browser_events, starred_websites.
- If you need a new stream, create and activate the source first (see
Tutorial 3 — Create sources), then declare it on your connector.
- Register first, validate at ingest: at
app_ingesttime the payloadsource_idmust
be declared on your connector. Undeclared sources are logged today and will be rejected once enforcement is on (CONNECTOR_SOURCE_ENFORCEMENT=enforce).
Checkpoint: Scope list and source declarations are written down.
Section D — Register in App Sheaf (recommended)
- Open App Sheaf → Connectors → Create. The wizard walks the Section A decision
tree: intent → data path → client shape → source declarations.
- Enter
connector_id(your stableapp_id) and display name. - Owner-mediated connectors go straight to the source wizard — no auth steps are shown.
- Software-push and read-only connectors configure the client facet: integration profile,
auth mode, redirect URIs, scopes.
- For Chrome extension: enable automatic per-install redirect registration if you distribute unpacked/dev builds.
- Save. Confirm the connector shows
public_pkcewhen the profile is Chrome extension.
Checkpoint: Connector appears in Sheaf; production public clients are not left on legacy_none.
Section E — Register via Control Plane API
POST /v1/connectors is the primary endpoint. (POST /v1/apps still works as a deprecated alias with identical behavior — responses carry Deprecation/Sunset headers.)
curl -sS -X POST "https://cp.logu3s.com/v1/connectors" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"connector_id": "my-extension",
"name": "My Extension",
"active": true,
"integration_profile": "chrome_extension",
"client_auth_mode": "public_pkce",
"extension_redirect_auto_register": true,
"allowed_scopes": ["activity:write"],
"sources": [
{ "source_id": "browser_visits", "delivery": "client_push" }
],
"allowed_redirect_uris": []
}'- Requires owner or admin bearer token.
- If you omit
client_auth_mode, the default may belegacy_none— setpublic_pkceexplicitly for public clients. sources[]declarations keepallowed_source_idsin sync automatically (and vice versa
for legacy writes). Each declared source_id must refer to an existing, active source.
- Add or update declarations later with
POST /v1/connectors/{connector_id}/sources;
remove one with DELETE /v1/connectors/{connector_id}/sources/{source_id} (declaration only — never deletes ingested data).
- Confirm with
GET /v1/connectors/{connector_id}.
Checkpoint: API response shows the facets and declarations from Sections A–C.
Section F — Redirect URIs (client facet)
- Web apps: Add exact callback URLs to
allowed_redirect_urisat create/edit time. They must match theredirect_uriyou send on/connectbyte-for-byte. - Extension (load unpacked / GitHub): Each install gets a new
chrome.runtime.id. Register redirects per install viaPOST /v1/apps/{app_id}/extension-install/redirects. This registerschrome-extension://<id>/…andhttps://<id>.chromiumapp.org/. - Extension (Chrome Web Store): One fixed extension ID for all users. Register that ID once in Sheaf or via the redirect API; pin it in metadata if supported.
- Optional
erk_*: Third-party extensions can issue an extension register key (POST /v1/apps/{app_id}/extension-register-key/issue) and sendX-Topos-Extension-Register-Keyon redirect registration. Storeerk_*in private build config — not in public GitHub. Do not rely on any special-case behavior of the referencebrowser-history-pluginfor your ownapp_id.
Checkpoint: Redirect strategy matches how you ship the client (web vs unpacked vs store).
Section G — Verify registration
curl -sS "https://cp.logu3s.com/v1/connectors/my-extension" \
-H "Authorization: Bearer $TOKEN"- Confirm
facetsshows the shape you intended ({"client": true, "sources": true}for a data-pushing app). - Confirm
client.client_auth_modeispublic_pkce(orclient_secret_requiredfor confidential web) viaGET /v1/connectors/{connector_id}/client-auth. - Compare
allowed_scopesandsources[]to Section C; each declared source must still map to an active source.
Checkpoint: Ready for Tutorial 2 — Add Dialogues auth.
Reference — browser-history-plugin
| Field | Value |
|---|---|
| connector_id | browser-history-plugin |
| Facets | client (public_pkce, chrome_extension) + sources |
| Source | github.com/dialoguesai/browser-history-plugin |
| Scopes | activity:write |
| Declared sources | browser_visits, browser_events, starred_websites (all client_push) |
Reference implementation: github.com/dialoguesai/browser-history-plugin.