Nembl
Developer Guide
Connectors

Connectors

The connector framework is Nembl's system for integrating with external services. Connectors handle authentication, API communication, and data mapping so that workflows can interact with third-party tools without custom code.

Connector Framework Overview

Each connector encapsulates:

  • Authentication -- OAuth 2.0, API key, or custom auth, managed through Nembl's credential storage.
  • Actions -- predefined operations the connector can perform (e.g., "send message", "create issue").
  • Triggers -- events from the external service that can start a workflow (e.g., "new issue created").
  • Data mapping -- translation between the external service's data format and Nembl's workflow variables.

How Connectors Fit in the Platform

Workflow Phase
  └── Connector Action
        └── Connector (e.g., Slack)
              └── External API call
                    └── Response → next workflow phase

Connectors are invoked during workflow execution. When a phase reaches a connector action, Nembl calls the external API, processes the response, and passes the result to the next phase.

Installing Connectors

From the Connector Catalog

  1. Navigate to Settings > Connectors.
  2. Click Add Connector.
  3. Browse or search the connector catalog.
  4. Click Install on the connector you need.
  5. The connector appears in your installed list, ready for authentication.

Connector Categories

CategoryConnectors
CommunicationSlack (3 actions), Microsoft Teams, Email (API-based via Resend/SendGrid)
Project ManagementJira, GitHub (3 actions), Linear
IT OperationsPagerDuty, OpsGenie (2 actions), ServiceNow (3 actions)
CRM & SalesSalesforce (4 actions), HubSpot (3 actions), Chargebee (3 actions)
Documents & SignaturesDocuSign (2 actions)
GeneralGeneric REST (any method), Outbound Webhook

OAuth Flow

Most connectors use OAuth 2.0 for authentication, which provides scoped, revocable access without storing passwords.

Connecting via OAuth

  1. Open the installed connector from Settings > Connectors.
  2. Click Connect.
  3. You are redirected to the external service's authorization page (e.g., Slack's "Allow Access" screen).
  4. Authorize Nembl to access the required scopes.
  5. You are redirected back to Nembl with the connection confirmed.

OAuth Token Lifecycle

  • Access tokens are short-lived (typically 1 hour) and refreshed automatically.
  • Refresh tokens are stored securely as secrets in your company namespace.
  • If a refresh token expires or is revoked, Nembl marks the connector as disconnected and prompts you to re-authorize.

Reconnecting

If a connector becomes disconnected:

  1. Navigate to Settings > Connectors.
  2. The disconnected connector shows a warning badge.
  3. Click Reconnect and complete the OAuth flow again.

Credential Management

API Key Connectors

For connectors that use API keys (PagerDuty, OpsGenie, Linear, Generic REST):

  1. Open the connector.
  2. In the Authentication section, click Set API Key.
  3. Enter the key or select an existing vault.
  4. Click Save.

Credential Storage

All credentials (OAuth tokens and API keys) are stored as Nembl Vaults under your company namespace, encrypted at rest:

nembl/{companyId}/connector-{connectorSlug}

Credentials are encrypted at rest and in transit. They are never exposed in logs, audit trails, or API responses.

Rotating Credentials

  1. For API key connectors: generate a new key in the external service, update the secret in Nembl, verify the connection, then revoke the old key.
  2. For OAuth connectors: click Reconnect to generate new tokens. The old tokens are automatically revoked.

Using Connectors in Workflow Phases

Adding a Connector Action

  1. Open a workflow in the builder.
  2. Select or create a PROCESS phase.
  3. In the property panel, set Automation type to Connector call.
  4. Pick the connector and action from the catalog below.
  5. Fill in the required config fields. Any field value supports {{variable}} interpolation from instance variables.
  6. Optional: set Response variable to capture the API response for use in downstream phases.

Full Connector Catalog

Communication

ServiceActionAuthConfig
SlackSend MessageWebhookwebhookUrl, channel (opt), message
SlackIncoming Webhook (Block Kit)WebhookwebhookUrl, blocks (JSON)
SlackBot MessageOAuth 2.0channel, message
Microsoft TeamsSend MessageWebhookwebhookUrl, title, message (Adaptive Card)
EmailSend EmailAPI keyapiUrl, apiKey, from, to, subject, body (HTML)

Email connector targets a generic HTTP email API (Resend, SendGrid, etc.) — apiUrl points at the send endpoint.

Project Management

ServiceActionAuthConfig
JiraCreate IssueAPI keybaseUrl, email, apiToken, projectKey, issueType, summary, description (opt)
LinearCreate IssueAPI keyapiKey, teamId, title, description (opt), priority (opt, 0–4)
GitHubCreate IssueAPI key (PAT)token, owner, repo, title, body (opt), labels (opt)
GitHubComment on PRAPI key (PAT)token, owner, repo, prNumber, body
GitHubCreate Issue (OAuth)OAuth 2.0owner, repo, title, body (opt)

IT Operations

ServiceActionAuthConfig
PagerDutyTrigger IncidentAPI key (routing)routingKey, summary, severity, source (opt)
OpsGenieCreate AlertAPI keyapiKey, message, description, priority (P1–P5), tags, entity, alias
OpsGenieClose AlertAPI keyapiKey, alias, note
ServiceNowCreate IncidentBasicinstanceUrl, username, password, shortDescription, description (opt), urgency, impact, assignmentGroup, callerId
ServiceNowCreate Change RequestBasicinstanceUrl, username, password, shortDescription, description, type, risk, impact, assignmentGroup
ServiceNowQuery CMDBBasicinstanceUrl, username, password, query (sysparm_query), limit

CRM & Sales

ServiceActionAuthConfig
SalesforceCreate LeadOAuth 2.0firstName, lastName, company, email, phone, status
SalesforceCreate OpportunityOAuth 2.0name, stageName, amount, closeDate, accountId
SalesforceSOQL QueryOAuth 2.0soqlQuery
SalesforceUpdate RecordOAuth 2.0objectType, recordId, fields (JSON)
HubSpotCreate ContactAPI keyaccessToken, email, firstName, lastName, phone, company
HubSpotCreate DealAPI keyaccessToken, dealName, amount, dealStage, pipeline, closeDate
HubSpotSearch ObjectsAPI keyaccessToken, objectType (contacts/deals/companies/tickets), filterProperty, filterOperator (EQ/NEQ/GT/LT/CONTAINS), filterValue, limit
ChargebeeGet SubscriptionAPI keyapiUrl, apiKey, customerId, product (nembl/flagforge), responseVariable
ChargebeeCreate CheckoutAPI keyapiUrl, apiKey, product, planId, responseVariable
ChargebeeCustomer PortalAPI keyapiUrl, apiKey, customerId, responseVariable

Documents & Signatures

ServiceActionAuthConfig
DocuSignSend EnvelopeOAuth 2.0accountId, baseUrl, templateId, signerEmail, signerName
DocuSignGet Envelope StatusOAuth 2.0accountId, baseUrl, envelopeId

General-Purpose

ServiceActionAuthConfig
REST APIGeneric CallAPI key / noneurl, method (GET/POST/PUT/PATCH/DELETE), headers (JSON), body (JSON), authHeader, responseVariable
WebhookSend PayloadWebhookurl, payload (JSON, supports {{variables}})

Use REST API when you need a one-off call to a service Nembl doesn't have a dedicated connector for. Use Webhook for fire-and-forget notifications to inbound webhook URLs (e.g. custom Slack-compatible endpoints, third-party automation platforms).

Response Handling

Connector actions return data that can be used in later workflow phases:

Phase: "Create GitHub Issue"
  Action: GitHub → Create Issue
  Inputs:
    repo: "devopspolis/nembl"
    title: "{{ request.title }}"
    body: "{{ request.fields.description }}"
  Outputs:
    githubIssueUrl → {{ connectorResponse.html_url }}
    githubIssueNumber → {{ connectorResponse.number }}

Phase: "Notify Team"
  Action: Slack → Send Message
  Inputs:
    channel: "#engineering"
    message: "Created issue {{ githubIssueUrl }}"

Error Handling

When a connector action fails (e.g., external API returns an error):

  • The workflow phase is marked as failed.
  • The error details are logged in the workflow execution history.
  • If the phase has a retry configuration, Nembl retries the action automatically.
  • If retries are exhausted, the workflow follows the configured error path (if defined) or pauses for manual intervention.

Building Custom Integrations

For services without a dedicated connector, use the Generic REST API connector.

Configuring a Custom Connector

  1. Install the Generic REST API connector.
  2. Set the base URL, authentication method, and default headers.
  3. In workflow phases, configure the HTTP method, path, headers, and body for each action.

Advanced: Custom Request Transformations

For complex integrations, use workflow data phases to transform data before and after connector calls:

Phase 1: "Prepare Payload" (Data Transform)
  → Format request data into the external API's expected structure

Phase 2: "Call External API" (Generic REST Connector)
  → POST the transformed data

Phase 3: "Process Response" (Data Transform)
  → Extract and format the response for use in the workflow

Monitoring Connector Health

Connection Status

From Settings > Connectors, each connector shows its current status:

StatusMeaning
ConnectedAuthenticated and operational
DisconnectedAuthentication expired or revoked; needs reconnection
ErrorRecent API calls are failing; check the external service

Execution History

View connector action results from the workflow execution history:

  • Which connector and action were called
  • Request sent to the external API
  • Response received
  • Success or failure status
  • Error details if failed

Best Practices

  • Use dedicated service accounts. In the external service, create a service account specifically for Nembl rather than using a personal account.
  • Grant minimal scopes. When authorizing OAuth connectors, review the requested scopes and ensure they match what your workflows need.
  • Test connector actions. Before deploying a workflow with connector actions, test the phase individually to verify the integration works.
  • Handle failures gracefully. Configure error paths in your workflow so that connector failures do not block the entire process.
  • Monitor for disconnections. OAuth tokens can expire or be revoked by the external service. Check connector status weekly.
  • Use the Generic REST connector as a last resort. Dedicated connectors handle pagination, rate limiting, and error handling automatically.
External Agent ContractExecution Architecture