OAuth 2.1 for AI integrations
Coralogix supports OAuth 2.1 with OpenID Connect (OIDC) for authentication and authorization across AI-powered integrations.
Use it to:
- Avoid storing separate Coralogix credentials in external AI tools.
- Ensure the integration operates within the signed-in user’s existing access control and permissions.
- Establish a secure, scalable foundation for expanding AI-powered workflows across teams.
This article explains how Coralogix OAuth works for AI integrations, what the tokens represent, how team access works today, and the current options for disconnecting or blocking access.
How it works
Coralogix OAuth access tokens represent a user context, not a standalone API key or service account. An integration uses OAuth to authenticate a user and then calls Coralogix APIs on that user's behalf.
A typical OAuth flow looks like this:
- The integration redirects the user to Coralogix to sign in and approve requested access (scopes).
- Coralogix authenticates the user (for example, via SSO and any configured MFA policies).
- Coralogix returns an authorization response to the integration.
- The integration exchanges the authorization response for an access token (and optionally a refresh token).
- The integration calls Coralogix APIs with the access token.
- Coralogix evaluates every request based on the authenticated user’s permissions, policy scopes, and team membership. The integration does not receive additional privileges.
Get an access token
Before an integration can access private Coralogix data, it requests an access token. The integration includes one or more scope values in the scope parameter to indicate the permissions it is requesting.
Scopes
Scopes define which resources and actions the token allows. Some integrations require specific scopes, while others are optional.
| Scope | What it allows |
|---|---|
| openid | Enables OpenID Connect sign-in so the app can authenticate you. |
| email | Identifies you as a Coralogix user (email address). |
| profile | Lets the app read basic profile details for display (for example, name). |
| offline_access | Allows the app to refresh its token so it stays connected without repeated approvals. |
| cx_teams:list | Lets the app list the teams you belong to (availability depends on the integration). |
Team access
Team access behavior depends on the integration you are connecting:
- MCP integrations: Support a single team only. You choose one team during setup, and the integration operates within that team.
- Olly integrations: Automatically have access to all teams the signed-in user belongs to. Select one team at a time using Olly’s data sources.
What happens after you approve
When you approve access, Coralogix sends an authorization code to the integration. The integration exchanges that code for tokens (access_token and refresh_token) and then uses the access token to call Coralogix APIs on your behalf, limited to the requested scopes and your existing permissions.
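The authorization-code exchange described above and in the "How it works" flow, as an added example that is not Coralogix's own code: it builds the sign-in URL with the scopes from the table, checks the returned state before accepting the code, and prepares the token request. The endpoint URLs and client_id are placeholders (this page does not give Coralogix's real endpoints), and PKCE is included because OAuth 2.1 requires it for the authorization-code flow, although the page itself does not mention it.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders: the real Coralogix endpoints are not given on this page.
AUTHORIZE_URL = "https://CORALOGIX_AUTH_HOST/oauth2/authorize"
TOKEN_URL = "https://CORALOGIX_AUTH_HOST/oauth2/token"
# Scopes from the table above; offline_access is what yields a refresh_token.
SCOPES = ["openid", "email", "profile", "offline_access", "cx_teams:list"]


def make_pkce_pair():
    """Return (code_verifier, code_challenge) using the S256 method (RFC 7636)."""
    verifier = secrets.token_urlsafe(64)  # 86 unreserved chars, within 43..128
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(client_id, redirect_uri, challenge, state, scopes=SCOPES):
    """Step 1: the URL the integration redirects the user to for sign-in and approval."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # space-separated scope parameter
        "state": state,             # random per-login value, checked on return
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Step 3: extract the authorization code, rejecting a callback whose state
    does not match the one we issued (guards against a forged redirect)."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback is not from this login attempt")
    if "error" in query:
        raise RuntimeError(f"authorization denied: {query['error'][0]}")
    return query["code"][0]


def token_request_body(client_id, redirect_uri, code, verifier):
    """Step 4: form body POSTed to TOKEN_URL to obtain access_token (and
    refresh_token when offline_access was granted)."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,  # server recomputes S256 and compares
    }
```

The user's credentials never pass through the integration: only the short-lived code and the resulting tokens do, and every API call made with the access token is still evaluated against that user's permissions.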
- Your password is never shared with the external tool.
- Your existing security policies still apply:
  - SSO and MFA requirements are enforced at sign-in.
  - If your account is disabled or your team membership changes, access changes accordingly.
- The integration cannot exceed what you are already allowed to do in Coralogix.
Revoking access
To block an integration from accessing Coralogix, use one of these options.
From the external tool
Many integrations provide a Disconnect from Coralogix or Sign out of Coralogix option. Use that first when available.
From Coralogix
- Remove the user from the relevant team(s) to block access to those teams.
- Adjust the user’s roles or permissions to reduce what the token can do (the integration is always limited by the user’s permissions).
After access is blocked or tokens are revoked, the next time the integration tries to use Coralogix, it will fail and prompt the user to reconnect through the OAuth flow.
Authentication metadata
All actions performed using a token include authentication metadata indicating that the request was made using an OAuth 2.0 token, along with the client_id that created it.
FAQs
Can an app access more data than I can?
No. The integration cannot exceed your own permissions. All actions are executed on behalf of the authenticated user and evaluated against that user’s roles, scopes, and team membership.
Is this token usable as a general API key?
Yes. Tokens can be used as a user_token and as an api_key replacement. This is what Olly is meant to benefit from when calling the Prime API to fetch data.
Why does team access differ by integration?
Coralogix applies different limitations depending on the authorized client.
For MCP integrations, each MCP token can be authorized for only one team. There is no limit on the number of MCP integrations a user can create, allowing them to create one token per team and set up multiple MCP connections to IDEs as needed.