These docs cover the S6S workflow engine — the developer playground layer underneath the product. For the main AI Visibility product (brand monitoring, the unified Report, fix actions), start at /docs/ai-visibility.

Credentials

Workflows that call external services need credentials. S6S manages them securely with AES-256-GCM encryption and automatic token refresh.

Two types of credentials

OAuth providers

Google, Slack, Discord. One-click “Connect” flow. Tokens refresh automatically.

For Google sub-services (Drive, Sheets, YouTube, Gmail), they all share one Google OAuth connection but each API must be enabled separately in Google Cloud Console.

API key providers

Telegram, Notion, Pinterest, custom. Paste your API key. Stored encrypted.

The deploy response includes setup_url and setup_instructions to help users get their keys.

How credentials work in workflows

  1. Add "credential": "provider_name" to a step in your recipe.
  2. On deploy, S6S checks if the credential is connected for your account.
  3. If missing: the response includes a missing_credentials array with a connect_url for each.
  4. The connect_url opens a dedicated connect page — OAuth providers start a consent flow, API key providers show an input form.
  5. Once connected, redeploy or re-run — credentials are injected automatically.
Deploy response with missing credentials
{
  "ok": true,
  "workflowId": "uuid",
  "missing_credentials": [
    {
      "provider": "slack",
      "connect_url": "https://s6s.ai/credentials/connect/slack",
      "setup_url": null,
      "setup_instructions": null
    }
  ]
}

Managing credentials

Dashboard

The /credentials page shows all connected services with their status.

Connect new

Click a provider to start an OAuth flow or paste an API key.

Revoke

Delete a credential binding to remove access. Workflows using it will fail until reconnected.

API

GET /api/v1/credentials lists your credential bindings. Secrets are never exposed in API responses.

Google sub-services

Several Google services share a single OAuth connection. Each Google API must be enabled individually in Google Cloud Console.

ServiceCredential
google_drivegoogle
google_sheetsgoogle
youtubegoogle
gmailgoogle
google_calendargoogle

The deploy response includes api_setup_hints with direct enable URLs for each required Google API. Share these links with your users.

Security

  • All secrets encrypted at rest with AES-256-GCM
  • OAuth tokens auto-refresh before expiry
  • Secrets never appear in workflow JSON, logs, or step outputs
  • Use credentialRef in workflow definitions — never raw tokens