Create a connect session
{ "connectUrl", "token", "projectId", "expiresAt" }. Redirect the user’s browser to connectUrl. Hub hosts the connect page and the OAuth callback.
Receive the delivery
When the user finishes connecting, Hub POSTs a signed JSON envelope to yourdeliveryUrl. The body is { "type", "payload" }, with these headers:
| Header | Value |
|---|---|
x-corsair-signature | sha256=<hex> — HMAC-SHA256 of the raw request body, keyed with your signing secret |
x-corsair-timestamp | Unix seconds when Hub sent it; reject if older than a few minutes (replay guard) |
x-corsair-project | Your project id |
x-corsair-nonce | Unique per delivery |
verify passes: parse the body, exchange or store the credential, and respond 200.
List connections
{ tenantId, plugin, status, authKind, connectedAt, expiresAt }, deduplicated by tenantId:plugin.