Custom API actions
Custom actions extend an Agent Team without turning it into an unrestricted HTTP client. Each connection fixes the host, authentication boundary, operation, schema, effect, and risk before a run can use it.
Choose the smallest connection
Use a signed webhook for one reviewed POST target, a reviewed API operation for a fixed HTTPS path and JSON contract, or a remote MCP connection whose available tools have been explicitly reviewed. Prefer a native provider action when Codelit already models the service.
- Open the responsible Agent card and add a Custom tool.
- Choose Signed webhook, Reviewed API, or Remote MCP and enter the fixed HTTPS endpoint.
- Review authentication, operation risk, input schema, and response boundary before connecting.
Protect credentials and input
Secrets are encrypted in the hosted vault and are not rendered back after saving. Reviewed API inputs must match the bounded JSON schema. String fields may use {{handoff}} to insert the prior Agent output without allowing it to change the destination or method.
Approve the exact request
Hosted custom writes require a human approval gate. The review binds the decision to the user, run, tool, operation, rendered input, and expiry; changing the request invalidates that approval. Responses are capped, treated as untrusted data, and retained as bounded evidence.
- Use low-risk read operations for grounding.
- Require approval before every external write.
- Keep receiver operations idempotent.
- Remove the connection when the workflow no longer needs it.