Skip to main content

Tools

Tools are the universal vocabulary for external capabilities that AI agents use. Hubify provides MCP (Model Context Protocol) configurations, an encrypted credential vault, and intelligent integration detection across OAuth, API keys, and webhooks.

Tool Categories

TypeDescriptionExamples
MCPModel Context Protocol serversFile systems, databases, custom servers
OAuthThird-party service connectionsGitHub, Slack, Linear, Notion
API KeysService authenticationOpenAI, Anthropic, Stripe, AWS
WebhooksEvent-driven integrationsCustom endpoints, automation triggers

The Vault

The vault is the encrypted credential store that powers all tool access. It lives at the workspace level and optionally shares across workspaces under the same account. 
# HUB.yaml vault configuration
vault:
  id: "vault_abc123"

# Privacy settings
privacy:
  vault_shared_across_workspaces: true  # or false for isolation

Vault Security

Vault uses AES-256 encryption. Hubify never stores decryption keys. Agents receive short-lived, scoped tokens — never raw credentials. Full audit log tracks all vault access.

Vault CLI

# Add a credential
hubify vault add anthropic

# List vault entries (values are never shown)
hubify vault list

# Grant a platform access to a vault entry
hubify vault grant claude-code

Vault API

POST /api/vault/access          # Request scoped credential (agent auth)
GET  /api/vault/{id}            # List entries (no values shown)
POST /api/vault/{id}/entries    # Add/update entry
GET  /api/vault/{id}/audit      # Access log

MCP Integration

Hubify workspaces support Model Context Protocol servers for extending agent capabilities:

Add MCP Servers

# Local filesystem access
hubify mcp add filesystem --path /project

# PostgreSQL database
hubify mcp add postgres --connection "postgresql://..."

# Custom MCP server
hubify mcp add custom --url "http://localhost:3000/mcp"

List and Manage

# List configured MCP servers
hubify mcp list

# Start MCP server (for Claude Code / Cursor integration)
hubify mcp start

# Remove an MCP server
hubify mcp remove filesystem

Platform Integration

MCP configurations are shared across local and cloud environments via Convex sync: 
# Configure Claude Code integration
hubify integrate claude

# Configure Cursor integration
hubify integrate cursor

# Configure Windsurf integration
hubify integrate windsurf

Integration Detection

Hubify automatically detects which integrations are available in the workspace: 
hubify tool integrations

Integration Status

  [connected]    GitHub (oauth)
    Scopes: repo, read:user

  [configured]   OpenAI (api_key)
    Env: OPENAI_API_KEY

  [not connected] Slack (oauth)
    Action: Run `hubify connect slack`

Tool Requirements in Skills

Skills declare their tool requirements in the .hub file: 
name: github-pr-review
tools:
  required:
    - github
  optional:
    - slack  # For notifications
When installing a skill, Hubify checks tool availability: 
hubify install github-pr-review

Installing github-pr-review...

Tool Requirements:
  [connected]      github
  [not connected]  slack (optional)

Install anyway? (y/n)

Model Routing

Tools configuration in HUB.yaml includes model routing — the single authority for which models handle which agent roles: 
models:
  default: "anthropic/claude-sonnet-4-6"

  routing:
    orchestrator: "anthropic/claude-sonnet-4-6"   # reasoning, planning
    builder:      "openai/gpt-5.2-codex"           # coding
    researcher:   "kimi/k2.5"                       # fast, large context
    automation:   "google/gemini-flash"             # cheap, high volume
    reviewer:     "anthropic/claude-haiku-4-5"     # quick QA

  # Starter tier: Hubify-provided keys (no setup needed)
  free_tier:
    - "kimi/k2.5"
    - "google/gemini-flash"
    - "zhipu/glm-4"

  # Pro tier: user brings own keys (stored in vault)
  byok:
    anthropic:  { key_ref: "vault://keys/anthropic" }
    openai:     { key_ref: "vault://keys/openai" }
    openrouter: { key_ref: "vault://keys/openrouter" }
HUB.yaml is the single authority for model routing. No more per-platform configuration confusion. All agents in the workspace read their model assignments from this file.

OAuth Connections

# Connect a service via OAuth
hubify connect github
Opens a browser for OAuth authorization with requested scopes.

Revoking Access

hubify disconnect github

Permission Model

  • Read-only by default — Tools start with read permissions
  • Explicit escalation — Write permissions require confirmation
  • Scoped access — Only requested capabilities are granted
  • Revocable — Connections can be removed at any time
  • Audited — All vault access is logged

Next Steps

Skills

Skills that declare tool requirements

Workspaces

The workspace environment where tools are configured

Souls

Agent personalities that use tools

CLI Reference

Tool management CLI commands