Terraform Internal Services (Fetch + Secrets)

An agent that reaches your internal corporate services with the fetch action, authenticated by two kinds of secret: a shared service token for machine-to-machine calls, and a personal OAuth secret so the agent can act on behalf of the signed-in employee.

This example shows the two ways an agent authenticates when it calls your internal services with the fetch action, and when to reach for each.

A shared secret is the agent's own machine identity. It is one account-wide bearer token the agent presents to internal systems that trust it as a service account - no human in the loop, the same identity on every conversation. Use it for read-only platform data that everyone may see, like a service catalogue or health endpoint.

A personal OAuth secret represents the employee talking to the agent. The first time someone triggers an ability that uses it, ChatBotKit asks them to sign in through your SSO and stores their token; the agent then calls permission-enforcing systems as that employee, so the backend applies its normal access control. Use it for anything scoped to the person - their tickets, their time-off balance, opening an incident in their name.

The abilities are written in the structured fetch format (a !fetch action tag with !string parameters and !reference secret helpers). Secrets resolve to a complete Authorization value including the Bearer scheme, so headers carry the reference directly with no manual prefix. The open_incident ability uses both secrets in one request: the shared service token authenticates the agent to the internal API gateway, while the employee's forwarded OAuth token attributes the incident to a real person.
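The receiving side of this split, sketched as an added example (not ChatBotKit's code or part of the original template): a gateway check that accepts the shared token only on shared read-only routes, requires the employee's token on person-scoped routes, and demands both for open_incident. The route paths, the `X-Forwarded-Authorization` header name and the token values are assumptions constructed for illustration.

```python
import hmac

# Constructed sample credentials; a real gateway loads the service token from
# its secret store and validates user tokens against the SSO provider.
SERVICE_TOKEN = "svc-constructed-token"
USER_TOKENS = {"user-tok-alice": "alice", "user-tok-bob": "bob"}

# Hypothetical header carrying the employee's forwarded OAuth token when the
# Authorization header is already taken by the service token.
USER_HEADER = "X-Forwarded-Authorization"

# Hypothetical routes mapped to the credentials each one requires.
POLICY = {
    ("GET", "/catalogue"): {"service"},          # shared, read-only data
    ("GET", "/tickets/mine"): {"user"},          # scoped to the person
    ("POST", "/incidents"): {"service", "user"}, # open_incident: both
}

def bearer(value):
    """Extract the token from a 'Bearer <token>' header value, else None."""
    scheme, _, token = (value or "").partition(" ")
    return token if scheme.lower() == "bearer" and token else None

def authorize(method, path, headers):
    """Return (http_status, principal) for a request's method, path, headers."""
    required = POLICY.get((method, path))
    if required is None:
        return 404, None
    principal = None
    if "service" in required:
        token = bearer(headers.get("Authorization")) or ""
        # Constant-time comparison of the shared secret.
        if not hmac.compare_digest(token.encode(), SERVICE_TOKEN.encode()):
            return 401, None
        principal = "agent-service"
    if "user" in required:
        header = USER_HEADER if "service" in required else "Authorization"
        user = USER_TOKENS.get(bearer(headers.get(header)) or "")
        if user is None:
            return 401, None
        principal = user  # actions are attributed to the employee
    return 200, principal
```

The shared token on its own is rejected on `/tickets/mine` and `/incidents`, so a leaked service token cannot read or act as any employee.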

This is the pattern for internal copilots and operations assistants that sit in front of corporate APIs and must respect both service trust and per-user permissions.
