Secure Connections
Secure Connections is a beta preview feature in the April 2026 release. General availability (GA) is scheduled for the May 2026 release, available after May 29th, 2026.
Secure Connections lets your organization exchange resources with partner registries over authenticated, encrypted channels. An outbound Sending Connection pushes data you own to a partner; an inbound Receiving Connection pulls data a partner pushes to you.
Navigation: Admin hub > Secure Connections (or go to /admin/secure-connections)
Feature flag: Secure Connections must be enabled per-user in Application Settings > Experimental Features > Secure Connections before the admin panel is accessible. See Application Settings.
Deployment prerequisite: The Secure Connection Service (SCS) must be installed and configured at the infrastructure level before any of the in-product features described here are available. IT administrators should complete the steps in Secure Connection Service Setup (Helm chart, Zitadel, S3 buckets, Master Key) first.
For end users: Once a Sending Connection is configured here, users with Editor access on a file can share it with the partner organization through the file's Share dialog. The end-user-facing flow, including all certification prompts and the rules under which files are automatically removed from a connection, is documented in Secure Connections (User Guide).
Troubleshooting: For sync failures, authentication errors, and other operational issues, see Debugging Secure Connections.
Page Layout
The page is split into two tabs: Sending Connections and Receiving Connections. Each tab shows a sortable table of configured connections. Use the Active / All toggle (top-right of the tab bar) to include archived connections in the list.
Columns common to both tabs:
| Column | Description |
|---|---|
| (status icon) | Live sync health. Click to open the Sync Status detail page. |
| Name | Display name of the connection. Archived connections are visually dimmed. |
| Description | Optional free-text description. |
| Shared ID | Opaque identifier exchanged with the partner platform. |
| Inbox / Outbox | The object store this connection reads from or writes to. |
| Transform Config | Number of active transformation rules. Click to edit. |
| (actions) | Edit, Edit Transform Config, Edit Owners (receiving only), Archive. |
Sending-only columns:
| Column | Description |
|---|---|
| Permitted Control Tags | Control tags allowed to flow through this connection. |
| Permitted Infosec Level | Maximum infosec classification allowed (only visible when infosec is enabled). |
Add a Connection
Click Add Secure Connection (top-right), then choose Add Sending Connection or Add Receiving Connection.
Add a Sending Connection
A sending connection pushes resources from this platform to a partner.
- Fill in Name and optionally Description.
- Select an Outbox — the object store whose contents are sent to the partner. A warning appears if the chosen outbox is already used by another sending connection.
- Enter a Shared ID — a short identifier for the channel (letters, digits,
.,-,_only; no spaces). A random suffix is appended automatically on submit to guarantee uniqueness. - Enter and confirm a Shared Secret — treat this like a password. It is never retrievable after this dialog closes.
- Optionally assign Permitted Infosec Level (visible when infosec is enabled) — the maximum classification level allowed through this connection.
- Optionally assign Permitted Control Tags — only files carrying these tags will be eligible for sync.
- Check the certification box confirming this connection will share data with an external organization.
- Click Create.
After creation, a credentials screen shows the final Shared ID (with its appended suffix) and a masked Shared Secret — both copyable. Share these with the partner so they can configure the matching receiving connection. The secret cannot be retrieved again once you close this screen.
Add a Receiving Connection
A receiving connection accepts resources pushed to this platform by a partner.
- Fill in Name and optionally Description.
- Select an Inbox — the object store where incoming data lands. A warning appears if the chosen inbox is already used by another receiving connection.
- Enter the Shared ID provided by the sending-side partner.
- Enter the Shared Secret provided by the sending-side partner.
- Click Create.
The creating user is automatically set as the initial owner of the new receiving connection.
Edit a Connection
Click the actions menu on a connection row > Edit.
Editable fields for both kinds:
- Name, Description
- Inbox / Outbox — changing the store takes effect going forward; previously synced data stays in place. A confirmation checkbox is required before saving.
- Shared Secret — click Reset Secret (sending) or Update Secret (receiving) to stage a new value. The new secret is only applied when you click Save. For sending connections, confirm by entering it twice; for receiving connections, enter the new value provided by the sending side.
Sending-only editable fields:
- Permitted Infosec Level (when infosec is enabled)
- Permitted Control Tags
The Shared ID is read-only after creation but can be copied from the edit dialog.
Transform Config
Transformation rules rewrite control tags on resources as they pass through a connection. They are applied in this fixed order regardless of the order they are listed: removes, then maps, then adds.
Click the actions menu on a connection > Edit Transform Config (or click the transform count badge directly).
Rule Types
| Rule | What it does |
|---|---|
| Add Control Tag | Always stamps the chosen tag onto every synced resource. No predicate required. |
| Remove Control Tag | Always strips the chosen tag from every synced resource. No value required. |
| Map Control Tag | Replaces one tag with another on synced resources. |
Each rule requires a Description explaining why it exists.
Sending Connection Rules
- Predicate (Map, Remove): choose from the connection's permitted control tags.
- Value (Add, Map): choose from the connection's permitted control tags.
- If no permitted tags are configured for the connection, all dropdowns are disabled.
Receiving Connection Rules
- Predicate (Map, Remove): choose from the incoming tags sent by the partner platform.
- Value (Add, Map): choose from your organization's active local control tags.
- A warning is shown if any incoming tags are not covered by a Remove or Map rule — uncovered incoming tags will cause sync to fail.
As part of the Shared Cybersecurity Responsibility Model, administrators are expected to make good-faith mappings from the sending platform's control tags to valid equivalent local tags.
Manage Owners (Receiving Connections)
Owners of a receiving connection are granted view access to every file that arrives through it, and may reshare those files at the viewer level with other users (resharing to another secure connection is not permitted).
Classification gating: Receiving Connection Owners are not automatically assigned the infosec level or control tags carried by an incoming file. An Owner whose own classification does not satisfy the file's infosec level, or who does not hold every control tag the file carries, will not see the file even though connection ownership grants the underlying view role. To make a file visible to an Owner, an administrator must assign that user the matching infosec level and control tags through the Administrator Guide.
- Click the actions menu on a receiving connection > Edit Owners.
- Search for users by name and click to add them.
- Remove an owner by clicking the remove button next to their name.
- Click Update to save.
Sync Status
Each active connection displays a sync status icon indicating the health of its most recent synchronization:
| Icon | Meaning |
|---|---|
| Success | Last sync completed without errors. |
| Degraded | Sync completed with partial errors. |
| Failure | Sync failed. |
Click the icon to open the Sync Status detail page (/admin/secure-connections/:kind/:connectionId/sync-status). For help interpreting sync events and resolving failures, see Debugging Secure Connections.
Sync Status Detail Page
The page shows a paginated list of sync events for the connection, newest first.
- Each row shows how many resources were updated, a preview of the sync message, the timestamp, and the overall status badge.
- Click a row (or the chevron) to expand it and see per-resource status, resource IDs, and individual messages. Click any resource ID to copy it.
- Click a truncated message to open it in full in a dialog.
Use the All / With updates toggle to filter to only sync events where at least one resource was modified.
Archive a Connection
Archiving stops synchronization and hides the connection from the default (Active) view. It cannot be undone.
- Click the actions menu on a connection > Archive.
- Confirm in the dialog.
To view archived connections, switch the Active / All toggle to All. Archived rows are dimmed and their action menus are disabled.