Waveguide

Connections

Connections are the accounts your agent works with. Each one is a single OAuth click from Dashboard → Connections; you approve the scopes on the provider’s own consent screen, and the token goes straight into Waveguide’s encrypted vault. The AI model never sees your credentials — see Security for how that’s enforced.

You can connect as little as one account to start. Starter plans include up to 3 connections; Growth and Scale are unlimited.

Gmail

What the agent does with it: reads incoming mail relevant to the growth loop (lead replies, platform notifications), drafts and sends replies as you, and watches for new-lead signals in real time via push notifications.

Autonomy: reading is free-tier (T1). Sending is a T2 action — it requires approval until you create a standing policy like “auto-approve first replies to new leads.”

Google Calendar

What the agent does with it: reads your availability to propose booking slots to leads, and watches for changes (a booked call is a strong conversion signal worth recording in the ledger).

Autonomy: read-only by default (T0). Creating events is T2.

Meta Ads

What the agent does with it: reads campaign/ad-set/ad performance, receives lead-form webhooks instantly, proposes and executes budget changes and pause/scale decisions, and launches creative variants.

Autonomy: reads are free (T0). Budget changes and campaign launches are T2 and always respect your hard daily spend cap — which defaults to $0 until you raise it. The cap is enforced in the proxy, not in the prompt.

Stripe

What the agent does with it: reads payment events so revenue is attributed back to campaigns and leads in the ledger — closing the loop from ad dollar to actual dollar.

Autonomy: read-only. Waveguide never initiates charges, refunds, or payouts on your Stripe account.

Slack / Telegram

Chat channels are set up separately (they’re where the agent reports, not accounts it operates). See Channels.

Managing connections

  • Status for every connection is on the Connections page: active, expired, or revoked.
  • Disconnecting removes the credential from the vault immediately. In-flight sessions lose access at the proxy on the next call.
  • If a provider expires a token, the agent flags it in your brief and the dashboard shows a reconnect prompt.

What the agent can never do

Regardless of connections, the proxy enforces hard rules: no action outside your granted scopes, no spend above your daily cap, no T2/T3 action without approval or a standing policy, and no calls to providers you haven’t connected.