feature: Added V2 API endpoint for Connections.

[jordan-simonovski]

Summary

Added connections endpoint to /api/v2/connections supporting list, get, create, update, all using Bearer token auth.

References

See Linear ticket for more information on this.

resolves: HDX-4530

[changeset-bot]

🦋 Changeset detected

Latest commit: a9bed8b

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages

Name	Type
@hyperdx/api	Minor
@hyperdx/app	Minor
@hyperdx/otel-collector	Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
hyperdx-oss	Ready	Preview, Comment	Jun 12, 2026 9:40pm
hyperdx-storybook	Ready	Preview, Comment	Jun 12, 2026 9:40pm

[github-actions]

🔴 Tier 4 — Critical

Touches auth, data models, config, tasks, OTel pipeline, ClickHouse, or CI/CD.

Why this tier:

• Critical-path files (2):
  • packages/api/src/routers/external-api/v2/connections.ts
  • packages/api/src/routers/external-api/v2/index.ts

Review process: Deep review from a domain expert. Synchronous walkthrough may be required.
SLA: Schedule synchronous review within 2 business days.

Stats

• Production files changed: 7
• Production lines changed: 1068 (+ 462 in test files, excluded from tier calculation)
• Branch: jordansimonovski/connections-apiv2
• Author: jordan-simonovski

To override this classification, remove the review/tier-4 label and apply a different review/tier-* label. Manual overrides are preserved on subsequent pushes.

[greptile-apps]

Greptile Summary

Adds a full CRUD /api/v2/connections endpoint to the external API, mirroring the internal v1 connections router but with Bearer token auth, proper response envelopes, and password-never-returned guarantees.

• New external router (external-api/v2/connections.ts) implements GET list, GET by ID, POST create, PUT update, and DELETE with team-scoped authorization, Zod request validation, and formatExternalConnection to strip sensitive fields before returning.
• PUT semantics handle optional-field clearing correctly: hyperdxSettingPrefix clears on null/\"\", prometheusEndpoint clears on null, and omitting either field leaves the stored value unchanged via MongoDB $set.
• Test suite (external-api/__tests__/connections.test.ts) provides comprehensive integration coverage including auth isolation, password exclusion, optional-field clearing, and cross-team 404 guards across all five operations.

Confidence Score: 5/5

Safe to merge — auth scoping, password exclusion, and field-clearing semantics are all correctly implemented and well-tested.

The new external connections router correctly enforces team isolation on every operation, never leaks passwords, and handles the tricky PUT partial-update semantics (keep/clear optional fields) properly. Test coverage is thorough across auth, isolation, and edge cases.

openapi.json — POST create is documented as 200 instead of 201, and the 403 response is missing from several single-resource operation specs.

Important Files Changed

Filename	Overview
packages/api/src/routers/external-api/v2/connections.ts	New external v2 connections router with full CRUD. Auth scoping, password stripping, and schema validation are correct. Minor: POST returns 200 instead of 201, and a few OpenAPI docs are missing the 403 response.
packages/api/src/routers/external-api/tests/connections.test.ts	Comprehensive integration tests covering auth isolation, password exclusion, optional-field clearing, and 404/401/400 edge cases across all five operations.
packages/api/src/controllers/connection.ts	New controller functions for CRUD operations, all correctly scoped to team. updateConnection uses $set/$unset atomically.
packages/api/src/routers/external-api/v2/index.ts	Mounts the new connections router with rate limiter and validateUserAccessKey middleware, consistent with all other v2 routes.
packages/api/openapi.json	New Connection, CreateConnectionRequest, UpdateConnectionRequest schemas added. POST create endpoint documents 200 instead of the conventional 201, and 403 is missing from several single-resource operation docs.

_{Reviews (4): Last reviewed commit: "Merge branch 'main' into jordansimonovsk..." | Re-trigger Greptile}

[github-actions]

E2E Test Results

✅ All tests passed • 202 passed • 3 skipped • 1307s

Status	Count
✅ Passed	202
❌ Failed	0
⚠️ Flaky	1
⏭️ Skipped	3

Tests ran across 4 shards in parallel.

View full report →

[knudtty]

Just team adjacent requests

[knudtty]

I feel like this regex might be overkill, probably fine though

[knudtty]

Assuming only one team is fine here

[knudtty]

same comment, assuming one team is fine

[jordan-simonovski]

Given the team ID is derived from the personal tokens in UI, I feel it would be a security issue if we could modify multiple teams with the one token.
We may need to rethink how we manage API tokens in the future if we want to be able to define team IDs dynamically.