Manual-Only Composio Tools
Manual-Only Composio Tools
Some toolkits cannot complete OAuth automatically through the standard Composio flow because they require out-of-band approval, allowlisting, or sandbox provisioning. The onboarding CLI surfaces these as MANUAL in the live progress table and points back to this doc.
LinkedIn (organic + Ads)
Problem: LinkedIn API access for marketing-tier scopes requires:
- A Marketing Developer Platform (MDP) application that the LinkedIn Partner team has approved.
- Each new tenant’s LinkedIn account must be added to the app’s authorized user list before OAuth consent succeeds.
Workaround (until productized):
- Use the Ascend MDP app’s Composio auth_config.
- Email
developer-relations@linkedin.com(or the Ascend partner contact) with the tenant’s LinkedIn org URN to add to the allowlist. - Wait 1–3 business days for confirmation.
- Then re-run
npm run onboard:client -- --slug <slug> --add-tool linkedin.
Pitfall: Without allowlisting, Composio OAuth returns ACTIVE but every API call 403s with “Application is not authorized for this member.” Always smoke-test with mcp__composio__LINKEDIN_GET_MY_INFO after onboarding.
Google Ads
Problem: Google Ads API requires a developer-token-allowlisted GCP OAuth client. Composio’s default GCP project is not allowlisted, so default auth_configs fail with DEVELOPER_TOKEN_PROHIBITED.
Workaround (already productized for Kahuna):
- Use the Ascend custom auth_config
ac_p9jMpo3Mmfk2which routes OAuth through Ascend GCP project705816965171(dev-token-allowlisted) — see ADR-055. - The onboarding CLI’s
auth-configs.jsonalready pinsgoogleads → ac_p9jMpo3Mmfk2. - Tenants don’t need to do anything different; the client click is normal OAuth.
For brand-new tenants whose Google Ads accounts are NOT on the developer-token allowlist:
- Submit a basic access application via the Google Ads API Center under the Ascend MCC.
- Wait for Google’s approval (1–4 weeks for basic access; longer for standard).
- During the wait, the tenant’s googleads tool will OAuth successfully but every query returns
DEVELOPER_TOKEN_PROHIBITED.
Salesforce sandbox vs production
Problem: Composio’s standard Salesforce auth_config targets login.salesforce.com (production). Sandboxes live at test.salesforce.com and require a different auth_config.
Workaround:
- If the tenant uses a sandbox: register a separate auth_config in Composio with
instanceUrlpointing at the sandbox subdomain (e.g.https://acme--dev.sandbox.my.salesforce.com). - Update
scripts/composio/auth-configs.jsonwith asalesforce_sandboxentry mapping to the new auth_config_id. - Pass
--tools salesforce_sandbox(notsalesforce) when onboarding.
QuickBooks Online
Problem: QBO realm_id (the company file ID) is required on every API call but Composio surfaces it only after the OAuth consent screen completes.
Workaround:
- Standard OAuth completes via the CLI;
connectedAccountIdis written immediately. - After ACTIVE, run a one-shot probe:
mcp__composio__QUICKBOOKS_GET_COMPANYINFO— Composio injects the realm_id automatically into theaccount_idparameter. - The CLI does NOT need to track realm_id separately; Composio handles it.
Pitfall: Old code paths that hardcode realm_id (e.g., account=9341455490822583 for Ascend in CLAUDE.md memory) must continue to pass that explicitly until they migrate to Composio-managed accounts.
Gong
Problem: Gong uses Basic Auth (not OAuth), and the API endpoint is region-specific (us-58396.api.gong.io for Kahuna’s instance).
Workaround:
- Composio’s
gongauth_config uses Basic Auth + aninstanceUrlfield. - Onboarding CLI prompts for the Gong API key + secret + region URL when
--tools gongis requested. - Stored in Composio, not in V5 KV (preserves invariant 5 v3).
Status table (as of 2026-05-18)
| Tool | Ascend canonical | Kahuna prod | Notes |
|---|---|---|---|
| googlesuper | ✅ | ✅ | Standard Google OAuth |
| googleads | ✅ (custom auth_config) | ✅ | Dev-token allowlist required for new MCC sub-accounts |
| linkedin (organic) | ✅ | ✅ | MDP allowlist required per-tenant |
| linkedin_ads | ❌ missing in ascend | ✅ | Register ascend-side auth_config |
| slack | ✅ | — | |
| hubspot | ❌ missing in ascend | ✅ | Register ascend-side auth_config |
| salesforce | ❌ missing in ascend | ✅ | Register ascend-side auth_config (prod) |
| gong | ❌ missing in ascend | ✅ | Basic Auth + region URL per-instance |
| apollo | ✅ | — | API key |
| gamma | ✅ | ✅ | API key |
| perplexityai | ✅ | — | API key |
| semrush | — | ✅ | API key |
| quickbooks | ✅ | — | OAuth with realm_id injection |
| vercel | ✅ | — | API key |
Until the 4 missing-in-ascend tools (hubspot, salesforce, gong, linkedin_ads) are registered with ascend-side auth_configs, new clients needing those tools must temporarily route through kahuna_prod project. The onboarding CLI will fail loud with a clear error pointing back to this doc.