Skip to content

Connect to SaaS Applications

What is a SaaS connection?

A Fides SaaS (Software as a Service) Connection allows a user to connect to a third-party application (e.g., Mailchimp, Stripe, Hubspot), and execute data access and erasure requests against that application. Fides represents your SaaS connections as a Dataset, accessed via a Connection, and configured by a SaaS config.

Supported SaaS applications

The current implementation of the SaaS framework can support any SaaS application that uses these features:

  • Basic auth, bearer auth, OAuth2 (Authorization Code Flow)
  • Data access via HTTP requests
  • Erasure via HTTP requests
  • Pagination based on headers and response contents

The following features are planned for future releases and will allow for the configuration of broader types of connections:

  • Custom Python functions for access and erasure requests
  • Retry logic based on status codes and response contents

For full examples of supported Connections, see the example configurations.

Configure a SaaS connector

When running the Fides webserver, you may navigate to the interactive API docs at http://{server_url}/docs (e.g., to access the following endpoints.

Create a Connection of type saas

    "name": "SaaS Application",
    "key": {saas_key},
    "connection_type": "saas",
    "access": "read"

Add a SaaS Config (in JSON format)

    "fides_key": "mailchimp_connector_example",
    "name": "Mailchimp SaaS Config",
    "type": "mailchimp",
    "description": "A sample schema representing the Mailchimp connector for fides"

Configure your secrets

  "domain": "{mailchimp_domain}",
  "username": "{mailchimp_username}",
  "api_key": "{mailchimp_api_key}"

Add a Dataset (in JSON format)

    "name":"Mailchimp Dataset",
    "description":"A sample dataset representing the Mailchimp connector for fidesops",

Additional considerations

The following constraints are enforced by the API validation:

  1. A SaaS connector dataset cannot have any identities or references in the fidesops_meta. These relationships must be defined in the SaaS config.
  2. SaaS config references can only have a direction of from.
  3. The fides_key between the SaaS config and the Dataset must match in order to be associated.

Set up a SaaS connector from a template

To create all the resources necessary to set up a SaaS Connector in one request, you can create a connector from a template. This creates a saas Connection with your supplied name and description, using your supplied secrets.

The example below creates a mailchimp saas connector, and would need the relevant mailchimp secrets.

Your instance_key will become the identifier for the related Dataset. By default, the saas connection config is enabled with write access.

    "name": "My Mailchimp connector",
    "description": "Production Mailchimp Instance",
    "secrets": {
        "domain": "{{mailchimp_domain}}",
        "api_key": "{{mailchimp_api_key}}",
        "username": "{{mailchimp_username}}"
    "instance_key": "primary_mailchimp",