Connect providers
Caddi runs on top of your accounts at GitHub, Vercel, and Cloudflare. Repos, deploys, and DNS are billed to you. Caddi just orchestrates them.
Why three providers?
- GitHub — to create repos, push branches, open promotion PRs, listen for push events.
- Vercel — to create projects, set env vars per environment, watch deploy status.
- Cloudflare — to manage your DNS so we can wire branded preview URLs and verify custom domains.
GitHub — App, not OAuth
We use a per-org GitHub App install (not OAuth on a user) so your agency can keep working when team members come and go. Install it on the org you want Caddi to create repos in.
Permissions requested:
- repo — create repos and branches under your org.
- admin:org — invite the App to repos created from templates.
- workflow — to write and read workflow files when needed.
Vercel — OAuth on your team
From Settings → Integrations → Vercel choose the team Caddi should deploy to. Caddi uses the access token only to create projects and read deploy status — never to read source code.
Cloudflare — scoped API token
Generate a scoped API token at dash.cloudflare.com/profile/api-tokens with these scopes:
- Zone — Edit
- DNS — Edit
- Workers Routes — Read (optional, for branded preview URLs)
Paste the token into Caddi. We encrypt it at rest with Supabase Vault (AES-256 envelope encryption, customer-managed key).
If a token expires or its scopes change, the affected feature shows a clear “reconnect” banner — Caddi will not silently fail.
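An added example (not Caddi's code): a check to run before pasting the Cloudflare token, comparing the scopes you copied from the token summary with the three scopes listed above and flagging excess grants, wrong levels, or a near expiry. The function name, input shape, warning window, and sample tokens are constructed for illustration; nothing here calls the Cloudflare API.

```python
from datetime import datetime, timedelta, timezone

# Scopes listed on this page: resource -> level. Workers Routes is optional.
EXPECTED = {"Zone": "Edit", "DNS": "Edit", "Workers Routes": "Read"}
OPTIONAL = {"Workers Routes"}


def audit_token(grants, expires_on, now, warn_days=14):
    """Compare a token's grants with the page's scope list.

    grants: dict of resource -> level, copied by hand from the token summary
    (constructed shape, not a Cloudflare API response).
    expires_on: timezone-aware datetime, or None if the token has no expiry.
    Returns a sorted list of findings; an empty list means an exact match.
    """
    findings = []
    for resource, level in EXPECTED.items():
        have = grants.get(resource)
        if have is None:
            if resource in OPTIONAL:
                findings.append(f"note: {resource} not granted (optional, for branded preview URLs)")
            else:
                findings.append(f"missing: {resource} - {level}")
        elif have != level:
            findings.append(f"level: {resource} is {have}, page asks for {level}")
    # Anything outside the page's list is more privilege than the integration needs.
    for resource in grants.keys() - EXPECTED.keys():
        findings.append(f"excess: {resource} - {grants[resource]}")
    if expires_on is not None:
        if expires_on <= now:
            findings.append("expired")
        elif expires_on - now < timedelta(days=warn_days):
            findings.append(f"expires in {(expires_on - now).days} days")
    return sorted(findings)


# Constructed samples: one token matching the page, one over-scoped and near expiry.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
EXPIRING = NOW + timedelta(days=3)
GOOD = {"Zone": "Edit", "DNS": "Edit", "Workers Routes": "Read"}
BROAD = {"Zone": "Edit", "DNS": "Edit", "Workers Routes": "Edit", "Account Settings": "Edit"}

if __name__ == "__main__":
    print(audit_token(GOOD, None, NOW))
    for line in audit_token(BROAD, EXPIRING, NOW):
        print(line)
```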