Integrations — AZMX AI

01The interop promise

AZMX is what stays. Everything around it can change.

The mistake most AI tools make is asking you to commit to a stack on top of committing to them. AZMX takes the opposite shape: every AI provider you'd choose, every standard your auditors want, every connector your team already uses — pluggable, swappable, vendor-neutral.

Switch providers between turns. Swap your IdP without re-issuing keys. Move from cloud AI to local AI in one toggle. The thing that stays consistent across all of it is AZMX itself — the trust floor, the audit log, the keyboard shortcuts, the muscle memory.

02AI providers

Eleven supported. Pick whichever your team has accounts for.

Your key. Your choice. AZMX is provider-agnostic — keys stay in a private user-only file on your machine, requests go directly from your device to the provider, AZMX is not on the network path.

A

Anthropic

Claude Sonnet · Opus · Haiku. Get a key →

O

OpenAI

GPT-4o · GPT-4.1 · o-series reasoning. Get a key →

G

Google (Gemini)

Gemini 2.5 Pro · Flash. Get a key →

⚡

Groq

Low-latency Llama · Mixtral · Qwen. Get a key →

C

Cerebras

Very-fast Llama · Qwen inference. Get a key →

x

xAI (Grok)

Grok 3 · Grok 4. Get a key →

D

DeepSeek

Chat + Code models, low cost. Get a key →

N

NVIDIA NIM

Hosted at build.nvidia.com or self-hosted. Get a key →

Az

Azure OpenAI

Any resource + any deployment. Set up →

▣

Ollama (local)

One-click setup. Qwen2.5-Coder · Granite · Llama. Install →

▣

LM Studio (local)

GUI model manager + OpenAI-compatible server. Install →

+

OpenAI-compatible

Any custom endpoint — Vertex AI, Bedrock-via-LiteLLM, your gateway. URL + key.

03MCP connectors

Seventeen curated. Add your own in one JSON file.

AZMX is MCP-native. The agent calls tools through the open Model Context Protocol — your code repo, your cluster, your database, your message bus.

⌥

GitHub · GitLab

PRs, issues, repos, code search via your fine-grained token.

⎈

Kubernetes

kubectl from the agent — list/describe pods, read logs, manage deployments.

▣

Postgres · SQLite · Redis

Read-only queries, schema introspection, key-value access.

📁

Filesystem · Drive

Allow-listed local directories. Google Drive list/read/search.

🔍

Brave Search · Google Maps

Web search + maps via your API keys.

💬

Slack

Read channels, post messages.

⌚

Time · Fetch · Puppeteer

Time / timezone, URL fetch with Markdown conversion, headless Chromium.

⊡

Memory · Sequential thinking

Persistent KV memory, multi-step scratchpad.

+

Custom MCP server

Workspace .azmx/mcp.json or community-catalog submission. See the full catalog →

04Identity + SSO

The protocols your IdP already speaks.

SAML 2.0 SP

Full SP loop — AuthnRequest, ACS, Response parsing, IdP certificate + issuer pinning, XML-DSig SignatureValue + DigestValue verify. Standard /sso/metadata endpoint for IdP auto-configuration.

SCIM 2.0

RFC 7644 + RFC 7643 user provisioning. Bulk seat issuance from Okta, Azure AD, Google Workspace, or any standards-compliant IdP.

OAuth 2.1 + PKCE

For HTTP MCP transports. Tokens persisted in the same 0600 secrets file as your API keys — never plain settings, never the OS keychain.

PIV / CAC

X.509 trust evaluator, challenge issuance, RSA-SHA256 + ECDSA-SHA256 verify. Smart-card-native flow for U.S. federal contexts.

Magic-link auth

Default for the Admin Console (Pro+). No password to leak, no MFA to roll out. Polar.sh as MoR for self-serve checkout.

RBAC

Admin · Member · Observer roles. Centrally managed via the Admin Console or org-policy file.

05Monitoring + SIEM + observability

Where the audit log goes.

The hash-chained audit log streams to whichever observability stack you already pay for. Signed JSONL pages, OTel-ready hooks, no proprietary forwarder required.

Splunk

Splunk Universal Forwarder tails azmx-audit.json as plain JSONL. Hash-chain integrity verified at the indexer.

Datadog

Datadog Agent forwards the audit log as a JSON log source. Tag by seat, license, agent run.

OpenTelemetry

An OTel collector ingests the signed audit pages and routes to whichever backend your fleet uses. Standards-compliant, no AZMX-specific glue.

Elastic / OpenSearch

Filebeat tails the audit log. Same JSON shape, same hash-chain verification.

Grafana Loki

Promtail tails as a structured log stream. Useful when your team already lives in Grafana.

Webhooks

Spend anomaly alerts (Teams+) fire to Slack · Discord · Microsoft Teams via standard webhook URLs.

06Standards + compliance

Open specs and audit boxes — by name.

FIPS 140-3 (the Enterprise build's allowlist evaluator)Required by some U.S. federal procurement.
SOC 2 Type IIAttestation report + policies under NDA.
CycloneDX 1.5 SBOMSigned per release. Verifiable cryptographically.
DPA (GDPR Article 28)Standard sub-processor list + technical and organizational measures.
OWASP ASVS-aligned secret-screenBuilt-in DLP path screen on .env, .ssh/*, credentials*, vault.yaml, etc.
Ed25519 signed releasesAuto-updater verifies signatures against an embedded public key. Customer-rooted on Enterprise.
RFC 8259 (JSON) · RFC 7515 (JWS) · RFC 8032 (Ed25519)The exact wire formats AZMX uses for license tokens, audit log, and signed manifests.

07Payments + commerce

How licenses get issued.

Self-serve Pro and Teams flow through Polar.sh as our Merchant of Record. Polar handles tax, chargebacks, and the receipt → license-token exchange. Annual or monthly, no per-seat AI markup.

Enterprise procurement runs outside Polar — direct PO, custom terms, customer-rooted license issuer setup, named SLA support. Email [email protected].

Air-gapped customers can issue licenses entirely offline using their own Ed25519 keypair — no AZMX or Polar dependency in the runtime trust chain.

08How to add an integration

Two paths. Both shipped.

Workspace-onlyDrop a .azmx/mcp.json into your repo. Anyone who opens it gets prompted to trust + install your custom MCP server.

Org-policyTeams pin allowed connectors centrally via the org-policy file. MDM-friendly, fail-safe.

Community catalogSend a PR to AzmxAI/azmx · mcp-servers/. Accepted manifests ship in the bundled catalog on next release.

Custom AI providerAny OpenAI-compatible endpoint plugs in via Settings → Models → Custom. Configure URL + key + model ID.

Authoring guides: MCP_AUTHORING.md · AGENT_AUTHORING.md · SKILL_AUTHORING.md

09What we don't lock you into

The list of opt-outs that survives across tiers.

No required AI providerAny of 11. Or none — local works.
No required IdPSAML 2.0 + SCIM 2.0 — bring your own. Or none — SSO is optional.
No required SIEMPlain JSONL audit log. Tail it with any tool that reads JSON.
No required telemetryOff by default. Verifiable at your OS firewall.
No required accountFree + trial work with zero account creation. AZMX checkout for paid tiers.
No required cloud connection (Enterprise)Self-hosted issuer + local-only AI lock = AZMX runs with zero outbound.

AZMX speaks your stack.