Prerequisites
- A Better Stack account with access to the team you want to connect.
- Permission to authorize third-party apps for that team.
OAuth scopes the connection to what your Better Stack user can already see. Connect with the least-privileged user that works.
Setup
1
Open CloudThinker
Navigate to Connections → Better Stack in your CloudThinker workspace.
2
Start the OAuth flow
Click Connect to open Better Stack’s authorization page.
3
Authorize CloudThinker
Sign in, choose the team to connect, and approve access.
4
Return to CloudThinker
You’re redirected back. The connection shows a Connected status.
Connection details
Better Stack uses OAuth — there are no credential fields to store. CloudThinker holds the authorization token issued by Better Stack after you approve access.Required permissions
CloudThinker inherits the authorizing user’s visibility within the connected team.- Read operations (monitors, incidents, on-call, logs, metrics) work with standard member access.
- Write operations (acknowledging incidents, publishing reports, editing dashboards or alerts) need matching Better Stack permissions and explicit approval in CloudThinker.
Agent capabilities
Once connected, agents have read access to two Better Stack surfaces and approval-gated write access. Uptime
Telemetry
Write operations (approval-gated)
Verify the connection
Example prompts
Log search is scoped per source, so there’s no global search. Name the source (e.g.
api-gateway) so the agent can resolve it before querying.Troubleshooting
A resource returns 404 Not Found
A resource returns 404 Not Found
The resource belongs to a different team or was deleted. Re-list it in the connected team to get current IDs.
Requests fail with 429 Too Many Requests
Requests fail with 429 Too Many Requests
You’ve hit Better Stack’s rate limit. Agents back off and retry automatically.
Log query returns a syntax error
Log query returns a syntax error
Better Stack uses Live Tail syntax. Ask the agent to load the query instructions for the source, then refine.
Security
- Least privilege — grant only the permissions the agents need for your use case; start read-only and widen later.
- Read-only by default — use read-only credentials unless you want agents to make changes through this connection.
- Rotate credentials — rotate keys and tokens on your normal schedule; CloudThinker picks up the new value when you update the connection.
- Revoke on offboarding — remove the credential at the provider when you delete a connection or a teammate leaves.
- Least-privilege user — authorize with only the access CloudThinker needs; limit the authorizing user’s team membership to what CloudThinker should see.
- Revoke when unused — remove the authorization in Better Stack’s app settings if you stop using the connection.
Related
Datadog Connection
Observability and monitoring
PagerDuty Connection
Incident alerting and on-call