OAuth Integrations
OAuth integrations use a popup-based authorization flow. Tokens are encrypted in the vault and refreshed automatically.
Flow
- User clicks “Connect” on the Integrations page
- Backend returns an auth_url for the OAuth provider
- Frontend opens a popup to that URL
- User authorizes in the popup
- Provider redirects back with an auth code
- Backend exchanges code for tokens, stores encrypted
- Integration marked as connected
Supported Providers
| Provider | Scopes |
|---|---|
| Gmail | gmail.modify (read, send, search, label) |
| Google Calendar | calendar (events, availability) |
| Google Drive | drive (files, docs, sheets) |
| Slack | chat:write, channels:read, files:write |
| Notion | Full access (pages, databases) |
| GitHub | repo, read:org |
| Shopify | products, orders, inventory |
| Discord | bot, messages.read |
| Linear | read, write |
| Jira | read:jira-work, write:jira-work |
| Airtable | data.records:read/write |
| Figma | files:read |
Token Security
- Encrypted at rest with per-user keys
- Refresh tokens rotated on every use
- Auto-expire and re-authorize if refresh fails
- Immediate revocation on disconnect
- Never logged or exposed to agents directly
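
The storage and refresh rules above, sketched as an added Node.js example (not the product's own code). `TokenVault`, `MASTER_KEY` and `makeFakeProvider` are hypothetical names, the HKDF-derived per-user key and AES-256-GCM are assumptions about how "per-user keys" could be done, and the provider is a constructed stand-in that issues single-use refresh tokens.

```javascript
const crypto = require('node:crypto');
// Assumption: a 32-byte master secret; a real deployment would load it from a KMS.
const MASTER_KEY = crypto.randomBytes(32);
// Constructed stand-in for a provider token endpoint with single-use refresh tokens.
function makeFakeProvider() {
  let n = 0; // only `r${n}` is currently valid
  return (refreshToken) => {
    if (refreshToken !== `r${n}`) throw new Error('invalid_grant');
    n += 1;
    return { access: `a${n}`, refresh: `r${n}` };
  };
}

class TokenVault { // hypothetical name, not the product's API
  constructor(refreshWithProvider) {
    this.refreshWithProvider = refreshWithProvider;
    this.rows = new Map(); // "user:provider" -> { iv, data, tag }, ciphertext only
  }
  cipherArgs(userId, iv) { // per-user key: one user's key cannot open another's row
    const key = crypto.hkdfSync('sha256', MASTER_KEY, Buffer.alloc(0), `vault:${userId}`, 32);
    return ['aes-256-gcm', Buffer.from(key), iv];
  }
  store(userId, provider, tokens) {
    const iv = crypto.randomBytes(12);
    const c = crypto.createCipheriv(...this.cipherArgs(userId, iv));
    c.setAAD(Buffer.from(`${userId}:${provider}`)); // bind ciphertext to its row
    const data = Buffer.concat([c.update(JSON.stringify(tokens)), c.final()]);
    this.rows.set(`${userId}:${provider}`, { iv, data, tag: c.getAuthTag() });
  }
  load(userId, provider) {
    const row = this.rows.get(`${userId}:${provider}`);
    if (!row) return null;
    const d = crypto.createDecipheriv(...this.cipherArgs(userId, row.iv));
    d.setAAD(Buffer.from(`${userId}:${provider}`));
    d.setAuthTag(row.tag); // final() throws if the row was tampered with or moved
    return JSON.parse(Buffer.concat([d.update(row.data), d.final()]).toString());
  }
  refresh(userId, provider) {
    try {
      const old = this.load(userId, provider);
      if (!old) throw new Error('not connected');
      this.store(userId, provider, this.refreshWithProvider(old.refresh)); // old token overwritten
      return 'connected';
    } catch {
      this.disconnect(userId, provider); // failed refresh: drop tokens, require re-authorization
      return 'reauthorize';
    }
  }
  disconnect(userId, provider) { return this.rows.delete(`${userId}:${provider}`); }
}
```

Here `disconnect` only deletes the local ciphertext; calling the provider's own revocation endpoint would be a separate step that this sketch does not model.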

