Integrations — bRRAIn Docs

Connecting bRRAIn to your other tools — OAuth credentials, webhooks, and built-in integrations.

Integrations

Integrations are how bRRAIn reaches out to (and is reached by) the rest of your tool stack — your CRM, your code host, your messaging tool, your ticketing system. The Console manages every credential, webhook, and connection in one place.

Two kinds of integrations

  • Outbound — bRRAIn calling another system (post a Slack message, file a Jira ticket, write to your data warehouse).
  • Inbound — another system calling bRRAIn (a webhook from Stripe, a GitHub event, a Linear status change).

Both kinds appear on Console → Integrations.

Built-in integrations

We ship typed integrations for 28+ vendors out of the box, including:

  • Communication — Slack, Microsoft Teams, Discord, Twilio, Intercom.
  • Code & dev — GitHub, Linear, Jira, Asana, Trello.
  • CRM & sales — Salesforce, HubSpot, Zoho, PagerDuty, Zendesk, Mailchimp, SendGrid.
  • Data & files — Google Drive, Notion.
  • Calendar & email — Google Calendar, Gmail, Microsoft 365 Calendar.
  • Payments & commerce — Stripe, Shopify, QuickBooks.
  • Productivity — Airtable, Monday, Zoom.
  • Generic — any HTTP service via the Generic HTTP integration.

Each typed integration knows the vendor's API quirks: pagination shape, auth refresh flow, idempotency keys, rate-limit headers, webhook signing scheme. You don't have to code any of that.

Adding an OAuth integration

For OAuth-based vendors:

  1. Go to Console → Integrations → + Add.
  2. Pick the vendor.
  3. Click Connect. We open the vendor's OAuth consent screen in a popup.
  4. Sign in to the vendor and approve the requested scopes.
  5. The popup closes and the integration appears as Connected.

The OAuth tokens are encrypted at rest with your organization's vault key (see Data encryption). They never appear in the Console or in API responses.

Adding a token-based integration

Some vendors (older APIs, internal tools) authenticate with a long-lived API key:

  1. + Add → Pick vendor → Use API key.
  2. Paste the key. Optionally set a label and a rotation reminder.
  3. Save.

The key is encrypted at rest and is never displayed in the Console after save.

Configuring webhooks (inbound)

Each integration that supports inbound events shows a Webhooks tab. To accept events from the vendor:

  1. Click Add webhook subscription.
  2. The page shows the vendor-specific webhook URL bRRAIn has provisioned for you (signed and unique to your organization).
  3. For supported vendors, click Auto-register — we use the vendor API to create the subscription on your behalf.
  4. For unsupported vendors, copy the URL into the vendor's UI and paste in the signing secret we generate.

Inbound events are validated cryptographically (HMAC over the body using the signing secret). Unsigned or wrong-signed events are rejected.

Per-integration permissions

Each integration declares the scopes it can use. By default, only Architects and Sovereigns can configure integrations; only members with a role at or above the integration's required role can use it.

You can also restrict an integration to specific zones — a Slack integration that's only allowed to receive notifications about events in the engineering zone, for example.

Connection health

Every integration shows a health pip:

  • Green — connected and the last test call succeeded.
  • Amber — credentials are valid but recent calls have been slow or returning warnings.
  • Red — recent calls are failing. Click for the error and remediation steps.

You can run a one-shot Test connection at any time. The result is logged for audit.

Token rotation and expiry

We track expiry on every credential. You'll see a warning in the Console 30 days before an OAuth token's refresh expires or an API key's documented rotation interval is due.

For OAuth integrations, refresh happens automatically. For API keys, rotation is your responsibility; the warning gives you time to issue a new key.

Operator-managed credentials

Some installations need the same OAuth credentials shared across many organizations (multi-tenant resellers, OEM scenarios). The Operator Env Config admin (visible to Sovereigns) lets you store operator-side OAuth client IDs and secrets that all of your tenants inherit. Each tenant still authenticates against the vendor and gets per-tenant tokens — they just share the upstream client app.

Removing an integration

Click the row action menu and Remove integration. The credentials are wiped immediately. Any extension or orchestration that was using the integration shows a broken-connection warning until it's reconfigured against a new integration.

Audit

Every integration add, edit, removal, token refresh, and test call is audit-logged with the actor and the result. Webhook deliveries are logged with the inbound payload's signature and verification result; payload bodies are not logged by default (to avoid spilling sensitive data into the audit trail).

Where to next

  • Marketplace install — most extensions consume integrations you've configured here.
  • Notifications — outbound channels often layer on top of integrations.
  • API: Webhooks — programmatic alternative to the Console webhook UI.