Integrations Admin

Platform admins manage the global integration layer from Admin → Integrations (/admin/integrations). This panel controls which integrations are available to all workspaces, what credentials back them, and who can use them.

Two credential modes

Every integration in the catalog operates in one of two modes.

Platform-managed credentials: A platform admin registers a single OAuth app (client ID + secret) or API key once. That credential is shared across all workspaces and users who have the integration enabled. Users never see an OAuth redirect; the agent simply uses the platform credential on their behalf. This is the lowest-friction path for integrations your whole organisation uses (e.g. a shared Slack workspace, a corporate GitHub org).

Per-user OAuth: Each user completes their own OAuth flow and receives their own token. The agent uses that user's token, so actions are attributable to the individual. Use this mode for integrations where personal identity matters (e.g. Google Calendar: you want events to appear in the right user's calendar, not a shared service account's).

The integration's catalog tile indicates which modes it supports. Many integrations support both: the platform credential is used as a fallback when no per-user token is present.

Enabling integrations

Single integration

  1. Go to Admin → Integrations → Browse.
  2. Find the integration and click Enable for all workspaces.
  3. If the integration requires OAuth, you will be prompted to add an OAuth app first.

Workspace admins can independently enable or disable integrations within their own workspace from Workspace Settings → Integrations, but they can only work with integrations the platform admin has made available.

Bulk wizard

To enable many integrations at once, use the bulk wizard:

  1. Admin → Integrations → Bulk Enable.
  2. Select up to 50 integrations with the checkboxes.
  3. Click Enable selected.

The API endpoint (POST /integrations/admin/enabled/bulk or POST /integrations/admin/platform-enabled/bulk) accepts up to 50 integration IDs in a single request. Integrations that are already enabled are updated in place (idempotent).

Configuring credentials

OAuth apps (platform-managed)

OAuth integrations that support platform mode require a registered OAuth app from the provider.

  1. Create an OAuth app in the provider's developer console (GitHub, Google, Slack, etc.).
  2. Set the redirect URI to https://<your-domain>/api/integrations/oauth/callback.
  3. In Doable: Admin → Integrations → OAuth Apps → Add.
  4. Enter the Client ID and Client Secret.
  5. Choose scope: Global (all workspaces) or Workspace-specific (one workspace only).

Client secrets are never returned in API responses. Only the last four characters of the client ID are exposed as a hint.

Alternatively, set environment variables before starting the API process. Doable auto-detects them without any DB configuration:

OAUTH_{INTEGRATION_ID}_CLIENT_ID=...
OAUTH_{INTEGRATION_ID}_CLIENT_SECRET=...

For Google integrations, GOOGLE_INTEGRATIONS_CLIENT_ID / GOOGLE_INTEGRATIONS_CLIENT_SECRET are shared across all Google-based integrations. Similarly GITHUB_CLIENT_ID / GITHUB_CLIENT_SECRET cover GitHub.

Non-OAuth credentials (API keys, basic auth)

For integrations that use an API key or HTTP basic auth rather than OAuth:

  1. Admin → Integrations → Credentials → Add.
  2. Select the integration and auth type (secret_text, basic_auth, or custom_auth).
  3. Enter the credential fields.

These are stored in platform_integration_credentials encrypted with pgp_sym_encrypt using the instance ENCRYPTION_KEY.

Credential vault

All credentials (OAuth client secrets and non-OAuth keys) are encrypted at rest in PostgreSQL.

| Credential type | Storage table | Encryption |
| --- | --- | --- |
| OAuth client secret (workspace) | oauth_apps | Envelope v1 (per-workspace DEK) or pgp_sym |
| OAuth client secret (global) | oauth_apps | pgp_sym with instance ENCRYPTION_KEY |
| API keys / basic auth | platform_integration_credentials | pgp_sym with instance ENCRYPTION_KEY |
| Per-user tokens | integration_connections | Envelope v1 or pgp_sym |

Envelope encryption (DOABLE_ENVELOPE_ENCRYPTION=1) derives a per-workspace data encryption key (DEK) so that a compromised ENCRYPTION_KEY does not expose all workspaces at once. Global OAuth apps (no workspace_id) remain on the legacy pgp_sym path because envelope encryption requires a workspace ID to derive a DEK.

Rotation

To rotate an OAuth app credential, resubmit the app with the new secret via Admin → Integrations → OAuth Apps → Edit (or POST /integrations/admin/oauth-apps). The upsert is atomic; the old secret is replaced immediately.

To rotate a non-OAuth credential, resubmit it with the new value via POST /integrations/admin/credentials.

Revocation

  • OAuth app: Delete via Admin → Integrations → OAuth Apps → Delete (DELETE /integrations/admin/oauth-apps/:id). All users of that integration in the affected workspace(s) immediately lose the platform credential. Per-user tokens stored in integration_connections are not affected.
  • Non-OAuth credential: DELETE /integrations/admin/credentials/:integrationId.

After deletion, the integration's configured flag is set to false in workspace_enabled_integrations / platform_enabled_integrations on the next enable/check cycle.

Auditability

Every credential write and delete is recorded in the admin audit log (recordAdminAction). Log entries include:

| Field | Example |
| --- | --- |
| action | integrations.oauth_app.upsert, integrations.platform_credentials.delete |
| resourceType | integration |
| resourceId | github, slack |
| details.clientIdTail | Last 4 chars of client ID (OAuth) |
| details.isGlobal | Whether the app is global or workspace-scoped |
| details.workspaceId | Workspace UUID (if workspace-scoped) |

Browse audit events from Admin → Audit Log, filtering by resource type integration.

For live call-level observability (which integration tools fired, how long they took, which are stuck), use the X-Ray panel at Admin → X-Ray (/xray/stats, /xray/active, /xray/stuck).

Security tradeoffs

Shared credentials = shared blast radius. If a platform OAuth token is compromised, every workspace that used it is affected. Mitigations:

  • Prefer narrow OAuth scopes. Grant only what the integration actually needs.
  • Use workspace-scoped OAuth apps rather than global ones where practical. A breach of one workspace's app does not affect others.
  • For integrations that touch sensitive personal data (email, calendar, documents), prefer per-user OAuth so each user's token is isolated.
  • Rotate credentials on a schedule or immediately when a team member with access departs.
  • Monitor the X-Ray "stuck" and "history" endpoints for anomalous call volumes.
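
The audit fields listed under Auditability are enough to check two of these mitigations (global versus workspace scope, and rotation age) from exported log entries. The following is an added example, not Doable's own code: the function name, the `at` timestamp field and the sample entries are assumptions, and only the action names and `details` fields come from this page.

```javascript
// Constructed sample entries. action/resourceType/resourceId/details.* follow the
// audit field table on this page; `at` (timestamp) is an assumed field name.
const SAMPLE_AUDIT = [
  { at: "2024-01-10T09:00:00Z", action: "integrations.oauth_app.upsert",
    resourceType: "integration", resourceId: "github",
    details: { clientIdTail: "a1b2", isGlobal: true } },
  { at: "2024-03-02T14:30:00Z", action: "integrations.oauth_app.upsert",
    resourceType: "integration", resourceId: "slack",
    details: { clientIdTail: "9f3c", isGlobal: false, workspaceId: "ws-constructed-1" } },
  { at: "2024-06-20T08:15:00Z", action: "integrations.oauth_app.upsert",
    resourceType: "integration", resourceId: "slack",
    details: { clientIdTail: "77de", isGlobal: false, workspaceId: "ws-constructed-1" } },
  { at: "2024-06-25T11:00:00Z", action: "integrations.platform_credentials.delete",
    resourceType: "integration", resourceId: "stripe", details: {} },
];

// Hypothetical helper: one row per OAuth app (integration + scope) with review findings.
// Only upserts are read; the page does not name the OAuth app delete action.
function reviewOAuthApps(entries, now, maxAgeDays) {
  const apps = new Map();
  const upserts = entries
    .filter((e) => e.resourceType === "integration" &&
                   e.action === "integrations.oauth_app.upsert")
    .sort((a, b) => Date.parse(a.at) - Date.parse(b.at));
  for (const e of upserts) {
    const d = e.details || {};
    const scope = d.isGlobal ? "global" : d.workspaceId;
    const key = `${e.resourceId}|${scope}`;
    const prev = apps.get(key);
    apps.set(key, {
      integration: e.resourceId, scope, lastWrite: e.at, clientIdTail: d.clientIdTail,
      // A different tail on the latest write means the client ID itself was swapped.
      clientIdChanged: Boolean(prev) && prev.clientIdTail !== d.clientIdTail,
    });
  }
  return [...apps.values()].map((app) => {
    const ageDays = Math.floor((Date.parse(now) - Date.parse(app.lastWrite)) / 86400000);
    const findings = [];
    if (app.scope === "global") findings.push("global-scope"); // shared blast radius
    if (ageDays > maxAgeDays) findings.push("rotation-overdue");
    if (app.clientIdChanged) findings.push("client-id-changed");
    return { ...app, ageDays, findings };
  });
}

console.table(reviewOAuthApps(SAMPLE_AUDIT, "2024-07-01T00:00:00Z", 90));
```

Because the log records only the client ID tail, a secret rotated under the same client ID shows up as a fresh upsert with an unchanged tail; the age of the last write is the rotation signal, not the tail.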

Catalog size

Doable's integration catalog includes 630+ services via the Activepieces-derived piece registry. Not all of them support platform-managed credentials. Integrations that inherently require a personal identity (e.g. Gmail) are per-user only. The requiresOAuthApp flag on each integration definition controls whether the admin OAuth app panel is offered for that integration.