Categories and examples
CRM
CRM
Salesforce — OAuth-based access to standard and custom objects, bulk APIs where supported, and incremental sync patterns aligned with API limits.HubSpot — Contacts, companies, deals, tickets, and marketing objects with OAuth or private app tokens depending on your HubSpot subscription.
ERP
ERP
NetSuite — Token-based authentication (TBA) or OAuth 2.0 as enabled for your account; respect governance around saved searches and SuiteQL usage.SAP — Cloud and hybrid scenarios often combine OData connectors with on-prem RFC where licensed; coordinate with basis teams for routers and allowlists.
Commerce
Commerce
Shopify — Admin API with OAuth; track REST vs GraphQL timelines from Shopify’s platform notices.Stripe — Restricted API keys scoped to the resources Planasonix needs (for example read on
charges and customers only).Marketing and ads
Marketing and ads
Meta (Marketing API), Google Ads, LinkedIn Ads, TikTok for Business — OAuth with advertiser account selection; comply with platform ad policies and data use terms.Mailchimp, Klaviyo — Audience and campaign analytics; API keys or OAuth per vendor requirements.
HR
HR
Workday — Integration system user or OAuth patterns as supported; often requires IP allowlisting.BambooHR — API key per subdomain; limit keys to HR system owners.
Analytics and CDP
Analytics and CDP
Mixpanel, Amplitude — Project keys and service accounts for server-side export APIs.Segment — Workspace token for configuration and replay APIs where available.
Collaboration
Collaboration
Google Sheets — OAuth with Drive file scope; use service accounts with domain-wide delegation only when your administrator approves.Slack — Bot tokens for channel and conversation reads; subscribe to Slack app rotation and revocation events.
How OAuth works for SaaS connections
Most SaaS connectors use OAuth 2.0 so Planasonix never stores the user’s primary password.Register an OAuth app with the vendor
You create an application in the vendor’s developer console (for example Salesforce Connected App, Google Cloud OAuth client). You record the client ID, client secret, and redirect URI that Planasonix provides for your workspace or region.
Store client credentials in Planasonix
Add an OAuth-type credential with the client ID and secret. Restrict who can attach this credential to new connections through workspace roles.
Authorize the connection
An admin or integration owner clicks Authorize. The browser redirects to the vendor login and consent screen. After approval, Planasonix receives an authorization code, exchanges it for access and refresh tokens, and stores refresh material encrypted.
Scopes and least privilege
Request only the OAuth scopes the pipeline needs (for example read-only CRM scopes for extract jobs). Broader scopes increase blast radius if a token leaks and complicate security reviews.Some vendors issue non-expiring or long-lived refresh tokens only for certain app types. Read the vendor’s token lifetime documentation and plan for periodic reauthorization if they enforce rolling refresh invalidation.
Operational guidance
- Use separate OAuth apps per environment (prod vs sandbox) so consent, data residency, and rate limits stay isolated.
- Align API version headers or base paths with what your connector expects before you schedule high-volume syncs.
- Monitor 429 responses and vendor status pages; backoff settings on the connection reduce failed job noise.
Related topics
APIs and webhooks
Custom HTTP endpoints not covered by a packaged connector.
Credentials management
Sharing rules, rotation, and OAuth credential records.
Reverse ETL
Push warehouse-modeled data into SaaS destinations.
Connections overview
How SaaS connections fit the broader connection model.