How We Handle OAuth for 14 Enterprise Integrations

One-click OAuth for GitHub, Salesforce, Notion, and more. Here's how Alpha Agent handles enterprise integration auth without compromising security.

Bradley Taylor

The two ways to authenticate an integration

Every integration Alpha Agent supports falls into one of two authentication models: OAuth or API key. Both get the job done, but they are fundamentally different in how they handle trust, and that difference matters when you are connecting production systems to an AI agent that acts on your behalf.

OAuth delegates authentication to the service itself. When you click “Connect GitHub,” you are redirected to GitHub’s authorization server, you approve the requested scopes, and GitHub issues a token directly to Alpha Agent. You never type a password or paste a key. The token is scoped to exactly the permissions you approved, and it can be revoked from either side at any time.

API key authentication is simpler but less controlled. You generate a key in the service’s dashboard, copy it, and paste it into Alpha Agent. That key typically grants broad access, does not expire automatically, and cannot be scoped to specific operations. If the key leaks, revocation requires manual intervention in the source service.

For enterprise teams managing dozens of integrations across multiple users, OAuth is the clear winner. It eliminates shared secrets, enforces granular permissions, and provides an auditable authorization trail. That is why we have invested in building OAuth flows for the integrations where it matters most.

The 14 OAuth integrations

Alpha Agent supports OAuth for the following services:

| Integration | Category | Key capabilities |
|---|---|---|
| GitHub | Developer tools | Repo access, issue management, PR workflows |
| GitLab | Developer tools | Project access, CI/CD pipelines, merge requests |
| Notion | Productivity | Page search, database queries, content creation |
| Salesforce | CRM | Contact lookup, opportunity tracking, report generation |
| HubSpot | CRM & Marketing | Contact management, deal pipelines, email sequences |
| Google Workspace | Productivity | Gmail, Drive, Calendar, Docs access |
| Atlassian | Productivity | Jira issues, Confluence pages, project boards |
| Slack | Communication | Channel messaging, thread context, workspace search |
| Discord | Communication | Server management, channel messaging, bot commands |
| Microsoft Teams | Communication | Chat, channel posts, meeting context |
| Linear | Developer tools | Issue tracking, project management, cycle planning |
| Figma | Design | File access, component inspection, comment threads |
| Asana | Productivity | Task management, project tracking, team workloads |
| Shopify | Commerce | Store data, order management, product catalog |

Each of these integrations uses the service’s official OAuth 2.0 flow with PKCE where supported. We request the minimum scopes necessary for the agent’s capabilities — read access by default, write access only when the integration requires it for actions like creating issues or sending messages.

For the full list of all 143+ integrations Alpha Agent supports, see 143 Integrations, One AI Assistant.

How the enterprise admin flow works

In a team environment, individual developers should not need to manage their own OAuth connections or API keys. Alpha Agent’s enterprise admin flow solves this with a connect-once, inherit-everywhere model.

Step 1: Admin connects. A team admin navigates to the integrations page in the Alpha Agent dashboard and clicks “Connect” on any OAuth-supported service. They authenticate with their organization’s account — typically a service account or admin-level credential — and approve the requested scopes.

Step 2: Token is encrypted and stored. The OAuth token returned by the service is encrypted with AWS KMS before it touches any persistent storage. The encrypted token is stored in the team’s DynamoDB record, not in a config file, not in an environment variable, and never in plaintext. This follows the same KMS encryption model we use for all secrets.

Step 3: Team inherits access. Every team member’s AI agent instance automatically inherits the admin-configured integrations. When a developer’s agent needs to search GitHub or query Salesforce, the management layer decrypts the team-level token and injects it into the user’s container at provisioning time. Individual users never see, copy, or manage the token.

Step 4: Revocation is instant. If an admin disconnects an integration, the token is deleted from the team record and revoked at the OAuth provider. The next time any team member’s container is provisioned, the integration is gone. No tokens linger in config files. No manual cleanup across individual accounts.

This model gives security teams what they need: centralized control, audit visibility, and the ability to revoke access across the entire organization from a single action.

KMS encryption for API key integrations

For the 129+ integrations that use API key authentication — AI providers like Anthropic and OpenAI, monitoring tools like Datadog and Sentry, databases like MongoDB and Supabase — Alpha Agent encrypts every key with AWS KMS before writing it to DynamoDB.

The encryption flow is straightforward:

  1. User enters an API key in the dashboard.
  2. The management Lambda encrypts the key using a dedicated KMS key with scoped IAM permissions.
  3. The encrypted ciphertext is stored in the user’s encrypted_secrets map in DynamoDB.
  4. At container provisioning time, the Lambda decrypts each secret, assembles the runtime environment, and delivers it to the container through an encrypted S3 transfer.

No secret is ever stored in plaintext. Not in DynamoDB, not in S3, not in a config file on the container host. The KMS key itself is restricted by IAM policy to a single Lambda function, and every encrypt/decrypt operation is logged in CloudTrail.
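The two claims above (one Lambda may use the key, and every operation is logged) can be checked against each other. The following added example, which is not Alpha Agent's code, scans CloudTrail records for cryptographic use of the secrets key by any principal other than the management Lambda's role; the role ARN, key ARN and sample records are constructed placeholders.

```python
# Constructed placeholders (assumptions): role ARN, key ARN and sample records.
ALLOWED_ROLE_ARN = "arn:aws:iam::111122223333:role/management-lambda-role"
SECRETS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
WATCHED_EVENTS = {"Encrypt", "Decrypt", "GenerateDataKey"}


def _record(event_name, role_arn, error_code=None):
    """Build a constructed sample record with the CloudTrail fields used below."""
    rec = {
        "eventSource": "kms.amazonaws.com",
        "eventName": event_name,
        "userIdentity": {"type": "AssumedRole",
                         "sessionContext": {"sessionIssuer": {"arn": role_arn}}},
        "resources": [{"ARN": SECRETS_KEY_ARN}],
    }
    if error_code:
        rec["errorCode"] = error_code
    return rec


SAMPLE_RECORDS = [
    _record("Decrypt", ALLOWED_ROLE_ARN),
    _record("Decrypt", "arn:aws:iam::111122223333:role/developer-role", "AccessDenied"),
    _record("Decrypt", "arn:aws:iam::111122223333:role/ci-deploy-role"),
    _record("DescribeKey", "arn:aws:iam::111122223333:role/developer-role"),
]


def caller_role(record):
    identity = record.get("userIdentity") or {}
    issuer = (identity.get("sessionContext") or {}).get("sessionIssuer") or {}
    # Fall back to the identity ARN for principals that are not assumed roles.
    return issuer.get("arn") or identity.get("arn", "unknown")


def audit_kms_usage(records, key_arn=SECRETS_KEY_ARN, allowed=ALLOWED_ROLE_ARN):
    """Return findings for cryptographic use of the key by any other principal."""
    findings = []
    for rec in records:
        on_key = key_arn in [r.get("ARN") for r in rec.get("resources") or []]
        if (rec.get("eventSource") != "kms.amazonaws.com" or not on_key
                or rec.get("eventName") not in WATCHED_EVENTS):
            continue
        role = caller_role(rec)
        if role != allowed:
            # A denied call means the policy held; a successful one means it did not.
            status = "attempt-blocked" if rec.get("errorCode") else "policy-violation"
            findings.append((status, rec["eventName"], role))
    return findings
```

A "policy-violation" finding means a second principal successfully used the key, which contradicts the single-Lambda restriction and warrants reviewing the key policy and IAM grants.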

For the full technical deep dive on our encryption architecture, see Inside Alpha Agent’s Security Model.

Why this matters for enterprise adoption

Enterprise security teams evaluating AI agent platforms ask predictable questions: Where are credentials stored? Who has access? Can you revoke across the organization? Is there an audit trail?

Alpha Agent’s answers:

  • Storage: KMS-encrypted fields in DynamoDB. Never plaintext. Never config files.
  • Access: Scoped IAM policies. Only the management Lambda can decrypt. Individual users never see raw tokens.
  • Revocation: Admin disconnects once, propagates to all team members on next provision cycle.
  • Audit: CloudTrail logs every KMS operation. Dashboard logs every connection and disconnection event.

These are not aspirational goals. They are the current production implementation, running today for every Alpha Agent customer.

Connect your stack

Alpha Agent supports 143+ integrations across developer tools, productivity suites, CRM platforms, AI providers, and more. Fourteen of those support one-click OAuth. The rest use KMS-encrypted API keys. All of them can be managed centrally by a team admin.

Browse the full integration catalog at /integrations, review our security architecture, or schedule a demo to see enterprise integration management in action.