How Circuit handles integration credentials
When a user connects an integration, Circuit stores the resulting credential (access token, refresh token, API key, or shared key) so it can read data on the user’s behalf.| Property | Behavior |
|---|---|
| Credential storage | Tokens are encrypted at rest in Circuit’s database. They are never returned to the browser or exposed in the API. |
| Token refresh | Where the provider supports refresh tokens (offline_access and equivalents), Circuit refreshes tokens automatically in the background. Users do not need to reauthenticate periodically. |
| Revocation | When a user disconnects an integration, Circuit deletes the stored credential. Users and admins can also revoke access from the provider’s own side at any time. |
| Scope of access | Circuit only reads data through the scopes a user (or admin) granted. Scopes are listed on each integration’s setup page. |
| Transit | All calls to provider APIs use TLS 1.2 or higher. |
Integrations that require admin involvement
Most integrations work out of the box for individual users. The ones below typically need admin attention before users can connect, either because the provider’s defaults restrict third-party apps or because the integration is workspace-scoped rather than user-scoped.| Integration | Why admin involvement is likely | Where to approve |
|---|---|---|
| Microsoft Outlook | Entra ID tenants often block third-party apps by default | Entra admin consent |
| Microsoft Dynamics 365 | Same Entra tenant policy applies | Entra admin consent |
| Microsoft OneDrive | Same Entra tenant policy applies | Entra admin consent |
| Microsoft SharePoint | Workspace-scoped data; admin selects which sites Circuit can read | Entra admin consent |
| Google Workspace (Gmail, Calendar) | Workspace admins can restrict third-party app access | Google Workspace approval |
| Google Drive | Same Workspace policy applies | Google Workspace approval |
| Confluence | Atlassian site admin must authorize third-party apps | Atlassian approval |
| Salesforce | Salesforce admins may restrict OAuth apps by policy | The user’s Salesforce administrator |
| Bluebeam | Studio API access can be limited by org policy | The Bluebeam org administrator |
Granting admin consent in Microsoft Entra ID
Circuit’s Microsoft integrations (Outlook, Dynamics 365, OneDrive, SharePoint) authenticate through a single Circuit-published enterprise application in your Entra tenant. When a tenant requires admin approval for third-party apps, the first user to connect sees the consent screen blocked, and the integration cannot complete until an admin grants tenant-wide consent.Required role
The admin granting consent needs one of these Entra roles:- Cloud Application Administrator for most permissions
- Application Administrator for most permissions
- Privileged Role Administrator if Microsoft Graph application permissions are involved
Steps in the Entra admin center
Sign in to the Microsoft Entra admin center
Open entra.microsoft.com and sign in as a Cloud Application Administrator (or higher).
Open the Circuit enterprise application
Go to Entra ID > Enterprise apps > All applications. Search for Circuit and select it. If Circuit does not appear, ask one user to begin the connection flow first; their attempt provisions the app in your tenant even though their consent is blocked.
Review the requested permissions
Select Permissions under Security. The page lists every Microsoft Graph scope Circuit will request. Compare it against the per-integration page in this documentation.
Direct admin consent URL
If you know Circuit’s client ID for the integration you want to approve, you can navigate directly to:Limiting which users can use the integration
After granting consent, Entra still lets you restrict the application to specific users or groups. On the Circuit enterprise application:- Open Properties and set Assignment required? to Yes.
- Open Users and groups and assign the users or groups allowed to connect.
Approving Circuit in Google Workspace
Google Workspace administrators can control which third-party OAuth applications access Workspace data (Gmail, Drive, Calendar, Contacts). Restrictive policies will block Circuit’s connection screen until an admin marks the app as Trusted or Limited.Required role
The admin needs the Service Settings administrator privilege (typically held by Super Admins).Steps in the Google Admin Console
Open API controls
In the Google Admin Console, go to Menu > Security > Access and data control > API controls.
Open Manage App Access
Click Manage App Access to see the list of configured and accessed third-party apps.
Configure Circuit as a new app
Click Configure new app, then OAuth App Name Or Client ID. Enter Circuit’s OAuth client ID (listed on the Google Workspace and Google Drive pages) and click Search.
Select the org units and access level
Choose the organizational units where Circuit should be approved. Then choose an access level:
- Trusted: Circuit can access both restricted and unrestricted Google services.
- Limited: Circuit can access only unrestricted services.
- Specific Google data: Circuit can access only the scopes you list. Useful when you want to permit Drive access but block Gmail, for example.
- Blocked: Circuit cannot access Google data. Use this to prevent the integration entirely.
Approving Circuit in Atlassian
Atlassian site admins approve third-party OAuth apps (Confluence, Jira) at the organization level. Until approval is granted, users hitting Circuit’s connection flow see a “Your site admin must authorize this app” error.Required role
Organization admin or Site admin on the Atlassian organization.Steps in Atlassian Administration
Open Atlassian Administration
Go to admin.atlassian.com and select your organization.
Reviewing and revoking access
Each integration can be revoked from two places: inside Circuit and inside the provider.| Provider | Where users review or revoke Circuit’s access |
|---|---|
| Microsoft | myapps.microsoft.com > Manage your applications |
| myaccount.google.com/permissions | |
| Atlassian | id.atlassian.com > Connected apps |
| Salesforce | Setup > Connected Apps OAuth Usage (admin) or Personal Information > Connections (user) |
| Slack | Workspace Settings & administration > Manage apps |
| Notion | Settings & Members > Connections |
| HubSpot | Settings > Integrations > Connected apps |
| GitHub | Settings > Applications > Authorized OAuth Apps / Personal access tokens |
| Bluebeam | Bluebeam Studio account settings |
Data residency
A few integrations let users (or admins) choose where data is read from:- Bluebeam: Studio API is region-scoped. Users pick
us,eu,au,uk, orsewhen connecting. See Bluebeam. - Salesforce: Circuit detects the user’s Salesforce instance URL during OAuth. If your org migrates between data centers (for example, during a Hyperforce move), affected users may need to reconnect.
- Azure Blob Storage: The user supplies the storage account name and access key, so all data stays within the storage account’s existing region.
Network requirements
Circuit calls provider APIs from outbound IP ranges that vary by deployment. If your organization restricts egress, the destinations Circuit needs to reach include:*.microsoft.com,*.microsoftonline.com,graph.microsoft.comfor Microsoft 365 integrations*.googleapis.com,accounts.google.comfor Google Workspace and Drive*.atlassian.com,*.atlassian.netfor Confluence and Jira*.salesforce.com,*.my.salesforce.com,*.force.comfor Salesforce*.slack.comfor Slack*.notion.com,api.notion.comfor Notion*.hubapi.com,*.hubspot.comfor HubSpotapi.github.comfor GitHub*.bluebeam.com,studioapi.bluebeam.comfor Bluebeam*.blob.core.windows.netfor Azure Blob Storage
Per-integration scope summary
The table below summarizes what each integration reads or writes. Full scope details are on each integration’s setup page.| Integration | Reads | Writes | Notes |
|---|---|---|---|
| Slack | None | Messages | Posts as the connecting user or bot |
| Salesforce | Records, schema | Records | Subject to the user’s Salesforce permissions |
| HubSpot (transactional) | Contacts | Transactional emails | Uses a HubSpot-approved email template |
| Microsoft Dynamics 365 | Entities | Entities | Subject to the user’s Dynamics security role |
| Microsoft Outlook | Mail, shared mail | Drafts only | Circuit never sends mail on the user’s behalf |
| Google Workspace | Gmail, Calendar, Contacts | Gmail drafts | Calendar is read-only |
| Bluebeam | Projects, documents, sessions | Annotations, sessions | Region-scoped |
| Google Drive (feed) | Files in selected folders | None | User picks scope at connect time |
| OneDrive (feed) | Files the user picks | None | User picks scope at connect time |
| SharePoint (feed) | Sites the admin authorizes | None | Site-scoped |
| Confluence (feed) | Spaces the user selects | None | Subject to user’s Confluence permissions |
| Notion (feed) | Pages and databases shared with the connection | None | User must explicitly share each page in Notion |
| GitHub (feed) | Repositories the PAT grants | None | PAT-scoped |
| Azure Blob Storage (feed) | Containers in the supplied account | None | Shared-key authentication |
| HubSpot Forms (feed) | Form submissions | None | API key authentication |
| RSS (feed) | Public feed contents | None | No authentication required |
Where to get help
- For integration setup questions, see the per-integration pages under Integrations.
- For broader security questions, see Security overview and SSO setup.
- For approval bottlenecks at the provider level, the provider’s own admin docs are usually the fastest path. Links are included on each integration page.