Integrations
The AI Platform integrates with every product in The One Stack, flowing data in both directions: it enriches other products with AI capabilities, and it reads from them to provide contextual responses.
Integration Overview
| Product | Direction | What flows |
|---|---|---|
| PSA | Bidirectional | AI reads tickets for Jarvis context; generates ticket suggestions, RCA reports; auto-creates security incident tickets from Defend |
| CRM | Read | AI reads companies and contacts for Jarvis context; enrichment writes back to CRM records |
| Defend | Read | AI reads detections and device status; behavioral-analysis and attack-narrative are powered by the Gateway |
| RMM | Read | AI reads device inventory and patch status for Jarvis |
| Books | Bidirectional | Studio reads invoices for the Invoice Portal; AI explains billing to clients |
| Voice | Bidirectional | Call recap and transcription run through the Gateway; results stored in Voice |
| CMDB | Read | AI reads asset records; enrichment populates CMDB fields |
| People | Read | WorkDNA profiles pull from People; insider threat signals inform Defend |
| On-Call | Write | Govern AI incident escalations to on-call rotations |
| Hub | Auth | Hub SSO is the only login method for the AI Platform |
| Studio PSA (external) | Read | Studio app builder connects to external PSA systems (Zendesk, ConnectWise, etc.) |
Hub SSO
What flows: Authentication tokens (session establishment)
How it works:
Every AI Platform login goes through Hub SSO. When a user navigates to app.theonestudio.app, they are redirected to Microsoft Entra via the Hub OAuth bridge. After authentication, the Hub SSO session is exchanged for an oneai_session cookie.
If misconfigured:
- Users cannot log in
- Session cookies are invalid across subdomains
- API keys still work — only interactive login is broken
Setup: No manual configuration required. The integration is established at org provisioning time when your Hub organization is created.
PSA Integration
What flows: Ticket data (read), AI-generated content (write), security incidents (write)
Jarvis context: When you open Jarvis while viewing a ticket in PSA, the integration passes the ticket ID, status, company, assigned technician, and recent notes to Jarvis automatically.
Ticket suggestions:
The ticket-suggest feature route reads ticket fields and AI-generates category, priority, and resolution suggestions. These appear in the PSA ticket UI as inline suggestions.
RCA generation:
From the PSA ticket detail page, click Generate RCA to invoke the proposal-generate route with ticket context pre-populated.
Auto-create security tickets: When Defend detects a critical threat, the AI Platform automatically creates a PSA ticket with the detection summary, affected device, and recommended remediation steps.
If misconfigured:
- Jarvis in PSA loses ticket context (will ask you to describe the issue manually)
- Ticket suggestions stop appearing
- Auto-created security tickets will fail silently (check Governance → Incidents for errors)
Setup: No separate configuration required. PSA integration is enabled at the platform level for all Hub organizations that have both PSA and AI Platform subscriptions.
CRM Integration
What flows: Company and contact records (read), enriched data (write)
Jarvis context: When Jarvis is invoked from a CRM company or contact page, the integration passes company name, primary contact, recent activities, and open opportunities.
Data enrichment:
The data-enrichment feature route reads your CRM company and contact records and uses AI to fill in missing information (industry, employee count, website, LinkedIn, etc.) from public sources.
If misconfigured:
- Jarvis in CRM loses company context
- Enrichment requests fail with "Source data unavailable"
Setup: Automatic for Hub organizations with both CRM and AI Platform. No separate OAuth required.
Defend Integration
What flows: Detections, device telemetry, behavioral baselines (read), attack narratives (write)
Behavioral AI:
Defend passes device event streams to the AI Platform's behavioral-analysis route, which scores deviations from the 30-day baseline. Results flow back to Defend as anomaly alert scores.
Attack narrative: When an investigation is opened in Defend, the AI Platform generates a narrative attack chain summary using the process tree, lateral movement indicators, and MITRE ATT&CK context. This appears in the Defend Investigation tab.
If misconfigured:
- Behavioral anomaly scoring stops (Defend falls back to rule-based scoring only)
- Attack narratives show "AI narrative unavailable"
- Alert severity may be less accurate
Setup: Enabled automatically when both Defend and AI Platform are active. The Defend integration key is stored in the AI Platform's Key Vault.
Voice Integration
What flows: Call audio/transcripts (read), recaps and action items (write)
Call recap:
After a Voice call ends, the platform sends the transcript to the call-recap feature route. The resulting summary is stored in Voice and surfaced on the call detail page.
Live transcription assistance: During an active call, Jarvis in Voice can read the live transcript and provide suggested responses or relevant KB articles in real time.
If misconfigured:
- Post-call recaps do not appear in Voice
- Jarvis in Voice cannot read call context
Setup: Automatic for Hub organizations with both Voice and AI Platform. The Voice integration key is injected at provisioning.
Books Integration
What flows: Invoice data (read), payment setup (write via Studio)
Studio Invoice Portal: When you build an Invoice Portal in Studio, it connects to Books via OAuth to fetch invoice records for client display.
Jarvis context: When Jarvis is invoked from a Books invoice page, the integration provides invoice details (amount, due date, line items) for contextual assistance.
If misconfigured:
- Studio Invoice Portal shows empty invoice list
- Jarvis in Books cannot see invoice data
Setup: The Books integration for Studio requires explicit OAuth authorization during Studio onboarding. Navigate to Studio → Books → Connect Books to complete the flow.
Studio PSA Connections (External PSA)
Studio (the app builder add-on) also supports connecting to external PSA systems that are independent of The One PSA. This is for MSPs that use Zendesk, ConnectWise, Autotask, or Ticketmaster alongside The One Stack.
Supported external PSA systems:
- Zendesk Support
- ConnectWise Manage
- Autotask PSA
- Ticketmaster
What flows: Company records, ticket data (read-only to Studio)
Setup:
- Navigate to Studio → PSA
- Click Connect PSA
- Select your PSA vendor
- Complete the OAuth flow
If misconfigured:
- Studio apps that display ticket data show "Connection required"
- AI app recommendations do not populate (no company data to analyze)
Setting Up Integrations That Break
If an integration stops working, the AI Platform logs the failure in Governance → Incidents and surfaces a warning in the dashboard. Common resolution steps:
| Issue | Resolution |
|---|---|
| PSA context lost in Jarvis | Verify PSA subscription is active; check Hub organization provisioning |
| Books OAuth expired | Re-authorize at Studio → Books → Connect Books |
| Defend attack narratives unavailable | Check AI Gateway provider health; verify Defend integration key in Key Vault |
| Studio app shows empty data | Re-authorize PSA OAuth connection in Studio → PSA |
| Enrichment writes failing to CRM | Check CRM write permissions for the AI Platform service account |
Integration API Keys
Each integration uses a service-to-service API key (X-Integration-Key header). These keys are:
- Generated at provisioning time
- Stored in Azure Key Vault (not in code or config files)
- Rotated automatically every 90 days
- Scoped to specific operations (read-only where possible)
You do not manage integration keys manually. If you suspect a key has been compromised, contact support to force an immediate rotation.