Integrations
Hub is the identity backbone of The One Stack. Every product integrates with Hub for authentication, authorization, and user identity. This page explains how those integrations work.
Hub + PSA
Hub user IDs map directly to PSA agent records. When you create a user in Hub and grant them PSA access, a corresponding agent record is created in PSA automatically.
- User ID mapping — Hub portal_user_id is stored as the PSA agent's identity
- Role sync — Hub platform role influences PSA permissions (Admins get broader PSA access)
- SSO — PSA sessions are authenticated via the Hub session cookie
When a user is deactivated in Hub, their PSA agent is also deactivated. Tickets assigned to them remain visible but can no longer be edited by that user.
Hub + Portal
Hub organizations map to Portal client access. The relationship:
- Each Hub org can have multiple Portal client organizations
- Hub manages staff identity; Portal manages client identity
- Portal users authenticate through a separate flow (not Hub SSO)
- Staff users can access both Hub products and Portal admin views
Hub + All Products (JWT Token)
Every product receives user identity through the Hub JWT. The token structure:
| Claim | Description |
|---|---|
| sub | User ID (portal_user_id) |
| email | User's email address |
| firstName, lastName | Display name components |
| tenantId | Organization ID |
| tenantSlug | Organization URL slug |
| tenantName | Organization display name |
| orgRole | Platform role (owner, admin, member, viewer) |
| entitlements | Array of product slugs the org has access to |
Products validate the JWT signature, extract these claims, and use them for authorization decisions. No product stores its own copy of user credentials.
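A sketch of the product-side check described above, added here as an illustration and not taken from Hub's own code. The page does not state the signing algorithm or a role hierarchy, so HS256 with a shared key, the `ROLE_RANK` ordering, and the `sign` helper (which stands in for Hub to build a constructed sample token) are all assumptions.

```python
import base64
import hashlib
import hmac
import json

# Assumptions (not stated on the page): HS256 with a shared key, and that
# roles are ordered viewer < member < admin < owner.
ROLE_RANK = {"viewer": 0, "member": 1, "admin": 2, "owner": 3}
REQUIRED = ("sub", "email", "tenantId", "orgRole", "entitlements")


def b64d(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a constructed sample token (stands in for Hub in this example)."""
    head = b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(mac)}"


def authorize(token: str, key: bytes, product: str, min_role: str) -> dict:
    """Return the claims if the token is authentic and permits `product`."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64d(head))
        given = b64d(sig)
    except (ValueError, TypeError):
        raise PermissionError("malformed token") from None
    # Pin the algorithm: the token's own header must not choose it (rejects "none").
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        raise PermissionError("bad signature")
    claims = json.loads(b64d(body))  # parsed only after the signature checks out
    if any(name not in claims for name in REQUIRED):
        raise PermissionError("missing claim")
    if not isinstance(claims["entitlements"], list) or product not in claims["entitlements"]:
        raise PermissionError("org not entitled to product")
    if ROLE_RANK.get(claims["orgRole"], -1) < ROLE_RANK[min_role]:
        raise PermissionError("role too low")
    return claims
```

A production verifier would normally use a maintained JWT library and also enforce token expiry and issuer, which this page does not describe.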
Hub + AI Gateway
The AI Gateway (which powers Jarvis and all AI features) reads the user's billing tier from Hub:
- AI Basic ($19/mo) — standard rate limits
- AI Pro ($35/mo) — higher rate limits, priority queue
- AI Enterprise ($59/mo) — highest limits, dedicated capacity
The AI tier is stored as an entitlement in Hub and passed to the AI Gateway with every request.
Hub + Defend
Hub audit events (logins, permission changes, access grants) are published to The One Bus and ingested by Defend's security analytics. This means:
- Failed login attempts appear in Defend's threat dashboard
- Permission escalations are flagged for review
- Login patterns are analyzed for anomalies
Bus Events
Hub publishes identity events to The One Bus that other products can subscribe to:
| Event | Triggered When |
|---|---|
| hub.auth.login_success | User signs in successfully |
| hub.auth.login_failed | Failed login attempt |
| hub.iam.user_created | New user added to org |
| hub.iam.user_deactivated | User deactivated |
| hub.iam.permission_changed | Permission granted or revoked |
| hub.iam.access_granted | Product access granted to user |
| hub.iam.access_revoked | Product access revoked from user |
Products subscribe to these events to keep their local state in sync. For example, when a user is deactivated in Hub, PSA receives the user_deactivated event and deactivates the corresponding agent record.