Integrations
The One Migrate integrates with several other products in The One Stack and with external cloud services.
The One Hub (Authentication)
Direction: Hub → Migrate
Auth: Hub SSO JWT (PORTAL_SSO_SECRET)
All user logins to Migrate go through Hub SSO. When you click "Migrate" in the Hub Bar, Hub generates a short-lived JWT that Migrate validates to create or update a local session. Users never enter a separate Migrate password.
Setup required: None — this is automatic for all Migrate tenants provisioned via Hub.
The One Mission (RockRMS Import Target)
Direction: Migrate → Mission
Auth: X-Integration-Key header
When a RockRMS import job runs, the Migrate agent posts data batches to the Mission import API:
POST /api/import/peoplePOST /api/import/familiesPOST /api/import/groupsPOST /api/import/contributionsPOST /api/import/attendancePOST /api/import/prayer-requests
Setup required:
- The target Mission organization must exist.
- An integration key for that organization must be generated in Mission → Settings → Integrations.
- The key is entered in the RockRMS import job configuration.
- The Migrate agent must have outbound HTTPS access to the Mission API URL.
What can break: If the Mission integration key is rotated or revoked, RockRMS import jobs will fail with 403 Forbidden from the Mission API. Regenerate the key in Mission and update the job configuration.
The One Hub Billing
Direction: Migrate → Hub Billing
Auth: HUB_BILLING_API_URL + internal
A background timer runs daily at 01:15 UTC and reports each tenant's gb_transferred metric to the Hub Billing API. This drives the $0.40/GB line item on your Hub invoice.
Mailbox counts are also reported and drive the $12/mailbox line item.
Setup required: None — automatic. The HUB_BILLING_API_URL environment variable is set during Migrate provisioning.
The One Bus (Event Mesh)
Direction: Migrate → Bus
Auth: BUS_INTEGRATION_KEY
Migrate emits events to the shared Bus for cross-product automation:
| Event | Trigger |
|---|---|
agent.registered | A new agent registers or re-registers |
agent.command.pause | A pause command is issued to an agent |
agent.command.resume | A resume command is issued |
agent.command.cancel | A cancel command is issued |
job.created | A new job is created |
job.completed | A job reaches completed status |
job.failed | A job reaches failed status |
These events can be consumed by Bus subscribers (e.g., PSA to auto-close a ticket when a job completes, On-Call to alert on job failure).
The One PSA (Ticket Linking)
Direction: Reference only (no live API calls)
Projects and jobs can store psa_ticket_id and psa_project_id fields for cross-reference. These are display-only links — Migrate does not make API calls to PSA during migration.
To auto-close a PSA ticket on job completion, configure a Bus subscription in your PSA automation rules to listen for job.completed events.
Azure Blob Storage
Direction: Agent → Azure Storage Auth: Per-job write-only SAS tokens vended by Migrate API
The desktop agent uploads data directly to Azure Blob Storage. It never holds long-lived Azure credentials.
How credential vending works:
- Agent calls
GET /api/jobs/{id}/credentialswith its agent API key. - Migrate API decrypts the project's stored OAuth refresh token from Key Vault.
- API exchanges the refresh token for a storage access token.
- API generates a user delegation SAS with create+write permissions only, scoped to the specific container, valid for 1 hour.
- Agent uploads using the SAS token.
- Agent refreshes the SAS before it expires.
Setup required: Connect an Azure Storage account to each project via the OAuth flow (see Projects).
AWS SES (Email Notifications)
Direction: Migrate → AWS SES Auth: SES access key + secret from Key Vault
Migrate sends email notifications via AWS SES for:
- Job completed (success)
- Job failed
- Azure credentials expiring soon
From address: [email protected]
Configuration: Set via SES_ACCESS_KEY, SES_SECRET_KEY, and SES_REGION environment variables in the Migrate API Function App.