Integrations

Integrations connect your external tools to IAS so that agents have richer context and can communicate on your behalf. There are two categories:

• Knowledge integrations pull documents and tickets into the Context Lake so agents can reference them during planning and execution.
• Communication integrations let agents draft and send messages through Gmail or Slack, always with your explicit approval first.

All integrations are managed from Settings > Integrations in the Command Center. Each integration stores its credentials encrypted in the Convex backend and can be scoped to a specific workstream and space for provenance control.

Knowledge integrations

Knowledge integrations feed external documents and tickets into the Context Lake. Once connected, you can browse available documents from the Context Lake screen, select individual items to track, and refresh them on demand. Tracked documents become context items that agents can reference when working on goals.

Google Drive

Google Drive integration uses OAuth to connect your Google account and import Google Docs and Sheets into the Context Lake.

What gets ingested: Individual documents you choose to track. IAS does not bulk-import your entire Drive. You search for documents from the Context Lake UI, select the ones you want, and IAS fetches their content. Tracked documents can be refreshed on demand to pick up changes.

Setup:

1. Create a Google OAuth client in the Google Cloud Console.
2. Configure the following environment variables:

3. Add the redirect URI to your Google OAuth client: <your-app-url>/integrations/google-drive/callback.
4. In the Console, go to Settings > Integrations and click Connect on the Google Drive card.
5. Complete the OAuth flow in Google, granting drive.readonly access.

Scope requested: https://www.googleapis.com/auth/drive.readonly

Notion

Notion integration uses an internal integration token (not OAuth) to connect to your Notion workspace and import pages into the Context Lake.

What gets ingested: Individual pages and databases you choose to track. You search for pages from the Context Lake UI, select the ones relevant to your project, and IAS fetches their content. Tracked pages can be refreshed on demand.

Setup:

1. Create a Notion internal integration and copy its secret token.
2. In your Notion workspace, share the pages or databases you want IAS to access with the integration.
3. In the Console, go to Settings > Integrations and click Connect on the Notion card.
4. Paste your integration token, optionally select a workstream and space, and click Connect.

No additional environment variables are required beyond the token you provide during setup. The token is stored encrypted in the Convex backend.

Confluence

Confluence integration uses an Atlassian API token to connect to your Confluence instance and import pages into the Context Lake.

What gets ingested: Individual pages you choose to track, similar to Google Drive and Notion. You search from the Context Lake UI, select pages, and IAS fetches their content.

Setup:

1. Create an Atlassian API token for your account.
2. In the Console, go to Settings > Integrations and click Connect on the Confluence card.
3. Enter your Confluence base URL (e.g., https://your-domain.atlassian.net/wiki), your email, and the API token.
4. Optionally select a workstream and space, then click Connect.

Jira

Jira integration syncs tickets from a Jira project directly into IAS as Intentions, making them available for AI-assisted planning and execution.

What gets ingested: Jira issues matching your configuration (project key and/or JQL filter). Unlike the document integrations above, Jira supports automated periodic sync. You can configure a sync interval (e.g., every 30 minutes) or trigger sync manually.

Setup:

1. Create an Atlassian API token for your account.
2. In the Console, go to Settings > Integrations and click Connect on the Jira card.
3. Enter your Jira base URL (e.g., https://your-domain.atlassian.net), email, and API token.
4. Optionally provide a project key (e.g., ACME) and/or a JQL filter to scope which issues are synced.
5. Select a workstream and space (required for Jira to enable provenance-aware ingestion).
6. Configure sync settings: enable periodic sync with an interval, or leave it manual-only.
7. Click Save, then use Sync now in the integrations table to import issues.

Additional options:

• Capture replies -- when enabled, Jira comment replies are captured as decision answers, closing the loop between Jira discussions and IAS decision requests.
• JQL filter -- use any valid JQL query to limit which issues are synced (e.g., project = ACME AND statusCategory != Done).

Communication integrations

Communication integrations enable agents to send messages through Gmail and Slack. IAS uses an approval-first model: agents draft messages as part of goal execution, and those drafts appear as decision requests in your Inbox. Messages are only sent after you explicitly approve them.

Gmail

Gmail integration uses OAuth to connect your Google account. Once connected, agents can draft emails that you approve and send through your Gmail account.

What it does: When a goal involves sending an email, the orchestrator creates a decision request with the draft message. You review it in the Inbox, and on approval, IAS sends the email via the Gmail API. The send action and its result are recorded as auditable events.

Setup:

1. Use the same Google OAuth client configured for Google Drive (they share credentials).
2. Configure the following environment variables (if not already set for Google Drive):

3. Add the redirect URI: <your-app-url>/integrations/gmail/callback.
4. In the Console, go to Settings > Integrations and click Connect on the Gmail card.
5. Complete the OAuth flow, granting the requested Gmail scopes.

Scopes requested:

• https://www.googleapis.com/auth/gmail.send -- send emails on your behalf
• https://www.googleapis.com/auth/gmail.metadata -- read message metadata for thread resolution

Target identifiers: When the agent targets a specific recipient or thread, it uses these formats:

• New email to a contact: externalId = "<recipientEmail>"
• Reply to a thread: externalId = "<threadId>" or "<threadId>|<recipientEmail>"

Slack

Slack integration uses OAuth to connect your Slack workspace. Once connected, agents can draft Slack messages that you approve and send.

What it does: Same approval-first flow as Gmail. Agents draft messages targeting specific channels or threads, you review and approve them in the Inbox, and IAS sends them via the Slack API.

Setup:

1. Create a Slack app in the Slack API dashboard.
2. Configure the following environment variables:

3. Add the redirect URI to your Slack app: <your-app-url>/integrations/slack/callback.
4. In the Console, go to Settings > Integrations and click Connect on the Slack card.
5. Complete the OAuth flow, authorizing IAS in your Slack workspace.

Bot scopes requested: chat:write, channels:read, users:read

Target identifiers:

• Channel message: externalId = "<channelId>" (e.g., C123)
• Direct message: externalId = "<dmChannelId>" (e.g., D123)
• Thread reply: externalId = "<channelId>:<threadTs>" (e.g., C123:1700000000.000100)

Inbound replies (Slack Events API): IAS can capture replies to messages it sends, enabling follow-up triggers and reply-received events.

To enable this:

1. Enable the Events API in your Slack app settings.
2. Set the Request URL to: https://<your-convex-deployment>.convex.site/integrations/slack/events/v1
3. Subscribe to the message events you need (e.g., message.channels, message.im).
4. Set the IAS_SLACK_SIGNING_SECRET Convex environment variable to your Slack app's signing secret.

Inbound messages are recorded as integration events (with eventKey="communication.message.received"). IAS does not store the message body in event metadata -- only structural identifiers like channel ID and thread timestamp.

How integration data flows into the Context Lake

Knowledge integrations (Google Drive, Notion, Confluence, Jira) write data into the Context Lake through a consistent pipeline:

1. Connection -- you authenticate with the external service and IAS stores encrypted credentials.
2. Discovery -- you browse available documents or tickets from the Context Lake UI (or, for Jira, via automated sync).
3. Tracking -- selected items are stored as context items with a pointer to the external source, a content hash, and metadata.
4. Extraction -- IAS extracts and normalizes the text content, storing it as a text extract for search, preview, and context pack assembly.
5. Policy enforcement -- all stored content respects the workspace data policy. In metadata_only mode, titles and bodies are stripped unless explicitly allowlisted.

Communication integrations (Gmail, Slack) also generate integration events that flow into the Context Lake as context items, providing an audit trail of messages sent and replies received.

Space-level attachment

When connecting any integration, you can optionally attach it to a specific workstream and space. This serves two purposes:

• Provenance boundaries -- content ingested through that integration inherits the space's visibility tier (internal, shared, or client). This ensures that, for example, client-specific documents stay within the client space and are not surfaced in internal-only views.
• Policy scoping -- future policy decisions can be applied per-space, giving you fine-grained control over what gets stored and surfaced.

If you do not select a space, the integration is workspace-wide and its data is available across all spaces.

For Jira integrations, space attachment is required. This ensures that synced tickets are ingested with provenance-aware boundaries from the start.

Security model

IAS takes a defense-in-depth approach to integration security:

• Encrypted credential storage -- all OAuth tokens and API keys are encrypted at rest using the IAS_CREDENTIALS_ENCRYPTION_KEY before being stored in the Convex backend.
• Minimal scopes -- OAuth integrations request only the scopes they need. Google Drive requests read-only access. Gmail requests send and metadata access. Slack requests write and channel-read access.
• Approval-first communication -- agents never send messages autonomously. Every outbound email or Slack message requires explicit human approval through the Inbox.
• Auditable write-back -- every communication action is recorded with full provenance: the decision request, the approval, the send attempt, and the result (success or failure).
• Test and disconnect controls -- each integration can be tested (to verify credentials are still valid), disabled (to pause without losing configuration), or fully disconnected (which revokes the stored credential).
• No bulk access -- knowledge integrations do not crawl your entire Drive, Notion workspace, or Confluence instance. You explicitly choose which documents to track.

Managing integrations

After connecting an integration, it appears in the Configured table on the Integrations settings page. From there you can:

For Jira integrations, you can also click the integration name to edit its configuration (base URL, project key, JQL filter, sync interval, and other settings).