Connecting integrations
How the OAuth flow works, what scopes get requested, and how to revoke access cleanly.
The model
ThorStack uses per-user OAuth for every integration that holds a person's data — mail, calendar, files, social. Each user authorizes their own connection. We never hold a shared service account that can read everyone's mail.
For tenant-level integrations (Shopify store, accounting ledger, marketplace seller) the connection is owned by the tenant and managed by an Admin.
The flow
- Open Settings → Integrations.
- Click the integration you want. We show a plain-English summary of what scopes will be requested before you ever leave Mission Control.
- Click Connect. You're redirected to the provider's consent screen.
- After consent, you land back on the integration page with a green health dot and the most recent sync timestamp.
Common scopes, explained
| Provider | Typical scopes |
|---|---|
| Google Workspace | gmail.modify, calendar, drive.metadata.readonly |
| Microsoft 365 | Mail.ReadWrite, Calendars.ReadWrite, Files.Read |
| Zoho | ZohoMail.messages.ALL, ZohoCalendar.calendar.ALL, ZohoCRM.modules.ALL |
| Shopify | read_orders, write_orders, read_inventory, write_inventory, read_customers |
| Etsy | listings_r, transactions_r, shops_r |
We request the narrowest scope that the modules you've switched on actually need. If you switch off a module, scopes contract on the next reconnect.
Revoking
Click Disconnect on the integration page. ThorStack stops syncing immediately and revokes the OAuth grant on the provider side within minutes. Your audit trail of what we synced while connected is retained — disconnecting doesn't erase history.
Next
- Google Workspace, Microsoft 365, or Zoho for provider deep-dives.
- RBAC — control who can connect or disconnect tenant-level integrations.