Skip to main content

Per-vendor integration setup

This page is the credential lookup table — what each vendor needs, where to find it in the vendor's portal, and what gets unlocked once the connection is healthy. For the cross-vendor workflow (Test connection, encryption, Integration Status, troubleshooting), see Integrations overview. For Microsoft 365 specifically, see Connect your Partner tenant.

Autotask (PSA)

Type: PSA. Plan tier required: any.

Credentials needed

  • Username (API user) — the API username from the dedicated API user you create in Autotask.
  • Integration code — provided by Datto/Autotask when you register Ops AI as an external integration.
  • Secret — the password generated alongside the API user.
  • Zone URL (optional) — auto-detected on first connection.

How to get them

  1. In Autotask, Admin → Resources/Users → New and select API User as the resource type.
  2. Set the security level to API User (System) (or a more restricted role if your security policy requires).
  3. Generate the username + password. Copy both.
  4. Open Admin → Extensions & Integrations → Integration Vendors and ensure the integration vendor for Ops AI exists; copy the integration code.

What gets unlocked

  • Read tickets, companies, resources, contracts.
  • Write ticket updates, time entries, notes.
  • Webhooks (creates/deletes managed via the Webhooks page — see Webhooks for reconcile).

Integrations page — Autotask, Datto RMM, IT Glue, Pax8, and Datto EDR each shown as a verified instance with the last-verified timestamp

Datto RMM

Type: RMM. Plan tier required: any.

Credentials needed

  • API endpoint — your Datto RMM region's API URL (e.g. https://pinotage-api.centrastage.net for the EU pinotage zone).
  • API key — generated in the Datto RMM admin panel.
  • API secret key — generated alongside the API key.

How to get them

  1. In Datto RMM, sign in as an admin and open Setup → Users.
  2. Pick (or create) an API user, then under Account Information click Generate API Keys.
  3. Copy the key + secret immediately — the secret is shown only once.
  4. The endpoint is the host shown in your browser's address bar when you're signed into the Datto RMM portal — substitute -api into the subdomain (e.g. pinotagepinotage-api).

What gets unlocked

  • Read device inventory, alerts, monitor state.
  • Trigger jobs on devices.

Common pitfall

Datto API keys silently expire. If your integration starts returning 401s "out of nowhere," it's almost always the key's expiry — re-issue and re-paste.

Datto EDR

Type: Security (endpoint detection & response). Plan tier required: any. The Security Incidents sidebar item only appears when this integration is configured.

Credentials needed

  • Endpoint URL — your EDR region's API URL.
  • API key — from the Datto EDR admin panel.
  • Site mapping (optional) — link Datto EDR sites to Ops AI customers via Customer Mapping.

How to get them

  1. In the Datto EDR admin portal, Settings → Integrations → API Keys.
  2. Generate an API key with read + quarantine scope.
  3. Copy the key.

What gets unlocked

IT Glue

Type: Documentation. Plan tier required: any. Read and gated write — see What gets unlocked below, and How Ops AI governs AI actions for exactly how writes are controlled.

Credentials needed

  • API key — from your IT Glue user account.
  • API base URLhttps://api.itglue.com (US) or https://api.eu.itglue.com (EU). This matters — see below.

How to get them

  1. In IT Glue, My Account → API Keys (top-right user menu).
  2. Click Generate API key, name it "Ops AI", and copy the value.

EU vs US accounts

IT Glue hosts accounts on two separate regional servers:

  • If your IT Glue account is on the EU server, you must enter https://api.eu.itglue.com as the API base URL.
  • If you leave the URL blank, the system defaults to the US endpoint.

If you enter the wrong URL, Test connection auto-detects the EU endpoint when it sees the regional redirect and advises you to update the URL — but you'll save a step by setting it correctly upfront. US accounts don't need to set a URL.

What gets unlocked

Read: documentation, configurations, contacts, flexible assets, SSL certificates, and password records. Customer-specific runbook content is surfaced into agent context (see Knowledge base).

Write (all gated — off by default, human-approved): Ops AI can write to IT Glue, and we'd rather tell you exactly what that means than pretend it can't. The tool registry exposes 16 IT Glue write tools — create / update / archive documents, configurations, contacts, flexible assets, SSL certificates, and related items — including four that touch the password vault: create a password, update a password, archive a password, and read a password in plaintext (a plaintext read is treated as a write for gating purposes, so it goes through the same controls).

None of these run on their own. Every one is subject to the full write-safety stack:

  • The integration must be connected and enabled — no connection, no writes.
  • Draft-then-apply on the most sensitive tools — the password-vault tools and archive operations can only be drafted by the AI; applying them is a separate, explicit step. (The document, configuration, contact, and flexible-asset writes aren't held behind this extra step — but on a propose-only customer they still can't apply without human approval; see the next point.)
  • Per-customer autonomy mode — new customers default to propose-only, which routes every write to the Approvals queue for a human to approve or reject before anything changes. A customer only writes autonomously if you explicitly switch it to full-auto.
  • Agent-type restriction + approval gates — the same per-MSP approval thresholds that gate every other vendor write apply here too.

If you want IT Glue to be strictly read-only for a given customer, set that customer's autonomy mode to read-only and no write — password or otherwise — can ever be applied against it.

Pax8

Type: Marketplace. Plan tier required: any.

Credentials needed

  • Client ID — from your Pax8 OAuth application.
  • Client secret — generated alongside the client ID.

How to get them

  1. In the Pax8 admin panel, Account → API Access.
  2. Create an OAuth application named "Ops AI" and grant it the read + order-write scopes.
  3. Copy the client ID and secret.

What gets unlocked

  • Read — companies, order history, subscription state.
  • Write (all gated with Approval by default) — these have real billing impact, so they run through the same write-safety stack as every other vendor:
    • Change a subscription's seat quantity (pax8_update_subscription_quantity).
    • Cancel a subscription (pax8_cancel_subscription).
    • Place an order (pax8_create_order).
    • Create / update companies and company contacts.

Common pitfall

Pax8 secrets rotate periodically. Set a calendar reminder; the API stops working without warning when a rotation happens server-side.

UniFi

Type: Networking. Plan tier required: any.

Credentials needed

  • Controller URL — the URL of your UniFi controller (e.g. https://unifi.example.com:8443).
  • Username — a local UniFi controller account with admin privileges.
  • Password — for the same account.
  • Site name (optional) — defaults to default.

How to get them

UniFi credentials are local to your controller — there's no portal-side OAuth. Create a dedicated local admin user in the UniFi Network Application Settings → Admins rather than using your personal account.

What gets unlocked

  • Read — site, device, and client inventory.
  • Write (all gated with Approval by default) — UniFi has a broad write surface; every one runs through the write-safety stack:
    • Block / unblock and reconnect clients.
    • Restart access points, switches, and gateways.
    • Create and update WLANs and networks; toggle switch-port PoE.
    • Create, update, enable, and delete firewall rules and port-forward rules (unifi_create_firewall_rule, unifi_create_port_forward, and related).
    • Create guest vouchers.

Common pitfall

Self-signed certificates on the controller. The integration will fail with "SSL certificate verify failed" — either install a trusted certificate on the controller, or contact Ops AI Support to allow-list your controller's certificate fingerprint.

Microsoft 365 (CSP / GDAP)

Type: Productivity. Plan tier required: any. Setup path: dedicated wizard, not the Integrations form.

Microsoft 365 doesn't use the standard credential-paste flow. It uses the CSP/GDAP wizard (see Connect your Partner tenant), which provisions a per-MSP Entra app on your side, mints a client secret, creates the GDAP relationship, and rotates secrets automatically.

What gets unlocked

  • Read users, groups, mailboxes, license state across every onboarded customer tenant.
  • Lifecycle write operations via Microsoft Graph: create / disable / license users (always with Approval by default).

Multiple instances of the same vendor

If you have two Autotask accounts (one per region) or two UniFi controllers, add each as a separate integration instance. Mark one as the default; agents use the default when no specific instance is named on the SOP step. Multi-instance is uncommon — most MSPs run one of each.

Where to look when something goes wrong

  • 401 / 403 immediately — credentials are wrong or rotated; re-paste fresh from the vendor portal.
  • Timeout — vendor IP allow-list problem; ask Ops AI Support for our outbound IP list.
  • Worked yesterday, broken today — open Integration Status for the last error message; usually credential expiry.
  • Vendor-specific quirks — see the per-vendor "Common pitfall" notes above.

For the cross-vendor troubleshooting tree, see Troubleshooting.