Workspace Integrations

Open Workspace → Integrations to manage integrations that belong to the workspace. Email setup lives on this page, not in personal account settings.

What is here

• Shared OAuth and email connections for SMTP sending and IMAP sync
• Bank-account integrations with consent status and renewal actions
• Public API access and API keys
• Payment-provider integrations
• GitHub integration

Bank accounts

• Connected bank accounts show their provider status, linked accounts, last sync, consent expiry, and any stored provider error.
• Connections whose consent has expired or expires within seven days are counted on the Integrations tab and show attention on the bank connection card.
• Use Renew consent to re-authorize an existing connection without losing imported transactions or matches.
• When a provider returns changed account IDs, Einblick reuses matching account rows by IBAN where possible. Accounts no longer returned by the provider are marked inactive instead of deleted.
• Manual bank accounts created from Bank Transactions appear as Manual import connections. They do not use consent renewal and are skipped by provider sync.
• Pending, error, expired, and soon-expiring connections can be retried from the same card. Revoked connections can be deleted.

Public API

• Open Workspace → API when the API feature is enabled for the workspace.
• API settings follow the api role permission. Role grants for read, create, update, and delete control viewing keys and external sites, creating them, changing API-key grants or origins, and revoking or removing them.
• For resource reads, API keys can access only the selected CMS collections and supported native endpoints. The current native collection endpoints are buildings, events, festivals, jobs, and products.
• For every endpoint, choose readable fields and optional server-side filters. Filter-only fields can still stay available without being returned in the payload.
• For standard resource writes, grant create, update, and delete per resource. CMS resources support all three actions. Native resource writes currently support buildings, events, and festivals; jobs and products are read-only through the standard resource API.
• Create and update requests accept only fields selected as writable for that resource. CMS writes use /api/v1/cms/{slug}, native writes use /api/v1/{slug}, and update or delete calls add the record identifier to the path. Native deletes archive the building, event, or festival; CMS deletes remove the CMS record.
• When an admin adds a readable field to a CMS collection, Einblick can offer to add that field to active API keys that already read the collection. Revoked or expired keys and keys without a matching collection grant are skipped.
• Resources with a status field default to status = published; jobs and events also default to visibility = public. If a key should expose another status or visibility, add an explicit filter for that endpoint.
• Event resource fields include event metadata plus computed start, end, allDay, relation summaries, cover image data, and slot data based on the event's slots.
• Raw API tokens are shown only once after creation. Clients authenticate with Authorization: Bearer api_....
• Each key can optionally allow only specific browser origins. Requests from other browser origins fail CORS, while server-to-server calls without an Origin header still work.
• Public commands are separate from resource writes. Granted commands are callable at /api/v1/commands/{name}, discoverable at /api/v1/commands/schema, and currently cover public job application commands, newsletter signup, and trusted external sync commands.
• Resource writes and public commands accept an optional Idempotency-Key header up to 200 characters. Reusing the same key for the same route and payload returns the stored result; reusing it with a different payload returns a conflict.
• The page links to the per-key schema at /api/v1/schema, /api/v1/openapi, and /api/v1/openapi.json and includes install commands for @einblick/sdk. The OpenAPI document exposes separate writable-attribute schemas for create and update requests, so updates only need the fields being changed.
• Collection endpoints support limit, cursor, and sort. Use comma-separated field keys and prefix a field with - for descending order. Without an explicit sort, CMS collections follow the manual record order stored in Einblick, and each record exposes that value as sort in record meta.
• Readable CMS relation fields can be expanded with include. Related records are returned in included and only work when the same key also has access to the related collection.
• CMS richtext fields are returned as structured document JSON. Asset payloads include stable URLs, optional width, height, title, copyright, description, tags, and sort for ordered multi-file fields. When a CMS video has a generated web playback variant, the public asset URL serves that browser-compatible MP4 or WebM file instead of the original upload.
• Browser-origin requests for non-transformed asset URLs are proxied with CORS headers and range support. Server-to-server calls without an Origin header can follow short-lived storage redirects instead.
• The same page also manages External Sites for live in-page editing. Each site stores allowed origins, the publishable site key, and an optional relative revalidation path for host caches.
• When revalidation is configured, CMS content changes post to the site's revalidation path on every allowed origin. The default path is /api/einblick/revalidate; an optional shared secret is sent as x-einblick-revalidate-secret.
• See Einblick SDK In-Page Editing for framework support and host-cache revalidation guidance.

Payment providers

• Stripe payment connections are managed from the payment-provider area on this page. A connected Stripe account can accept payments and refunds when Stripe reports those capabilities.
• Connected Stripe accounts are also picked up by the hourly accounting sync. Einblick imports Stripe balance transactions and payouts, links payment-session references when possible, and creates journal entries through the Stripe clearing and payment-processor-fee accounts.
• The first accounting sync looks back up to 90 days. Later syncs overlap the previous successful run by two days so late Stripe updates can be refreshed.

Email accounts and incoming mail

• To connect Google Workspace or Microsoft 365, use Workspace → Integrations → Connected Services.
• To connect a provider with server credentials, use Workspace → Integrations → SMTP/IMAP Credentials. The SMTP and IMAP sections can test the entered credentials and show the success or error result inline before you save.
• Shared mailboxes can scan incoming mail for invoices, tasks, and inquiries.
• Optional AI is available for supported mail automations, including task and inquiry analysis.
• Incoming mail is checked on an hourly sync schedule.
• IMAP sync reads messages without marking them as read in the upstream mailbox.
• Every captured message remains visible in Mail, where staff can inspect attachments, message text, and created records.
• Mail loads longer inboxes as you scroll and searches subject, sender, recipients, and preview text. You can filter by mailbox; the inbox can also filter to messages with attachments.
• Auto-created inquiries require workspace defaults for issuer organization and currency. If those are missing, the email is still tracked but inquiry creation is blocked.
• Einblick-origin system emails from @einblick.xyz are suppressed by the intake detector so automated notifications do not create new invoices, tasks, or inquiries.

Why events depend on it

Event slots can sync into external calendars, but workspace-wide providers and connection scope are configured here. Personal account/device linking still happens in My Connections.

Related docs: Events, Jobs, My Connections, Workspace Settings