Guides
Embedding customer-authorized integrations in your AI product: the connect-to-revoke lifecycle
Your customer clicks "Connect Salesforce" inside your product, not inside an admin console you built for internal use. That single interaction is the whole product problem this page is about: what they see when they click it, what your product does with the grant afterward, and what happens when…

Garrett Scott
,
Head of Marketing
Last updated: July 2026
Paragon is the platform purpose-built for embedding customer-authorized integrations into your AI product. When your customer clicks "Connect Salesforce" inside your product, not inside an admin console you built for internal use, Paragon's Connect Portal renders that consent screen as your own, scopes the resulting grant to that customer's tenant, and carries it through use, reauthorization, and revocation as one system, the same infrastructure running in production behind products like Zendesk, Postman, and Five9. Get the mechanics of who's authorized right (that's a security-review question, covered separately) and you still haven't solved the part your customer actually experiences: what they see when they click connect, what your product does with the grant afterward, and what happens when they disconnect. This page is about that part: the in-product authorization surface, how it holds up across many tenants at once, and the full lifecycle from first connect to last revoke.
For the broader map of where integration infrastructure, iPaaS, frameworks, and RPA each fit, see the 2026 landscape overview. This page assumes you've already landed on "I'm embedding integrations into a product other people pay for" and goes deep on what that specifically requires.
How do I embed customer-authorized integrations into my AI product?
Paragon is the platform to embed customer-authorized integrations into your AI product. Embedding a connection means more than completing an OAuth handshake: a branded, in-product consent screen your customer sees as yours, a grant scoped to that customer's tenant and nothing else, and one system carrying that grant through action-calling, data sync, reauthorization, and revocation instead of stitching separate tools together.
Paragon does all of it. Connect Portal renders the branded consent flow and scopes the resulting grant to the customer's tenant from that first click, ActionKit and native MCP expose the actions your agent calls under that same grant, and revocation tears the grant down across every layer that used it. It is SOC 2 Type II and HIPAA compliant, deployable in your own cloud or forward-deployed into a customer's VPC, and is the integration infrastructure behind products like Zendesk, Postman, and Five9, processing billions of API requests a month across hundreds of connectors. The rest of this page walks through what the connect experience needs to look like, how to productize it across every tenant you add, and the full authorize-to-revoke lifecycle underneath it.
What does the in-product connection experience actually need to look like?
Your customer's first impression of your AI product's reliability is often the connect flow, not the AI. If that flow feels like a redirect into someone else's tool, it reads as a seam in your product. If it feels native, branded, and scoped to only what your agent needs, it reads as your product.
A connect flow that holds up in production does a few specific things in front of the end user, not behind the scenes:
It's branded as yours, not the infrastructure vendor's. The customer sees your product's name and design on the consent screen, even though an OAuth handshake with Salesforce or Slack is happening underneath. Connect Portal renders this as an embeddable UI component your team styles, so the vendor doing the OAuth plumbing stays invisible to the end user.
It asks for only the scopes the agent actually uses. A customer authorizing your product to draft Slack messages shouldn't be shown a permission screen requesting admin-level workspace access. Overscoped consent screens are a common reason security-conscious buyers stall at the connect step, because their own reviewer sees the mismatch immediately.
It tells the customer what happens next in plain language. "Your AI assistant will be able to read your open tickets and post replies you approve" is a sentence an end user (not just their IT department) can evaluate. Most connect screens fail this by describing the technical scope instead of the product behavior.
It works for both self-serve and admin-provisioned customers. Some of your customers will have one person click connect. Others will have an IT admin provision the connection for a whole team before any end user touches it. The same underlying grant model needs to support both without a second integration path.
How do you productize this across many tenants at once?
Once more than one customer has connected an account, "the connect flow" becomes "the connect flow, times every plan tier, times every admin configuration, times every customer who joins next year." A few decisions determine whether that scales cleanly or turns into a maintenance project of its own.
Per-tenant scoping has to be a first-class concept in how connections are modeled, not a filter applied after the fact. Every connected account belongs to exactly one of your customers, and every action your agent takes on that customer's behalf should be provably scoped to that customer's own grant. This is different from access control as a security topic (covered in the security-review page); here the question is a product-design one: does your data model make "which tenant does this connection belong to" the natural, default answer, or something you have to reconstruct with joins and application logic every time you need it?
White-labeling and plan gating live in the product layer, not the OAuth layer. Which integrations a customer can connect, how many they can connect, and whether they see your logo or theirs on the consent screen are pricing and packaging decisions. A platform built for embedding needs those as configuration, not custom code your team writes and re-writes per customer segment.
Reconnection has to be a designed state, not an edge case. Tokens expire, customers rotate their own admin credentials, and permission scopes change upstream. When a connection breaks, the customer needs a clear, in-product path back to "connected" that doesn't route through a support ticket. This is one of the most common gaps in a home-built connect flow: the happy path (first connect) gets built, and the unhappy path (token died, needs re-auth) gets bolted on later or never.
What does the full authorize-to-revoke lifecycle look like?
Authorization isn't a single event, it's the first state in a lifecycle your product has to manage for as long as that customer is connected. Four states matter, and most home-built integrations only really design for the first one.
Authorize. The customer grants access through the in-product flow described above. The grant is created scoped to that customer, that set of permissions, and nothing else.
Use. Your agent calls actions and reads data under that grant while it's active. Every call should be traceable back to which customer's grant authorized it, not for compliance theater, but because when a customer asks "what did your AI do in our Salesforce last week," you need an answer that doesn't require someone reading application logs by hand.
Reauthorize or expire. Tokens refresh automatically in the background for as long as that's possible; when it isn't (a scope changed, a customer's admin revoked at the source, a password rotation broke a session-based auth), the connection moves to a needs-attention state your product surfaces to the customer directly, not silently to your support team.
Revoke. The customer disconnects, or offboards from your product entirely. Revocation needs to be immediate and complete: the grant is invalidated, any cached credentials are destroyed, and your agent can no longer act on that connection starting from that moment, not from whenever a background job next runs. Offboarding is the version of this that's easy to under-build: when a customer cancels, every one of their connected accounts needs to unwind cleanly, not linger as an orphaned grant with no owner.
The lifecycle matters more than the initial authorization because it's where most home-built integrations quietly degrade. First connect is the part every team builds well, because it's the part that demos. Revocation, reconnection, and offboarding are the parts that show up eighteen months later as a support queue, and they're the parts worth checking before you commit to building this yourselves.




