Guides
Migrate off a legacy iPaaS without disrupting customers
How to cut over from a legacy iPaaS or homegrown integration layer without breaking live customer connections: phased parallel-run, OAuth carryover, webhook dual-subscription, and a rollback plan.

Garrett Scott
,
Head of Marketing
Migrate off a legacy iPaaS without disrupting customers
Migrating off a legacy iPaaS or homegrown integrations works best as a phased cutover, not a single switch: run old and new systems in parallel, keep OAuth grants live instead of forcing re-authentication, dual-subscribe webhooks until events match, validate data parity, and roll out by customer segment with a rollback path until the new system is proven.
Whether you're moving off MuleSoft, Workato, Zapier, Make, a unified-API layer like Merge, or a system your own team built, the same mechanics show up in some form: parallel-run, OAuth carryover, webhook dual-subscribe. They aren't identical across categories: Workato's Embedded product and Recipe Lifecycle Management change what's exportable within Workato itself, and Zapier and Make have added agent and MCP layers a straight recipe cutover doesn't touch. This guide covers the mechanics generically, using Paragon's managed-auth and webhook layer as one example of how a target platform can support them. The risk isn't the migration itself; it's the moment your customers notice something changed. (For the broader question of what integration infrastructure needs to look like underneath an AI product, see this guide to AI agent integration infrastructure.)
Why a phased cutover beats a big-bang switch
A phased cutover beats a big-bang switch because it validates each piece of the new system against real traffic before the old one goes away, instead of finding out what broke after every customer is already on the new path. Teams call this a "dual-runtime" or parallel-run phase: both platforms process live or mirrored activity for a defined window, and you cut individual flows over once each is confirmed correct.
The trade-off is real: running two systems side by side costs more compute and engineering attention than a clean swap. But that cost buys the ability to catch a bad field mapping, a missed webhook, or a broken OAuth flow against a handful of accounts instead of your entire base. The failure mode of a big-bang cutover is rarely the migration logic; it's what nobody thought to quiesce: background cron jobs, retried webhooks, or a third-party app still pointed at the old endpoint.
If you're also evaluating surface area, check connector breadth against your actual usage, not just the number of integrations a vendor lists on a page.
How to carry over OAuth connections without a forced re-auth
Whether you can avoid forcing customers to re-authenticate depends on whether the specific provider supports re-pointing an existing, still-valid grant to a new OAuth client registration; most don't expose that path, and there's no generic way to make a token issued under one client_id work under another. Refresh tokens, and confidential-client grants generally, are what's bound to the issuing client_id, though whether a token is a portable bearer credential or cryptographically tied to its client depends on the provider's own implementation.
Refresh-token rotation adds a collision risk during the transition: if both old and new systems try to refresh the same rotating token, providers that implement rotation detection may treat the second attempt as reuse and revoke the entire refresh token family rather than just failing the losing call with invalid_grant, forcing a fresh authorization grant instead of a quick retry. Only one system should hold refresh authority per connection, by design. Forced re-authentication also isn't a minor inconvenience in a multi-tenant B2B product: asking every end user to reconnect is a support and churn event, not a formality.
Paragon's managed authentication handles authorization, token refresh, and encrypted credential storage per end user through an SDK call. The documented case is Paragon's own move from Salesforce Connected Apps to External Client Apps: "existing users will remain connected to your old Connected App, and their requests, workflows, or syncs will not be disrupted," while new users go through the new install path, and the old configuration becomes read-only once migration is confirmed. Treat this as proof the pattern exists for one provider, not a mechanic to assume elsewhere.
Merge sits in a different category here: it normalizes HRIS, ATS, and CRM data behind one API and syncs that data on a schedule. It's not a Paragon-style embedded workflow builder for customer-facing integration workflows; a different primary job entirely. If your legacy setup mostly reads and syncs unified records, Merge's category applies directly; a customer-facing embedded workflow builder is a different kind of platform.
How to migrate webhooks without dropping events
You migrate webhooks without dropping events by subscribing to the same events on both old and new endpoints during the transition, not by cutting over in a single moment. It's the same parallel-run principle applied to events: both systems receive the same triggers, and you retire the old subscription only once the new one is confirmed to catch everything it should.
Running both subscriptions means duplicate events during the overlap. Since you don't control the shape of a third-party payload, build your consumers to be idempotent by keying deduplication off fields the provider already sends: its own event or delivery ID, the object ID, and the event type, discarding anything already processed under that combination instead of adding fields of your own to someone else's payload.
If you're keeping the same public webhook hostname and only re-pointing what answers behind it, lower that hostname's DNS TTL well before cutover (a few minutes is common) so traffic reaches the new backend quickly. That only helps when the hostname doesn't change; if the new platform issues a different callback URL, TTL has no effect, and you must update the webhook registration on the provider's side to the new URL before the old one stops receiving anything.
Paragon's Custom Webhooks let you build a webhook trigger against any integration provider on Paragon, registered either programmatically when a user enables a workflow, or set up manually with a Paragon-provided URL. Validation runs through HMAC, with a custom-code option for your own digest logic. Once events land, Workflows run in an environment built to queue high event volumes, with auto-retry on outbound calls and replay on individual steps, so an event that fails mid-cutover doesn't just disappear.
How to validate data and mapping parity before cutover
You validate parity by running both pipelines against the same trigger and comparing output before trusting the new one, not by assuming a passed test migration means the mappings hold at scale. Concretely: reconcile record counts between old and new systems on a schedule, spot-check field-level mappings on a sample of records rather than only the happy path, and diff the actual output of both pipelines on the same event.
This is standard data-migration discipline applied to an integration cutover, and it deserves the same rigor as the OAuth or webhook mechanics. A mapping off by one field rarely shows up as an error; it shows up weeks later as a customer asking why a record looks wrong. Paragon's Managed Sync handles the sync and mapping layer so you can compare its output against your legacy pipeline's on live data before cutting a given object or customer over, rather than trusting a one-time export as proof.




