Skip to main content
Intercom is Forepost’s longest-running integration, but it isn’t the only one. Front, Plain, and Zendesk are supported via the same OAuth + encrypted-token shape.
OAuth scaffolds are in place for all three. Metric adapters for these providers are still stubs — they’re not yet pulling volume / CSAT / FRT. CSV import remains the live path until those adapters land. See Import data.

What’s the same

For every provider, Forepost:
1

Generates a signed OAuth state

GET /integrations/<provider>/start returns an authorize URL.
2

Redirects to the provider

You approve Forepost in the helpdesk’s UI.
3

Exchanges the code for a token

POST /integrations/<provider>/complete swaps the code for an access (and where supported, refresh) token.
4

Stores the token AES-GCM encrypted

In the same helpdesk_connections table Intercom uses. Refreshes on the same hourly cron as Intercom once a metric adapter ships.

What’s different per provider

Uses app.frontapp.com/oauth/authorize with scope=shared:*. No subdomain needed.
Uses app.plain.com/oauth/authorize. No subdomain needed.
Requires your workspace subdomain. If your Zendesk is acme.zendesk.com, the subdomain is acme. Pass it as ?subdomain=acme on the start endpoint. Scope is read.

Required environment

To enable each provider, set the matching env vars on the worker: 
FRONT_CLIENT_ID, FRONT_CLIENT_SECRET
PLAIN_CLIENT_ID, PLAIN_CLIENT_SECRET
ZENDESK_CLIENT_ID, ZENDESK_CLIENT_SECRET
Without these, the start endpoint returns a 500 with a clear message (“missing FRONT_CLIENT_ID”).

API

GET  /integrations/front/start            # owner/admin: returns auth URL
POST /integrations/front/complete         # owner/admin: body { code, state }

GET  /integrations/plain/start
POST /integrations/plain/complete

GET  /integrations/zendesk/start?subdomain=acme
POST /integrations/zendesk/complete       # body { code, state, subdomain }
The connectedAt, lastRefreshedAt, and lastRefreshStatus fields on /integrations/connections work identically across providers.

What’s not in this release

The OAuth + token-storage path is wired. The metric adapters — the per-provider functions that turn API responses into volume/CSAT/FRT — are stubbed:

Front

Not yet mapped. Front’s Analytics API is the right source.

Plain

Not yet mapped. Plain’s GraphQL needs custom queries.

Zendesk

Not yet mapped. Zendesk’s Search and Views APIs.

CSV import

Live for all three. Use weekly while the live adapters are in flight.
A connected Front/Plain/Zendesk workspace doesn’t auto-populate metrics yet. The token is there so the work to add a real adapter doesn’t have to redo auth.

Privacy

Same posture as Intercom: read-only scopes, AES-GCM encryption at rest, no conversation bodies stored. Tokens can be revoked from your helpdesk’s developer settings and locally via DELETE /integrations/connections?provider=<name>.