Docs / Service Providers

Manage Service Providers

Connect, configure, and monitor service provider integrations with wavekey continuous authentication.

Navigating to the Page

  1. Log in to wavekey. After authenticating, you'll land on the home page.
  2. Click the Settings gear icon (top-right of the home page). This icon only appears when you are logged in.
  3. On the Settings page, click the "Manage Service Providers" button.

You'll arrive at the Manage Service Providers dashboard, which displays a tile for each supported service provider.

Admin-Only Restriction
Only the tenant admin (the user whose email was provided during organisation setup) can connect, disconnect, or edit service provider integrations. Non-admin users can view connection status and configure their own per-user policy settings (continuous authentication, frequency, notifications), but the connect/disconnect/edit buttons and the "Protect sensitive actions" toggle will be disabled.

Page Overview

The page shows a card/tile for each service provider integration:

Provider Connection Method Status
Salesforce OAuth Available
Google Workspace Domain Delegation Available
HubSpot OAuth Coming Soon

A search bar at the top lets you filter tiles by provider name.

Connecting Salesforce

Requires admin permissions. Non-admin users will see the Salesforce tile but cannot connect or disconnect.
  1. Locate the Salesforce tile. If not yet connected, the status badge will show a red dot and "Disconnected".
  2. Click the green "Connect" button at the bottom of the tile.
  3. You will be redirected to Salesforce's OAuth authorization page.
  4. Sign in to your Salesforce account and authorize wavekey.
  5. After approval, you are redirected back. The tile will update to show:
    • A green "Connected" status dot
    • "OAuth • Connected" subtitle
    • The Scope row showing the date access was granted
  6. The button changes to a red "Disconnect" button.

Disconnecting Salesforce

Click the red "Disconnect" button. The OAuth token is revoked and the tile returns to a disconnected state.

Connecting Google Workspace

Requires admin permissions. Non-admin users will see the Google Workspace tile but cannot connect or edit the configuration.
  1. Locate the Google Workspace tile. If not yet connected, the status badge will show a red dot and "Disconnected".
  2. Click the green "Connect" button at the bottom of the tile.
  3. A modal dialog opens titled "Google Workspace enterprise setup". It contains:
    • Service account client ID (read-only)wavekey's service account client ID. Click "Copy" to copy it.
    • OAuth scopes (read-only) — The required OAuth scope. Click "Copy" to copy it.
    • Workspace domain — Your organization's Google Workspace domain (e.g., acme.com).
    • Admin email — The email of a Google Workspace super admin.
  4. Before saving, authorize wavekey's service account in your Google Admin Console:
    1. Go to admin.google.com → Security → Access and data control → API controls
    2. Click "Manage Domain Wide Delegation" → "Add new"
    3. Paste the Service account client ID (copied from the modal) into the Client ID field
    4. Paste the OAuth scopes into the scopes field
    5. Click "Authorize"
  5. Back in the wavekey modal, fill in your Workspace domain and Admin email, then click "Save".
  6. The tile updates to show a green "Connected" status dot and the button text changes to "Edit".

To close the modal without saving: Click "Cancel", press Escape, or click outside the modal.

Toggle & Setting Reference

Each connected provider tile has the following configurable settings:

Continuous Authentication

What it does Enables conditional access — wavekey will continuously verify the user's identity at the configured frequency while they are using the service provider.
Default Off
When to enable Turn this on to enforce ongoing identity checks, ensuring only the authenticated user retains access.

Scope

A read-only badge displaying when admin access was granted (e.g., "Granted 17 Feb 2026") or "Not granted" if the provider is not connected. This is informational only — not a toggle.

Authentication Frequency

What it does Controls how often wavekey re-verifies identity when continuous authentication is enabled.
Default Every 3 seconds
How to change Click the "Change" button next to the current frequency. A dropdown appears with options ranging from 3 seconds to 1 hour.
Available Intervals

3s • 5s • 10s • 15s • 30s • 1 min • 3 min • 5 min • 10 min • 15 min • 30 min • 1 hour

Notifications

What it does When enabled, sends a notification if a continuous authentication check fails.
Default On (for Salesforce)

Protect Sensitive Actions

What it does Enables browser-level protection via the wavekey Chrome extension. When on, the extension monitors sensitive actions within the service provider's web interface.
Default Off
Important This is a shared setting — toggling it on one provider (Salesforce or Google Workspace) enables it for both.
Requires The wavekey Chrome extension must be installed in your browser.

Extension Status Banner

When Protect sensitive actions is enabled on any provider, an extension status banner appears below the provider tiles. It shows one of three states:

State Meaning
Checking wavekey is verifying whether the Chrome extension is installed and responding.
Verified The extension was detected and confirmed active by the server. The version may also be displayed.
Not found The extension was not detected. You must install the wavekey Chrome extension for browser protection to work.

The extension check runs automatically on page load and whenever the browser tab regains focus.