How Hevo Authenticates Sources and Destinations using OAuth

Hevo has a central authorization service that takes care of user authentication and authorization across all the Hevo regions. This also covers authorization for:

  • The various OAuth-based Sources, Destinations, and Activate Targets that Hevo integrates with
  • Google sign-ins
  • Enabling Slack notifications

The authorization service is hosted centrally in the Hevo Asia region (with a backup service in the US region coming soon) for security purposes. It follows the design principles of other services operating at a global scale, such as Amazon and Google, whereby a user can log in to any region or any service with a single account. This design also enforces that no application data is stored or exchanged by the authorization service. The Pipeline created in your account-specific region (https://<region>.hevodata.com) handles all the application data, with the Authorization service providing just the required access token.

Therefore, for the OAuth service to work, you must whitelist the Hevo Asia IP address.

The following example illustrates how the authorization service works.

Example:

Suppose that you want to replicate your Salesforce data that resides in the Europe (Eu) region, and you have created a Hevo Pipeline in the Europe region for this purpose.

Salesforce (and any other OAuth-based Source at Hevo) expects an OAuth token to be provided for authorizing the user (Hevo) to access and ingest data. The OAuth token is valid for a limited time. Once it expires, the token has to be refreshed.

Hevo’s Authorization service, hosted in the Asia region, does this OAuth token refresh, and subsequently, the Europe server uses the refreshed token to fetch the data from your Salesforce account. All data movement from the Source to the Destination is performed across servers in Europe itself.
Last updated on Apr 12, 2024
