Integration Security
Fintra replaces 5–7 tools, but it still connects to banks, payroll providers, and the rest of your stack - and every connection is a trust decision. Integrations use OAuth with narrow scopes, tokens are least-privilege and revocable, webhooks are signed, and when AI agents use integrations as tools, AgentFence firewalls those calls like any other.
Connecting third-party services
Integrations authenticate with OAuth wherever the provider supports it - you grant consent in the provider’s own UI, Fintra receives scoped tokens, and we never see or store your passwords for those services. Scopes are the minimum the integration needs (read-only wherever possible), tokens are encrypted at rest, refreshed automatically, and revocable instantly from Fintra or the provider side. Bank connections flow through established, regulated aggregation partners rather than credential screen-scraping.
API access to Fintra
Programmatic access to your Fintra data is governed as strictly as human access.
- API tokens are scoped per permission and per role - a reporting token cannot write journal entries.
- Tokens are tied to an owning identity (human or NHI), expiring by default, rotatable, and revocable immediately.
- All API activity lands in the append-only audit log with the acting token identified.
- Rate limits per token contain abuse and leaked-token blast radius.
Webhooks and outbound data
Events Fintra sends outward are signed with per-endpoint secrets (HMAC), so receivers can verify authenticity and reject spoofed payloads. Deliveries use TLS, payloads carry the minimum data needed for the event, and failed endpoints back off and alert rather than retrying forever. Outbound destinations are configured by admins only, and destination changes are audit-logged.
AI agents and integration tools
When Fintra’s agents use integrations - reading bank feeds, syncing payroll - those are tool calls, and AgentFence governs them like any other: allowlisted per agent role, argument-constrained by policy, rate-limited, and ledger-recorded. An agent granted read access to a bank feed cannot suddenly invoke a payment API; the firewall enforces the boundary regardless of what the model asks for. Third-party MCP tools brought into the environment go through the same policy layer.
Frequently asked questions
Does Fintra store my bank password?
No. Bank and service connections use OAuth or regulated aggregation partners - you authenticate with the provider directly, and Fintra holds only scoped, encrypted, revocable tokens.
How do I revoke an integration?
Admins can disconnect any integration instantly from Fintra settings, which revokes the stored tokens. You can also revoke from the provider’s side; either action severs access immediately, and the revocation is audit-logged.
How do I verify webhooks really came from Fintra?
Every webhook is signed with your endpoint’s HMAC secret. Verify the signature header against the payload before processing; unsigned or mismatched deliveries should be rejected.
Can AI agents use my connected integrations?
Only within policy. Agent access to integration tools is allowlisted per role, constrained by AgentFence’s tool-call firewall, and every call is recorded in the trust ledger - so agents get the access their job needs and nothing more.
Questions about integrations?
Our security team answers due-diligence questions directly - documentation, DPAs, and evidence available on request.
Talk to our security team