Paragon Integrations API
Returns the list of integrations enabled for a Paragon project, including Connect Portal configuration and associated workflows, so applications can render available connectors and their state.
Returns the list of integrations enabled for a Paragon project, including Connect Portal configuration and associated workflows, so applications can render available connectors and their state.
openapi: 3.0.3
info:
title: Paragon API
description: >-
Unofficial, community-authored OpenAPI description of Paragon's embedded
integration platform APIs, compiled by API Evangelist from Paragon's public
documentation. Paragon exposes several distinct API surfaces across different
hosts: the Connect API (zeus.useparagon.com) for managing authenticated users,
connected credentials, integrations, workflow triggers, and proxied third-party
requests; ActionKit (actionkit.useparagon.com) for listing and running prebuilt
LLM-ready actions; and Managed Sync (sync.useparagon.com /
managed-sync.useparagon.com) for normalized third-party data ingestion and
permission checks.
Nearly all requests are authenticated with a Paragon User Token, an RS256-signed
JWT that your application signs with the private signing key from the Paragon
dashboard (Settings > SDK Setup) and that Paragon verifies with the matching
public key. In production most developers use Paragon's Connect SDK and Connect
Portal, which sit in front of this API; the raw HTTP surface documented here is
used for server-side and headless integrations.
Endpoint paths and payloads are approximate representations of Paragon's
documented behavior and should be verified against the official docs.
version: '1.0'
contact:
name: Paragon Support
url: https://docs.useparagon.com/
termsOfService: https://www.useparagon.com/legal/terms-of-service
servers:
- url: https://zeus.useparagon.com
description: Connect API (users, credentials, integrations, workflow triggers, proxy)
- url: https://actionkit.useparagon.com
description: ActionKit API (list and run prebuilt actions)
- url: https://proxy.useparagon.com
description: Proxy API (alternate host for passthrough third-party requests)
- url: https://sync.useparagon.com
description: Managed Sync API (data ingestion pipelines)
- url: https://managed-sync.useparagon.com
description: Managed Sync records and Permissions API
security:
- ParagonUserToken: []
tags:
- name: Connect
description: Authenticated users and connected third-party credentials.
- name: Integrations
description: Integrations enabled for a Paragon project.
- name: Users
description: Authenticated user and connected integration state.
- name: Workflows
description: Triggering workflows and checking execution status.
- name: Proxy
description: Passthrough requests to a connected user's third-party API.
- name: ActionKit
description: Prebuilt, LLM-ready actions across connected SaaS providers.
- name: Managed Sync
description: Normalized third-party data ingestion pipelines and records.
- name: Permissions
description: Access control checks for ingested data.
paths:
/projects/{projectId}/sdk/me:
get:
operationId: getAuthenticatedUser
tags:
- Users
summary: Get the authenticated user and integration state
description: >-
Returns the currently authenticated Paragon user (identified by the sub of
the Paragon User Token) together with the state of each of their connected
integrations. Equivalent to the SDK getUser() method.
parameters:
- $ref: '#/components/parameters/ProjectId'
responses:
'200':
description: The authenticated user and connected integration state.
content:
application/json:
schema:
$ref: '#/components/schemas/ConnectedUser'
'401':
$ref: '#/components/responses/Unauthorized'
/projects/{projectId}/sdk/integrations:
get:
operationId: listIntegrations
tags:
- Integrations
summary: List integrations enabled for the project
description: >-
Returns the list of integrations enabled for the Paragon project identified
in the path, including Connect Portal configuration and the workflows
associated with each integration.
parameters:
- $ref: '#/components/parameters/ProjectId'
responses:
'200':
description: The integrations enabled for the project.
content:
application/json:
schema:
type: array
items:
$ref: '#/components/schemas/Integration'
'401':
$ref: '#/components/responses/Unauthorized'
/projects/{projectId}/sdk/resources/{resourceId}/connect:
post:
operationId: connectResource
tags:
- Connect
summary: Connect a user credential to a resource
description: >-
Connects the authenticated user's credentials to a Paragon resource /
integration. This is the server-side equivalent of initiating a connection
through the Connect Portal.
parameters:
- $ref: '#/components/parameters/ProjectId'
- name: resourceId
in: path
required: true
description: The Paragon resource (integration) identifier.
schema:
type: string
requestBody:
required: false
content:
application/json:
schema:
$ref: '#/components/schemas/ConnectResourceRequest'
responses:
'200':
description: The resulting credential / connection state.
content:
application/json:
schema:
$ref: '#/components/schemas/Credential'
'401':
$ref: '#/components/responses/Unauthorized'
/projects/{projectId}/sdk/triggers/{workflowId}:
post:
operationId: triggerWorkflow
tags:
- Workflows
summary: Trigger a workflow (API Trigger)
description: >-
Triggers a Paragon workflow configured with an API Trigger for the
authenticated user. The request body is passed to the workflow as its input
payload. Returns an execution reference that can be used to check status.
parameters:
- $ref: '#/components/parameters/ProjectId'
- name: workflowId
in: path
required: true
description: The identifier of the workflow to trigger.
schema:
type: string
requestBody:
required: false
content:
application/json:
schema:
type: object
additionalProperties: true
description: Arbitrary JSON payload passed to the workflow.
responses:
'200':
description: The workflow execution was accepted.
content:
application/json:
schema:
$ref: '#/components/schemas/WorkflowExecution'
'401':
$ref: '#/components/responses/Unauthorized'
/projects/{projectId}/sdk/workflows/{workflowId}/executions/{executionId}:
get:
operationId: getWorkflowExecution
tags:
- Workflows
summary: Get workflow execution status
description: >-
Returns the status and result metadata for a specific workflow execution
triggered for the authenticated user.
parameters:
- $ref: '#/components/parameters/ProjectId'
- name: workflowId
in: path
required: true
schema:
type: string
- name: executionId
in: path
required: true
schema:
type: string
responses:
'200':
description: The workflow execution status.
content:
application/json:
schema:
$ref: '#/components/schemas/WorkflowExecution'
'401':
$ref: '#/components/responses/Unauthorized'
'404':
description: Execution not found.
/projects/{projectId}/sdk/proxy/{integrationType}/{apiPath}:
post:
operationId: proxyRequest
tags:
- Proxy
summary: Proxy a request to a connected third-party API
description: >-
Forwards a request to the connected user's third-party API for the given
integration type (for example, `salesforce` or `slack`) at the given
provider path. Paragon injects the user's stored OAuth credentials so your
application never handles the third-party token. GET, PUT, PATCH, and DELETE
are also supported against the same path. Also reachable at
https://proxy.useparagon.com.
parameters:
- $ref: '#/components/parameters/ProjectId'
- name: integrationType
in: path
required: true
description: The integration type slug (e.g. salesforce, slack, googledrive).
schema:
type: string
- name: apiPath
in: path
required: true
description: The third-party provider API path to call (may contain slashes).
schema:
type: string
requestBody:
required: false
content:
application/json:
schema:
type: object
additionalProperties: true
responses:
'200':
description: The proxied response from the third-party API.
content:
application/json:
schema:
type: object
additionalProperties: true
'401':
$ref: '#/components/responses/Unauthorized'
/projects/{projectId}/actions:
get:
operationId: listActions
tags:
- ActionKit
summary: List available ActionKit actions
description: >-
Returns the catalog of prebuilt, LLM-ready actions available to the
authenticated user across their connected integrations. The response is
designed to be handed to an AI agent as tool definitions.
servers:
- url: https://actionkit.useparagon.com
parameters:
- $ref: '#/components/parameters/ProjectId'
- name: categories
in: query
required: false
description: Optional filter limiting the actions returned by category or provider.
schema:
type: string
responses:
'200':
description: The list of available actions and their JSON schemas.
content:
application/json:
schema:
$ref: '#/components/schemas/ActionList'
'401':
$ref: '#/components/responses/Unauthorized'
/projects/{projectId}/actions/run:
post:
operationId: runAction
tags:
- ActionKit
summary: Run an ActionKit action
description: >-
Executes a single prebuilt action for the authenticated user by name (for
example, `SLACK_SEND_MESSAGE`) with the action-specific parameters. Paragon
returns the API response of the last underlying request used to run the
action; the response shape varies by provider.
servers:
- url: https://actionkit.useparagon.com
parameters:
- $ref: '#/components/parameters/ProjectId'
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/RunActionRequest'
responses:
'200':
description: The result of running the action.
content:
application/json:
schema:
$ref: '#/components/schemas/RunActionResponse'
'400':
description: Invalid action name or parameters.
'401':
$ref: '#/components/responses/Unauthorized'
/api/syncs:
post:
operationId: createSync
tags:
- Managed Sync
summary: Create a Managed Sync pipeline
description: >-
Enables a fully managed, normalized ingestion pipeline for the authenticated
user's connected integration (CRM, ticketing, file storage, or accounting).
Paragon performs an initial backfill and then keeps data current with
incremental syncs, emitting record_updated webhooks on change.
servers:
- url: https://sync.useparagon.com
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/CreateSyncRequest'
responses:
'201':
description: The created sync pipeline.
content:
application/json:
schema:
$ref: '#/components/schemas/Sync'
'401':
$ref: '#/components/responses/Unauthorized'
get:
operationId: listSyncs
tags:
- Managed Sync
summary: List Managed Sync pipelines
description: Lists the sync pipelines configured for the authenticated user.
servers:
- url: https://sync.useparagon.com
responses:
'200':
description: The list of syncs.
content:
application/json:
schema:
type: array
items:
$ref: '#/components/schemas/Sync'
'401':
$ref: '#/components/responses/Unauthorized'
/sync/{syncId}/records:
get:
operationId: listSyncRecords
tags:
- Managed Sync
summary: List normalized records for a sync
description: >-
Returns a page of normalized, unified records ingested by the given sync
pipeline. Use the returned cursor to page through the full replica.
servers:
- url: https://managed-sync.useparagon.com
parameters:
- name: syncId
in: path
required: true
schema:
type: string
- name: cursor
in: query
required: false
schema:
type: string
- name: limit
in: query
required: false
schema:
type: integer
default: 100
responses:
'200':
description: A page of normalized records.
content:
application/json:
schema:
$ref: '#/components/schemas/RecordPage'
'401':
$ref: '#/components/responses/Unauthorized'
/sync/{syncId}/records/{recordId}/content:
get:
operationId: getRecordContent
tags:
- Managed Sync
summary: Get the content of a synced record
description: >-
Retrieves the underlying content for a single normalized record (for
example, the file body for a file-storage ingestion).
servers:
- url: https://managed-sync.useparagon.com
parameters:
- name: syncId
in: path
required: true
schema:
type: string
- name: recordId
in: path
required: true
schema:
type: string
responses:
'200':
description: The record content.
content:
application/octet-stream:
schema:
type: string
format: binary
application/json:
schema:
type: object
additionalProperties: true
'401':
$ref: '#/components/responses/Unauthorized'
/permissions/check:
post:
operationId: checkPermission
tags:
- Permissions
summary: Check access to a synced object
description: >-
Evaluates whether a given user/role can access a specific object in the
source system, using the permissions ingested alongside Managed Sync data.
Used to enforce source-of-truth access control (for example, permission-aware
retrieval).
servers:
- url: https://managed-sync.useparagon.com
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/PermissionCheckRequest'
responses:
'200':
description: The permission decision.
content:
application/json:
schema:
$ref: '#/components/schemas/PermissionCheckResponse'
'401':
$ref: '#/components/responses/Unauthorized'
components:
securitySchemes:
ParagonUserToken:
type: http
scheme: bearer
bearerFormat: JWT
description: >-
A Paragon User Token: an RS256-signed JWT whose subject identifies the end
user. Sign it with the private signing key from Settings > SDK Setup in the
Paragon dashboard; Paragon verifies it with the matching public key.
parameters:
ProjectId:
name: projectId
in: path
required: true
description: The Paragon project identifier.
schema:
type: string
responses:
Unauthorized:
description: Missing or invalid Paragon User Token.
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
schemas:
ConnectedUser:
type: object
properties:
userId:
type: string
description: The end-user identifier (the JWT subject).
integrations:
type: object
additionalProperties:
$ref: '#/components/schemas/IntegrationState'
description: Map of integration type to that integration's connection state.
IntegrationState:
type: object
properties:
enabled:
type: boolean
configuredWorkflows:
type: object
additionalProperties: true
credentialStatus:
type: string
enum: [VALID, INVALID, NOT_CONNECTED]
Integration:
type: object
properties:
type:
type: string
description: The integration type slug (e.g. salesforce).
name:
type: string
connectPortalEnabled:
type: boolean
workflows:
type: array
items:
type: object
additionalProperties: true
ConnectResourceRequest:
type: object
additionalProperties: true
description: Optional connection configuration for the resource.
Credential:
type: object
properties:
id:
type: string
provider:
type: string
status:
type: string
enum: [VALID, INVALID]
createdAt:
type: string
format: date-time
WorkflowExecution:
type: object
properties:
executionId:
type: string
workflowId:
type: string
status:
type: string
enum: [PENDING, RUNNING, SUCCEEDED, FAILED]
result:
type: object
additionalProperties: true
startedAt:
type: string
format: date-time
ActionList:
type: object
properties:
actions:
type: array
items:
$ref: '#/components/schemas/Action'
Action:
type: object
properties:
name:
type: string
example: SLACK_SEND_MESSAGE
description:
type: string
provider:
type: string
example: slack
parameters:
type: object
description: JSON Schema for the action's parameters.
additionalProperties: true
RunActionRequest:
type: object
required:
- action
- parameters
properties:
action:
type: string
example: SLACK_SEND_MESSAGE
parameters:
type: object
additionalProperties: true
example:
channel: C0123456789
text: Hello from ActionKit
RunActionResponse:
type: object
description: The provider API response of the last request used to run the action.
additionalProperties: true
CreateSyncRequest:
type: object
required:
- integration
- pipeline
properties:
integration:
type: string
description: The integration type to sync (e.g. salesforce).
pipeline:
type: string
description: The named ingestion pipeline (e.g. crm, tickets, files, accounting).
configuration:
type: object
additionalProperties: true
Sync:
type: object
properties:
id:
type: string
integration:
type: string
pipeline:
type: string
status:
type: string
enum: [INITIALIZING, BACKFILLING, ACTIVE, PAUSED, ERROR]
createdAt:
type: string
format: date-time
RecordPage:
type: object
properties:
data:
type: array
items:
type: object
additionalProperties: true
nextCursor:
type: string
nullable: true
PermissionCheckRequest:
type: object
required:
- object
- user
properties:
object:
type: string
description: The identifier of the object being accessed.
user:
type: string
description: The identifier of the user requesting access.
role:
type: string
description: Optional role to evaluate access for.
PermissionCheckResponse:
type: object
properties:
allowed:
type: boolean
reason:
type: string
Error:
type: object
properties:
message:
type: string
code:
type: string