How is this different from your Zapier or Make.com services?

Different work, different audience, different deliverables. Zapier and Make.com are configuration of a no-code platform. This is custom code that lives in your repository, runs on your infrastructure, and integrates at the API level. We pick this service when no-code platforms cannot do the job, when the integration is part of a product feature, or when reliability and scale demand real engineering work.

What languages and frameworks do you work in?

Most commonly Node.js with TypeScript, Python with FastAPI, and Go for high-throughput services. We can work in Java, Rust, or your existing stack if the integration needs to live alongside code your team already maintains. We pick the language to match what your team can take over after handoff, not what we prefer.

Yes, fully. The code lives in your repository. Your team can review every commit, modify anything, and take over maintenance whenever you want. There is no proprietary framework, no licensed components, no lock-in. We build like senior engineers working on your team, not like a vendor protecting their IP.

What does an integration project cost?

Depends on scope and complexity. A simple REST integration with basic auth might be a focused two-to-three week build. A complex multi-system integration with custom auth, queues, and production-grade reliability runs eight to sixteen weeks. We give a fixed scope and price after the discovery and design phases, never before.

Can we hire you for integration work that runs forever?

Yes. Many clients keep us on retainer for ongoing integration work as their needs evolve. We work with both fixed-scope project pricing and ongoing retainer arrangements. We can also operate as embedded engineers inside your team for longer engagements where that fits better.

What if our integration partner does not have great API documentation?

Common. Most enterprise APIs have documentation that ranges from outdated to actively misleading. We are used to it. We read the actual API responses, trace edge cases through real test calls, and document the actual behavior. Sometimes our integration becomes the most accurate documentation of the partner API that anyone has.

Can you work with our existing engineering team?

Yes, often that is the right setup. We work alongside your engineers, in your code review process, in your Slack, attending your standups. Some engagements we run independently and deliver finished work. Some we run as embedded contributors. Either pattern works. We adjust to what your team needs.

What if the integration fails in production?

Two layers. First, the integration is built with monitoring, alerting, and graceful degradation, so failures get caught and contained rather than spreading. Second, if you have a retainer or support agreement, we have a documented response time for production issues, usually four business hours for critical incidents. We have on-call rotation for clients who pay for it.

How do you handle our security and compliance requirements?

We sign mutual NDAs at the start of every engagement. For regulated industries (healthcare, finance), we work inside your compliance posture: VPN access to your environments, code review processes that match your policies, SOC 2 considerations baked in, HIPAA-aware data handling where required. We have built integrations subject to HIPAA, GDPR, PCI, and SOC 2 audits.

Will you sign a contract with our procurement and legal team?

Yes. We work with standard MSAs, SOWs, and NDAs. For enterprise clients we are used to a 30-60 day legal review cycle. We have our own paper that we can offer if you do not have a preferred template. The legal step takes time but does not surprise us.

Services > API and System Integrations

API AND SYSTEM INTEGRATIONS

API and system integrations, built like real engineering work.

Custom code integrations for the work that does not fit Zapier, Make.com, or n8n. Direct API connections, custom auth flows, webhook architectures, ETL pipelines, and embedded integrations. Production-grade reliability, fully owned by you.

YOUR PRODUCTBackend, app, service

REQUEST

API_INTEGRATION.TS

POST /v2/orders
Authorization: Bearer {api_key}
{
"customer_id": "cust_4823",
"items": [...]
}
<- 201 Created
{
"order_id": "ord_8472",
"status": "created"
}

RESPONSE

THIRD-PARTY APIVendor, SaaS, partner

A real integration in 13 lines of code. We write the rest. Auth, retries, validation, monitoring, deployment.

Book an integration scoping call

Production integrations shipped. Node.js, Python, TypeScript, Go. AWS, GCP, on-prem.

WHEN TO PICK THIS

Four scenarios where no-code stops being the answer.

No-code automation platforms are excellent at what they were designed for: standard integrations between common SaaS tools, run at moderate volume, with simple data transformations and standard auth. When the work moves outside those boundaries, the platforms either cannot do it or do it poorly. The four scenarios below are where we usually get called in.

The integration lives inside your product.

When the integration is a feature your customers see, it cannot live in a third-party automation tool. Customer-facing reliability, latency, and brand control all require the integration to run in your own infrastructure as part of your own product code.

TELLTALE SIGN

Your customers experience the integration as part of your software, not as "we use Zapier under the hood."

The auth flow is more complicated than an API key.

OAuth 2.0 with refresh token rotation, mTLS, signed webhooks, enterprise SSO, custom JWT handling. The moment the auth model requires real implementation work, no-code platforms either lack support or implement it in ways that fail in edge cases.

TELLTALE SIGN

Your vendor's auth docs are longer than two pages.

Volume or latency demands push past what the platform can do.

At very high volume, no-code platforms either become expensive or hit rate limits. At very low latency, the abstractions in no-code platforms add overhead you cannot afford. Custom code lets you tune for the actual constraints.

TELLTALE SIGN

Your integration needs to run in under 200ms, or your monthly task usage on Zapier crossed six figures.

The data transformation is genuinely complex.

Iterating over nested arrays, joining responses from multiple APIs, computing derived fields with business logic, validating against a complex schema, denormalizing for a downstream system. At some point, the work becomes engineering work, not configuration work.

TELLTALE SIGN

Your no-code workflow has more than ten Formatter or Function nodes in a single scenario.

INTEGRATION PATTERNS

Six architectures we ship most often.

Most integration work falls into one of six architectural patterns. Picking the right pattern is half the build. The other half is implementing it without skipping the parts that make production reliable.

REST API integration

PATTERN

The default for most modern SaaS integrations. We build clients that handle authentication, pagination, rate limits, retries, and schema validation. Often the foundation that other patterns sit on top of.

Webhook receiver with queue

PATTERN

Accept high-volume webhook events into a queue, process them in workers, handle retries on failure. The right architecture when you cannot guarantee the downstream system will be available when the event fires.

GraphQL aggregation

PATTERN

A single GraphQL endpoint that aggregates data from multiple backend APIs. Reduces round trips for client applications, lets you evolve the API contract without coordinating with every consumer.

ETL data pipeline

PATTERN

Extract from one system, transform with business logic, load into another. Scheduled or event-driven. For data warehouse loads, reporting feeds, or system-to-system migrations that need to run repeatedly.

Event-driven architecture

PATTERN

Publish events to a bus (Kafka, SNS, EventBridge, Pub/Sub). Multiple downstream services subscribe and react independently. The right pattern when one upstream change needs to trigger many downstream actions reliably.

Embedded customer integrations

PATTERN

Integrations your customers configure inside your product to connect their tools. White-labeled, multi-tenant, with secure credential storage and per-customer error isolation. Common in vertical SaaS and platform companies.

AUTHENTICATION

The unsexy part that breaks every integration.

Most integration failures happen in the authentication layer. Tokens expire. Refresh flows break. API keys leak. The five auth methods below cover almost everything we work with. We implement each one with the failure modes baked in.

METHOD	TYPICAL USE	WHAT WE HANDLE	COMPLEXITY
API key	Simple server-to-server integration. Most SaaS APIs default to this.	Secret storage in env vars or vault, rotation, scoped keys per environment	LOW
OAuth 2.0	User-authorized integrations. Connecting on behalf of an end user.	Full authorization flow, refresh token rotation, scope management, expiry handling, error recovery	HIGH
JWT / signed tokens	Service-to-service with short-lived credentials. Common in microservice and enterprise architectures.	Token generation, signature verification, key rotation, claim validation, clock skew tolerance	MEDIUM
HMAC signed requests	High-security webhook verification or partner integrations where request integrity matters.	Signature generation and verification, timestamp validation, replay protection, key versioning	MEDIUM
mTLS / certificate-based	Regulated industries, B2B partner integrations, enterprise SaaS with strict security requirements.	Certificate provisioning, mutual verification, cert rotation, CA management, fallback handling	VERY HIGH

We have also implemented enterprise SSO (SAML, OIDC), custom auth schemes from legacy systems, and the long tail of one-off auth requirements that show up in real integration work.

REAL PROJECTS

Five integrations we have shipped to production.

Anonymized for client confidentiality. The architecture and decisions are real. The metrics are approximations where exact numbers would identify the client.

B2B SAAS

Embedded Salesforce integration for a vertical SaaS product.

Our client's customers wanted to sync their CRM data into our client's product without IT lift. We built an embedded Salesforce integration where customers connect their own org via OAuth, choose which objects to sync, and the data flows in real-time through webhooks plus a fallback sync.

WHY CUSTOM CODE

Customer-facing reliability and multi-tenant credential storage made no-code platforms unsuitable. The integration is a product feature, not a backend automation.

FINTECH

High-volume webhook receiver with idempotency and replay protection.

A payment processor sending 50,000+ webhook events per day to our client. The existing webhook handler was missing events under load and double-processing on retries. We rebuilt it with proper queue topology, idempotency keys, and replay protection.

WHY CUSTOM CODE

At this volume, no-code platforms either rate-limit or silently drop events. The reliability requirements demanded a real engineering solution with monitoring and dead-letter queues.

HEALTHCARE

HL7 to FHIR bridge for a HIPAA-regulated workflow.

A healthcare client needed to bridge an older HL7-based clinical system with a modern FHIR-compatible application. Required full HIPAA compliance, audit logging of every message, and no third-party data processing.

WHY CUSTOM CODE

HIPAA compliance, custom message format translation, and on-prem deployment requirements ruled out every no-code option. This was bespoke middleware work.

E-COMMERCE

Multi-channel order pipeline aggregating Shopify, Amazon, and three other channels.

An e-commerce brand selling on five channels needed a single internal source of truth for orders. Each channel had different webhook payloads, refund flows, and inventory deduction logic. We built the aggregation layer that normalized everything into a single canonical order model.

WHY CUSTOM CODE

Five distinct schemas, complex deduplication logic, and downstream fulfillment routing made this far beyond what no-code platforms can model cleanly.

B2B SAAS PLATFORM

OAuth provider for a customer-facing integration marketplace.

A SaaS platform wanted to offer customers an integration marketplace where third-party developers could build apps that connect to customer accounts. We built the OAuth provider side of the equation: app registration, consent flows, scoped tokens, revocation, audit logs.

WHY CUSTOM CODE

Being the OAuth provider (not consumer) is engineering work that no-code platforms do not even attempt. This required deep understanding of the OAuth 2.0 spec and PKCE flows.

THE STACK

What we actually build with.

No religion about languages or frameworks. We pick what fits the use case, the team that will inherit the code, and the infrastructure already in place. Below is the spread of what we work with most.

LANGUAGES

Languages and runtimes

Node.jsTypeScriptPythonGoJavaRust

FRAMEWORKS

Frameworks and libraries

ExpressFastifyNestJSFastAPIDjangogRPC

INFRASTRUCTURE

Cloud and runtime

AAWS

Google Cloud

AAzure

Vercel

Cloudflare Workers

Kubernetes

Docker

DATA AND QUEUES

Data stores and queues

Postgres

MongoDB

Redis

MySQL

Kafka

RabbitMQ

SQSBullMQRabbitMQ

OBSERVABILITY AND OPS

Plus the operational stack

DatadogSentryNew RelicPagerDutyGrafanaPrometheusHoneycombOpenTelemetry

PRODUCTION RELIABILITY

Six things we never skip.

The difference between an integration that works in a demo and one that survives in production is the six things below. Skip any of them and the integration becomes someone's problem at 2am within a year. We build them in from day one.

Idempotency

Every operation that creates or modifies data should be safe to retry. Network failures happen. Workers crash. Requests time out. Without idempotency, a retry causes duplicate orders, duplicate charges, duplicate emails. We build it in by default.

WHAT WE BUILD IN

Idempotency keys, deduplication windows, exactly-once delivery semantics where possible, at-least-once with safe-to-retry handlers everywhere else

Retry logic with backoff

Transient failures are the rule, not the exception. Network blips, vendor API hiccups, rate limit windows. Retries should be smart: exponential backoff, jitter to avoid thundering herd, max retry caps to avoid infinite loops, dead-letter queues for what cannot be saved.

WHAT WE BUILD IN

Exponential backoff with jitter, retry caps (typically 3-5 attempts), dead-letter queue routing after exhaustion, alerting on DLQ growth

Rate limit handling

Every third-party API has rate limits. The polite integration respects them. The smart integration uses them as a signal for self-pacing. Our integrations track remaining quota, slow down before hitting the wall, and queue requests instead of hammering the API.

WHAT WE BUILD IN

Token bucket or leaky bucket pacing, 429 response handling, retry-after header respect, per-tenant quota tracking for multi-tenant integrations

Monitoring and alerting

If you cannot see it, you cannot fix it. Every integration ships with metrics on throughput, error rate, latency, and queue depth. Alerts fire on anomalies. The first time you know something is wrong is not a customer complaint.

WHAT WE BUILD IN

Per-endpoint metrics, structured logging, error rate alerts, latency p95/p99 alerts, queue depth alerts, runbook documentation for each alert

Secret management

API keys, OAuth tokens, signing secrets, certificates. Storing them in env vars or config files is how integrations end up in breach reports. We use proper secret stores with rotation, audit logging, and per-environment isolation.

WHAT WE BUILD IN

AWS Secrets Manager, GCP Secret Manager, HashiCorp Vault, or your existing solution. Per-environment isolation. Rotation hooks built in.

Graceful degradation

When a downstream system is down, your integration should not bring down your application. We design for partial failure: feature flags, circuit breakers, fallback paths, cached responses where appropriate. The integration fails softly while the rest of the system keeps running.

WHAT WE BUILD IN

Circuit breaker patterns, timeout budgets, fallback to cached data, feature flag kill-switches, separate failure domains per integration

HOW WE BUILD

Five phases. Engineering reviews at every step.

Integration work that ends up in production needs to be reviewed like production engineering work, not like configuration work. Below is how we build it, including the checkpoints where your team signs off before we move forward.

Discovery and scoping

1 WEEK

Map the systems involved, understand the data flows, identify the auth requirements, sketch the architecture options. We document constraints (volume, latency, compliance) before designing anything.

REVIEW POINT

You review and approve the architectural approach before we move to design.

Design and contract

1 WEEK

Detailed design: API contracts, data schemas, error handling strategy, deployment topology, monitoring approach. Documented as written specs your team can review like a real design doc.

REVIEW POINT

Your engineering team reviews the design doc. We adjust based on feedback before writing code.

Build in dev

2-6 WEEKS

Implementation against the design. Test-driven where it makes sense. Includes unit tests, integration tests, and load tests proportional to the production volume the integration will see.

REVIEW POINT

Code review by your team if you want one. We push to a branch in your repo (or ours) with documented PRs.

Production deploy

1-2 WEEKS

Deploy to your staging environment first. Run end-to-end tests with real (test mode) credentials. Cut over to production with monitoring in place from the first minute. Rollback plan documented.

REVIEW POINT

Production cutover happens on a schedule you control, with you in the room or on the call.

Handoff and operate

1 WEEK + ONGOING

Full documentation: architecture diagrams, runbooks, incident response procedures, on-call playbook. Optional retainer if you want us to stay on for ongoing operations and improvements.

REVIEW POINT

Your team can either take operations from here or retain us for ongoing support. Both are common.

API and system integrations, built like real engineering work.

Four scenarios where no-code stops being the answer.

The integration lives inside your product.

The auth flow is more complicated than an API key.

Volume or latency demands push past what the platform can do.

The data transformation is genuinely complex.

Six architectures we ship most often.

The unsexy part that breaks every integration.

Five integrations we have shipped to production.

Embedded Salesforce integration for a vertical SaaS product.

High-volume webhook receiver with idempotency and replay protection.

HL7 to FHIR bridge for a HIPAA-regulated workflow.

Multi-channel order pipeline aggregating Shopify, Amazon, and three other channels.

OAuth provider for a customer-facing integration marketplace.

What we actually build with.

Six things we never skip.

Idempotency

Retry logic with backoff

Rate limit handling

Monitoring and alerting

Secret management

Graceful degradation

Five phases. Engineering reviews at every step.

Discovery and scoping

Design and contract

Build in dev

Production deploy

Handoff and operate

Frequently asked questions.

Bring us the integration that does not fit a no-code tool. We build the real thing.