Overview
This guide covers the setup and administration of the Ramp corporate card integration in Encore OS. The integration syncs card transactions from your Ramp account for GL coding and financial reporting.Quick Reference
Decision Trees
Connect vs reconnect
- No org connection exists → use Connect Ramp.
- Connection status
expired/error→ use Reconnect. - Connected but stale sync → run Sync Now and verify webhook/scheduler health.
Pattern Library
- Webhook verification pattern: HMAC-SHA256 with timing-safe signature comparison.
- Token storage pattern: encrypted token columns scoped by
organization_id. - Sync idempotency pattern: unique key
(organization_id, ramp_transaction_id)to prevent duplicates.
Common Mistakes
Pre-Flight Checklist
- App credentials and webhook secret configured.
- Webhook endpoint URL and events configured in Ramp portal.
- Required
fa.ramp.*permissions assigned to intended roles. - Initial sync tested and transaction upserts verified.
Setup
1. Enable the Integration
- Navigate to Finance → Settings → Integrations.
- Toggle Enable Ramp Integration to ON.
- Save settings.
2. Configure Ramp API Credentials
The following secrets must be configured in your Supabase project (Settings → Cloud → Secrets):3. Connect Your Ramp Account
- Navigate to Finance → Corporate Card Transactions.
- Click Connect Ramp on the connection card.
- Complete the OAuth authorization flow in the Ramp popup.
- Upon success, the connection status changes to Connected.
4. Configure Webhook (Optional)
To receive real-time transaction updates:- In the Ramp Developer Portal, add a webhook endpoint:
- URL:
https://<your-supabase-url>/functions/v1/ramp-webhook - Events:
TRANSACTION_CREATED,TRANSACTION_UPDATED
- URL:
- Copy the webhook signing secret to the
RAMP_WEBHOOK_SECRETSupabase secret.
Permissions
All permissions are auto-granted to
org_admin via the RBAC trigger.
Database Tables
fa_ramp_connections
Stores OAuth connection state per organization. One row per org (enforced by unique constraint on organization_id).
fa_card_transactions
Stores synced Ramp transactions. Unique constraint on (organization_id, ramp_transaction_id) prevents duplicates.
Security
- Multi-tenant isolation: RLS policies ensure organizations can only see their own data.
- Token storage: OAuth tokens are stored encrypted; never logged or returned to the client.
- Webhook verification: HMAC-SHA256 with timing-safe comparison prevents forged events.
- Edge function auth: All management endpoints require valid JWT + permission checks.