Skip to main content

Overview

This guide covers the setup and administration of the Ramp corporate card integration in Encore OS. The integration syncs card transactions from your Ramp account for GL coding and financial reporting.

Quick Reference

Decision Trees

Connect vs reconnect

  1. No org connection exists → use Connect Ramp.
  2. Connection status expired/error → use Reconnect.
  3. Connected but stale sync → run Sync Now and verify webhook/scheduler health.

Pattern Library

  • Webhook verification pattern: HMAC-SHA256 with timing-safe signature comparison.
  • Token storage pattern: encrypted token columns scoped by organization_id.
  • Sync idempotency pattern: unique key (organization_id, ramp_transaction_id) to prevent duplicates.

Common Mistakes

Pre-Flight Checklist

  • App credentials and webhook secret configured.
  • Webhook endpoint URL and events configured in Ramp portal.
  • Required fa.ramp.* permissions assigned to intended roles.
  • Initial sync tested and transaction upserts verified.

Setup

1. Enable the Integration

  1. Navigate to Finance → Settings → Integrations.
  2. Toggle Enable Ramp Integration to ON.
  3. Save settings.

2. Configure Ramp API Credentials

The following secrets must be configured in your Supabase project (Settings → Cloud → Secrets):

3. Connect Your Ramp Account

  1. Navigate to Finance → Corporate Card Transactions.
  2. Click Connect Ramp on the connection card.
  3. Complete the OAuth authorization flow in the Ramp popup.
  4. Upon success, the connection status changes to Connected.

4. Configure Webhook (Optional)

To receive real-time transaction updates:
  1. In the Ramp Developer Portal, add a webhook endpoint:
    • URL: https://<your-supabase-url>/functions/v1/ramp-webhook
    • Events: TRANSACTION_CREATED, TRANSACTION_UPDATED
  2. Copy the webhook signing secret to the RAMP_WEBHOOK_SECRET Supabase secret.

Permissions

All permissions are auto-granted to org_admin via the RBAC trigger.

Database Tables

fa_ramp_connections

Stores OAuth connection state per organization. One row per org (enforced by unique constraint on organization_id).

fa_card_transactions

Stores synced Ramp transactions. Unique constraint on (organization_id, ramp_transaction_id) prevents duplicates.

Security

  • Multi-tenant isolation: RLS policies ensure organizations can only see their own data.
  • Token storage: OAuth tokens are stored encrypted; never logged or returned to the client.
  • Webhook verification: HMAC-SHA256 with timing-safe comparison prevents forged events.
  • Edge function auth: All management endpoints require valid JWT + permission checks.

Troubleshooting


Architecture

For detailed technical documentation, see the FA-30 spec and integration doc.