# Incident.io

## Incident.io approval

P0's Incident.io integration allows on-call users to approve access requests based on their on-call schedule assignments. You can configure two types of on-call approval:

* **Auto-approval:** Automatically approve access requests if the requestor is currently on-call for any schedule in your Incident.io account.
* **On-call approver:** Allow users who are on-call for specific schedules to approve others' access requests via access policies. When someone escalates an access request, P0 creates an incident in Incident.io to notify the on-call team.

{% hint style="warning" %}
Any Incident.io user who is currently on-call for an enabled schedule can approve access requests. Ensure your schedule assignments reflect appropriate trust levels.
{% endhint %}

## Installation

{% hint style="info" %}
Installing P0 on Incident.io takes about 2-3 minutes.
{% endhint %}

### Before you begin

* You must be an Incident.io account administrator with access to API key management.
* You must be a P0 organization owner.

### Setting up Incident.io

1. Navigate to "Integrations" on [p0.app](https://p0.app), then select "Incident.io".
2. Create an API key in your Incident.io account with the following permissions. See the [Incident.io API documentation](https://docs.incident.io/integrations/api-overview#where-can-i-find-the-api-keys) for instructions.
   * View data, like public incidents and organization settings
   * Create incidents
   * Edit incidents
   * Manage organization settings
   * View catalog types and entries
   * Read schedules
3. Enter the API key in the P0 integration configuration and click "Install integration". P0 validates the key and creates a custom field in your Incident.io account to associate escalation incidents with on-call schedules that can approve the related request.

## Configuring auto-approval

When using [default approval routing](/access-management/just-in-time-access/approving-access.md#auto-approvals), any installed Incident.io integration automatically approves access requests if the requestor is currently on-call for any schedule.

When using [configured access policies](/access-management/just-in-time-access/request-routing.md), add the Incident.io auto-approval rule to your policy configuration:

```yaml
approval:
  - type: auto
    integration: incidentio
    options: { requireReason: true|false }
```

This rule automatically approves matching access requests for one hour if the requestor is on-call for any schedule in your Incident.io account.

## Configuring on-call approver routing

You can configure access policies that allow users who are on-call for specific Incident.io schedules to approve others' access requests. This uses the escalation approval type with schedule targeting.

When a request matches an escalation rule, P0 creates an incident in Incident.io to notify the on-call team. The incident includes details about the access request and a link to the approval conversation.

### Using the Policy Studio UI

1. Navigate to **Policy Studio** on [p0.app](https://p0.app).
2. Add an approval rule and select **Incident.io On-Call Approval**.
3. Select one or more Incident.io schedules from the dropdown. P0 fetches available schedules from your Incident.io account.
4. Save your policy configuration.

### Using the access policies API

Add an escalation rule to your workflow configuration:

```yaml
approval:
  - type: escalation
    integration: incidentio
    services: [<Incident.io Schedule ID>]
    options: { allowOneParty: true|false, requireReason: true|false }
```

**services**: List of Incident.io schedule IDs. Only users who are on-call for these specific schedules can approve requests matching this rule.

**options**: See the [approval options reference](/access-management/just-in-time-access/request-routing.md#p0) for details.

## How it works

P0 queries the Incident.io Schedules API to determine which users are currently on-call:

1. P0 fetches schedule entries for all schedules within a one-minute window.
2. P0 filters entries to those where the current time falls within the entry's start and end times.
3. P0 collects the email addresses of users who are currently on-call.
4. P0 checks if the requestor's email matches any on-call user across all schedules.

### On-call approver (escalation)

When an access request triggers an escalation rule, P0 creates an Incident.io incident:

1. P0 creates an incident with the configured on-call schedules stored as metadata.
2. The incident includes the requestor, the requested access, and a link to the approval conversation (Slack or Microsoft Teams).
3. On-call users for the configured schedules can approve the request through the normal approval flow.
4. When an approver approves or denies the request, P0 updates the incident summary to reflect the decision.

{% hint style="info" %}
P0 does not automatically resolve incidents. After reviewing the access request, the on-call engineer should manually resolve the incident in Incident.io.
{% endhint %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.p0.dev/integrations/approval-integrations/incidentio.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.