🛠️Custom Resource

Integrate P0 with any internal system you own, or with systems that do not have a built-in integration yet.

The Custom Resource integration is designed to let you securely manage access to external or on-premise applications. Whenever a user is granted or revoked access through P0, your configured endpoint will be invoked automatically — giving you full control over how that access is provisioned or removed in your own systems.

The Custom Resource integration leverages AWS Lambda or Google Cloud Run to invoke your external applications securely and flexibly. This approach offers several key advantages:

No credentials to manage: Authentication is handled via IAM or identity tokens, so there's nothing to rotate or store.
Full control: You can filter, transform, or enrich the data before it reaches your downstream systems.
Easier debugging: Logs live in your cloud environment, making it easy to trace, monitor, and troubleshoot.
Zero infrastructure lock-in: Use any language or runtime your service supports — it's just a web endpoint.
Scales with your needs: Cloud-native scaling handles bursty workloads without pre-provisioning.

Both deployment methods will receive the same standardized event payload, as defined by our OpenAPI specification. This makes it easy to reuse the same logic across environments or switch providers later with minimal effort.

Set up Custom Resource Integration

Configuration Parameters

These parameters are configured by you during setup.

The examples use an integration that connects users to an internal application for customer administration at a multi-tenant B2B company.

Parameter

Description

Example Value

Application ID

The identifier of the system you are integrating*

customerAdminApp

Application name

The name of the custom resource integration

Internal Customer Admin App

* Identifiers in P0 do not allow whitespace. By convention use camel-casing. Not visible to users.

OpenAPI Specification

This specification describes the API endpoint you must implement to create a custom resource integration in P0.

Handle access request event

post

Grant a user access to a resource

Authorizations

AuthorizationstringRequired

P0 generates a keypair during integration setup. Each http request sent by P0 to your endpoints contains a JWT signed with the private key in the Authorization header. Your endpoints must use the public key retrieved during integration setup, to decode the JWT and verify its claims. The claims are: sub (Subject) iss (Issuer), aud (Audience), iat (Issued At), exp (Expiry)

Body

Responses

200

Success

application/json

objectOptional

201

Success

application/json

202

Success

application/json

default

Error

application/json

post

POST / HTTP/1.1
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 278

{
  "eventType": "grant",
  "data": {
    "requestId": "00iJ7cFPzE8rXb9bwto8",
    "type": "internalEnvironmentViewerApp",
    "principal": "access-receiver@example.com",
    "requestor": "access-initiator@example.com",
    "reason": "I need access to troubleshoot an issue",
    "permission": {
      "item": "my-customer-inc"
    }
  }
}

{}

PreviousRequesting GitHub access NextInstalling a custom resource integration

Last updated 7 months ago