Core concept
Channels & OAuth
ContentBrain publishes to six social platforms. Each integration is per-workspace and stored as an AES-256-GCM-encrypted OAuth token bound to tenant_integrations.
Supported platforms
- Meta — Facebook pages + Instagram business accounts via Graph API v25.
- TikTok — Content Posting API (PKCE flow).
- LinkedIn — Marketing API v2 (company pages).
- X — v2 API (PKCE flow).
- YouTube — Data API v3 (channel uploads).
- Pinterest — v5 API (boards + pins).
Operator prerequisites
Before any workspace can connect a channel, the platform operator must create an OAuth app on each provider's developer portal, and store the client_id + client_secret via /settings/api-keys. Without those slots populated, the Connect button returns 503.
Connecting a channel
From /settings/integrations click Connect. We redirect to the platform's authorise URL with the workspace bound to the OAuth state token. On success the platform sends us back to /v1/integrations/<provider>/callback and we store the encrypted token.
Disconnecting
Disconnect deletes the row from tenant_integrations and revokes the token via the provider's revoke endpoint where available. Future runs that target this channel will fail until the workspace reconnects.
Token rotation
Tokens are stored at rest and decrypted server-side at tool execution time only — never sent to the LLM prompt context. The encryption key is PLATFORM_SECRETS_KEY, rotated via the operator runbook.