--- title: "The SaaS Integration Migration Playbook: Switching Providers Without Downtime" slug: the-saas-integration-migration-playbook-switching-providers-without-downtime date: 2026-05-27 author: Uday Gajavalli categories: [Guides, Engineering] excerpt: "A complete architectural playbook for extracting OAuth tokens, remapping data models, and switching SaaS integration providers without forcing user re-authentication." tldr: "Migrating off a legacy integration provider requires extracting your OAuth tokens, mimicking legacy API responses using declarative mappings, and implementing client-side rate limit handling." canonical: https://truto.one/blog/the-saas-integration-migration-playbook-switching-providers-without-downtime/ --- # The SaaS Integration Migration Playbook: Switching Providers Without Downtime If you are hitting scaling walls with your embedded iPaaS or legacy unified API, you need a highly structured strategy to extract your OAuth tokens, remap your data models, and swap the underlying infrastructure. Doing this wrong causes immediate data loss, broken webhooks, and the ultimate failure condition: forcing your enterprise customers to click "Reconnect" on their third-party accounts. This guide provides the exact architectural steps to **add a detailed migration playbook for switching providers**. We will cover how to extract your credentials, handle rate limits post-migration, and use declarative mappings to mimic your old API responses so your frontend code stays completely untouched. ## The Hidden Costs of Integration Vendor Lock-In Engineering leaders eventually realize that visual workflow builders or rigid API aggregators create massive technical debt as a product moves upmarket. Early-stage decisions optimize for speed. You use a platform that owns the OAuth application, forces you into their predefined data models, and silently swallows rate limit errors. As your customer base grows, the operational reality changes. The 2025 State of SaaS Integration outlook reports that modern businesses rely on over 250 SaaS applications on average, creating a massive integration backlog for B2B SaaS vendors. Building a single integration in-house typically takes 8 to 12 weeks of engineering time. To avoid building from scratch, teams adopt third-party integration tools. But if that tool is poorly architected, the maintenance burden simply shifts from building endpoints to debugging the vendor's black box. A 2025 Gartner analysis estimated that mid-market SaaS companies spend up to 24 percent of their engineering capacity just maintaining existing APIs. Vendor lock-in occurs when the engineering time and operational cost required to rebuild on top of a vendor's proprietary model makes leaving too expensive. You are effectively held hostage by your own infrastructure. If you do not own the OAuth client credentials, you are locked into your provider. You cannot migrate tokens without forcing users to reconnect, which generates support tickets, introduces immediate churn risk, and burns social capital with your best accounts. Escaping this trap requires transitioning to an architecture that separates your integration logic from your core business application, ensuring you retain ownership of the connection state. ## When to Add a Detailed Migration Playbook for Switching Providers Recognizing the need to migrate is the first step. You should begin drafting a SaaS vendor migration playbook when your engineering team spends more time fighting your integration provider than shipping core features. **Signs you need to execute a migration:** * **The Re-Authentication Cliff:** Your provider routinely drops OAuth connections, and because they own the client ID, you have no access to the raw refresh tokens to debug the failure. * **Silent Rate Limiting:** The provider throttles your requests internally without passing standard HTTP 429 headers, causing asynchronous jobs to fail unpredictably. * **Data Model Rigidity:** Your enterprise customers use highly customized Salesforce or NetSuite instances, and your provider's "unified" model drops custom fields or fails to map polymorphic relationships. * **Missing Endpoints:** A customer requests an obscure endpoint (e.g., a specific custom object in HubSpot), and your provider tells you it will take six months to add it to their roadmap. If you are experiencing these bottlenecks, you need to execute a structured cutover. For teams moving off visual builders, review our [Migration Playbook: From Make.com Prototypes to Native SaaS Integrations](https://truto.one/migration-playbook-from-makecom-prototypes-to-native-saas-integrations/) to understand the architectural shift from graph-based logic to native execution. ## Phase 1: The OAuth Token Extraction and Hot-Swap The highest risk in any infrastructure migration is the credential state. If you lose the active OAuth tokens, your integration breaks. To execute a zero-downtime migration, you must employ the Bring Your Own (BYO) OAuth Client pattern. If you own the OAuth app in the provider's developer console (e.g., you created the app in Salesforce and hold the Client ID and Client Secret), you can move the tokens. If your legacy provider forces you to use their white-labeled OAuth app, you are out of luck and must ask users to re-authenticate. Assuming you own the app, the token extraction and hot-swap follows a strict sequence. ```mermaid sequenceDiagram participant DB as Legacy Provider Vault participant Script as Migration Script participant Truto as Truto Credential Store participant API as Upstream SaaS (e.g., Salesforce) Script->>DB: Export active Access & Refresh Tokens DB-->>Script: Return encrypted token payloads Script->>Truto: Import tokens via Management API Note over Truto: Store tokens against
new Integrated Account ID Truto->>API: Execute test call using imported token API-->>Truto: HTTP 200 OK Note over Script: Token state successfully migrated ``` When you export tokens from your legacy provider, you must capture the `access_token`, the `refresh_token`, and the exact `expires_at` timestamp. OAuth token refresh flows are highly susceptible to concurrency issues. If your old provider and your new provider attempt to refresh the same token simultaneously, the upstream API will likely issue an `invalid_grant` error, revoking all access. To prevent this, you must pause all background syncs on the legacy provider before importing the tokens into the new system. Once imported, the new system takes over the token lifecycle. For a highly specific example of this process, read [How to Create an Apideck-to-Truto Migration Guide](https://truto.one/how-to-create-an-apideck-to-truto-migration-guide-without-re-authenticating-users/) or our broader piece on [OAuth App Ownership Explained](https://truto.one/oauth-app-ownership-how-to-avoid-vendor-lock-in-when-choosing-a-unified-api-provider/). ## Phase 2: Mapping the Unified Data Models Most unified API platforms solve API differences with brute force. Behind their facade, they maintain separate code paths for each integration - `if (provider === 'hubspot') { ... } else if (provider === 'salesforce') { ... }`. They have integration-specific database columns and hardcoded business logic. When you migrate away from these platforms, your frontend and backend systems are still expecting data in that specific, rigid format. Changing your internal application logic to handle a new data shape is risky and time-consuming. Instead of rewriting your application, use a declarative transformation layer to mimic the legacy provider's response. Truto's architecture contains zero integration-specific code. Integration behavior is defined entirely as data using JSONata expressions. You can intercept the response from the upstream SaaS API and reshape it to look exactly like your old provider's payload. ```json // Example JSONata mapping to mimic a legacy unified CRM response { "id": $.id, "legacy_unified_format": { "first_name": $.properties.firstname, "last_name": $.properties.lastname, "email_addresses": [ { "email": $.properties.email, "type": "work" } ], "custom_fields": $.properties.custom_enterprise_identifier } } ``` By pushing the transformation logic to the edge via JSONata, your core application remains unaware that the underlying infrastructure has changed. The endpoints return the exact same JSON schema your frontend expects. If you encounter an edge case where the unified model simply cannot represent the data you need, you should fall back to a Proxy API. A Proxy API allows you to bypass the unified model entirely and make raw, authenticated REST calls directly to the underlying provider (e.g., hitting the NetSuite SuiteQL endpoint directly) while the platform handles the authentication headers automatically. ## Phase 3: Handling Rate Limits and Webhooks Post-Migration Operational realities surface immediately after the cutover. The two most common failure points are unhandled rate limits and malformed webhook payloads. ### Transparent Rate Limiting Many legacy integration platforms attempt to hide rate limits by silently queueing and delaying requests. This creates unpredictable latency and makes debugging impossible. > [!WARNING] > **Architectural Constraint:** Truto does not retry, throttle, or apply backoff on rate limit errors. When an upstream API returns HTTP 429, Truto passes that error directly to the caller. Instead of silent throttling, Truto normalizes upstream rate limit information into standardized headers per the IETF specification. Regardless of whether you are calling Jira, Salesforce, or QuickBooks, you will receive consistent headers: * `ratelimit-limit`: The maximum number of requests permitted in the current window. * `ratelimit-remaining`: The number of requests remaining in the current window. * `ratelimit-reset`: The time at which the current rate limit window resets. The calling application is entirely responsible for implementing retry logic. You must build an exponential backoff algorithm in your worker queues that reads the `ratelimit-reset` header and pauses execution until the window clears. This explicit contract prevents silent failures and gives your engineering team full control over queue priority. ### Webhook Normalization and Delivery Third-party webhooks are notoriously difficult to standardize. Providers use different signature verification methods, different payload structures, and different retry policies. Truto supports two inbound webhook ingestion patterns: account-specific and environment-integration fan-out. When an event arrives from a provider, Truto uses JSONata-based configuration for provider-specific event normalization. Outbound delivery to your customer endpoints uses a queue and object-storage claim-check pattern with signed payloads. Because normalized payloads can exceed standard HTTP size limits, large payloads are written to object storage, and a reference is sent to your endpoint. You must verify the `X-Truto-Signature` header on every incoming request to ensure the event actually originated from your new infrastructure and was not spoofed. ## Phase 4: The Silent Cutover and Deprecation The final phase is routing traffic to the new infrastructure without causing a disruption. Never execute a "big bang" cutover where you flip all read and write traffic simultaneously. **Step 1: Dark Reads.** Route a percentage of your read requests (e.g., fetching a list of contacts) through the new infrastructure while continuing to serve the application from the legacy provider. Log the responses from both systems and diff them asynchronously. If the JSONata mappings from Phase 2 are correct, the diffs will be identical. **Step 2: Write Traffic Cutover.** Once the read diffs are clean, begin routing write operations through the new infrastructure. Monitor your API logs closely for HTTP 400 validation errors or HTTP 429 rate limits. Because you implemented the IETF rate limit headers in Phase 3, your queues should gracefully back off if the upstream provider is saturated. **Step 3: Deprecation.** Once 100 percent of traffic is flowing through the new infrastructure and the OAuth tokens are successfully refreshing, you can safely spin down the legacy provider. By treating integrations as declarative data rather than hardcoded logic, and by retaining absolute ownership over your OAuth clients, you eliminate the threat of vendor lock-in. For a deeper understanding of the operational costs of maintaining these systems, review [The SaaS Product Manager's Integration Rollout Playbook](https://truto.one/the-saas-product-managers-integration-rollout-playbook-operational-runbook/). > Ready to migrate off your legacy integration provider without forcing your customers to reconnect? Talk to our engineering team about executing a zero-downtime cutover. > > [Talk to us](https://cal.com/truto/partner-with-truto)