Wave · Secure Onboarding

Enterprise intelligence, without the security friction.

The hidden killer of enterprise marketing intelligence deals is not budget, it is the IT security review. Most platforms demand broad OAuth access to your CRM, which is often an automatic no or a six-month review. Wave gives you two paths that need no API keys at all.

Quick answer

No-API-key onboarding lets a team adopt Wave without granting any OAuth scope or API credential. Wave ingests contacts and engagement either through a secure file upload reviewed before commit, or by reading a Snowflake view the customer publishes using key-pair authentication. Both paths are read-only, so the source file or warehouse is never modified.

Key capabilities

  • Secure file upload for people, engagement, and promotions
  • Row-by-row review for people and engagement
  • Batch-approve review for outbound promotions
  • Read-only Snowflake view with key-pair JWT auth
  • Daily sync with view-schema validation
  • Tenant-isolated, encrypted at rest
  • Read-only paths, source never modified

Last updated June 2026

The problem

The deal does not stall on price. It stalls in security review.

Most platforms in this space require broad OAuth access to HubSpot, Marketo, or Salesforce. For a company with a strict third-party data-access policy, that ask is often an automatic no, or a multi-month review cycle that kills momentum.

Broad OAuth is a hard no

Read-all-contacts and read-all-engagement scopes are exactly what a security team is paid to refuse, so an integration request becomes a blocker before evaluation even begins.

Review cycles outlast interest

Even when the answer is eventually yes, a six-month security review outlasts the urgency that started the conversation, and the project quietly dies on the vine.

Some systems cannot be exposed at all

For regulated or government-adjacent teams, live CRM access is off the table entirely, so a platform with only an OAuth path has no way in.

How Wave does it

Two read-only paths that need no API keys.

Wave was deliberately engineered around the security blocker, with two first-class onboarding paths that put the customer in control of exactly what is shared.

  1. 01

    Upload a file you control

    Export a CSV from your platform and upload it to the Wave operator console. Wave supports people, engagement events, and outbound promotions in this path, with no OAuth and no API keys.

  2. 02

    Review before anything commits

    Wave normalizes each row, then shows a review surface before commit. People and engagement get a row-by-row diff you approve; promotions get a reviewed batch-approve summary. Nothing is committed until you say so.

  3. 03

    Or read a Snowflake view

    If your engagement history already lives in a warehouse, Wave reads a view you publish using RS256 key-pair JWT, a credential model most enterprise security frameworks already approve. No CRM access, no webhooks, no ETL pipeline.

  4. 04

    Wave produces intelligence, source stays untouched

    Both paths are read-only. Wave ingests your data, produces person-level intelligence, and writes predictions back to HubSpot today. The source file or warehouse is never modified.

Where it fits

The same full platform, a connection your IT team can approve.

These are onboarding paths into the full Wave platform, not a stripped-down mode. Once data lands, every Wave product runs on it, and you can move to a live connector later without losing history.

Your sources
Wave
HubSpot

Wave reads from a file you upload or a Snowflake view you publish, isolates your data per tenant with database-level row security from the moment it lands, and writes predictions back to HubSpot today, with Marketo next. Uploaded files are stored encrypted under tenant-scoped paths, connector credentials are encrypted at rest, and teams can start with file upload for immediate value, then migrate to a live connector once the IT review clears, carrying their history over.

Works alongside Channel Affinity, Buying Groups, The full Wave platform.

Why Wave is different

Wave respected IT's constraints and built around them.

Most platforms demand an exception to your data-access policy. Wave gives you a path that fits inside it, which makes every competitor that requires broad OAuth the riskier choice in the room.

Most tools
Wave
Onboarding requires broad OAuth into your CRM.
Wave onboards with no API keys, by file upload or a read-only Snowflake view you control.
Import tools silently ingest whatever they receive.
Wave shows a review surface, normalized and annotated, before a single record is committed.
Warehouse access means a custom ETL pipeline and new credentials.
Wave reads a view you publish using key-pair authentication your security team already approves.
Connecting a platform risks changes to your source system.
Both Wave paths are read-only, so your source file or warehouse is never modified.

FAQ

Questions buyers ask about No-API-key onboarding.

Can Wave onboard our data without any API keys?

Yes. Wave has two first-class paths that need no OAuth and no API credentials: a secure file upload reviewed in the operator console before commit, and a read-only Snowflake view your team publishes. Both let a security-conscious IT team approve Wave without opening firewall rules or granting CRM scopes.

What can the file upload path bring in?

The file path supports people, engagement events, and outbound promotions. You export a CSV from your platform and upload it. Wave normalizes fields like email format, suppression status, channel, and timezone automatically before you review the result.

How does the review step work?

Wave shows a review surface before anything is committed. People and engagement are reviewed as a row-by-row diff that you approve, and outbound promotions are reviewed as a batch-approve summary. There is no auto-approve path, so the customer always stays in control.

How does the Snowflake connector authenticate?

Wave reads a tenant-published Snowflake view using RS256 key-pair JWT, the standard enterprise credential model. There are no CRM credentials, no webhooks, and no ETL pipeline. You define a standard view and Wave reads it on a daily sync, validating the view shape on every run.

Does Wave modify our source file or warehouse?

No. Both onboarding paths are strictly read-only. Wave ingests your data, produces person-level intelligence, and writes predictions back to HubSpot today. The source file and the Snowflake view are never written to or modified.

How is the data kept isolated and secure?

Every record is isolated per tenant by database-level row security from the moment it lands, so no cross-tenant data is ever accessible. Uploaded files are stored encrypted under tenant-scoped object paths, and any connector credentials are encrypted at rest and never logged.

Can we start with a file and move to a live connector later?

Yes. Many teams start with file upload for immediate time-to-value, then migrate to a live HubSpot or Snowflake connector once the IT review clears. The contact and engagement history you onboarded carries over, so nothing is lost in the switch.

How do we scope the right path for our security team?

Book a 20-minute walkthrough. We will look at your data-access constraints and show whether file upload, the read-only Snowflake view, or a later live connector is the right first step for your security posture.

See it on your data

See the connection path your security team will approve.

Book a 20-minute walkthrough. We will look at your data-access constraints and show how Wave onboards your contacts and engagement with no API keys.

Request a demo Download the one-pager (PDF)