Broad OAuth is a hard no
Read-all-contacts and read-all-engagement scopes are exactly what a security team is paid to refuse, so an integration request becomes a blocker before evaluation even begins.
Wave · Secure Onboarding
The hidden killer of enterprise marketing intelligence deals is not budget, it is the IT security review. Most platforms demand broad OAuth access to your CRM, which is often an automatic no or a six-month review. Wave gives you two paths that need no API keys at all.
Quick answer
No-API-key onboarding lets a team adopt Wave without granting any OAuth scope or API credential. Wave ingests contacts and engagement either through a secure file upload reviewed before commit, or by reading a Snowflake view the customer publishes using key-pair authentication. Both paths are read-only, so the source file or warehouse is never modified.
Key capabilities
Last updated June 2026
The problem
Most platforms in this space require broad OAuth access to HubSpot, Marketo, or Salesforce. For a company with a strict third-party data-access policy, that ask is often an automatic no, or a multi-month review cycle that kills momentum.
Read-all-contacts and read-all-engagement scopes are exactly what a security team is paid to refuse, so an integration request becomes a blocker before evaluation even begins.
Even when the answer is eventually yes, a six-month security review outlasts the urgency that started the conversation, and the project quietly dies on the vine.
For regulated or government-adjacent teams, live CRM access is off the table entirely, so a platform with only an OAuth path has no way in.
How Wave does it
Wave was deliberately engineered around the security blocker, with two first-class onboarding paths that put the customer in control of exactly what is shared.
Export a CSV from your platform and upload it to the Wave operator console. Wave supports people, engagement events, and outbound promotions in this path, with no OAuth and no API keys.
Wave normalizes each row, then shows a review surface before commit. People and engagement get a row-by-row diff you approve; promotions get a reviewed batch-approve summary. Nothing is committed until you say so.
If your engagement history already lives in a warehouse, Wave reads a view you publish using RS256 key-pair JWT, a credential model most enterprise security frameworks already approve. No CRM access, no webhooks, no ETL pipeline.
Both paths are read-only. Wave ingests your data, produces person-level intelligence, and writes predictions back to HubSpot today. The source file or warehouse is never modified.
Where it fits
These are onboarding paths into the full Wave platform, not a stripped-down mode. Once data lands, every Wave product runs on it, and you can move to a live connector later without losing history.
Wave reads from a file you upload or a Snowflake view you publish, isolates your data per tenant with database-level row security from the moment it lands, and writes predictions back to HubSpot today, with Marketo next. Uploaded files are stored encrypted under tenant-scoped paths, connector credentials are encrypted at rest, and teams can start with file upload for immediate value, then migrate to a live connector once the IT review clears, carrying their history over.
Works alongside Channel Affinity, Buying Groups, The full Wave platform.
Why Wave is different
Most platforms demand an exception to your data-access policy. Wave gives you a path that fits inside it, which makes every competitor that requires broad OAuth the riskier choice in the room.
FAQ
Yes. Wave has two first-class paths that need no OAuth and no API credentials: a secure file upload reviewed in the operator console before commit, and a read-only Snowflake view your team publishes. Both let a security-conscious IT team approve Wave without opening firewall rules or granting CRM scopes.
The file path supports people, engagement events, and outbound promotions. You export a CSV from your platform and upload it. Wave normalizes fields like email format, suppression status, channel, and timezone automatically before you review the result.
Wave shows a review surface before anything is committed. People and engagement are reviewed as a row-by-row diff that you approve, and outbound promotions are reviewed as a batch-approve summary. There is no auto-approve path, so the customer always stays in control.
Wave reads a tenant-published Snowflake view using RS256 key-pair JWT, the standard enterprise credential model. There are no CRM credentials, no webhooks, and no ETL pipeline. You define a standard view and Wave reads it on a daily sync, validating the view shape on every run.
No. Both onboarding paths are strictly read-only. Wave ingests your data, produces person-level intelligence, and writes predictions back to HubSpot today. The source file and the Snowflake view are never written to or modified.
Every record is isolated per tenant by database-level row security from the moment it lands, so no cross-tenant data is ever accessible. Uploaded files are stored encrypted under tenant-scoped object paths, and any connector credentials are encrypted at rest and never logged.
Yes. Many teams start with file upload for immediate time-to-value, then migrate to a live HubSpot or Snowflake connector once the IT review clears. The contact and engagement history you onboarded carries over, so nothing is lost in the switch.
Book a 20-minute walkthrough. We will look at your data-access constraints and show whether file upload, the read-only Snowflake view, or a later live connector is the right first step for your security posture.
See it on your data
Book a 20-minute walkthrough. We will look at your data-access constraints and show how Wave onboards your contacts and engagement with no API keys.
Request a demo Download the one-pager (PDF)