This guide walks the IT/SysAid administrator through preparing a dedicated least-privilege API identity, creating a SysAid App Key, generating an access token, validating read access to the SysAid REST API endpoints that Info-Tech uses, and entering the connection details in the Info-Tech portal. The integration reads from the SysAid public REST API under /connect/v1.
Two points need confirmation before publishing or relying on this setup:
1. Authentication model. Current SysAid developer documentation uses Client Credentials authentication: create an App Key that returns a Client ID and Client Secret, then use those values to generate a temporary Bearer access token. The
x-sysaid-accountid header is required on the App Key and access-token requests. The older username/password login pattern using /api/v1/login is not the current documented setup flow and is not covered in this guide.2. Confirm Spaces vs. Classic/on-premise. The steps below are written for the current SysAid public API / SysAid Spaces pattern, where examples use
https://YOUR_ACCOUNT.sysaidit.com/connect/v1. If the customer is on SysAid Classic, a legacy tenant, or an on-premise deployment, confirm API availability and the exact URL format with SysAid before relying on this guide.
ABefore you start
You will need:
- SysAid administrator permissions, or an Agent/Service Pro account with permission to create and use App Keys
- A dedicated integration Agent/Service Pro identity, preferably named
infotech-integration - Your SysAid account ID, used in the
x-sysaid-accountidheader on authentication requests - Your SysAid account URL, typically
https://YOUR_ACCOUNT.sysaidit.comfor SysAid Spaces cloud tenants - The Client ID and Client Secret from a SysAid App Key, or permission to create one
- A way to send test requests, such as
curlor Postman - Access to the Info-Tech portal where the connection details will be entered
BSysAid endpoints required
The integration requires read access to the following SysAid REST endpoints under /connect/v1:
Required objects
service-records/search— tickets / service records, the primary sourceactivities/sr/search— ticket activities and worklog/time dataagents— agents / techniciansend-users— end users / requestersgroups— assignment groups and support teams
Required objects (cont.)
categories— category definitions and category hierarchycompanies— company / organization reference data, if the tenant uses company values for reporting or department resolutioncustom-fields— custom field metadataindexes— lookup resolution for status, priority, urgency, department, and other label lookups, for exampleindexes?subject=status&entity=service-record
No service-record create, edit, delete, or write-back permissions are required for the data sync. Creating an App Key and generating an access token are authentication setup steps only.
Note: /connect/v1/users is not a standalone required endpoint. Current SysAid documentation exposes separate agents and end-users endpoints instead. If a tenant-specific /users endpoint exists in a legacy deployment, validate it separately rather than treating it as a default requirement.
Use an Agent/Service Pro identity rather than an End User. Current SysAid documentation describes Agent permissions as the control point for what a user can view, create, edit, delete, manage, and configure. End Users use the Self-Service Portal and do not have admin permissions. Configure the integration identity with the narrowest read permissions that can still access the endpoint families above.
- 1Create the integration Agent / Service Pro
- 2Find your base URL and account ID
- 3Create one App Key
- 4Generate an access token
- 5Verify read access to every endpoint
- 6Enter the connection details in the Info-Tech portal
The App Key and access token inherit the permissions of the SysAid user they are associated with. Create one dedicated, auditable integration identity rather than using a named employee's login.
- Create or designate the integration identity. Use an Agent / Service Pro / Administrator-type user, not an End User. Suggested username:
infotech-integration. - Use SysAid credentials, not SSO-only credentials, if creating the App Key by API. SysAid's authentication guide states that App Key creation through the API requires SysAid account credentials. If the account is SSO-only, create the App Key through the UI instead or configure a compliant local credential process with SysAid.
- Grant the narrowest available read permissions. The identity must be able to view service records, activities/worklog data, agents, end users, groups, categories, companies if used, custom fields, and indexes/lookups.
- Do not grant data write permissions unless another business process requires them. The Info-Tech data sync does not need to create, update, resolve, delete, or write back service records.
- Save the account and record the username. Store any temporary password or activation requirement in your password manager.
- Watch for company-based access limits. SysAid permissions can be applied directly to an Agent or through groups. If the tenant uses company-based access limits, make sure the integration identity is not accidentally restricted away from service records or users that must be included in the reporting scope.
The account ID identifies the SysAid account for authentication. The base URL identifies where the public API lives.
- Find the account URL. For SysAid Spaces cloud tenants, the public API format is typically
https://YOUR_ACCOUNT.sysaidit.com/connect/v1. ReplaceYOUR_ACCOUNTwith the account-specific subdomain. - Find the account ID. In many cloud tenants, this is the same account-specific value used in the subdomain. Use the exact value expected by SysAid in the
x-sysaid-accountidheader. - Record both values. You will need the account ID for App Key and access-token generation, and the base URL for every endpoint test.
- If the customer is not on a Spaces cloud URL, do not guess. Confirm the public API base URL and support status with SysAid before continuing.
An App Key creates the durable Client ID and Client Secret used to generate access tokens. Create one App Key for the Info-Tech integration and reuse it. Do not create a new key every time you need a token.
- Use the UI when possible. Sign in to SysAid as the dedicated integration identity, or use a SysAdmin workflow that creates the key for that integration identity if your tenant supports that. Go to Connect → Manage App Keys, click Create a new App Key, enter a clear name such as
Info-Tech Customer Data Store, and continue. - Save the Client ID and Client Secret immediately. SysAid displays the Client Secret only once during initial creation. Store it in your approved password manager or secrets vault.
- Alternative API method. If the UI path is not available, create the App Key with the request below. Replace the placeholders before running it:
curl --request POST \ --url "https://YOUR_ACCOUNT.sysaidit.com/connect/v1/application-keys" \ --header "Content-Type: application/json" \ --header "x-sysaid-accountid: YOUR_ACCOUNT_ID" \ --data '{"userName":"infotech-integration","password":"YOUR_PASSWORD","applicationName":"Info-Tech Customer Data Store","description":"Read-only integration for Info-Tech Customer Data Store","tokenLifetime":86400}' - Expected success. A successful App Key creation returns JSON containing
clientId,clientSecret, andapplicationName. Save the Client Secret immediately. - Note the token lifetime. The
tokenLifetimevalue controls how long access tokens generated from this App Key remain valid. Use a value that matches the customer's security policy and connector refresh design — SysAid's documented default is 24 hours, with a documented maximum of 30 days.
/connect/v1/access-tokens
The Client ID and Client Secret are durable credentials. The Bearer access token is temporary. Use the App Key credentials to generate a token before testing or connecting the integration.
- Send the access-token request. Replace
YOUR_ACCOUNT,YOUR_ACCOUNT_ID,YOUR_CLIENT_ID, andYOUR_CLIENT_SECRET:curl --request POST \ --url "https://YOUR_ACCOUNT.sysaidit.com/connect/v1/access-tokens" \ --header "Content-Type: application/json" \ --header "x-sysaid-accountid: YOUR_ACCOUNT_ID" \ --data '{"clientId":"YOUR_CLIENT_ID","clientSecret":"YOUR_CLIENT_SECRET"}' - Read the response. A successful response returns a token, token type, and expiry. Example:
{ "token": "eyJ...", "tokenType": "Bearer", "expiresIn": 86400 }. - Record the expiry. If the connector is expected to run continuously, it must be able to generate a new token using the Client ID and Client Secret before or after the current token expires.
- If this fails with
401 Unauthorized, recheck the account ID, Client ID, and Client Secret. If the Client Secret was not saved when created, generate a new App Key and update the stored credentials.
Confirm the access token can read every API endpoint the integration needs before entering the connection details in the portal. The read calls below use the Bearer token and the account-specific base URL.
- Custom fields — quick credential check:
Success looks like JSON containing fields such ascurl --request GET \ --url "https://YOUR_ACCOUNT.sysaidit.com/connect/v1/custom-fields?limit=1&offset=0" \ --header "Authorization: Bearer YOUR_ACCESS_TOKEN" \ --header "Accept: application/json"fieldName,fieldCaption,fieldType, andentityType. - Service records — main ticket source:
Success: JSON containing at least one service record, or an empty but valid JSON result if the tenant has no matching records.curl --request GET \ --url "https://YOUR_ACCOUNT.sysaidit.com/connect/v1/service-records/search?limit=1&offset=0" \ --header "Authorization: Bearer YOUR_ACCESS_TOKEN" \ --header "Accept: application/json" - Activities — worklog/time source:
Success: JSON containing service-record activity records. Thecurl --request GET \ --url "https://YOUR_ACCOUNT.sysaidit.com/connect/v1/activities/sr/search?hasTotalTime=true&limit=1&offset=0" \ --header "Authorization: Bearer YOUR_ACCESS_TOKEN" \ --header "Accept: application/json"activities/sr/searchendpoint requires at least one filter parameter, so this test useshasTotalTime=true. - Reference endpoints. Run the same command shape against each endpoint below. Replace
ENDPOINT_PATHwith the exact path shown:curl --request GET \ --url "https://YOUR_ACCOUNT.sysaidit.com/connect/v1/ENDPOINT_PATH" \ --header "Authorization: Bearer YOUR_ACCESS_TOKEN" \ --header "Accept: application/json"agents?limit=1&offset=0end-users?limit=1&offset=0groups?limit=1&offset=0companies?limit=1&offset=0— required when company / organization labels are used in reportingcategoriesindexes?subject=status&entity=service-recordindexes?subject=priority&entity=service-recordindexes?subject=urgency&entity=service-recordindexes?subject=department— verify the correct entity/subject combination for the tenant if department lookup does not return data
- Interpret failures.
401usually means the access token is missing, invalid, or expired.403means the token is valid but the identity lacks permission for that endpoint.400onactivities/sr/searchusually means no valid filter parameter was provided.404means the base URL, path, or API availability is wrong for that tenant. - When every required endpoint succeeds, the SysAid side is ready for portal submission.
https://YOUR_ACCOUNT.sysaidit.com/connect/v1) and account ID.- Go to https://us.app.cioanalytics.ai/
- Open the Connections page.
- On the IT Service Management (ITSM) row, click Connect Tool.
- In the Connect to ITSM Tool dialog, select SysAid from the dropdown.
- Click Continue.
- Follow the instructions in the Setup Guide panel on the right to fill in the fields on the left.
- When every field is complete, click Add Connection.
- Wait for the connection test to finish.
After the connection test succeeds, CIO Analytics takes over the rest of the process automatically.
- You are returned to the Connections page once the connection is saved.
- Your SysAid data syncs automatically for the first time. Depending on how much history is being pulled, the first sync can take anywhere from a few hours to a few days.
- Once that first sync completes, an Info-Tech analyst will reach out to you to continue your onboarding. No further action is needed from you in the meantime.
- SysAid navigation and exact menu paths vary by tenant and version. Use the closest matching menu item if an exact path differs.
- This guide reflects SysAid's current public API / SysAid Spaces documentation. SysAid Classic, older tenants, or on-premise deployments may need tenant-specific confirmation with SysAid or the customer's Customer Success Manager before this guide is relied on.
- Questions about anything in this guide can be directed to your Info-Tech onboarding contact.