Freshservice Integration
Keep Freshservice as your system of record. AscendCore becomes the approval-gated system of action on top: tickets flow in, a human approves in Slack or Teams, the runbook executes, and the decision is written back to the ticket as a private note. No migration.
In one sentence
A Freshservice Workflow Automator rule POSTs new tickets to AscendCore, where the ticket is AI-classified into a runbook, held for explicit human approval, executed against your identity stack, and the outcome lands back on the originating ticket as a private note with an audit-chain reference.
How a ticket flows
- Ingest. Your Workflow Automator rule POSTs the ticket to
POST /api/v1/tickets/ingestwith a scoped API key. One ticket is ingested at most once: retries and rule re-fires return the original run instead of posting a second card. - Classify. AscendCore classifies the ticket text into a runbook intent with a confidence score. Low-confidence or unrecognized tickets are received, audit-logged, and left alone (
no_action). Nothing executes on a guess. - Approve.The matching runbook's approval card is posted to your IT admin channel (Slack, or Teams for Teams-channel orgs), with a threaded note showing the originating ticket number, a link back to it, and the AI's classification and confidence. A human approves or denies. Every runbook is approval-gated. There is no autonomous path.
- Execute.On approval, the runbook runs against your stack (Okta, Entra ID, M365) and the action is recorded on the org's tamper-evident SHA-256 audit chain.
- Write back. The decision (approved or denied, by whom, at what time) is appended to the originating ticket as a private note. Your ITSM keeps the complete story.
Step 1: Create a scoped API key
In your admin portal under API, create a key with the ticket:ingest scope. Least privilege applies: a key with only this scope can submit tickets but cannot execute runbooks directly, read audit rows, or browse the catalog.
You will paste this key into the Automator rule's webhook headers in the next step. It is stored inside the rule, visible only to Freshservice admins who can edit workflows.
Step 2: Add the Workflow Automator rule
In Admin โ Automation & Productivity โ Workflow Automator, create a new ticket workflow:
- Event: Ticket is raised. Add a condition (for example, category or group) if you only want a subset of tickets routed to AscendCore.
- Action: Trigger Webhook, with:
- Request type: POST
- URL:
https://ascendcore.ai/api/v1/tickets/ingest - Custom headers:
Authorization: Bearer ak_live_... - Encoding: JSON, with Content set to Advanced (custom payload), below
{
"source": "freshservice",
"ticket": {
"ticketId": "{{ticket.id}}",
"subject": "{{ticket.subject}}",
"description": "{{ticket.description_text}}",
"url": "{{ticket.url}}",
"requesterEmail": "{{ticket.from_email}}"
}
}The {{ticket.id}} placeholder emits a bare number; the API accepts it quoted or unquoted. {{ticket.description_text}} is the plain-text form of the description, which keeps HTML markup out of the classification input. Raise a test ticket to confirm a 200 before relying on the rule.
Payload reference
| Field | Required | Purpose |
|---|---|---|
source | Yes | Must be "freshservice" for this integration. |
ticket.ticketId | Yes | Ticket id (string or number). Idempotency key, write-back target, and shown to the approver as #<id>. |
ticket.subject | Yes | Primary classification input. |
ticket.description | No | Appended to the classification input when present. Use the plain-text placeholder. |
ticket.url | No | Deep link back to the ticket, shown in the approval thread. |
ticket.requesterEmail | No | Target-user fallback when the ticket text names nobody else. |
Supported intents in this release
| Intent | Runbook | System |
|---|---|---|
| MFA reset | RB-002 | Okta |
| Password reset | RB-001 | Okta |
| Offboarding (suspend account) | RB-011 | Okta |
| Account unlock | RB-007 | Microsoft Entra ID |
| M365 license assignment (a SKU named in the ticket is honored) | RB-006 | M365 |
| Group add / remove (group named in the ticket) | RB-013 | Microsoft Entra ID |
| New hire provisioning (name and email in the ticket; named groups and license tier honored) | RB-003 | Okta + M365 |
Tickets that classify to anything else are acknowledged with no_action and audit-logged. Additional intents arrive as additive extensions; your Automator rule does not change.
What the write-back looks like
When the approval reaches a decision (from Slack, Teams, or the dashboard), AscendCore posts a private note on the originating ticket:
[AscendCore] Runbook decision: APPROVED
Runbook: MFA Reset
Target user: Sarah Chen (sarah.chen@acme.com)
Decision by: slack:U0123APPROVER at 2026-06-09T17:42:11.310Z
Action executed by AscendCore after explicit human approval.
This decision is recorded on the org's tamper-evident audit chain in AscendCore.Denied requests get a note too, stating that no changes were made. The note is private (agent-facing, off the requester thread) and is posted with a Freshservice agent API key you provision during onboarding (note permission on tickets; least privilege applies). The write-back is deliberately non-blocking: if your workspace is unreachable, the approval flow itself is unaffected and the decision remains on the AscendCore audit chain.
Security model
- Scoped bearer auth.The integration reuses AscendCore's standard API-key model. Keys are salted-hashed at rest, scope-gated, rate-limited, and revocable from the dashboard.
- Approval-gated, always. Ingested tickets follow the same human-in-the-loop policy as every other trigger. AI classifies; it never executes.
- Audit-chained.Every ingestion (including no-action dispositions) and every decision is recorded on the org's tamper-evident SHA-256 audit chain, usable as evidence for SOC 2 and ISO 27001 reviews.
- Idempotent. Duplicate submissions of the same ticket return the original run. Retry storms cannot flood your approval channel.
- Sandbox-aware. If your org is in Sandbox Mode, ingested tickets exercise the full approval flow with mocked execution and no real write-back.
Full API reference
The complete request/response contract for POST /api/v1/tickets/ingest (dispositions, error codes, schemas) lives in the OpenAPI reference. Using ServiceNow or Jira instead? See the ServiceNow guide or the Jira guide.
