
OAuth Pre-Wired Dashboards — Why Custom Websites Should Ship With Google, Meta, HubSpot Integrations Built-In


The Integrations That Should Be Bundled

A small business website in 2026 isn't "just a website" anymore. It's the front door to a stack of OAuth-connected services — calendars, CRMs, ad platforms, analytics, payments, email — that the business runs on day-to-day. The question of whether those integrations come pre-wired in your custom website or you build them yourself one at a time after launch is one of the single biggest cost drivers nobody talks about. This piece breaks down what pre-wired OAuth means, what it actually costs to build from scratch, and why bundling it into the buy-once price beats the DIY approach by a wide margin.

The "Connect This and Watch Magic Happen" Pitch

If you've ever signed up for a SaaS dashboard, you've seen the integrations grid. Sixty logos. "Connect Salesforce." "Connect Slack." "Connect Stripe." Click a logo, log in, magic. The implication is that these connections are easy.

They are easy for the user. They are not easy for the engineer building the dashboard. Each one of those logos represents days to weeks of engineering work. Token storage, refresh logic, scope management, callback handling, error states, rate-limit handling, multi-account isolation, security review. The "magic" the user sees is the surface of a substantial engineering iceberg.

For a small business buying a custom website, the question is: who pays for that engineering work? Two answers.

The DIY Path: How Much Each Integration Actually Costs

If your custom website launches without integrations and you bolt them on one by one, here's a realistic estimate of the engineering cost per provider (at $100-150/hour for a competent developer):

Google Calendar / Microsoft 365 Calendar. Two-way sync with conflict resolution. Roughly 12-20 hours = $1,200-$3,000.

Google Analytics 4. OAuth + property selection + report API integration. 8-14 hours = $800-$2,100.

Google Search Console. OAuth + site selection + query API. 8-12 hours = $800-$1,800.

Google Ads. OAuth + account selection + reporting API + multi-account handling. 16-24 hours = $1,600-$3,600.

Meta Ads. OAuth + ad account selection + insights API. 14-20 hours = $1,400-$3,000.

HubSpot CRM. OAuth + contact/deal sync + webhook ingestion. 16-24 hours = $1,600-$3,600.

Pipedrive. Same scope. 14-22 hours = $1,400-$3,300.

Stripe. Subscription billing or one-off. 12-20 hours = $1,200-$3,000.

Resend / SendGrid / Postmark. Transactional email with templating. 4-8 hours = $400-$1,200.

A typical small business operating in 2026 ends up needing 6-8 of these. Total DIY cost, conservatively, is $10,000-$20,000 AUD on top of whatever they paid for the website. And that's just the build. Maintenance — when providers rotate their APIs, when tokens stop refreshing because someone changed a password, when scopes shift — is another 4-8 hours per provider per year.

The Pre-Wired Path

The alternative is buying a custom website that ships with these integrations already built. The work has been done once, the patterns have been hardened, the edge cases have been resolved — and the cost is amortised across every customer who uses the same template.

Velocity X, as one example in this category, ships with OAuth pre-wired to:

  • Google (Calendar, Search Console, Analytics 4, Ads)
  • Microsoft 365 (Calendar, Mail, Teams)
  • Meta (Ads, Pages, Instagram)
  • LinkedIn (Ads, Company Page)
  • HubSpot, Pipedrive, Attio (CRMs)
  • Stripe (one-off payments and subscriptions)
  • Resend (transactional email)
  • WhatsApp Business API (for messaging-based ops)

The integration code lives in the template. The token storage pattern (AES-256-GCM encryption at rest, RLS-gated access, refresh-on-401 retry) is consistent across providers. Adding a connected account is "log in with Google" → the dashboard now has data from that account.

The customer pays once for the package and inherits the integration work as part of the price, versus the $10,000-$20,000 they'd otherwise spend on bespoke builds.

The Technical Patterns That Have to Be Right

Building OAuth integrations well requires getting several things right that are easy to get wrong. The biggest pitfalls:

Token Storage

OAuth refresh tokens are long-lived secrets that allow continued access to a user's account. Storing them in plaintext in your database is a security catastrophe waiting to happen. The right pattern is encrypted-at-rest storage: tokens get encrypted with AES-256-GCM before insertion, decrypted only at the moment of use, and the encryption key lives in environment variables (not in the database).

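In Postgres, the canonical format is a bytea column written in hex format: the prefix \x followed by the hex encoding of the encrypted bytes. In application code that is '\\x' + hex(encrypted_bytes), where the doubled backslash is the string-literal escape for a single backslash. Using base64 or JSON serialisation here is a common bug that breaks decryption non-obviously.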
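One way to implement the storage pattern described above, as an added example (not code from the original article or from the Velocity X template). It assumes Node.js and its built-in crypto module; the names `sealToken`, `openToken` and `TOKEN_ENC_KEY`, the iv | tag | ciphertext layout, and the use of associated data to bind a blob to its organisation, provider and account are choices made for this example.

```javascript
const crypto = require('node:crypto');

// Constructed 32-byte demo key. In a deployment it would be read from an
// environment variable (TOKEN_ENC_KEY is a hypothetical name), never the DB.
const DEMO_KEY = Buffer.from('11'.repeat(32), 'hex');

// Returns Postgres bytea hex text: \x + hex(iv[12] | tag[16] | ciphertext).
// `aad` (assumed here: "org:provider:account") is authenticated, not stored.
function sealToken(token, key, aad) {
  if (key.length !== 32) throw new Error('AES-256 needs a 32-byte key');
  const iv = crypto.randomBytes(12); // fresh nonce per call; never reuse under one key
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(aad, 'utf8'));
  const ct = Buffer.concat([cipher.update(token, 'utf8'), cipher.final()]);
  return '\\x' + Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('hex');
}

// Rejects anything that is not \x-prefixed hex (base64, JSON) before decrypting,
// then fails closed if the tag, key or AAD does not match.
function openToken(byteaHex, key, aad) {
  if (!/^\\x(?:[0-9a-f]{2}){29,}$/i.test(byteaHex)) throw new Error('not bytea hex');
  const raw = Buffer.from(byteaHex.slice(2), 'hex');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(aad, 'utf8'));
  decipher.setAuthTag(raw.subarray(12, 28));
  const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
  return pt.toString('utf8');
}
```

Because the associated data is checked on decryption, a blob copied into another organisation's or account's row fails to open even though the key is the same.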

Refresh-on-401

Access tokens expire (typically 1 hour). When an API call returns 401, the integration needs to refresh the access token (using the long-lived refresh token), retry the call, and only fail if the retry also fails. Implementing this naively can produce infinite retry loops if the refresh itself fails; the right pattern is a single retry with a circuit breaker on repeated failure.
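The single-retry and circuit-breaker behaviour described above, as an added example (not code from the original article or from the Velocity X template). `makeOAuthClient`, `callApi`, `refreshFn`, the error strings and the threshold and cooldown defaults are hypothetical; the provider call and the token endpoint are injected as functions.

```javascript
// All names are hypothetical: callApi(req, accessToken) resolves to {status, ...},
// refreshFn(refreshToken) resolves to a new access token or rejects.
function makeOAuthClient({ callApi, refreshFn, tokens,
                           maxRefreshFailures = 3, cooldownMs = 60000, now = Date.now }) {
  let failures = 0;    // consecutive failed refreshes
  let openUntil = 0;   // breaker is open while now() < openUntil
  let inflight = null; // one shared refresh for concurrent 401s

  async function doRefresh() {
    try {
      tokens.access = await refreshFn(tokens.refresh);
      failures = 0;
    } catch (err) {
      if (++failures >= maxRefreshFailures) openUntil = now() + cooldownMs;
      throw new Error('refresh_failed');
    }
  }

  async function refresh() {
    // Breaker open: do not hit the token endpoint, ask the user to reconnect.
    if (now() < openUntil) throw new Error('reauth_required');
    if (!inflight) inflight = doRefresh().finally(() => { inflight = null; });
    return inflight;
  }

  return async function request(req) {
    const used = tokens.access;
    const first = await callApi(req, used);
    if (first.status !== 401) return first;
    // Skip the refresh if another request already replaced the token.
    if (tokens.access === used) await refresh(); // throws on failure, so no retry loop
    return callApi(req, tokens.access);          // exactly one retry; a second 401 is returned
  };
}
```

A caller that receives `reauth_required` should prompt the user to reconnect the account rather than retry.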

Scope Minimisation

Every OAuth integration should request the minimum scopes needed. "Read all your data" scopes are easier to implement but harder to justify to users and harder to pass security reviews. Production-grade integrations explicitly enumerate the scopes they need and don't ask for more.

Multi-Account Isolation

If your customer has three Google Ads accounts (one for each brand), the integration needs to handle account selection cleanly. Saving "the user's Google Ads connection" without an account selector is a bug that surfaces the moment a multi-account user uses the dashboard.

Rate Limit Handling

Most providers rate-limit aggressively. Production integrations buffer requests, retry on 429s with exponential backoff, and surface "this would take 4 minutes" warnings to the user instead of locking up. Getting this wrong produces a dashboard that intermittently doesn't work.

The Two-View Dashboard Pattern

Once the OAuth integrations are wired, the question is how to surface the data. The pattern that works for small business in 2026 is the two-view dashboard:

Ops view for the people doing the work. Calendar sync, CRM map, lead pipeline, AI follow-up drafts. The "open it every morning" tool for sales reps, field staff, and the front desk.

SLT view for the people running the business. Multi-channel traffic rollup (GSC + GA + Meta + Google Ads on one dual-axis chart), conversion funnel, revenue dashboard, campaign performance. The "review it weekly" tool for leadership.

Both views share the same Supabase backend, gated by role-based row-level security so each user sees only their authorised data. OAuth tokens are shared at the organisation level (all admins can connect new accounts; non-admins can read data but not connect or revoke).

Frequently Asked Questions

Why don't all custom website builders include integrations?

Because building them well is expensive and most freelance developers / agencies can't recoup the engineering cost on a single project. The economics only work when the same integration code is reused across dozens or hundreds of customer sites. Templates like Velocity X make this work by amortising the engineering across every buyer of the template.

What if I only need one integration?

You'll still benefit from the pre-wired pattern because the encryption, refresh, and storage code is shared across providers. Adding a single integration to a site that has none is roughly the same effort as adding the second integration to a site that has one — most of the work is the platform, not the specific provider.

What about Zapier or Make?

Workflow automation tools like Zapier and Make are great for one-off automations but they're not a substitute for proper OAuth integrations in your dashboard. They cost $20-$200/month, they introduce latency, and they don't give your dashboard direct access to the data — they shuffle it around between APIs. For one-time event triggers, Zapier is fine. For "show this customer their Google Ads spend last month inside my dashboard", you want a direct integration.

How do I know the integrations are secure?

Three things to check on any custom website with pre-wired integrations: tokens are encrypted at rest, secrets live in environment variables not in the repo, and row-level security policies gate which users can see which tokens. Ask for documentation on each. A reputable builder will have written it.

What happens when providers change their APIs?

They change periodically. Roughly one of the major integrations changes meaningfully every 2-4 months. With a pre-wired template, the maintainer (Aiden, in Velocity X's case) ships an update to all customer sites at once. With DIY integrations, each customer has to chase the update themselves or hire someone to do it.

Can I add more integrations later?

Yes. The pattern is extensible. Adding a new provider follows the same template (OAuth callback, encrypted token storage, refresh logic, scoped API client). With Claude Code, adding a new provider takes 2-4 hours of engineering for a competent developer.

The Bottom Line

OAuth-pre-wired dashboards are the single biggest hidden value-add of a properly-built custom business website in 2026. The DIY cost for 6-8 integrations is $10,000-$20,000 plus ongoing maintenance; a bundled template absorbs it as part of the buy-once price. For service businesses with CRM, calendar, ads, and analytics workflows — basically all of them — this is the difference between "a marketing site" and "an operating system". Ask explicitly about integrations the next time you commission a website. The answer tells you whether you're being sold a website or a launchpad.
