Blackbaud Raiser's Edge NXT Installation Instructions
Before you can install the Blackbaud Raiser's Edge NXT subscription, you need to obtain three values from Blackbaud:
Blackbaud Subscription Key: identifies which Blackbaud SKY API subscription is making each call.
Application ClientId: identifies the application requesting access.
Application ClientSecret: authenticates the application against Blackbaud.
These come from a Standard APIs subscription and an application registration in the subscriber's Blackbaud developer account.
You will also need the iPaaS.com OAuth redirect URL, which must be entered exactly into the Blackbaud application registration during the To Register a Blackbaud Application steps below.
NOTE — Environment-specific URLs: The redirect URL differs between iPaaS.com environments. Use the URL that matches the environment you are configuring:
To Create a Blackbaud SKY Developer Account
If you already have a SKY Developer account, skip to To Register a Blackbaud SKY API Subscription below.
Navigate to https://developer.blackbaud.com and sign in with the Blackbaud account that will own the subscription. This account must have administrative permissions in the subscriber's Blackbaud tenant.
If you do not have a developer account, the Create your SKY Developer account page is displayed.
Fill in the required fields and click Create account.
Once the account is created, you are redirected to the developer portal home page.
To Register a Blackbaud SKY API Subscription
From the top navigation at https://developer.blackbaud.com, open Developer account and click My subscriptions.
If a Standard APIs subscription is not already present, click Subscribe on the Standard APIs offering.
Review the SKY API Terms of Use and click Submit to accept.
Once the subscription is active, a Primary access key and a Secondary access key are displayed (masked by default).
Click Show next to Primary access key to reveal the value, then copy it. This becomes the Blackbaud Subscription Key value in the iPaaS.com Subscription Settings.
NOTE: Keep the Secondary access key in a safe place. If the Primary access key is ever rotated or compromised, the Secondary access key can be promoted by updating the iPaaS.com Subscription Setting — no integration code changes are required.
NOTE — Rate limits: The Free tier allows 10 calls per second and 1,000 calls per 24-hour period. If your subscriber's data volume exceeds these limits, click Upgrade to select a higher tier, or reduce the throttle and concurrency settings in iPaaS.com to stay within the Free tier limits.
To Register a Blackbaud Application
While still signed in at https://developer.blackbaud.com, open Developer account and click My applications.
Click + New application.
Fill in the New application form using the values shown in the table below.
The Application name, details, and publisher appear on the Blackbaud authorization screen the subscriber sees during the OAuth Authentication step, so they should clearly identify iPaaS.com as the requesting application.
Field | Recommended value |
Application name |
|
Application details |
|
Publisher (public organization name) |
|
Application logo | Optional. A 512×512 .jpeg or .png under 2MB. |
Application website URL |
Click Save. The application detail page is displayed, showing the generated Application ID (OAuth client_id) and two application secrets (OAuth client_secret).
Copy the Application ID (OAuth client_id). This becomes the Application ClientId value in the iPaaS.com Subscription Settings.
Click Show next to the Primary application secret (OAuth client_secret) to reveal the value, then copy it. This becomes the Application ClientSecret value in the iPaaS.com Subscription Settings.
Keep the Secondary application secret in a safe place as a fallback.
NOTE: If both secrets are lost, return to the application detail page in the Blackbaud developer portal and regenerate them. Update the Application ClientSecret Subscription Setting in iPaaS.com with the new Primary secret, then re-run the OAuth Authentication step below to refresh the tokens.
On the same application detail page, the Settings tab includes left-side sub-tabs for Scopes, Redirect URIs, Add-ins, and Application contributors. The Redirect URIs and Scopes must be configured before the application can be used for OAuth.
Configure Redirect URIs
Click the Redirect URIs sub-tab, then click Edit redirect URIs.
Enter the iPaaS.com OAuth redirect URL that matches your environment (see the NOTE — Environment-specific URLs at the top of this document), then click Save.
Configure Scopes
Click the Scopes sub-tab, then click Edit scopes.
Select Full data access, then click Save.
Installation Instructions for Integration Setup
In the left navigation, expand Subscriptions Management and click Marketplace.
Click the Blackbaud Raiser's Edge NXT integration tile.
Click the Subscribe button.
The Subscription Settings page opens. Fill in the following fields:
Name — Enter a unique subscription name.
Format: [Product Name] - [Environment/Purpose]
Example: Blackbaud Raiser's Edge NXT – Release
Versions — Select a version from the dropdown.
Create Default Mappings — Leave checked (recommended). Un-check only if you want to create all mappings yourself.
API Url — Leave at the default unless Blackbaud has provisioned the subscriber on a non-standard endpoint.
Default Value:
api.sky.blackbaud.com
oAuth Url — Leave at the default unless Blackbaud has provisioned the subscriber on a non-standard endpoint.
Default Value:
oauth2.sky.blackbaud.com
Blackbaud Subscription Key — The Primary key copied from My subscriptions in the Before You Begin section.
Application ClientId — The Application ID copied from the Private Application registration in the Before You Begin section.
Application ClientSecret — The Primary application secret copied from the Private Application registration in the Before You Begin section.
API Throttle Limit — Default:
500. Controls the maximum number of API calls per throttle window.API Throttle Seconds — Default:
60. The duration of each throttle window in seconds.API Throttle Limit (to iPaaS.com) — Default:
500. Controls the maximum number of inbound API calls per throttle window.API Throttle Seconds (to iPaaS.com) — Default:
60. The duration of each inbound throttle window in seconds.Concurrent Connections — Default:
2. The number of simultaneous connections to the Blackbaud API.Concurrent Batch Executions — Default:
10. The number of batch operations that can run simultaneously.
NOTE: The throttle and concurrency settings control the frequency and volume of data movement. Reduce these values if you are encountering Rate Limit errors from Blackbaud.
Click Apply to save the settings.
NOTE — Webhook API Key: After saving, the Webhook API Key field is auto-generated by iPaaS.com and used to authenticate inbound webhook calls from Raiser's Edge NXT. This value is set automatically and does not require any action during initial installation.
OAuth Authentication
To initiate the OAuth 2.0 flow and generate access and refresh tokens:
Go to your Blackbaud Raiser's Edge NXT Subscription Settings.
Click the Authorize action (the lock icon) in the row of actions in the top-right of the subscription page.
NOTE: The subscription settings must be saved (via Apply) before the Authorize action will work. If you have unsaved changes, save them first.
iPaaS.com redirects to Blackbaud's authorization page. The subscriber's authorized Blackbaud user signs in and reviews the request.
Review the authorization request, which shows the iPaaS.com application requesting access to your Blackbaud data, and the source environment (e.g., SKY Developer Cohort - SKY Developer Cohort Environment 1). Click Authorize to grant access.
Blackbaud redirects back to iPaaS.com, which exchanges the authorization code for an access token and a refresh token. iPaaS.com stores both tokens with the subscription and uses them for all subsequent API calls.
iPaaS.com displays an Authorization is complete please close page confirmation. Click Close Page.
Return to the subscription page in iPaaS.com and refresh. The Subscription Settings page now shows the AccessToken, RefreshToken, and EnvironmentId values stored from the OAuth exchange, along with the OAuth process complete confirmation.
NOTE: The refresh token issued by Blackbaud is long-lived. iPaaS.com silently refreshes the access token as needed without further user interaction. Re-authorization is only required if the application credentials are regenerated, the subscriber revokes access in their Blackbaud account, or Blackbaud's authorization is otherwise invalidated.
Post-Installation Verification
After completing the installation, perform these tests to verify the installation.
Data Sync Test
Initiate a sample data pull (to iPaaS.com) — for example, fetch a known constituent record from Raiser's Edge NXT.
Initiate a sample data push (from iPaaS.com) — for example, update an address on a test constituent.
Functionality Test
Run an end-to-end business process that covers constituent and address synchronization.
Validate key features like field mappings, workflow triggers, and logging.
Review integration logs in iPaaS.com under Integration Monitoring and Diagnostics.
Support and Troubleshooting
Click the Help button on any iPaaS.com page to contact iPaaS.com Support at support@ipaas.com or to search our documentation.
Documentation: Search our documentation at the top of this article
Support Portal: Click the Help and Support button at the lower-right of this window.
Contact Information: Email iPaaS.com Support at support@ipaas.com.
Common issues
Symptom | Likely cause | Resolution |
Authorization page shows invalid client | The Application ClientId Subscription Setting does not match the Application ID in the Blackbaud application registration. | Re-copy the Application ID from the Blackbaud developer portal, paste it into the iPaaS.com Subscription Setting, save, and re-authorize. |
Authorization page shows redirect URI mismatch | The Redirect URI configured in the Blackbaud application does not exactly match the iPaaS.com redirect URL. | Compare both values character-by-character (scheme, host, port, path, trailing slash). Update the Blackbaud application registration to match the iPaaS.com-provided URL exactly. |
All API calls fail with 401 Unauthorized immediately after authorization succeeds | The Blackbaud Subscription Key Subscription Setting is missing or incorrect, or the SKY API subscription is not active. | Verify the Subscription Key matches the Primary key shown in My subscriptions; verify the subscription status is active. |
API calls fail with 403 Forbidden — insufficient scope | The application registration is missing required scopes, or the subscriber denied a required scope at the authorization screen. | Open the application registration in the Blackbaud developer portal and confirm the required scopes are checked. Re-run the OAuth Authentication step so the subscriber can grant the scopes. |
API calls fail with 403 Out of call volume quota | The subscriber has exhausted their SKY API daily quota. | Transient — iPaaS.com automatically reschedules the work for after the reset window. Confirm the subscriber's SKY API quota tier matches the expected transfer volume; upgrade the tier if quotas are being exhausted regularly. |
429 Too Many Requests errors during a large initial sync | Per-second rate limit reached. | iPaaS.com handles this automatically by deferring the requeued work until Blackbaud's reset window. No action required unless the rate limit is consistently exceeded, in which case Blackbaud should be contacted about the subscriber's tier. |
Authorization succeeded but inbound webhooks don't arrive | Raiser's Edge NXT webhooks must be subscribed via the integration's configuration. | Confirm the subscription has the relevant webhook scopes enabled. Trigger a test change in Raiser's Edge NXT and review the integration logs in iPaaS.com. |
Subscription Settings Reference
Field | Required | Default Value | Description |
Name | Yes | — | Unique identifier for this subscription |
Versions | No | — | Integration version |
Create Default Mappings | No | Checked | Auto-creates standard field mappings |
API Url | Yes |
| Hostname of the Blackbaud SKY API |
oAuth Url | Yes |
| Hostname of the Blackbaud OAuth service |
Blackbaud Subscription Key | Yes | — | Primary subscription key from the Blackbaud SKY API subscription |
Application ClientId | Yes | — | Application ID from the registered Blackbaud Private Application |
Application ClientSecret | Yes | — | Primary application secret from the same registered application |
API Throttle Limit | Yes |
| Maximum number of API calls per throttle window |
API Throttle Seconds | Yes |
| Duration of each throttle window in seconds |
API Throttle Limit (to iPaaS.com) | Yes |
| Maximum number of inbound API calls per throttle window |
API Throttle Seconds (to iPaaS.com) | Yes |
| Duration of each inbound throttle window in seconds |
Concurrent Connections | Yes |
| Number of simultaneous connections to the Blackbaud API |
Concurrent Batch Executions | Yes |
| Number of batch operations that can run simultaneously |
Additional Notes
The Application ClientSecret, AccessToken, and RefreshToken are stored within the iPaaS.com subscription and are visible on the Subscription Settings page to users with access to the subscription. Limit subscription access to authorized users only.
Rotating the Application ClientSecret in Blackbaud requires updating the iPaaS.com Subscription Setting and re-running the OAuth Authentication step. The subscriber's Raiser's Edge NXT data is not affected during rotation — only the credential changes.
If a subscriber cancels their iPaaS.com subscription, revoke the application's authorization in the subscriber's Blackbaud account so any cached refresh token can no longer be used.