Blackbaud Raiser's Edge NXT Connections and Settings
The Blackbaud Raiser's Edge NXT integration connects iPaaS.com to Blackbaud's SKY API platform using OAuth 2.0 authentication with a Bearer token. All API requests are routed through the Blackbaud SKY API gateway and authenticated using a combination of the subscriber's Blackbaud Subscription Key and an OAuth 2.0 access token.
The integration supports constituent and constituent address synchronization in both directions (to iPaaS.com and from iPaaS.com), with webhook-driven inbound data flows and outbound trigger-driven outbound data flows.
Subscription Settings
The following subscription settings are configured on the iPaaS.com Subscription Settings page during installation and are available for ongoing reference and updates.
For step-by-step first-time setup instructions, including how to obtain each credential from Blackbaud's developer portal, see the Blackbaud Raiser's Edge NXT Installation Instructions.
Setting Name | Required | Purpose | Default Value |
API Url | Yes | The Blackbaud SKY API base URL. All REST API calls are prefixed with this host. |
|
oAuth Url | Yes | The Blackbaud OAuth 2.0 token endpoint host. Used during initial authorization and automatic token refresh. |
|
Blackbaud Subscription Key | Yes | The Primary access key from the subscriber's Blackbaud SKY API subscription. Sent as the | None |
Application ClientId | Yes | The OAuth client_id from the subscriber's Blackbaud application registration. Used during the OAuth authorization code exchange and token refresh. | None |
Application ClientSecret | Yes | The OAuth client_secret (Primary application secret) from the subscriber's Blackbaud application registration. Used during the OAuth authorization code exchange and token refresh. | None |
API Throttle Limit | No | Maximum number of outbound (from iPaaS.com) API calls per throttle window. |
|
API Throttle Seconds | No | Duration of each outbound throttle window in seconds. |
|
API Throttle Limit (to iPaaS.com) | No | Maximum number of inbound (to iPaaS.com) API calls per throttle window. |
|
API Throttle Seconds (to iPaaS.com) | No | Duration of each inbound throttle window in seconds. |
|
Concurrent Connections | No | Number of simultaneous connections to the Blackbaud API. |
|
Concurrent Batch Executions | No | Number of batch operations that can run simultaneously. |
|
NOTE: The throttle and concurrency settings control the frequency and volume of data movement. Reduce these values if you are encountering Rate Limit errors from Blackbaud. See the Throttling section below for more detail.
For a visual reference of these fields on the Subscription Settings page, see the screenshot in the Installation Instructions:
Authentication Methods
OAuth 2.0 (Primary)
The integration authenticates using the OAuth 2.0 Authorization Code flow with PKCE. This is the only supported authentication method.
How it works:
The subscriber initiates the OAuth flow by clicking the Authorize action (lock icon) on the iPaaS.com Subscription Settings page.
iPaaS.com redirects the subscriber to Blackbaud's authorization page, where they sign in with their Blackbaud account and authorize the iPaaS.com application.
Blackbaud returns an authorization code to iPaaS.com's redirect URL.
iPaaS.com exchanges the authorization code for an access token and a refresh token using the Application ClientId and Application ClientSecret via a POST to
https://[oAuth Url]/token.Both tokens are stored in iPaaS.com's persistent storage with expiration timestamps.
Token lifecycle:
Access token: Short-lived. Sent as the
Authorization: Bearer {token}header on every API call. When the access token expires, iPaaS.com automatically refreshes it using the refresh token with no subscriber interaction required.Refresh token: Long-lived. Used to obtain new access tokens without requiring the subscriber to re-authorize. Re-authorization is only required if the application credentials are regenerated, the subscriber revokes access in their Blackbaud account, or Blackbaud's authorization is otherwise invalidated.
Request headers sent on every API call:
Header | Value |
|
|
|
|
| The Blackbaud Subscription Key from Subscription Settings |
|
|
Error conditions:
If the refresh token is expired or missing, the integration throws: "Unable to refresh access token." Re-run the OAuth Authorization step to generate new tokens.
If the authorization code exchange fails, the integration throws: "Unable to complete OAuth process in ProcessAuthorization. Failed to convert temporary code into a permanent token." Verify the Application ClientId, Application ClientSecret, and redirect URI configuration.
For the full step-by-step authorization procedure, see the OAuth Authentication section in the Installation Instructions.
Credential Rotation
Rotating the Blackbaud Subscription Key
In the Blackbaud developer portal, navigate to Developer account > My subscriptions.
Regenerate or switch to the Secondary access key.
In iPaaS.com, update the Blackbaud Subscription Key Subscription Setting with the new key value.
Click Apply. No re-authorization is required.
Rotating the Application Secret
In the Blackbaud developer portal, navigate to Developer account > My applications > select the application.
Regenerate the application secret.
In iPaaS.com, update the Application ClientSecret Subscription Setting with the new secret.
Click Apply.
Re-run the OAuth Authorization step to refresh the tokens, since the new secret invalidates the existing token refresh chain.
Rotating the Access and Refresh Tokens
Tokens are managed automatically by iPaaS.com. If tokens become invalid (e.g., after credential rotation or revocation in Blackbaud), re-run the OAuth Authorization step from the Subscription Settings page.
Connection Validation
After the OAuth authorization completes, the integration validates the connection by confirming that the stored access token is present and not expired. If validation succeeds, the integration sets its connection status to connected and all subsequent API calls use the stored Bearer token.
To verify the connection is working after installation or credential changes:
Initiate a manual sync of a known constituent record (to iPaaS.com direction).
Check the integration logs in iPaaS.com under Integration Monitoring and Diagnostics for successful API call entries.
Initialization Support
Currently, initialization (bulk data import on first connect) is not supported for Blackbaud Raiser's Edge NXT in iPaaS.com. All data synchronization and mappings must be configured manually during the integration process.
Throttling
The integration uses configurable throttle settings to control the rate and volume of API calls to the Blackbaud SKY API. These settings are pre-populated with recommended defaults during installation and can be adjusted on the Subscription Settings page.
API Throttle Limit / API Throttle Seconds: Controls outbound (from iPaaS.com) call rate. Default: 500 calls per 60-second window.
API Throttle Limit (to iPaaS.com) / API Throttle Seconds (to iPaaS.com): Controls inbound (to iPaaS.com) call rate. Default: 500 calls per 60-second window.
Concurrent Connections: Limits simultaneous API connections. Default: 2.
Concurrent Batch Executions: Limits simultaneous batch operations. Default: 10.
NOTE: The Blackbaud SKY API Free tier allows 10 calls per second and 1,000 calls per 24-hour period. If the subscriber's data volume exceeds these limits, upgrade to a higher SKY API tier in the Blackbaud developer portal, or reduce the throttle and concurrency settings in iPaaS.com to stay within the Free tier limits.
For more details on throttle configuration, see Subscription Configuration - Edit.