PagerDuty + CalloutPay Integration Guide

PagerDuty + CalloutPay Integration Benefits

• Generate finance-ready on-call compensation spreadsheets directly from PagerDuty schedule and incident data — no manual exports, copy-pasting, or rebuilt spreadsheets.
• Apply your organisation's pay policy (stipends, callout fees, hourly rates, minimum-hours billing, business-hours rules, regional bank holidays) to PagerDuty on-call data automatically.
• Run reports for an individual engineer, a whole team, or every schedule in your organisation, in the same consistent format every month.
• Connect once via OAuth — the access token is encrypted at rest and reused for every report, with one-click disconnect at any time.
• CalloutPay reads from PagerDuty only. It never writes back, never creates incidents, and never modifies schedules or services.

How it Works

CalloutPay is a reporting tool, not an alerting integration. When you generate a report, CalloutPay calls the PagerDuty REST API on your behalf using your authorised access token to read on-call schedules, on-call entries, and incidents for the period you have selected.

CalloutPay then applies your configured pay rules — stipends, callout fees, hourly rates, minimum-hours billing, business-hours windows, and regional bank holiday rules — to that data and produces a finance-ready Excel (XLSX) spreadsheet with per-day breakdowns, payable-callout itemisation, and totals.

All processing is request-scoped: schedule and incident data is held in memory only for the duration of the report generation, and is not persisted after the file is delivered. The only PagerDuty data CalloutPay stores against your account is the encrypted OAuth access token itself.

CalloutPay calls the following PagerDuty REST API endpoints (all read-only):

• GET /oncalls
• GET /incidents
• GET /users
• GET /teams
• GET /schedules

Region-aware: tokens issued for PagerDuty's EU region are routed to api.eu.pagerduty.com; US-region tokens are routed to api.pagerduty.com.

Requirements

• An active CalloutPay account. Sign up at calloutpay.com/signup.
• An active PagerDuty account with permission to authorise third-party applications. Some PagerDuty plans require an Admin or Account Owner role to approve OAuth applications. If you are not an Admin, please ask an Admin or Account Owner in your organisation to complete the connection step on your behalf.
• The PagerDuty user authorising the integration should belong to the same account whose schedules and incidents you want to report on.

Support

If you need help with this integration, please email support@calloutpay.com. We aim to respond within one business day.

Integration Walkthrough

CalloutPay does not use Global Event Routing or a PagerDuty Service Integration because it does not send events into PagerDuty. Instead, it uses PagerDuty's OAuth 2.0 (Classic User OAuth) flow to obtain a read-only access token, which is used to read schedule and incident data from your account.

In CalloutPay

1. Sign in at calloutpay.com/login with your CalloutPay credentials.
2. You will land on the report generator. At the top of the form, locate the PagerDuty connection card.
3. Click the Connect PagerDuty button. CalloutPay will redirect your browser to PagerDuty's OAuth authorisation page.

In PagerDuty

1. If you are not already signed in to PagerDuty, sign in with the account you want to authorise. You will be presented with a CalloutPay authorisation prompt.
2. Review the requested scope. CalloutPay requests the readscope only — this allows CalloutPay to read schedules, on-call entries, incidents, users, and teams from your PagerDuty account. It does not grant write access.
3. Click Authorize to grant access. PagerDuty will redirect you back to CalloutPay.

Back in CalloutPay

1. You will be returned to the report generator. The PagerDuty connection card will now display PagerDuty connected with the date the connection was authorised.
2. You can now generate reports without entering any further credentials. CalloutPay will use your stored access token to fetch schedule and incident data on your behalf.

How the access token is stored

• The OAuth access token is encrypted at rest using AES-128 (Fernet) before being stored against your CalloutPay account. The encryption key is held server-side only.
• The token is never returned to your browser in plaintext, never written to log files, and never included in exported spreadsheets.
• CalloutPay only reads from PagerDuty — the read scope is sufficient because the integration does not need to create, modify, or delete any PagerDuty objects.

Optional: connect with a Read-only API key instead

If your organisation prefers using a Read-only API Key over OAuth (for example, for audit reasons), CalloutPay supports this as an alternative. In the report generator, click Use a manual API key instead beneath the PagerDuty connection card and paste a Read-only API Key generated from Integrations → API Access Keys in PagerDuty. The key is encrypted at rest using the same mechanism as the OAuth token.

How to Uninstall

You can revoke CalloutPay's access to PagerDuty at any time, from either side of the integration.

From CalloutPay

1. Sign in to CalloutPay and open either the report generator or your account page.
2. Locate the PagerDuty connection card.
3. Click the Disconnect button. The encrypted access token is deleted from CalloutPay's records, and future reports will require reconnecting before they can run.

From PagerDuty

1. Sign in to PagerDuty as the user who authorised the integration.
2. Click your user avatar in the top-right and select My Profile.
3. Open the Connected Appstab (or the equivalent “Authorised Applications” section, depending on your PagerDuty plan).
4. Find CalloutPay in the list and click Revoke. The access token will be invalidated immediately on PagerDuty's side.

If you fully close your CalloutPay account, all stored credentials including any encrypted PagerDuty access token are deleted as part of account closure (see our Privacy Policy).