Configure permissions, access, and token security
Bergur DavidsenUpdated 2026-07-14
Application security is the combination of requested permissions, install eligibility, administrator access, grants, token policy, and credential custody. A secure OAuth flow can still be over-privileged if these controls are too broad.
Consent permissions
The application contract supports a list of consent-screen permissions containing a name, description, and whether the permission is custom. When omitted, identity scopes can default to openid, profile, and email in the current management contract.
For every permission:
- use a stable, specific name;
- explain what data or action it enables;
- separate read and write access;
- request it only when needed;
- avoid vague labels such as “full access”;
- remove obsolete permissions carefully after reviewing existing connections.
A consent description should help a user make an informed decision, not hide technical impact.
Install access policies
Released application management supports these policy shapes:
public— eligible users can discover/install according to current marketplace rules;invite-only— limited to invited users;approval-required— connection requires approval;workspace-restricted— limited to explicit workspace IDs.
Choose the narrowest policy that fits the release stage. Use restricted or approval-based access for testing rather than making a draft integration broadly available.
Workspace restriction controls installation eligibility. It does not automatically grant the app access to workspace content.
Application administrators
Application admins can affect identity, connection, and marketplace behavior.
- Keep the list small and current.
- Use named accountable users.
- Review access periodically.
- Remove former maintainers promptly.
- Separate app administration from workspace ownership.
- Require review for grants, scopes, redirects, secrets, and visibility.
Do not place admin IDs or private contacts in public-facing descriptions.
Token and session lifetimes
The current application contract includes access-token lifespan, refresh-token lifespan, and session idle timeout settings.
Use shorter access tokens and refresh only when the workflow requires continuation. Balance usability against exposure:
- access tokens should expire promptly;
- refresh tokens need stricter storage and revocation;
- idle sessions should end;
- development settings should not silently become production defaults;
- lifetime changes should be tested against existing clients.
Do not document one universal recommended number without considering the client and deployed policy.
Offline access
Offline login configuration can include:
- whether offline access is enabled;
- refresh-token expiration;
- rotation policy;
- maximum reuse count where supported.
Enable offline access only for a defined background use case. Prefer rotate-on-use where compatible, detect unexpected reuse, and revoke the token family on compromise.
A long-lived refresh token is a high-value credential even if access tokens are short-lived.
Custom token properties
Application token configuration can define custom properties sourced from user, workspace, or controlled custom mapping logic where supported.
Treat custom claims as a public contract:
- include only data the client requires;
- avoid secrets and unnecessary personal data;
- use stable names and types;
- validate array and numeric values;
- review workspace-derived claims for cross-workspace leakage;
- version breaking changes.
Never place executable or unreviewed user input into mapping logic.
Secret handling
- Store client secrets, refresh tokens, and service credentials in a secret manager.
- Never commit them or place them in Usable fragments.
- Keep secrets out of browser and mobile bundles.
- Redact authorization headers and token responses from logs.
- Use separate credentials by environment.
- Rotate after exposure or maintainer changes.
- Revoke old credentials after verifying replacement.
- Restrict outbound destinations to prevent token forwarding.
A client ID is often an identifier, not a secret. Do not treat that distinction as permission to expose associated configuration or credentials.
Review before beta or active
- Confirm exact redirects and origins.
- Remove unused grants.
- Review every consent permission.
- Confirm install policy and workspace restrictions.
- Review administrators.
- Test token expiry, refresh, revocation, and denial.
- Verify secret rotation.
- Review descriptions and icon origins for public safety.
- Confirm support and incident ownership.
- Promote status only after approval.
Respond to exposure
If a secret, refresh token, Device Code, or bearer credential is exposed:
- Revoke or rotate it immediately.
- Stop affected automation if needed.
- Remove the exposed value from content and logs.
- Inspect application and token activity.
- Verify redirect, grant, scope, and admin settings.
- Restore service with a new credential.
- Document the incident without reproducing the secret.
Deleting a screenshot or fragment is not sufficient if the credential remains valid.
Common failures
Consent shows unexpected access
Review application permissions and custom scopes before approving. Ask the developer to narrow or explain them.
A workspace-restricted app still receives 403
Eligibility and workspace authorization are distinct. Check the connected user's workspace role and granted scopes.
Refresh stops working
The token may be expired, revoked, rotated, reused, or outside the offline policy. Reauthenticate rather than weakening rotation globally.
A browser app requires a client secret
The configuration likely uses an unsuitable confidential-client grant. Revisit application type and grant selection.