
OAuth app listings: are your marketplace controls keeping up?


(@nhi-mgmt-group)
Member Moderator

TL;DR: According to Offroad AI's scan of major OAuth marketplaces, a marketplace listing is not a security review: 677 apps asked for permissions beyond their stated function, 206 had dead publisher domains, and 49 AI-powered apps carried broad write access. That pattern turns OAuth grants into persistent business risk rather than one-time consent.

NHIMG editorial — based on content published by Offroad AI: Introducing OhAuth and the state of OAuth app exposure

Questions worth separating out

Q: What breaks when marketplace-listed OAuth apps are treated as approved by default?

A: What breaks is the assumption that a marketplace badge means the app is safe, proportionate, or still accountable.

Q: Why do OAuth apps create persistent identity risk for IAM teams?

A: OAuth apps create persistent identity risk because the grant, and the refresh token issued under it, stays usable until it is revoked or expires, which can be long after the point of approval and after the approving user has changed roles or left.

Q: How do security teams know whether an OAuth app is over-privileged?

A: Security teams should compare the app’s actual business function with the permissions it requests and then look for delete, admin, or cross-system scopes that are not essential.

Practitioner guidance

  • Reconcile every active OAuth grant against business need. Build an inventory of all marketplace-connected grants, then compare each scope to the app's current function and owner.
  • Treat publisher infrastructure as part of the trust decision. Check whether the publisher domain is active, supportable, and controlled before approving or renewing high-scope apps.
  • Separate AI-mediated grants from deterministic apps. Flag OAuth apps that use AI to generate, schedule, or execute actions on behalf of users.
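The three steps above, together with the over-privilege check from the Q&A, as one offline reconciliation script. This is an added example, not code from Offroad AI or NHIMG: the grant inventory, the expected-scope policy table, the publisher-domain results and the user directory are constructed samples, and which scopes count as high-risk or write-capable is this example's own assumption (the scope identifiers themselves are real Google Workspace and GitHub scopes). In practice the inventory would be exported from the identity provider and the domain status would come from live DNS/WHOIS lookups.

```python
"""Reconcile marketplace OAuth grants against business need, publisher health
and AI-mediated write access.

Added example (not Offroad AI's or NHIMG's code). All inputs below are
constructed samples standing in for an identity-provider export and a
live publisher-domain check.
"""
from __future__ import annotations
from dataclasses import dataclass

GOOGLE = "https://www.googleapis.com/auth/"

# Scopes carrying delete, admin or cross-system authority. The identifiers are
# real Google Workspace / GitHub scopes; the selection is this example's.
HIGH_RISK_SCOPES = {
    GOOGLE + "admin.directory.user",   # create/delete Workspace users
    GOOGLE + "drive",                  # full Drive read/write/delete
    GOOGLE + "gmail.modify",           # read, send and delete mail
    "admin:org",                       # GitHub org administration
    "delete_repo",                     # GitHub repository deletion
    "workflow",                        # GitHub Actions workflow edits
}

# Minimum scopes each declared function needs (constructed policy table).
EXPECTED_SCOPES = {
    "calendar-scheduling": {GOOGLE + "calendar.events"},
    "docs-readonly-export": {GOOGLE + "drive.readonly"},
    "ci-status-reporter": {"repo:status", "read:org"},
}

GITHUB_WRITE_SCOPES = {"repo", "public_repo", "repo:status", "workflow", "delete_repo"}


def is_write_scope(scope: str) -> bool:
    """Google scopes are read-only iff they end in .readonly; GitHub write
    scopes are enumerated above or prefixed write:/admin: (assumption)."""
    if scope.startswith(GOOGLE):
        return not scope.endswith(".readonly")
    return scope in GITHUB_WRITE_SCOPES or scope.startswith(("write:", "admin:"))


@dataclass
class Grant:
    app: str
    publisher_domain: str
    declared_function: str
    scopes: set[str]
    owner: str
    uses_ai_actions: bool = False   # a model decides what to write/schedule/run


def assess(grant: Grant, domain_status: dict[str, str], active_users: set[str]) -> list[str]:
    """Return every reason this grant should be reviewed (empty list = clean)."""
    issues: list[str] = []
    expected = EXPECTED_SCOPES.get(grant.declared_function)
    if expected is None:
        issues.append(f"declared function {grant.declared_function!r} has no scope policy")
    elif excess := grant.scopes - expected:
        issues.append("scopes beyond declared function: " + ", ".join(sorted(excess)))
    if risky := grant.scopes & HIGH_RISK_SCOPES:
        issues.append("delete/admin/cross-system scopes: " + ", ".join(sorted(risky)))
    status = domain_status.get(grant.publisher_domain, "unresolved")
    if status != "active":
        issues.append(f"publisher domain {grant.publisher_domain} is {status}")
    if grant.owner not in active_users:
        issues.append(f"owner {grant.owner} is no longer active but the grant persists")
    writes = sorted(s for s in grant.scopes if is_write_scope(s))
    if grant.uses_ai_actions and writes:
        issues.append("AI-mediated app holds write scopes: " + ", ".join(writes))
    return issues


def reconcile(grants: list[Grant], domain_status: dict[str, str],
              active_users: set[str]) -> dict[str, list[str]]:
    """Map each app to its issues, omitting grants with nothing to report."""
    report: dict[str, list[str]] = {}
    for g in grants:
        if issues := assess(g, domain_status, active_users):
            report[g.app] = issues
    return report


# Constructed inventory, domain results and user directory.
SAMPLE_GRANTS = [
    Grant("MeetBot", "meetbot.example", "calendar-scheduling",
          {GOOGLE + "calendar.events", GOOGLE + "drive"}, owner="alice", uses_ai_actions=True),
    Grant("DocExport", "docexport.example", "docs-readonly-export",
          {GOOGLE + "drive.readonly"}, owner="bob"),
    Grant("CIReporter", "ci.example", "ci-status-reporter",
          {"repo:status", "read:org"}, owner="carol"),
]
SAMPLE_DOMAIN_STATUS = {"meetbot.example": "active", "docexport.example": "expired",
                        "ci.example": "active"}
SAMPLE_ACTIVE_USERS = {"alice", "carol"}   # bob has left the organisation

if __name__ == "__main__":
    for app, issues in reconcile(SAMPLE_GRANTS, SAMPLE_DOMAIN_STATUS, SAMPLE_ACTIVE_USERS).items():
        print(app)
        for issue in issues:
            print("  -", issue)
```

Run as a script, it reports MeetBot (excess and high-risk Drive scope, plus AI-driven write access) and DocExport (expired publisher domain, departed owner) and stays silent on CIReporter, whose scopes match its declared function. The policy table is the part worth maintaining: an app whose declared function has no entry is flagged rather than silently passed, so new categories force a decision instead of a default approval.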

What's in the full report

Offroad AI's full research covers the operational detail this post intentionally leaves for the source:

  • A continuous scanning model for marketplace OAuth apps, including how the community index tracks publisher infrastructure and grant exposure.
  • Breakdowns of broad-scope patterns across Google Workspace and GitHub marketplace apps, including how the permissions map to real business surfaces.
  • Examples of dead, buyable, and threat-intel-flagged publisher domains that illustrate why lifecycle accountability matters after consent.
  • The AI-powered app category analysis, including how model-driven actions change the practical meaning of a static OAuth scope.

👉 Read Offroad AI's research on OAuth marketplace risk and standing grants →
