WorkOS Pipes and Linear: what changes for IAM teams?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2827
Topic starter

TL;DR: Applications can connect Linear and other SaaS tools without building OAuth redirects, refresh logic, or token storage, while still returning a usable access token for API calls, according to WorkOS. The security question is not whether the flow is simpler, but who now owns the trust boundary, token lifecycle, and revocation model.

NHIMG editorial — based on content published by WorkOS: Fetch Linear issue data without OAuth using WorkOS Pipes

Questions worth separating out

Q: How should security teams govern delegated SaaS access without handling OAuth themselves?

A: Security teams should govern delegated SaaS access by treating the integration as a managed non-human identity, not as an invisible convenience layer.

Q: Why do third-party connector patterns create NHI risk even when tokens are refreshed automatically?

A: Automatic refresh reduces friction, but it does not remove identity risk.

Q: What breaks when an app relies on a hidden token broker for external data access?

A: What breaks first is visibility.

Practitioner guidance

  • Map delegated integration ownership to a named business process. Assign a clear owner for each provider connection, including who approves scope changes, who responds to reauthorization failures, and who removes the connection when the use case ends.
  • Review provider scopes as part of NHI access governance. Document the minimum provider scopes needed for each integration and make scope expansion a reviewed change, not a code-only update.
  • Treat token refresh failure as a governance signal. When the backend cannot obtain a fresh token, route the failure to a defined operational queue rather than silently retrying forever.

What's in the full article

WorkOS's full research covers the operational detail this post intentionally leaves for the source:

  • Step-by-step Pipes widget setup for Linear and other providers in the WorkOS dashboard
  • Code examples for fetching a refreshed provider access token from the backend
  • Exact scope selection guidance for read access versus broader provider permissions
  • Shared credentials and production credential setup details that matter during implementation

👉 Read WorkOS's tutorial on connecting Linear through Pipes without OAuth →

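As an added example for the practitioner guidance above (not code from the original post, from WorkOS or from Pipes), the following Python shows how a backend can keep ownership, approved scopes and refresh failures explicit even when a token broker hides the OAuth flow. The broker is modelled as any callable that returns a provider access token or raises; the integration registry, the owner address, the scope names, the token value and the queue event shape are constructed assumptions for illustration.

```python
"""Governance wrapper around a hidden token broker.

Added example for this thread, not WorkOS or Pipes code. The broker is any
callable that returns a provider access token or raises TokenRefreshFailed;
the registry, owner, scopes and event shape below are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional


class TokenRefreshFailed(Exception):
    """Raised by the broker when it cannot obtain a fresh provider token."""


class ScopeExpansionError(Exception):
    """Raised when code requests provider scopes outside the reviewed baseline."""


@dataclass(frozen=True)
class Integration:
    provider: str
    owner: str                   # named owner of the business process
    approved_scopes: frozenset   # documented minimum, changed only through review


@dataclass
class OpsQueue:
    """Stand-in for a ticketing or alerting queue (constructed)."""
    events: list = field(default_factory=list)

    def route(self, event: dict) -> None:
        self.events.append(event)


# Constructed registry: one Linear connection with read-only scope approved.
REGISTRY = {
    "linear": Integration("linear", "eng-planning@example.test", frozenset({"read"})),
}


def check_scopes(integration: Integration, requested: set) -> set:
    """Allow only scopes already reviewed; anything extra is a governance change."""
    extra = set(requested) - integration.approved_scopes
    if extra:
        raise ScopeExpansionError(
            f"{integration.provider}: scopes {sorted(extra)} not approved for owner "
            f"{integration.owner}; open a scope review instead of widening in code"
        )
    return set(requested)


def fetch_provider_token(
    integration: Integration,
    broker: Callable[[str], str],
    queue: OpsQueue,
    max_attempts: int = 3,
) -> Optional[str]:
    """Ask the broker for a token with bounded retries; on exhaustion, route
    the failure to the owner's operational queue instead of retrying forever."""
    last_error: Optional[Exception] = None
    for _ in range(max_attempts):
        try:
            return broker(integration.provider)
        except TokenRefreshFailed as exc:
            last_error = exc
    queue.route({
        "type": "token_refresh_failed",
        "provider": integration.provider,
        "owner": integration.owner,
        "attempts": max_attempts,
        "reason": str(last_error),
    })
    return None


def demo() -> tuple:
    """Constructed scenario: a healthy broker, a broker needing reauthorization,
    and a code path that tries to widen scopes without review."""
    queue = OpsQueue()
    linear = REGISTRY["linear"]

    def healthy_broker(provider: str) -> str:
        return f"tok-{provider}-0001"  # constructed token value

    def broken_broker(provider: str) -> str:
        raise TokenRefreshFailed("provider reauthorization required")

    ok = fetch_provider_token(linear, healthy_broker, queue)
    failed = fetch_provider_token(linear, broken_broker, queue)
    try:
        check_scopes(linear, {"read", "write"})
        blocked = False
    except ScopeExpansionError:
        blocked = True
    return ok, failed, queue.events, blocked


if __name__ == "__main__":
    print(demo())
```

The point of the wrapper is that the refresh failure leaves a record tied to a named owner, and a scope change cannot slip in as a code-only edit; both are the conditions the guidance above asks for, independent of which broker sits underneath.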

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1125

OAuth abstraction creates an NHI governance blind spot: the application no longer owns the credential workflow, so teams can lose sight of where tokens are stored, refreshed, and revoked. The trust boundary moves, but accountability does not. That means the control issue is not whether OAuth is hidden from developers, but whether identity ownership is still explicit across the integration chain.

A few things that frame the scale:

  • 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
  • 62% of all secrets are duplicated and stored in multiple locations, causing unnecessary redundancy and increasing the risk of accidental exposure.

A question worth separating out:

Q: Who should be accountable for third-party account connections in application workflows?

A: Accountability should sit with the team that owns the data use case, not only with the developer who added the connector. The owner must know which provider is connected, what data is in scope, and when the connection should be removed. Without that, delegated access becomes an orphaned access path.

👉 Read our full editorial: WorkOS Pipes shifts OAuth plumbing out of app identity
