
WorkOS Pipes and third-party account access: what changes for IAM?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2827
Topic starter  

TL;DR: A pattern for connecting GitHub and other third-party services without building OAuth redirects, token storage, or refresh logic in the app, while still returning usable access tokens for API calls, is highlighted in WorkOS’s Pipes tutorial. That shifts the operational burden from application code to the integration layer, which changes how teams think about secret handling, delegated access, and account reauthorization.

NHIMG editorial — based on content published by WorkOS: Fetch GitHub repo data without OAuth using WorkOS Pipes

By the numbers:

Questions worth separating out

Q: How should security teams govern brokered OAuth connections in SaaS apps?

A: Security teams should govern brokered OAuth connections as part of the identity estate, not as a developer convenience.

Q: Why do brokered access tokens still create identity risk?

A: Brokered access tokens still create identity risk because the application may not store the refresh logic, but the underlying connection can remain active for long periods.

Q: What do teams get wrong about third-party account connections?

A: Teams often treat third-party account connections as temporary integrations rather than managed entitlements.

Practitioner guidance

  • Inventory brokered third-party connections: Catalogue every application that outsources OAuth, token refresh, or secret storage to a middleware layer, and map each one to the provider, scope set, and owning business service.
  • Classify connected-service tokens as NHI credentials: Treat access tokens used by backend jobs, integrations, and API calls as non-human identity assets rather than generic app data.
  • Enforce scope-minimised provider connections: Define the minimum provider scopes needed for each use case, then reject broad grants that are not required for the feature.

What's in the full article

WorkOS's full tutorial covers the operational detail this post intentionally leaves for the source:

  • Step-by-step Pipes widget setup for GitHub connection management in a Node application
  • Concrete backend code for retrieving refreshed access tokens and calling the GitHub API
  • Environment variable and dashboard configuration details for allowed origins, API keys, and provider scopes
  • Sample token response structure that helps developers wire error handling and reauthorization flows

👉 Read WorkOS's tutorial on fetching GitHub repo data with Pipes →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1125
 

Delegated third-party access is an identity lifecycle, not a coding convenience. This tutorial shows a brokered token model where the app asks for a usable access token only when needed, while the middleware owns refresh and storage. That is operationally cleaner, but it still creates an entitlement that must be tracked, reviewed, and offboarded like any other non-human access path. Practitioners should stop treating embedded integrations as outside IAM scope.

A few things that frame the scale:

  • 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
  • In the same research, 44% of NHI tokens are exposed in the wild, being sent or stored over platforms like Teams, Jira tickets, Confluence pages, and code commits.

A question worth separating out:

Q: How do organisations know brokered access is actually under control?

A: Organisations know brokered access is under control when every connected provider account has an owner, a defined scope, an auditable reauthorization path, and a documented revoke process. If security cannot answer who owns the connection or how it is retired, the control surface is incomplete and the risk is still active.

👉 Read our full editorial: OAuth plumbing for connected app data is shifting to middleware

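As an added example, not code from either post or from WorkOS, here is a small Python audit that applies the guidance in both posts: it expands GitHub OAuth scopes through an abbreviated copy of GitHub's documented scope nesting (an assumption the team would have to keep current), checks that each brokered connection has an owning business service, and flags grants that are broader than the feature's required scope set. The inventory records are constructed.

```python
"""Audit brokered GitHub OAuth connections for ownership and scope minimisation."""
from dataclasses import dataclass

# Parent scope -> scopes it implies. Abbreviated subset of GitHub's documented
# OAuth scope nesting (assumption: maintained by hand, not fetched from GitHub).
IMPLIES = {
    "repo": {"repo:status", "repo_deployment", "public_repo", "repo:invite", "security_events"},
    "admin:org": {"write:org", "read:org"},
    "write:org": {"read:org"},
    "user": {"read:user", "user:email", "user:follow"},
}

def expand(scopes):
    """Return the set of scopes effectively granted, following implications."""
    effective, stack = set(), list(scopes)
    while stack:
        scope = stack.pop()
        if scope not in effective:
            effective.add(scope)
            stack.extend(IMPLIES.get(scope, ()))
    return effective

@dataclass
class Connection:
    app: str        # application that outsources OAuth to the integration layer
    owner: str      # owning business service; "" means nobody is accountable
    granted: set    # scopes present on the provider grant
    required: set   # minimum scopes the feature actually needs

def audit(conn):
    """Return a list of findings; an empty list means the connection passes."""
    findings = []
    if not conn.owner:
        findings.append("orphaned: no owning business service")
    effective = expand(conn.granted)
    missing = conn.required - effective
    if missing:  # the feature will fail and force a reauthorization round-trip
        findings.append("under-scoped: missing " + ",".join(sorted(missing)))
    needed = expand(conn.required)
    for scope in sorted(conn.granted):
        # A granted scope is too broad if the feature did not ask for it and it
        # confers anything beyond the required set (e.g. 'repo' for read-only use).
        if scope not in conn.required and (expand({scope}) - needed):
            findings.append(f"over-scoped: {scope} exceeds required set")
    return findings

if __name__ == "__main__":
    dashboard = Connection("repo-dashboard", "platform-eng", {"repo", "read:user"}, {"public_repo", "read:user"})
    print(dashboard.app, audit(dashboard))
```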