Subscribe to the Non-Human & AI Identity Journal
Home Glossary Authentication, Authorisation & Trust Connected app token
Authentication, Authorisation & Trust

Connected app token

← Back to Glossary
By NHI Mgmt Group Updated July 6, 2026 Domain: Authentication, Authorisation & Trust

A connected app token is a delegated credential that lets one system call another on behalf of an approved integration. In NHI governance, it must be treated as a production identity because its scope, ownership, and revocation determine how far a compromise can spread.

Expanded Definition

A connected app token is a delegated credential that authorises one application or service to call another within a defined trust relationship. In NHI operations, the token is not just an integration detail; it is a production identity with an owner, a scope, a lifecycle, and a revocation path.

Definitions vary across vendors because some platforms describe these credentials as oauth token, API tokens, or app grants, but the security question is the same: what can this token do, for how long, and what happens if it is copied or leaked? That is why NHI Management Group treats connected app tokens as governed secrets rather than mere configuration values. The operational controls should align to least privilege, explicit expiry, and event-driven revocation, consistent with guidance in the NIST Cybersecurity Framework 2.0.

The most common misapplication is treating a connected app token as a background setting, which occurs when teams reuse broad-scope tokens across multiple integrations and never tie them to a named owner.

Examples and Use Cases

Implementing connected app tokens rigorously often introduces lifecycle overhead, requiring organisations to balance fast integration delivery against tighter approval, rotation, and revocation discipline.

  • A CRM integration uses a token to sync customer records into a billing platform, but the scope is limited to read and write on a single object set.
  • A CI/CD system uses a token to publish build artefacts, with short expiry and automated rotation to reduce blast radius.
  • A support desk app uses a delegated token to pull ticket metadata, while preventing access to attachments or administrative endpoints.
  • A partner-facing workflow uses a service token to submit signed requests through a controlled API gateway, not direct database access.
  • An incident response team revokes a compromised token after suspicious outbound calls, then rebuilds the integration with a narrower scope.

These patterns are visible in real-world breaches and secret exposure reporting, including the Salesloft OAuth token breach and the Guide to the Secret Sprawl Challenge. For implementation baselines, teams can compare token handling to OAuth and bearer-token expectations in the OAuth 2.0 framework and the Bearer Token Usage specification.

Why It Matters in NHI Security

Connected app tokens become dangerous when they are overprivileged, duplicated, or left active after the integration they support has changed. That is a direct NHI governance problem because the token can persist long after the human who created it has moved roles, or the application that issued it has been replaced. NHI Management Group research shows that 91% of former employee tokens remain active after offboarding, a reminder that token lifecycle failures are not edge cases but common control gaps.

The same risk pattern appears in breaches where a token becomes a lateral-movement path into a SaaS tenant, source repository, or customer dataset. Strong governance requires ownership assignment, scope review, storage controls, and automated revocation triggers. It also requires keeping the token distinct from general secrets hygiene, because a valid token is already an authorised identity with reach. Recent exposure trends in The State of Secrets Sprawl 2026 show how frequently secrets now leak outside code, including collaboration tools and ticketing systems, while the 2025 State of NHIs and Secrets in Cybersecurity documents token exposure at scale.

Organisations typically encounter the true blast radius only after a token is leaked, reused, or discovered active during an incident review, at which point connected app token governance becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-02Covers improper secret handling and exposed non-human credentials.
NIST CSF 2.0PR.AA-01Addresses identity proofing, credential management, and access control for digital identities.
NIST Zero Trust (SP 800-207)PA-7Zero trust requires continuous evaluation of service-to-service credentials and access.

Continuously validate token use, limit trust boundaries, and revoke on anomalous behavior.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 6, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org