OAuthConsentLog — Third-Party OAuth Grants ON Your Users
28 third-party apps with active OAuth grants on YOUR users. Per app: vendor, granted scopes (with criticality), user count, grant age, last-used, vendor-side breach status, recommended action (allow / step-up / review / dormant / consent-renewal-needed / block). Surfaces 4 dormant grants with sensitive scopes + 2 vendors needing user reconsent + 1 unknown-vendor mail.modify grant.
What it is
The companion to ScopeCreep (batch 9, OAuth grants we hold on others) and APITokenAudit (batch 13, our non-OAuth keys). OAuthConsentLog is the OTHER direction — the third-party apps with grants ON our users.
What’s in it
- 28 third-party apps spanning productivity (Notion, Slack, Calendly, Asana, Zoom, Productboard), CRM (HubSpot, LinkedIn SalesNavigator), analytics (PartnerCo Insights, Google Analytics, Heap, Mixpanel), AI (BookkeeperGPT, TaskAI Companion), expense (BookkeepingCo, OldExpense), payments (Stripe Connect), and unknowns.
- Per-app shape:
  - Vendor + category
  - Granted scopes with criticality (low/med/high/crit)
  - User-grants count + grant age + last-used (avg)
  - Vendor risk score (1-5)
  - Vendor breach status
  - Recommended action (allow / step-up / review / dormant / consent-renewal / block)
- Worst-offender findings:
  - OA-027 UnknownAppId — UNKNOWN VENDOR with mail.modify (CRITICAL scope), used 300d ago. URGENT BLOCK.
  - OA-011 EmailBoost — mail.read + mail.send dormant 420d. URGENT BLOCK.
  - OA-008 PartnerCo Insights — VENDOR BREACH disclosed 2024-08. Force USER RECONSENT for all 88 grants.
  - OA-006 Email Snooze — mail.modify + mail.send, 300d dormant. RECONSENT or BLOCK.
  - OA-021 VendorXSearch — search.history scope, 420d dormant. BLOCK.
- Per-app user-comms recommendation — “force USER RECONSENT for all N grants. Email + in-app banner. Block traffic until reconsent.”
Why this shape
OAuth grants accumulate silently. Users authorize an app once; the grant lives forever even if the app is deprecated, the vendor breached, or the scope was over-asked. Google + Microsoft Graph have rolled out App Governance dashboards in 2024 to surface these. OAuthConsentLog prototypes the inventory + decision matrix — the artifact that turns “we have X third-party app integrations” into “we know which 4 to block this week.”
How it ships
Single HTML file, ~18KB. Zero dependencies. 28 apps × per-scope criticality + decision matrix + comms recommendation in 200 lines of vanilla JavaScript.
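The decision matrix described above, as an added example that is not OAuthConsentLog's own code: one grant record in, one of the page's six actions out, with the worst-offender findings as constructed sample input. The scope criticalities, the 180/365-day thresholds, the rule order, the `vendorKnown`/`vendorBreached` field names and the `analytics.read` scope label are all assumptions chosen to reproduce the findings listed on the page.

```javascript
const SCOPE_CRITICALITY = { // assumed criticality per scope (low/med/high/crit)
  "mail.modify": "crit", "mail.send": "crit", "mail.read": "high",
  "search.history": "high", "profile": "low",
};
const RANK = { low: 0, med: 1, high: 2, crit: 3 };
const STALE_DAYS = 180;   // assumed: idle this long -> needs a decision
const DORMANT_DAYS = 365; // assumed: idle this long -> treat as abandoned

// Highest criticality among the granted scopes; an unclassified scope is
// assumed "high" rather than silently treated as harmless.
function worstScope(scopes) {
  return scopes.reduce((worst, s) => {
    const c = SCOPE_CRITICALITY[s] || "high";
    return RANK[c] > RANK[worst] ? c : worst;
  }, "low");
}

// One grant record in, one action out. Order matters: who the vendor is
// and whether it was breached outrank anything about usage.
function recommend(app) {
  const worst = worstScope(app.scopes);
  const sensitive = RANK[worst] >= RANK.high;
  if (!app.vendorKnown && sensitive) return "block";                             // OA-027
  if (app.vendorBreached) return "consent-renewal";                              // OA-008
  if (app.lastUsedDays > DORMANT_DAYS && sensitive) return "block";              // OA-011, OA-021
  if (app.lastUsedDays > STALE_DAYS && worst === "crit") return "consent-renewal"; // OA-006
  if (app.lastUsedDays > STALE_DAYS) return "dormant";
  if (worst === "crit") return "step-up";
  if (worst === "high") return "review";
  return "allow";
}

// Group an inventory by action so "which N to block this week" is one lookup.
function triage(apps) {
  const byAction = {};
  for (const app of apps) { const a = recommend(app); (byAction[a] = byAction[a] || []).push(app.id); }
  return byAction;
}

// Constructed records modelled on the page's findings; the Slack row and
// the "analytics.read" scope name are made up for illustration.
const SAMPLE_APPS = [
  { id: "OA-027", vendor: "UnknownAppId", vendorKnown: false, vendorBreached: false, scopes: ["mail.modify"], lastUsedDays: 300 },
  { id: "OA-011", vendor: "EmailBoost", vendorKnown: true, vendorBreached: false, scopes: ["mail.read", "mail.send"], lastUsedDays: 420 },
  { id: "OA-008", vendor: "PartnerCo Insights", vendorKnown: true, vendorBreached: true, scopes: ["analytics.read"], lastUsedDays: 3 },
  { id: "OA-006", vendor: "Email Snooze", vendorKnown: true, vendorBreached: false, scopes: ["mail.modify", "mail.send"], lastUsedDays: 300 },
  { id: "OA-021", vendor: "VendorXSearch", vendorKnown: true, vendorBreached: false, scopes: ["search.history"], lastUsedDays: 420 },
  { id: "OA-002", vendor: "Slack", vendorKnown: true, vendorBreached: false, scopes: ["profile"], lastUsedDays: 1 },
];
console.log(triage(SAMPLE_APPS));
```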