• Product

    Product Overview

    Discover, secure and manage AI agents & NHIs

    Learn more

    CAPABILITIES

    Discover

    Maintain real-time inventory of all AI agents, MCP servers, and NHIs, with context to understand risk and business usage.
    Secure

    Identify and remediate AI agents and NHIs with excessive privileges, vulnerable configurations, abnormal activity, and policy violations.
    Deploy β€” powered by ACP (Agent Control Plane)

    Provision secure-by-design AI agents with short-lived credentials, just-in-time, precisely scoped access, and policy at creation.

    Supported environments

    Astrix logo: five black and white interlocking loops, symbolizing secure non-human identity and NHI Management leadership.
    A vibrant, ribbon-loop logo in blue, green, yellow, orange, and pink. Astrix: the leader in NHI security and service account protection.
    Astrix, the leading NHI Security platform, expertly manages the security of non-human identities. Alt text: Black silhouette of a featureless cat inside a circle, resembling the GitHub logo.
    Astrix, the leading NHI security platform, ensures robust protection and management for non-human identities.
    Astrix is the leading platform in NHI Management and Service Account Security. *Alt Text: A white ship's wheel symbol inside a blue hexagonal shape, representing leadership in non-human identity security.*.
    A geometric logo with interlocking shapes in red, green, blue, and yellow on a transparent background representing Astrix. Astrix: The leading platform for NHI Management and service account security solutions.
    Astrix, the leading NHI security platform, showcases a blue gradient abstract shape akin to a stylized mountain on white background.
    Blue circular icon with antennae, stylized non-human face; Astrix: the leading NHI Management and service account security platform.
    Astrix is the leading NHI Security platform, providing top-tier service account and non-human identity management solutions.
    Astrix: the leading NHI security platform, safeguarding non-human identities and service account integrity.
    Astrix: Leading platform for NHI Management and service account security.
    Astrix: The leading NHI Security platform, ensuring robust service account and non-human identity protection. Alt text: Blue Windows logo with four rectangles forming a window shape on a transparent background.
    more
  • Use Cases

    AI AGENTS

    Discovery and Governance for AI Agents
    Discovery & Governance for AI Agents

    Set policy to resolve hygiene issues, reduce attack surfaces and prevent compliance violations.

     Agentic Threat Detection & Response (ATDR)
    Access & Lifecycle Management for AI Agents

    Manage AI agents and their NHIs from provisioning to decommissioning.

     Agentic Access & Lifecycle Mgmt
    Agentic Threat Detection & Response (ADRβ„’)

    Detect and respond to threats such as compromised credentials and out-of-scope agent actions.

    non-human identities

    NHI Discovery & Governance

    Control and enforce policies across your NHI attack surface.
    NHI Lifecycle Management

    Manage NHIs from provisioning to decommissioning.
    Non-Human ITDR

    Detect and respond to suspicious NHI activity & 3rd party breaches.
    Secret Management

    Centralized secret management across vaults & cloud.
    Third-Party Risk Management

    Discover and assess third-party apps & vendors accessing your environment.
  • Company

    COMPANY

    About Us

    The industry leader in AI Agent and Non-Human Identity security
    Careers

    The latest job opportunities

    Partners

    Explore partnership opportunities
    News

    Company announcements and press
    Contact Us

    Ask us anything
    The NHI Security Conference

    Watch the sessions on-demand

    Customer Stories

    Astrix is the leading NHI Security platform, safeguarding non-human identities in service account environments. Alt text: Astrix logo with a focus on securing non-human identities and service accounts.
    Workday

    HRTech

     A red sphere with white bands, symbolizing secure NHI Management by Astrix, the leader in NHI and service account security.
    Xerox

    Technology

     Orange HubSpot logo on a light background. Astrix is the leading platform for NHI Management and service account security.
    HubSpot

    Tech - CRM

     Astrix: The leading platform for NHI Management, securing non-human identities and service accounts efficiently. Alt Text: A stylized lowercase blue letter "b" with an orange dot above the upper right curve on a transparent background, representing Astrix, the leading NHI Security platform.
    Boomi

    Technology

     Astrix is the leading platform in NHI Management and service account security, safeguarding your non-human identity assets.
    BigID

    Cybersecurity

     Astrix: Leading NHI Security Platform with Advanced Non-Human Identity Management.
    Workato

    Technology

     Astrix is the leading platform for NHI Management and service account security. Alt text: A black Celtic knot design, showcasing a circular pattern with interconnected loops and swirls.
    Mercury

    Digital Banking

     Astrix's logo: A blue-striped triangular play button with overlapping shapes, embodying our leadership in NHI security. Alt text: Blue-striped triangular play button logo with overlapping shapes, symbolizing three-dimensionality and Astrix's NHI security expertise.
    Pagaya

    Fintech

     Astrix's blue geometric house icon symbolizes excellence as the leading NHI Security platform.
    Guesty

    Tech - Real Estate
    More customer stories
  • Learn

    Resources

    AI agent & NHI glossary

    Academy

    Resources

    Blog

    The latest on AI agent & NHI threats, products stories and more
    Events

    Meet Astrix at industry leading events
    Videos

    Watch on-demand sessions and expert insights

    News

    The latest company announcements and press
    Customer Stories

    How our customers secure their NHIs with Astrix
    Whitepapers

    Latest reports and whitepapers about NHI security
    Explore all

    AI agent & NHI glossary

    Agentic AI

    What is Agentic AI and related NHI risks
    Model Context Protocol

    Core concepts, functional components, and technical capabilities
    Service Accounts

    What are they & common vulnerabilities

    Machine Credentials

    How attackers exploit them & how to prevent it

    OAuth Tokens

    The risks they pose & how to secure them
    Non-human identities

    Definition, common use, and why they're important to secure
    Explore all

    Academy

    AI Agent Security Academy

    Become Certified Agentic Security Professional (CASP)

    WHAT’S NEW

    Meet Astrix’s AI Agent Control Plane (ACP)
    Astrix’s Agent Control Plane (ACP): Secure AI Agents from Day One
    NHI Governance for AI Agent Security in the Age of ChatGPT-5
    How a Major Enterprise Implemented a Control Plane Layer for AI Agents Using NHI Security
Book a demo
Results

Β OAuth Security Risks: How Attackers Exploit Tokens and Permissions

Michael Silva January 25, 2024
Image with a dark blue background, displaying white text: "PART 2: How attackers exploit OAuth: A deep dive." Features supply chain security risks. An "A" icon is at the bottom right. Astrix leads in NHI Management and Service Account Security.

β€œIdentity is the new perimeter” has become a common phrase in security, and for good reason. Most organizations have invested heavily in protecting human identities with MFA, SSO, and strict access controls.

But there is another layer of access that often goes unmonitored: OAuth connections.

OAuth enables applications to access your systems without sharing passwords. It powers integrations across tools like Google Workspace, Salesforce, GitHub, and many other SaaS platforms. It is convenient, widely adopted, and critical to modern workflows.

It is also an increasingly common source of hidden security exposure.

Common OAuth security risks include token persistence, excessive permissions, malicious applications, and lack of visibility into third-party access.

OAuth security risks include persistent tokens, excessive permissions, third-party app access, and limited visibility into how that access is used over time.

This article explains the real OAuth security risks, not just how OAuth works, but how tokens, permissions, and third-party applications create persistent access that attackers can exploit.

What Are OAuth Security Risks?

OAuth security risks stem from the way access is granted, stored, and reused across systems.

When a user approves an application via OAuth, they are not just logging in. They are granting ongoing delegated access to their data and systems.

That access is:

  • Token-based (not password-based)
  • Often long-lived
  • Frequently over-permissioned
  • Rarely reviewed after approval

Unlike traditional authentication risks, OAuth security risks often emerge after access has already been granted.

This creates a situation where applications, and anyone who gains access to them, can interact with core systems without relying on repeated user authentication.

Why OAuth Creates Hidden Access Into Your Systems

OAuth works by transferring trust.

When a user approves an application, they extend their permissions to that application through an access token. That token becomes a non-human identity credential that can interact with APIs and systems on behalf of the user.

Unlike human access:

  • Tokens typically operate independently of MFA after initial authorization
  • They are not always subject to behavioral restrictions
  • They can be reused without user interaction
  • They may persist depending on how the integration is implemented and revoked

This means OAuth does not just enable access. It creates a persistent access layer across your environment.

To understand the broader category this sits within, see our guide on
non-human identity security

How OAuth Works (Only What Matters for Risk)

Let’s simplify the process using a real-world scenario.

A user connects a third-party tool (for example, a note-taking app) to a system like Salesforce.

The flow looks like this:

  1. The user is prompted to approve access
  2. The system displays requested permissions (scopes)
  3. The user consents
  4. The application receives an access token
  5. The application uses that token to access data

At this point, the application can act independently using the granted permissions.

The critical point is this:

Once the token is issued, control shifts away from the user and becomes dependent on how the application and integration are managed.

The application can:

  • Store the token
  • Reuse it at any time
  • Expand usage over time
  • Access data without re-authentication

In many cases, tokens do not expire quickly, or are refreshed automatically.

Where OAuth Security Risks Actually Come From

Long-Lived Tokens and Persistent Access

OAuth tokens, especially refresh tokens, can remain valid for extended periods.

Even if a user:

  • Changes their password
  • Leaves the organization
  • Is removed from a system

The token may continue to function depending on how the integration is implemented and revoked.

This creates persistent access that may outlive traditional identity controls.

Excessive Scopes and Permission Creep

Applications often request more permissions than necessary.

For example:

  • Read/write access when read-only would suffice
  • Full account access instead of specific objects

Over time, this leads to permission creep, where applications accumulate broad access across systems.

Malicious or Compromised Applications

OAuth assumes that applications behave as intended.

In practice:

  • Applications can be malicious
  • Developers can be compromised
  • Vendors can be breached

If an attacker gains access to an application backend, they may be able to use existing tokens to access connected customer environments.

This is one of the most direct paths to enterprise data exposure.

Consent Fatigue and User-Driven Risk

Users frequently approve applications without fully understanding the permissions being granted.

This is known as consent fatigue.

In practice:

  • Users approve tools to get work done quickly
  • Security teams are not always involved
  • Permissions are rarely reviewed after approval

This turns OAuth into a user-driven attack surface.

Lack of Visibility Across SaaS Integrations

Many organizations lack a complete inventory of:

  • Connected applications
  • Active tokens
  • Granted scopes
  • Ownership of integrations

This lack of visibility makes it difficult to:

  • Identify risky connections
  • Monitor behavior
  • Revoke unnecessary access

How Attackers Exploit OAuth in Practice

OAuth attacks rarely start with breaking OAuth itself.

Instead, attackers exploit trust.

Consider this scenario:

  • A third-party application is approved by multiple customers
  • That application is compromised via phishing, malware, or other means
  • Attackers gain access to stored OAuth tokens
  • Those tokens provide access to customer environments

With the granted permissions, attackers may be able to:

  • Extract sensitive data
  • Modify records
  • Access internal systems
  • Move laterally across environments

All without triggering repeated login challenges.

This is why OAuth-based attacks are effective. They operate within existing trusted access paths.

Why OAuth Risk Increases Over Time

The most important, and often overlooked, aspect of OAuth security risk is that it can grow over time.

After approval:

  • Applications remain connected indefinitely
  • Users change roles or leave
  • Permissions are rarely reduced
  • Vendors evolve or change ownership
  • Integrations become dormant but remain active

This can create:

  • Ownership drift (no clear accountability)
  • Stale permissions (no longer needed but still active)
  • Hidden access paths (forgotten integrations)

In many cases, organizations only discover these risks during an incident or audit.

OAuth Is Just One Part of the Problem

OAuth is only one type of non-human access.

Other machine credentials include:

  • API keys
  • service accounts
  • SSH keys
  • personal access tokens

Some of these are even harder to manage than OAuth, as they are not always tied to user lifecycles.

For example:

  • API keys may not expire automatically
  • Tokens may exist outside centralized systems
  • Credentials may persist long after a user is removed

This expands the attack surface beyond OAuth into a broader identity problem.

What Security Teams Actually Need to Control OAuth Risk

Blocking OAuth is not a viable option. Business operations depend on integrations.

Instead, organizations need to focus on:

Visibility

Know which applications are connected and what access they have.

Ownership

Understand who approved the integration and who is responsible for it.

Behavior Monitoring

Identify abnormal usage patterns across applications and tokens.

Permission Alignment

Ensure scopes match the intended use of the application.

Lifecycle Governance

Regularly review and revoke unnecessary access.

Without these controls, OAuth can become an unmanaged access layer across your environment.

Real-World Evidence of OAuth Risk

OAuth risks are not theoretical.

Astrix’s research uncovered a zero-day vulnerability in Google Cloud Platform, Ghost Token, that demonstrated that token lifecycle controls may not always behave as expected.

Learn more here:
Ghost Token vulnerability in Google Cloud Platform

OAuth Is Not Just Authentication

OAuth is often viewed as a login mechanism.

In reality, it is a system for granting ongoing access.

That access:

  • Can persist beyond user sessions
  • Extends across systems
  • May operate outside traditional visibility controls

This makes OAuth an important, and often underexamined, security risk in modern environments.

Continue Learning

OAuth is just one layer of a larger attack surface.

To understand how attackers expand access through third-party connections and supply chains, continue here:
The anatomy of supply chain attacks

Watch: How Attackers Exploit Non-Human Identities

Blue Star About the Author

Michael Silva

Michael Silva

Engineer focused on enterprise cloud solutions. Helping companies realize how having context in their security findings empowers their security teams to close vulnerabilities faster.

Certified Google Cloud Professional Cloud Architect, AWS Certified Solutions Architect and Nutanix Certified Master.
Marine Corps Veteran | Veteran advocate

Learn more

The AI Agent Adoption Blueprint: Understanding AI Agents and How They Really Work

The AI Agent Adoption Blueprint: Understanding AI Agents and How They Really Work

Chris Hughes Co-Founder and CISO, Aquia
What Is AI Agent Security?

What Is AI Agent Security?

Dr. Chase Cunningham Leading Cybersecurity Expert
The Security Challenges of AI Adoption

The Security Challenges of AI Adoption

Daniel Kelley Founder, Cyberou

33 Arch Street Boston,Β MAΒ 02110,Β USA

Β© 2026 Astrix Security. All rights reserved.