SabNode supports OAuth 2.0 with PKCE for third-party apps, scoped API keys for backend integrations and short-lived service tokens for ephemeral jobs. Every credential has fine-grained scopes, optional IP allowlists, configurable lifetime and a full audit log of every API and MCP call it makes.
Most CRMs ship a single "API key" that grants full read-write across the entire workspace. The first developer who builds an integration drops it in their .env, the .env leaks to a public Git repo six months later, and now an attacker can export every contact, send broadcasts and delete data. Rotating that key breaks every integration at once because nothing was scoped.
The second pain is OAuth done poorly. Many SaaS products implement a half-OAuth flow without PKCE, without refresh-token rotation, without proper redirect URI validation. Audit teams flag it, customers refuse to install third-party apps, and your marketplace dies before it starts.
The third is auditability. When a regulator asks "who called the contacts export endpoint in February?", you should have a clean answer in 30 seconds. With most CRMs the answer is a Slack archaeology session and a confession that you cannot tell. SabNode treats credentials as a first-class security primitive.
SabNode supports three credential types. Scoped API keys are long-lived secrets minted in the dashboard for backend integrations — your nightly Snowflake sync, your internal admin script, your Vercel function. Each key has a list of scopes (contacts:read, messages:write, broadcasts:write and so on), an optional IP allowlist, an optional expiry date and a rate limit. Rotating a key issues a new secret while letting the old one keep working for a grace period of up to 30 days.
OAuth 2.0 with PKCE is the path for third-party apps and marketplace integrations. The full authorization-code flow with PKCE is supported (S256 only), refresh tokens rotate on every use, and redirect URIs are validated with strict equality. The OAuth server exposes the standard discovery endpoints (/.well-known/oauth-authorization-server, /.well-known/openid-configuration where relevant) so MCP clients and SDKs that auto-discover endpoints work out of the box. Client-credentials grant is available for machine-to-machine integrations that do not need user context.
Permissions are scoped, not roled. Instead of "admin" or "agent", credentials carry the precise scopes they need: contacts:read, contacts:write, contacts:delete, messages:read, messages:write, flows:execute, broadcasts:write, audit:read, and so on. Workspace admins can define reusable scope bundles ("Marketing Backend", "Support Read-only") that map to common integration shapes. Wildcard scopes are not exposed — every grant is explicit.
Every API and MCP call is written to a tamper-evident audit log with the credential ID, the caller IP, the endpoint, the parameters (PII-redacted), the response code and the duration. The log is searchable in the dashboard for 90 days, exportable to S3 indefinitely, and accessible by the audit:read scope for your SIEM or compliance tooling.
Capabilities
Standard authorization-code flow with PKCE S256, strict redirect URI matching and refresh-token rotation. Client-credentials and device-code grants are available for headless integrations and CLI tools.
Long-lived backend keys with an explicit scope list. No "admin" wildcard. Optional IP allowlist, optional expiry, optional rate-limit override. Rotation grants a 30-day grace period for zero-downtime cutovers.
About 30 scopes covering read, write and delete across every object type. Compose them into reusable bundles for common integration shapes. Wildcard grants are intentionally absent.
Refresh tokens are single-use. On refresh, the old token is invalidated, and the new pair is issued. Token replay attacks against a stolen refresh token are detected and shut down the OAuth grant.
Restrict a credential to a CIDR list. Calls from outside the list return 401 with a structured error. Useful for locking integrations to your VPC NAT or your office static IP.
Every authenticated call writes an audit entry. Search by credential, IP, endpoint, status or PII access. Export to S3 or stream to your SIEM via webhook for long-term retention and analysis.
Short-lived (5-60 minute) tokens minted on demand for ephemeral jobs. Useful for CI pipelines, Vercel Sandbox runs and one-off migrations. Expire automatically, leaving no long-tail attack surface.
Use cases
A third-party analytics app uses OAuth 2.0 with PKCE to ask a SabNode user for read-only access to broadcasts and analytics. The user sees the precise scopes on the consent screen and approves; the app never sees the user's password.
A fintech mints a contacts:read,messages:read API key with an IP allowlist on its NAT egress range and a daily expiry. The nightly job rotates the key automatically through their secrets manager.
A healthcare compliance auditor is granted an audit:read,contacts:read token for 14 days. They can pull the audit log and verify access patterns without being able to write or delete anything in the workspace.
A GitHub Actions workflow mints a 15-minute service token at the start of a deploy, uses it to update flow definitions, and lets it expire. No long-lived credentials sit in CI environment variables.
An agency manages 40 client workspaces with OAuth. Each workspace consents independently. Revoking an agency app from one client does not affect the other 39, and the agency's dashboard shows scopes per workspace.
How it works
OAuth 2 & API Keys is included on every SabNode workspace. No separate billing, no extra setup, flip it on from your workspace settings.
API key for backend integrations, OAuth app for third-party software, service token for ephemeral jobs. Mix and match per workspace.
Select the precise scopes the credential needs. Use a saved scope bundle or compose from the catalogue. No wildcards.
IP allowlist, expiry date, rate-limit override, audit-level logging. Each guardrail is optional and editable post-creation.
API keys are shown once and stored hashed at rest. OAuth secrets follow the standard discovery flow. Service tokens are minted on demand and never persisted.
Audit log shows usage in real time. Rotate keys with a 30-day grace window. Revoke OAuth grants per workspace without affecting others.
Connect directly with your existing stack or leverage the Platform Core tools to extend capabilities natively.
Enhance this feature with deep integrations into our core infrastructure. Connect via API, utilize webhooks, or embed directly using our SDKs.
Manage all settings seamlessly within the core UI.
Extend functionality with custom automated workflows.
Can't find what you're looking for? Talk to our team.
No credit card. No sales call required. Spin up a workspace, plug in a number, and your team is live in under an hour.