SabNode
Start free
AllConversationsAutomationCustomer DataGrowthAnalyticsCommerceDeveloperExplore products
Developer · OAuth 2 & API Keys

Permissions you can defend in a security review.

SabNode supports OAuth 2.0 with PKCE for third-party apps, scoped API keys for backend integrations and short-lived service tokens for ephemeral jobs. Every credential has fine-grained scopes, optional IP allowlists, configurable lifetime and a full audit log of every API and MCP call it makes.

  • OAuth 2.0 with PKCE for apps
  • Scoped API keys for servers
  • Refresh tokens with rotation
  • IP allowlist + audit log per key
Start free Talk to salesBrowse all features
The problem

A leaked admin token is a six-figure incident

Most CRMs ship a single "API key" that grants full read-write across the entire workspace. The first developer who builds an integration drops it in their .env, the .env leaks to a public Git repo six months later, and now an attacker can export every contact, send broadcasts and delete data. Rotating that key breaks every integration at once because nothing was scoped.

The second pain is OAuth done poorly. Many SaaS products implement a half-OAuth flow without PKCE, without refresh-token rotation, without proper redirect URI validation. Audit teams flag it, customers refuse to install third-party apps, and your marketplace dies before it starts.

The third is auditability. When a regulator asks "who called the contacts export endpoint in February?", you should have a clean answer in 30 seconds. With most CRMs the answer is a Slack archaeology session and a confession that you cannot tell. SabNode treats credentials as a first-class security primitive.

What it is

OAuth 2 & API Keys, in depth.

SabNode supports three credential types. Scoped API keys are long-lived secrets minted in the dashboard for backend integrations — your nightly Snowflake sync, your internal admin script, your Vercel function. Each key has a list of scopes (contacts:read, messages:write, broadcasts:write and so on), an optional IP allowlist, an optional expiry date and a rate limit. Rotating a key issues a new secret while letting the old one keep working for a grace period of up to 30 days.

OAuth 2.0 with PKCE is the path for third-party apps and marketplace integrations. The full authorization-code flow with PKCE is supported (S256 only), refresh tokens rotate on every use, and redirect URIs are validated with strict equality. The OAuth server exposes the standard discovery endpoints (/.well-known/oauth-authorization-server, /.well-known/openid-configuration where relevant) so MCP clients and SDKs that auto-discover endpoints work out of the box. Client-credentials grant is available for machine-to-machine integrations that do not need user context.

Permissions are scoped, not roled. Instead of "admin" or "agent", credentials carry the precise scopes they need: contacts:read, contacts:write, contacts:delete, messages:read, messages:write, flows:execute, broadcasts:write, audit:read, and so on. Workspace admins can define reusable scope bundles ("Marketing Backend", "Support Read-only") that map to common integration shapes. Wildcard scopes are not exposed — every grant is explicit.

Every API and MCP call is written to a tamper-evident audit log with the credential ID, the caller IP, the endpoint, the parameters (PII-redacted), the response code and the duration. The log is searchable in the dashboard for 90 days, exportable to S3 indefinitely, and accessible by the audit:read scope for your SIEM or compliance tooling.

Capabilities

Everything you get with OAuth 2 & API Keys.

7 capabilities
01

OAuth 2.0 + PKCE

Standard authorization-code flow with PKCE S256, strict redirect URI matching and refresh-token rotation. Client-credentials and device-code grants are available for headless integrations and CLI tools.

02

Scoped API keys

Long-lived backend keys with an explicit scope list. No "admin" wildcard. Optional IP allowlist, optional expiry, optional rate-limit override. Rotation grants a 30-day grace period for zero-downtime cutovers.

03

Fine-grained scopes

About 30 scopes covering read, write and delete across every object type. Compose them into reusable bundles for common integration shapes. Wildcard grants are intentionally absent.

04

Refresh-token rotation

Refresh tokens are single-use. On refresh, the old token is invalidated, and the new pair is issued. Token replay attacks against a stolen refresh token are detected and shut down the OAuth grant.

05

IP allowlists

Restrict a credential to a CIDR list. Calls from outside the list return 401 with a structured error. Useful for locking integrations to your VPC NAT or your office static IP.

06

Audit log

Every authenticated call writes an audit entry. Search by credential, IP, endpoint, status or PII access. Export to S3 or stream to your SIEM via webhook for long-term retention and analysis.

07

Service tokens

Short-lived (5-60 minute) tokens minted on demand for ephemeral jobs. Useful for CI pipelines, Vercel Sandbox runs and one-off migrations. Expire automatically, leaving no long-tail attack surface.

Use cases

Built for the way teams actually work.

SaaS
Case 01

Marketplace app install

A third-party analytics app uses OAuth 2.0 with PKCE to ask a SabNode user for read-only access to broadcasts and analytics. The user sees the precise scopes on the consent screen and approves; the app never sees the user's password.

Financial Services
Case 02

Locked-down nightly sync

A fintech mints a contacts:read,messages:read API key with an IP allowlist on its NAT egress range and a daily expiry. The nightly job rotates the key automatically through their secrets manager.

Healthcare
Case 03

Auditor read-only access

A healthcare compliance auditor is granted an audit:read,contacts:read token for 14 days. They can pull the audit log and verify access patterns without being able to write or delete anything in the workspace.

EdTech
Case 04

CI deployment token

A GitHub Actions workflow mints a 15-minute service token at the start of a deploy, uses it to update flow definitions, and lets it expire. No long-lived credentials sit in CI environment variables.

B2B
Case 05

Multi-tenant agency

An agency manages 40 client workspaces with OAuth. Each workspace consents independently. Revoking an agency app from one client does not affect the other 39, and the agency's dashboard shows scopes per workspace.

How it works

From signup to first send in minutes.

OAuth 2 & API Keys is included on every SabNode workspace. No separate billing, no extra setup — flip it on from your workspace settings.

  1. 01

    Choose credential type

    API key for backend integrations, OAuth app for third-party software, service token for ephemeral jobs. Mix and match per workspace.

  2. 02

    Pick scopes

    Select the precise scopes the credential needs. Use a saved scope bundle or compose from the catalogue. No wildcards.

  3. 03

    Configure guardrails

    IP allowlist, expiry date, rate-limit override, audit-level logging. Each guardrail is optional and editable post-creation.

  4. 04

    Distribute safely

    API keys are shown once and stored hashed at rest. OAuth secrets follow the standard discovery flow. Service tokens are minted on demand and never persisted.

  5. 05

    Monitor & rotate

    Audit log shows usage in real time. Rotate keys with a 30-day grace window. Revoke OAuth grants per workspace without affecting others.

Plays well with

Works with the tools you already ship on.

OAuth 2.0OIDCGitHub ActionsAWS IAMVaultDopplerVercelOkta
Frequently asked

Questions about OAuth 2 & API Keys.

Can't find what you're looking for? Talk to our team.

Do you support OAuth 2.1?
Our OAuth implementation already follows the OAuth 2.1 best-current-practice profile: PKCE is mandatory for public clients, refresh tokens rotate on every use, the implicit and password grants are not exposed, and redirect URIs are validated by strict string equality with no wildcards. When the 2.1 spec is finalised, we will align to its final wire details without breaking existing apps.
How are API keys stored?
API keys are hashed with bcrypt at rest. The plaintext is shown to the user exactly once at creation and never again. The hash is what is checked on every request. A leaked database dump does not expose any valid API keys — even from a successful attacker on the row level.
Can I scope a key to a single contact segment?
Not yet. Scopes today are operation-level (contacts:read across the workspace). Row-level scoping by segment or tag is on the roadmap and is already available for read tools in MCP when paired with an upstream filter, but native row-level API key scoping ships later this year.
How does revocation propagate?
Revocation is immediate for API keys and OAuth refresh tokens — both go through a cache layer with a sub-second TTL, so the next request after revocation is rejected. Active OAuth access tokens live up to their TTL (default 60 minutes) before they must refresh, at which point the revoked refresh token blocks them.
Is multi-factor required for credential creation?
Yes for workspace admins on the Pro plan and above. MFA is enforced on the create-API-key, rotate-API-key and revoke-OAuth-app operations. Enterprise workspaces can require MFA on every sensitive admin action, with a configurable session-rebind window.
Can I use this for inbound webhooks too?
Inbound webhook receivers use HMAC signing per the Webhooks feature; OAuth is for outbound API and MCP traffic. The two systems share the same audit-log surface, so a security review can see all integration traffic — inbound and outbound — in one place.
How do I integrate with my secrets manager?
We have first-party guides for HashiCorp Vault, AWS Secrets Manager, Doppler and 1Password. The pattern is the same: a script mints the API key, writes it to your manager, and your application reads it at boot. Rotation is automated by a cron job that reads the current key, mints a new one, writes it, and lets the 30-day grace period absorb the cutover.
Related features

Stronger when stacked.

Browse every feature
REST API
Typed REST + webhooks for every object. SDKs for JS, Python and Go.
Read more
Webhooks
Inbound and outbound, with retries, signing and dead-letter queue.
Read more
MCP Server
Plug any LLM into your SabNode workspace via Model Context Protocol.
Read more
Environments
Sandbox → staging → production with per-env credentials and domains.
Read more
Developer · OAuth 2 & API Keys

Ship oauth 2 & api keys into production this week.

No credit card. No sales call required. Spin up a workspace, plug in a number, and your team is live in under an hour.

Start free Book a demoSee pricing