Skip to content

Trust center / Legal

OAuth & app permissions

A pre-connection explanation of why permissions are requested, what agents can do with them, how authorization is constrained, and how access ends.

OAuth is how you grant limited access without giving Hive Citadel your provider password. When you choose Connect, the provider—not Hive Citadel—authenticates you and displays the requested permissions. Nothing is connected unless you approve that provider screen.

1. Why this page exists

Provider consent screens use technical scope names that can be difficult to evaluate on their own. This page gives the missing product context: the user-facing feature behind a permission, the data involved, whether an action can change provider data, and how to stop access.

It also provides the public, stable disclosure expected during OAuth and app-review processes. It complements—not replaces—the provider consent screen, in-product notices, our Privacy Policy, and our Terms.

2. Four boundaries control every connection

  1. Provider permission. The scopes you approve are the maximum provider-side capability.
  2. Workspace authorization. Your role, workspace, connection ownership, and administrator policy determine availability.
  3. Product capability. An agent can use only tools and operations implemented and enabled for it.
  4. Instruction and approval. The agent must have a relevant request or approved automation. Sensitive external writes generally require confirmation.

A broad provider scope is not standing permission for an agent to act without a relevant feature, valid user/workspace authority, and the required approval.

3. Current OAuth permission purposes

The provider’s live consent screen is authoritative for the exact permissions presented to you. The table below explains the current connector configuration and intended use.

ConnectionData and capability requestedUser-facing purpose
GmailRead/modify, compose and send mail; calendar accessSearch and organize mail, draft/send approved messages, triage conversations, and support calendar workflows from the executive-assistant experience
Google Drive & SheetsRead Drive files; read/write spreadsheetsFind and index selected documents and create or update spreadsheets requested by the user
Google CalendarRead/write calendars and eventsList availability and create, update, RSVP to, or delete events with the required confirmation
Google ContactsRead contactsResolve people and contact details for user-requested communication and scheduling
YouTubeManage channel data and upload videosInspect the connected channel and upload or publish user-approved video content
Microsoft OutlookRead/write and send mail; read/write calendar; basic profile; offline accessEmail assistance, message triage, and scheduling while preserving a long-lived connection
OneDriveRead/write files; basic profile; offline accessFind, ingest, create, and update user-requested files
SharePointRead/write files and sites; basic profile; offline accessSearch and operate on authorized site documents where Microsoft’s delegated model requires tenant-level file/site scope
Microsoft TeamsRead team/channel/chat context; send chat/channel messages; people and profile; offline accessSearch collaboration context and send a message only through an enabled, authorized workflow
LinkedInBasic profile; member/organization publishing and organization administration contextIdentify the connected profile or organization and publish approved social content
InstagramBasic profile and mediaIdentify the connected account and retrieve media needed for supported workflows
XRead/write posts and media; read users; follow/like/bookmark writes; offline accessResearch account context and perform only the social action the user requests and approves
TikTokProfile/stats, video list, upload and publishInspect the connected profile and upload or publish user-approved videos
GitHubProfile, repository, and workflow accessInspect authorized repositories and perform requested repository or automation operations
JiraIdentity, Jira work/user read, issue write, offline accessFind projects and issues and create or update work items requested by the user
WHOOPProfile, body measurements, recovery, cycle, sleep, and workout read; offline accessProvide user-requested health and fitness analysis from the connected member’s data
Stripe ConnectPermission shown by Stripe for the configured connectionAccess the connected Stripe account only for enabled financial operations and reporting

Some enterprise connectors use customer-managed API keys or service credentials rather than OAuth. Those credentials are presented separately and remain subject to the same workspace, tool, instruction, and approval controls.

4. Why some connections request offline access

offline_access or equivalent permission allows the provider to issue a refresh token so a connection can continue after a short-lived access token expires. This is necessary for user-requested background sync, schedules, and automations. Refresh access does not bypass revoked consent, disabled accounts, provider policy, or Hive Citadel authorization.

5. Why write permissions may appear

Features such as sending email, updating a spreadsheet, publishing a video, creating a calendar event, or editing an issue require provider write scopes. Providers often define one scope for several operations rather than offering a separate scope for every product button. Hive Citadel narrows that technical capability through tool design, workspace access, contextual instructions, audit records, and confirmation gates.

6. What is stored

  • Connection provider, account identifiers, granted scopes, status, and synchronization metadata.
  • Encrypted access and refresh tokens, where the provider issues them.
  • Content or metadata retrieved for enabled features, such as indexed source documents, messages, events, or workflow results.
  • Bounded operational and audit information needed for reliability, security, support, and accountability.

Tokens are server-side credentials. They are not intentionally exposed to agents, chat transcripts, public URLs, or other users.

API-key connections do not have a provider consent screen. The connect form therefore identifies the credential fields, provider setup page, selected environment where applicable, and the capability boundary. Use scoped tokens where the provider supports them, create credentials only in the provider’s own console, and rotate or revoke them at the provider after disconnecting.

7. Data-use commitments

  • We do not sell connected-service data.
  • We do not use connected-service data for advertising.
  • We do not use connected-account data to train generalized AI/ML models.
  • We use data only for user-facing features, security, support with appropriate authorization, legal compliance, and the limited purposes described in the Privacy Policy.

Our use of information from Google APIs adheres to the Google API Services User Data Policy, including Limited Use requirements.

8. Disconnecting and revoking access

Disconnect in Hive Citadel to remove the stored connection credential and stop future product use of it. Revoke at the provider to invalidate the provider-side grant. For the strongest result, do both.

  • Google: Google Account third-party connections
  • Microsoft: account or organization consent controls in Microsoft Entra
  • GitHub: Settings → Applications → Authorized OAuth Apps / GitHub Apps
  • Other providers: connected-app, security, integrations, or authorized-app settings

Use the Data Removal page to delete stored connection data and other account data. Provider-side data remains with the provider unless you delete it there.

9. Questions or unexpected permissions

Do not approve a connection if the provider screen identifies a different app, publisher, domain, or unexpected permission. Cancel the flow and contact support@hivecitadel.com with the provider name and a screenshot that contains no token, password, or one-time code.