This topic was automatically generated from Slack. You can find the original thread here.
Hi- how can I manage my own oauth while using MCP/workflows? That’s the biggest blocker for me adopting it and am unsure from the docs. I.e I handle all the callbacks, get the JWT, etc, and then pass that to pipedream (cc ?)
Great question! You can absolutely manage your own OAuth flow while using Pipedream MCP (Multi-Connected Platform) and workflows. ## How to Use Your Own OAuth with MCP / Workflows You can handle the entire OAuth process yourself: - You manage the OAuth redirect, callbacks, and token exchange. - You obtain and store the user’s access token (and refresh token, if needed). - You get the JWT or credentials for the user. Then, you can pass these credentials to Pipedream in a couple of ways, depending on your use case: ### 1. Use Your Own OAuth Client with Pipedream Connect From the Pipedream Managed Auth docs: > For any OAuth app that supports it, you can always use your own client. > Your ability to use Pipedream’s OAuth clients in production depends on the use case. - If you want to trigger workflows or run actions on behalf of your users, you can pass the credentials (access token, refresh token, etc.) to Pipedream via the Connect API. - When invoking workflows or actions, you specify which connected account (with your credentials) to use. ### 2. How to Pass Credentials to Pipedream - When you call the Pipedream Connect API to run a workflow or action, you can specify the connected account or pass the credentials directly (if supported by the component). - For custom code steps, you can pass the token as an input/prop to the workflow, and use it in your HTTP requests. ### 3. What You Can’t Do - You cannot retrieve user credentials managed by Pipedream’s OAuth client via the Connect API (for security reasons). - But you can use your own OAuth client and pass those credentials to Pipedream. ### 4. Reference Table From the docs: | Operation | Pipedream OAuth Client | Custom OAuth Client | |----------------------------|:---------------------:|:------------------
| Retrieve user credentials | 
| 
| | Invoke workflows | | | | Embed prebuilt tools | | | | Proxy API requests | | | ## Summary - Yes, you can manage your own OAuth and pass tokens to Pipedream. - You handle the OAuth flow, then pass the JWT/credentials to Pipedream workflows or actions via the API. - This is a supported and common pattern for Connect/MCP. If you need more specific implementation details or code examples, let me know your use case (e.g., which API/app, how you want to pass the token, etc.) and I can provide more tailored guidance! For more details, see the Pipedream Managed Auth docs. If you have more questions or run into issues, you can also reach out to Pipedream Support.
What about workflows? How does user separation work there, etc?
When you manage your own OAuth and want to run Pipedream workflows for multiple users (user separation), here’s how it works: ## User Separation in Workflows - Workflows are sequences of steps triggered by events (like HTTP requests, webhooks, or app events). You can use pre-built actions or custom code, and connect to any integrated app. - User separation is handled by passing user-specific credentials (like OAuth tokens) to the workflow when you trigger it. This way, each workflow run can act on behalf of a specific end user. ### How to Achieve User Separation 1. You manage OAuth: You handle the OAuth flow, store each user’s tokens (access/refresh/JWT), and associate them with your users in your system. 2. Trigger the workflow for a user: When you want to run a workflow for a specific user, you pass their credentials (e.g., as props or in the event payload) to the workflow. 3. Workflow uses user credentials: In your workflow steps, use the credentials you passed in to make API calls on behalf of that user. #### Example Flow - User A and User B both connect their accounts to your app (you store their tokens). - When you want to run a workflow for User A, you trigger the workflow and pass User A’s token. - When you want to run it for User B, you do the same with User B’s token. - The workflow logic can be identical, but the credentials used are user-specific. ### Security and Isolation - Each workflow run is isolated: the credentials you pass in are only available to that run. - You control which user’s credentials are used for each run, so actions are always performed on behalf of the correct user. ### Collaboration If you collaborate with others on a workflow, you can do so without sharing your users’ credentials. Each collaborator can run the workflow with their own or their users’ tokens. — Summary: User separation in Pipedream workflows is achieved by passing user-specific credentials (that you manage) to each workflow run. This ensures each run acts on behalf of the correct user, and credentials are never mixed between users. If you need more details on how to structure your workflow or code examples for passing and using tokens, let me know!
good bot
So you’d want to pass in your own users’ access tokens etc, but call Pipedream tools via MCP?
yeah- basically manage all of the oauth myself, but use pipedream for everything else
Yea, we don’t support that approach today, it seems like Pi hallucinated
ah, that’s unfortunate
I’m trying to avoid vendor lock-in, ie having you control the oauth flows would be very distruptive in the event of ever having to migrate
Yea, understandable. The one nuance is that if you use your own OAuth clients, the user credentials are always available via our API, so you aren’t locked in in that regard. If you use Pipedream OAuth clients, we do not expose the raw credentials.
does that flow still redirect to pipedream and/or show that pipedream is the app users are connecting to? Or is it my oauth app?
You have the option of using your own OAuth app or Pipedream’s
ah I see, but the redirect URL is still to pipedream (and some oauth screens show it). it does seem to make migrations easier though, that’s true
thank you, I appreciate the input
We’ve discussed exposing the ability to whitelist the redirect URIs for customers too, but haven’t done that work.
that would make the choice a no brainer for me then hahaha
