Authentication: OAuth vs Personal Access Token (PAT) vs enterprise service accounts

Heya guys, we have a question regarding authentication: OAuth vs Personal Access Token (PAT) vs enterprise service accounts.

We are Integromat - a user-friendly automation platform with a visual UI that allows you to connect more than 1000 apps (including Asana) together.

One of our clients has asked us whether it would be possible to also start supporting authentication for the enterprise service accounts. The client is an automation agency which is providing services mainly around Asana. The client has dozens nay hundreds of clients of their own. The reason why they asked us about this is that they sometimes have a hard time getting regular “user” accounts from their clients which can be used for authentication via the OAuth flow. Our understanding is that in order to start supporting authentication for enterprise service accounts, we need to start supporting PAT. This is what we see in your documentation: “Use Service Account tokens as organization-level substitutes for Personal Access Tokens.” (link here)
However, we did not originally develop the PAT authentication because we did not want to get into potential trouble since your documentation also states “Personal Access Tokens are designed for accessing the API from the command line or from personal applications.” (link here)

We’ve checked with our developers and we can develop the PAT authentication method but we cannot limit what auth method is used by which user. E.g. even a non-enterprise regular user would be able to use the PAT to authenticate instead of going through OAuth.

We are wondering whether supporting PAT under these rather complicated circumstances would be against your rules or not. Can you please bring more light into this?

Thanks a bunch! :pray:


Just be careful about one thing: the service account on the Enterprise account gives you access to really everything… As a client, I would not give Integromat access to my service account…

However, asking for someone’s PAT seems OK to me, since they can delete the token when they want to deauthorize the app.

@Phil_Seeman do you have some thoughts?


Heya @Bastien_Siebman, thanks for the reply!

Yep, we understand, it would be up to the customer’s discretion to decide whether they would provide the service account token or not :slightly_smiling_face: And just like you said, deleting the token is just a matter of a few seconds. :+1:

I think you nailed it, @Bastien_Siebman.


Thanks for stepping in @Bastien_Siebman @Phil_Seeman :slightly_smiling_face:

We are still wondering whether supporting PAT under these rather complicated circumstances would be against Asana rules or not. Could you please bring more light into this? Or could you maybe point us towards someone who could give us this kind of information?

You see, the original question still stands - we wouldn’t want to get into compliance trouble with the Asana review/dev team if we also decide to start supporting PAT.

Sooo do you guys know whether we can also start supporting PAT without any “compliance penalties” in the future?

Thanks! :pray:

@Kem_Ozbek @AndrewWong
