Question

Some questions about Workflow Credentials

  • September 30, 2025
  • 4 replies
  • 123 views

dvdsmpsn

We've been using the new workflow credentials feature as we migrate our recipe sentences to the new workflow infrastructure.

In our existing recipe sentences, we control all the logic around the OAuth dance and securing the user tokens. We have [self-service mechanisms to revoke and delete the stored token](https://monday-help.dsapps.dev/microsoft-365-office-embedded/revoking-access-to-microsoft-365) for a single user, and for the account admin to delete all stored tokens for the account, for example in the event of a data breach.

When using workflow credentials, monday.com abstracts away all this logic – you just add some configurations, and it works invisibly.


With this in mind, I have some questions regarding security:

## Revoking access

- What is the mechanism for a single user to revoke their user token?
- What is the mechanism for an admin user to revoke all the user tokens for the account?
- If these are not available, when will they be added?
- If these are available, please link to the documentation so that I can update [our own documentation](https://monday-help.dsapps.dev/microsoft-365-office-embedded/workflow-credentials#Workflowcredentials-HowtorevokeaccesstoMicrosoft365).


## Configurable OAuth scopes

We'd like the ability to configure the scopes used in the OAuth dance per account.

The example being that normally we use the `Sites.ReadWrite.All` scope for auth with Microsoft 365, but for enhanced security, some accounts want to use the `Sites.Selected` scope instead where they have to configure the exact access in their Microsoft 365 tenant.

The former is easy as it just works, but the latter requires domain knowledge of your Microsoft 365 configuration to restrict access down to a selected list of sites.

For our own OAuth dance (used in recipe sentences) we can simply add this as an optional configuration in our app's admin settings. If the account requires the enhanced security version, they configure it there before moving on.

With workflow credentials, there is no way I know of for the scopes to be changed, or overridden on a per account basis.

Is this something that can be added based on a switch we add in the admin settings?
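
The per-account scope switch described in the post above, sketched for an app that runs its own OAuth dance. This is an added example, not part of the original post and not monday.com or app code; the function names, the `accountSettings.scopeProfile` field and the profile names are assumptions.

```javascript
// Added example. SCOPE_PROFILES, resolveScopes, buildAuthorizeUrl, grantExceedsProfile
// and the accountSettings shape are hypothetical names, not monday.com APIs.

// Admin settings pick a profile name; raw scope strings are never accepted from an account.
const SCOPE_PROFILES = Object.freeze({
  standard: ['Sites.ReadWrite.All'],
  restricted: ['Sites.Selected'], // access is then granted per site in the tenant
});
const BASE_SCOPES = ['offline_access']; // requests a refresh token

function resolveScopes(accountSettings) {
  const profile = accountSettings?.scopeProfile ?? 'standard';
  if (!Object.hasOwn(SCOPE_PROFILES, profile)) {
    throw new Error(`Unknown scope profile: ${profile}`);
  }
  return [...BASE_SCOPES, ...SCOPE_PROFILES[profile]];
}

function buildAuthorizeUrl({ tenant, clientId, redirectUri, state }, accountSettings) {
  if (!/^[A-Za-z0-9.-]+$/.test(tenant)) throw new Error('Invalid tenant');
  const url = new URL(`https://login.microsoftonline.com/${tenant}/oauth2/v2.0/authorize`);
  url.search = new URLSearchParams({
    client_id: clientId,
    response_type: 'code',
    redirect_uri: redirectUri,
    scope: resolveScopes(accountSettings).join(' '),
    state, // CSRF token generated and verified by the caller
  }).toString();
  return url.toString();
}

// Run on the token response's `scope` field: true if it carries a Sites.* scope
// outside the account's profile (e.g. the broad scope on a restricted account).
function grantExceedsProfile(grantedScope, accountSettings) {
  const allowed = new Set(resolveScopes(accountSettings).map((s) => s.toLowerCase()));
  return grantedScope
    .split(/\s+/)
    .filter(Boolean)
    .map((s) => s.split('/').pop().toLowerCase()) // drop a resource URI prefix if present
    .filter((s) => s.startsWith('sites.'))
    .some((s) => !allowed.has(s));
}
```
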

4 replies

dvdsmpsn
  • Author
  • Participating Frequently
  • September 30, 2025

I also note that there is no way to add a revoke URL in the workflow credentials configuration UI:
 

 

Is this something that is coming soon?


dvdsmpsn
  • Author
  • Participating Frequently
  • October 9, 2025

I'd love it if anyone from within mdc who has direct knowledge of workflows could answer some of these questions.
Cc: @OmerK


  • monday.com Team Member
  • October 20, 2025

Hi @dvdsmpsn, I'm Noa, the Product Manager for the Automations Framework team. One of our team's key responsibilities is developing the automations/workflow appFeatures (block, credentials, field, wf template).

For token revocation & connection management-
You are correct: currently, neither users nor admins can revoke tokens for the account. We will address this by EOY via the new "Connection Page" (located under the "Autopilot hub").

  • Timeline: In about a month, users will be able to view and delete their connections. Later this year, we will enable full disconnect/reconnect support for both users and admins.
  • The currently unsupported revoke URL will probably be added as part of this effort.

OAuth Scopes-
Regarding Configurable OAuth Scopes, we are currently working on partial scopes for blocks, but I'm not sure this will fully meet your requirement. We have added your specific request as a feature request for the credentials app feature.

In addition, while I don't outright recommend this path (as I believe the OAuth solution remains the most robust option), we are building a mechanism for a seamless migration from the old to the new infrastructure (coming by EOY Q4).
Once released, your options will include:

  1. Using your existing authorization URL wrapping within the Sentence Builder (but not in the workflow builder). The migration tool will automatically migrate the appFeature integration to an appFeature block, using the authorization URL as its context in the sentence builder.
  2. Building a "Custom Credentials" option (instead of using our standard OAuth) within the new credential feature. This will make it available in both the Sentence Builder and the Workflow Builder.

All new features and documentation will be available by the end of Q4.


dvdsmpsn
  • Author
  • Participating Frequently
  • October 20, 2025

@noa.rapoport This all seems to be headed in the right direction, thanks. I’ll look forward to further news as it develops.