Outbound Apps

Descope Outbound Apps are a secure, flexible way to manage third-party integrations for your users and tenants. Outbound Apps can:

Connect to third-party OAuth providers (like Google, Microsoft, LinkedIn, etc.) and manage the full OAuth lifecycle, including consent, token refresh, and scope management.
Act as a token vault for both OAuth tokens and static API keys, allowing you to store, retrieve, and manage secrets for any external service—whether it uses OAuth or not.

Use Cases

Incremental OAuth Scopes Start with minimal permissions (e.g., openid, email, profile) during authentication, then request additional scopes—like access to calendars, contacts, or posting capabilities—only when needed. This keeps your initial login experience simple and user-friendly.
AI Agents & MCP Server Integrations If you're building AI agents or MCP servers that need access to external services (e.g., Google Calendar, Salesforce), Outbound Apps handle secure storage, token refresh, and access control. Your tools can reliably retrieve user/tenant-scoped OAuth tokens or API keys whenever they need to call third-party APIs.
Fine-Grained Access Control Define and enforce who is allowed to retrieve tokens for a given Outbound App using Descope's Access Control Plane. Prevent unauthorized agents or users from accessing sensitive third-party services, even if the connection has already been established.

Create an Outbound App
- Choose a preconfigured OAuth provider, or create a custom app for any service (including API key storage).
Connect Users or Tenants
- Use Descope Flows, SDKs, or APIs to connect users to OAuth providers or to collect and store API keys.
Token Vault
- Descope securely stores and manages all tokens and API keys, making them available for backend or agent use.

To set up an outbound application in Descope, follow the steps in our Creating an Outbound App guide.

Within the token management tab, you can view details of the users who have granted consent to the outbound app.

ID: System-generated ID paring that user's consent to the application.
App ID: The configured application ID which coincides with the token ID.
Associated User: The user ID of the user who's associated with the consent.
Scopes: The consented scopes correlate to the user's consent to the application.
Access Token Expiration: Expiration of the current access token for the user's consent.
Refresh Token: Boolean True/False whether a refresh token is available.
Last Refreshed: The last time the user's access token was refreshed.
Last Refresh Error: If applicable, the last error encountered while trying to refresh the user's access token.
Token Subject: The user reference on the provider side. For this example, it is associated with the unique user ID of the user's Google account.
Access Token Type: Specifies the format or method the access token uses, such as Bearer or MAC, which determines how it is used for authentication and authorization.
Tenant ID: The tenant ID of the tenant associated with the consent.

There are multiple ways you can connect your users to your outbound apps:

Frontend SDKs: Implement OAuth connections using our JavaScript SDKs (Web, React, Next.js)
Descope Flows: Use our no-code flow editor with pre-built OAuth components
APIs: Use our REST API to initiate connections from non-JavaScript platforms

Learn more about implementation details and best practices in our Connection Guide.

Once your users are connected to outbound apps, you can start leveraging the tokens to access third-party APIs:

Token Management: Fetch and refresh user tokens securely through Descope's API
API Integration: Use tokens to make authenticated requests to third-party providers
Best Practices: Implement proper error handling and scope management
Examples: Real-world implementations including AI agent tool calling

Learn more about token usage and implementation patterns in our Usage Guide.

Was this helpful?