Inbound Apps

Inbound Apps in Descope allow users to sign in to third-party applications using Descope as their identity provider (IdP) via OAuth 2.0. By enabling secure authentication, users retain control over their identity while organizations manage consent, permissions, and API access efficiently.

With Inbound Apps, organizations can secure APIs, simplify integrations, and enhance security for external services, including:

• AI-powered assistants and chatbots authenticating via OAuth-based tokens
• Partner applications managing user sessions while enforcing consent-driven access
• Machine-to-machine (M2M) workflows securely exchanging API requests without manual authentication

By centralizing authentication and consent management, Descope simplifies external integrations while enhancing security, compliance, and user experience.

Why Use Inbound Apps?

Simplify User Consent and Scope Management

When a user authenticates via an Inbound App, Descope enforces a consent flow that ensures only the approved data and permissions are granted to third-party applications.

Example: A freight management platform grants third-party logistics providers access to shipment data but restricts access to financial details based on OAuth scopes.

Enable AI Agents and Automated Workflows

Inbound Apps allow AI-driven assistants to interact securely with APIs while ensuring access is limited to authorized resources.

Example: An AI-powered document processor analyzes customer forms without storing credentials by using a scoped OAuth token generated via an Inbound App.

Automate Machine-to-Machine (M2M) Authentication

Inbound Apps facilitate secure M2M authentication, ensuring that backend services can communicate without manual login processes.

Example: A cloud monitoring service requests OAuth tokens from an Inbound App to collect usage analytics without human intervention.

How Inbound Apps Work

1. A third-party application redirects users to Descope's authorization URL for authentication.
2. The user logs in through Descope, approves the requested OAuth scopes, and grants consent.
3. Descope issues an authorization code and redirects the user back to the application.
4. The application exchanges the authorization code for an access token using Descope's /token endpoint.
5. The access token is used to authenticate API requests, ensuring that users only access authorized resources.

For a step-by-step guide on implementing Inbound Apps, see Configuring an Inbound App.

Key Features of Inbound Apps

• OAuth 2.0 & 2.1
  Inbound Apps use OAuth 2.0 and 2.1 to provide secure authentication, supporting modern authentication standards.

• Customizable Consent Flows
  Define granular permissions for user data and actions via OAuth scopes, ensuring data privacy and least-privilege access.

• Automated API Access
  Use OAuth tokens to authenticate AI agents, M2M workflows, and backend applications, reducing manual authentication overhead.

Role and Scope Association
Be able to define scopes as an OAuth provider, and associate these scopes with distinct roles, using RBAC, that help ensure that end users or machine clients only access authorized resources.

Next Steps

For detailed implementation guides, refer to the following resources:

• Creating Inbound Apps - Learn how to set up an Inbound App in Descope.
• Using Inbound Apps - Learn how to use Inbound Apps in your application.
• Developing APIs with OAuth and Inbound Apps - Learn how to develop APIs that properly support OAuth scopes and permissions.
• Use Cases for Inbound Apps - Use cases for inbound apps, including multi-tenant authentication, agentic auth, and an OAuth marketplace.

For a full working example, see the Descope 3rd-Party Sample App.