Guides and Tutorials/Inbound Apps

Use Cases for Inbound Apps with Descope

Inbound apps in Descope enable third-party applications, services, and automated systems to securely access APIs and perform actions on behalf of users or organizations. By leveraging OAuth, inbound apps can authenticate using client credentials flow, enforce fine-grained authorization through scopes and roles, and integrate with external systems that require centralized authentication and access control.

This document outlines key use cases for inbound apps:

Managing Multi-Tenant Authentication for SaaS Applications

Overview

For multi-tenant SaaS applications, inbound apps provide tenant-specific authentication and authorization, ensuring:

  • Each tenant has its own identity and access control policies
  • Tenant-specific OAuth settings are applied dynamically
  • Applications can enforce different roles and scopes per tenant

Example Use Case

A SaaS CRM application needs to:

  1. Allow companies to integrate their own identity providers
  2. Ensure users from different tenants cannot access each other's data
  3. Dynamically assign scopes based on tenant policies

Using inbound apps:

  • Each tenant's identity provider is registered as an inbound app
  • Tenant-specific OAuth policies are enforced via scopes
  • Access tokens include the tenant ID, ensuring strict data isolation

OAuth Provider Implementation Patterns

Building an OAuth Provider for Marketplaces: The GitHub Model

Overview

Marketplaces need to integrate with multiple third-party applications while maintaining secure authentication. GitHub Marketplace exemplifies this pattern, where external applications request access to user repositories through OAuth.

How It Works

  1. Applications register as OAuth clients, defining required scopes
  2. Users authorize access through consent screens
  3. OAuth tokens are issued with specific permissions
  4. The marketplace enforces scope restrictions on all API calls

Example: Developer Tools Marketplace

A developer tools marketplace uses Descope as its OAuth provider:

  • Third-party tools register as inbound apps
  • Users grant permission through standardized consent flows
  • The marketplace enforces uniform security controls across all integrations
  • Users manage app permissions through a centralized dashboard

Implementing MCP Server Authorization

Overview

Model Context Protocol (MCP) servers can use Descope as their OAuth authorization service, providing standardized authentication for AI model access.

Implementation

  1. Configure Descope Project:

    • Create inbound application in Descope Console
    • Define MCP-specific scopes (e.g., models.invoke, context.read)
    • Set appropriate token lifetimes

  2. Integrate with MCP Server:

    // Validate tokens in MCP API endpoints
async function validateMcpAccess(req, res, next) {
  const token = extractToken(req);
  const validation = await descopeClient.validateSession(token);
  
  // Check for required model access permissions
  if (!validation.scopes.includes('models.invoke')) {
    return res.status(403).send('Insufficient permissions');
  }
  
  next();
}

  3. Client Implementation:

    • Clients obtain tokens through standard OAuth flows
    • Tokens are used to authenticate model invocation requests
    • Permissions can be restricted to specific models or operations

Machine-to-Machine Authentication

Overview

A critical use case for inbound apps is providing secure authentication for non-interactive systems like partner services, AI agents, and automation tools.

Implementation with Client Credentials Flow

Learn more about client credentials flow in the OAuth 2.0 specification.

Unlike user-centric authentication, machine-to-machine scenarios rely on the OAuth client credentials flow:

curl -X POST "https://api.descope.com/oauth2/v1/apps/token" \
  -d "grant_type=client_credentials" \
  -d "client_id=your-client-id" \
  -d "client_secret=your-client-secret" \
  -d "scope=api.read api.write"

Example: Logistics API

A logistics company secures its shipment tracking API:

  • Partner systems authenticate using client credentials
  • Each partner receives scopes limited to their shipments
  • AI agents use the same protocol to fetch data for predictions
  • All access is logged and can be audited centrally

Conclusion

Inbound apps in Descope provide a flexible, secure way to authenticate third-party applications, AI agents, and machine-to-machine systems across multiple scenarios:

  • User-delegated access for marketplace integrations
  • Service-to-service communication for backend systems
  • Multi-tenant isolation for SaaS applications
  • Model access control for MCP servers

By leveraging OAuth's standardized flows and Descope's implementation, organizations can enforce consistent security policies, simplify credential management, and provide seamless integration experiences for both users and automated systems.

Was this helpful?

Next

Developing APIs with OAuth

Next

One-time Password (OTP)

On this page