AI Rule Engine Docs
Go to App

OAuth & App Authorizations

You can let a third-party app act on your behalf — most often an AI client connecting to the MCP server — by authorizing it through a consent screen, with you in control of exactly what each app may do.

Why authorize an app

Handing an app a long-lived token works, but it is awkward to manage and hard to take back. Letting an app request access instead means it prompts you to approve it, you grant only the scope you choose, and the access it receives is bounded exactly as a connection you set up by hand would be. Because you grant it explicitly, you can also find it again later and revoke it on its own.

When an app requests access, you are taken to a consent screen that names the app and asks you to approve the connection. There you choose what the app may reach:

  • Rule sets — all of them, or a specific allow-list.
  • Files — whether files are readable, and under which folder.
  • Logs — whether execution logs are readable.

Approving grants the app access with exactly the scope you picked; declining sends it away with nothing. Granting access requires an administrator role and a selected environment.

You decide the scope

An app can ask for access, but it only receives what you approve on the consent screen. A request you do not approve grants nothing.

Reviewing and revoking apps

Every app you approve is listed under app authorizations, where you can review which apps have access to the environment and revoke any of them. Revoking an authorization immediately cuts off the app, so it can no longer act on your behalf.