OAuth is how you grant limited access without giving Hive Citadel your provider password. When you choose Connect, the provider—not Hive Citadel—authenticates you and displays the requested permissions. Nothing is connected unless you approve that provider screen.
1. Why this page exists
Provider consent screens use technical scope names that can be difficult to evaluate on their own. This page gives the missing product context: the user-facing feature behind a permission, the data involved, whether an action can change provider data, and how to stop access.
It also provides the public, stable disclosure expected during OAuth and app-review processes. It complements—not replaces—the provider consent screen, in-product notices, our Privacy Policy, and our Terms.
2. Four boundaries control every connection
- Provider permission. The scopes you approve are the maximum provider-side capability.
- Workspace authorization. Your role, workspace, connection ownership, and administrator policy determine availability.
- Product capability. An agent can use only tools and operations implemented and enabled for it.
- Instruction and approval. The agent must have a relevant request or approved automation. Sensitive external writes generally require confirmation.
A broad provider scope is not standing permission for an agent to act without a relevant feature, valid user/workspace authority, and the required approval.
3. Current OAuth permission purposes
The provider’s live consent screen is authoritative for the exact permissions presented to you. The table below explains the current connector configuration and intended use.
| Connection | Data and capability requested | User-facing purpose |
|---|---|---|
| Gmail | Read/modify, compose and send mail; calendar access | Search and organize mail, draft/send approved messages, triage conversations, and support calendar workflows from the executive-assistant experience |
| Google Drive & Sheets | Read Drive files; read/write spreadsheets | Find and index selected documents and create or update spreadsheets requested by the user |
| Google Calendar | Read/write calendars and events | List availability and create, update, RSVP to, or delete events with the required confirmation |
| Google Contacts | Read contacts | Resolve people and contact details for user-requested communication and scheduling |
| YouTube | Manage channel data and upload videos | Inspect the connected channel and upload or publish user-approved video content |
| Microsoft Outlook | Read/write and send mail; read/write calendar; basic profile; offline access | Email assistance, message triage, and scheduling while preserving a long-lived connection |
| OneDrive | Read/write files; basic profile; offline access | Find, ingest, create, and update user-requested files |
| SharePoint | Read/write files and sites; basic profile; offline access | Search and operate on authorized site documents where Microsoft’s delegated model requires tenant-level file/site scope |
| Microsoft Teams | Read team/channel/chat context; send chat/channel messages; people and profile; offline access | Search collaboration context and send a message only through an enabled, authorized workflow |
| Basic profile; member/organization publishing and organization administration context | Identify the connected profile or organization and publish approved social content | |
| Basic profile and media | Identify the connected account and retrieve media needed for supported workflows | |
| X | Read/write posts and media; read users; follow/like/bookmark writes; offline access | Research account context and perform only the social action the user requests and approves |
| TikTok | Profile/stats, video list, upload and publish | Inspect the connected profile and upload or publish user-approved videos |
| GitHub | Profile, repository, and workflow access | Inspect authorized repositories and perform requested repository or automation operations |
| Jira | Identity, Jira work/user read, issue write, offline access | Find projects and issues and create or update work items requested by the user |
| WHOOP | Profile, body measurements, recovery, cycle, sleep, and workout read; offline access | Provide user-requested health and fitness analysis from the connected member’s data |
| Stripe Connect | Permission shown by Stripe for the configured connection | Access the connected Stripe account only for enabled financial operations and reporting |
Some enterprise connectors use customer-managed API keys or service credentials rather than OAuth. Those credentials are presented separately and remain subject to the same workspace, tool, instruction, and approval controls.
4. Why some connections request offline access
offline_access or equivalent permission allows the provider to issue a refresh token so a connection can continue after a short-lived access token expires. This is necessary for user-requested background sync, schedules, and automations. Refresh access does not bypass revoked consent, disabled accounts, provider policy, or Hive Citadel authorization.
5. Why write permissions may appear
Features such as sending email, updating a spreadsheet, publishing a video, creating a calendar event, or editing an issue require provider write scopes. Providers often define one scope for several operations rather than offering a separate scope for every product button. Hive Citadel narrows that technical capability through tool design, workspace access, contextual instructions, audit records, and confirmation gates.
6. What is stored
- Connection provider, account identifiers, granted scopes, status, and synchronization metadata.
- Encrypted access and refresh tokens, where the provider issues them.
- Content or metadata retrieved for enabled features, such as indexed source documents, messages, events, or workflow results.
- Bounded operational and audit information needed for reliability, security, support, and accountability.
Tokens are server-side credentials. They are not intentionally exposed to agents, chat transcripts, public URLs, or other users.
API-key connections do not have a provider consent screen. The connect form therefore identifies the credential fields, provider setup page, selected environment where applicable, and the capability boundary. Use scoped tokens where the provider supports them, create credentials only in the provider’s own console, and rotate or revoke them at the provider after disconnecting.
7. Data-use commitments
- We do not sell connected-service data.
- We do not use connected-service data for advertising.
- We do not use connected-account data to train generalized AI/ML models.
- We use data only for user-facing features, security, support with appropriate authorization, legal compliance, and the limited purposes described in the Privacy Policy.
Our use of information from Google APIs adheres to the Google API Services User Data Policy, including Limited Use requirements.
8. Disconnecting and revoking access
Disconnect in Hive Citadel to remove the stored connection credential and stop future product use of it. Revoke at the provider to invalidate the provider-side grant. For the strongest result, do both.
- Google: Google Account third-party connections
- Microsoft: account or organization consent controls in Microsoft Entra
- GitHub: Settings → Applications → Authorized OAuth Apps / GitHub Apps
- Other providers: connected-app, security, integrations, or authorized-app settings
Use the Data Removal page to delete stored connection data and other account data. Provider-side data remains with the provider unless you delete it there.
9. Questions or unexpected permissions
Do not approve a connection if the provider screen identifies a different app, publisher, domain, or unexpected permission. Cancel the flow and contact support@hivecitadel.com with the provider name and a screenshot that contains no token, password, or one-time code.