# TapAuth > Human-approved delegated access for AI agents. TapAuth lets AI agents request OAuth access tokens through a human-in-the-loop approval flow. ## What TapAuth Does TapAuth is an access gateway for AI agents. An agent requests access to a user's account (Google, GitHub, Slack, Notion, Linear, Vercel, Asana, Sentry, Discord, and more), the user approves with specific scopes, and the agent receives a short-lived OAuth access token. ## Supported Providers - Manual Secret (User-entered password or API key) - Google (View calendar events, Create & edit calendar events, View calendar events (events-only), View calendar list, Full Calendar access, View spreadsheets, Edit spreadsheets, View documents, Edit documents) - GitHub (Access public repositories, Access private repositories (full), Read user profile, Access user email addresses, Read org membership, Create and manage gists, Access notifications, Update GitHub Actions workflows, Full control of organizations, Delete repositories) - Linear (Read issues & projects, Create & edit issues, Create issues, Create comments) - Vercel (View and manage deployments, Access project details, Manage environment variables, Manage domains, Access team info, Read user profile) - Slack (View people in workspace, View email addresses of people, View basic channel info, View messages in public channels, View basic private channel info, View basic DM info, View files shared in channels, Search messages, View workspace info) - Notion (Read your pages & databases, Update existing content, Create new content, Read user info with email) - Asana (View your tasks, Create and update tasks, Delete tasks, View your projects, Create and update projects, Delete projects, View user information, View teams, View your workspaces, View attachments, Upload attachments, Delete attachments, View stories (comments), Create and update stories, View tags, Create and update tags, View custom fields, Create and update custom fields, View portfolios, Create and update portfolios, View goals, View webhooks, Create and update webhooks, Delete webhooks, Verify your identity, View your email address, View your profile info) - Sentry (View organization details, Modify organization settings, View project details, Modify project settings, Manage releases, View team details, Modify teams, View organization members, Invite and modify members, View events and issues, Modify events (resolve, merge)) - Discord (View your username and avatar, View your email address, View your server list, View server member details, Join servers on your behalf, View your connected accounts, Join group DMs on your behalf, Update your role connections, Create webhooks in servers) - Apify (Full API access (web scraping, actors, storage)) - Atlassian (Read Jira issues and projects, Create and edit Jira issues, Read Jira user profiles, Manage Jira project settings, Manage Jira settings and configuration, Read all Confluence content, Read Confluence content summaries, Create and edit Confluence content, Read Confluence space summaries, Create and edit Confluence spaces, Upload files to Confluence, Read Confluence content properties, Edit Confluence content properties, Manage Confluence projects, Manage Confluence settings, Read Confluence user profiles, Read Confluence groups, Manage Confluence groups, Search Confluence, Read Confluence attachments, Read your Atlassian profile, Read your Atlassian account details, Report personal data usage, Maintain access when you're offline) ## API Base URL: `https://tapauth.ai` - POST /api/v1/grants — Create a new OAuth grant (returns grant_id, grant_secret, approval_url) - GET /api/v1/grants/{id} — Without auth: poll status. With `Authorization: Bearer gs_...`: retrieve token (200 active, 202 pending, 410 terminal) - GET /api/v1/providers — List available providers and scopes ## CLI Script TapAuth provides a single bash script (`tapauth`) that wraps the entire flow — grant creation, approval, polling, caching, and token refresh — into one command: ```bash curl -H "Authorization: Bearer $(./tapauth google drive.readonly)" \ https://www.googleapis.com/drive/v3/files ``` First run creates a grant and prompts for approval. Subsequent runs return cached tokens instantly (no network call if not expired). TapAuth also provides a secrets provider script (tapauth-secrets) for OpenClaw integration — resolves OAuth tokens as secrets at agent startup. RECOMMENDED: Use the CLI script — it handles credential storage, caching, and keeps secrets out of your context. Set a timeout of at least 600 seconds (10 minutes) when running the CLI, as users may take time to approve. Do NOT fall back to raw API calls if the CLI times out — this exposes grant secrets to your context. ## Integrations - **gws (Google Workspace CLI):** Set GOOGLE_WORKSPACE_CLI_TOKEN=$(tapauth token google/) to give gws full Google Workspace access. See https://tapauth.ai/blog/connect-ai-agents-google-workspace-gws-cli - CLI docs: https://tapauth.ai/docs - Full LLM docs: https://tapauth.ai/llms-full.txt ## Links - Docs: https://tapauth.ai/docs - Full LLM docs: https://tapauth.ai/llms-full.txt - Website: https://tapauth.ai