Introducing OhAuth
Alongside our enterprise platform, today we publish OhAuth (https://ohauth.ai), a community index of OAuth apps, the over-broad scopes they carry, and the publisher infrastructure that quietly sits behind them. This post is the research that started it all.

Our research team did a deep dive on the status of OAuth apps across the most widely used marketplaces. The driving question: when an app appears in an official marketplace, does that listing actually signal safety? Most administrators treat "it's in the Google Workspace Marketplace" or "it's in the GitHub Marketplace" as shorthand for "it's been vetted." We weren't convinced, so we set our agent loose across these marketplaces, and what we found surprised us.
Marketplace presence feels like approval. It isn’t.
A single click to “install” or “authorize” doesn’t just add a feature. It creates a standing OAuth grant into the systems that run the business: email, files, calendars, repositories, CI workflows, organization settings, and secrets. That grant doesn’t expire when the app is forgotten, when the user leaves, or when the publisher disappears. It persists, silently, until someone deliberately revokes it.
The consent screen shows a list of permissions for a few seconds at authorization time. It does not show whether those permissions are wider than the app needs, whether the publisher behind them still exists, or whether an AI model is making decisions on the other side of the grant. Those are exactly the things we set out to measure.
What our agent does
Our agent is continuously auditing the thousands of publicly listed OAuth apps across all marketplaces. Their combined reported install footprint is at least 4.39 billion. For every app, the agent is scanning for structural exposure signals, patterns a listing never surfaces before you authorize: scopes wider than the app’s stated function; dead, buyable, or threat-intel-flagged publisher domains; AI components with write access; and brand-like app names published by third parties. Because it runs continuously, the picture below is a snapshot of what the agent is seeing right now, not a one-time report.
What the agent is finding
“We took a random sample from our database: 2,000 apps from two of the world’s most widely used marketplaces.”
1. The permission mismatch
The largest finding by install footprint is the gap between what an app says it does and the scopes it actually requests. 677 apps ask for at least one permission beyond their stated function - a combined 1.82 billion installs. A few examples the agent keeps surfacing:
Some of these are outright unrelated: a graphing calculator holding read-and-delete on every Doc and Slides deck, a text-case converter with delete access on every Sheet. Others are subtler: Google offers no “edit without delete” scope for Sheets, Docs, or Calendar, so an app that legitimately needs to write to one spreadsheet must take the scope that can delete every spreadsheet the user can touch. That second category is a structural limit in the OAuth scope catalog itself, not just sloppy developers.
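To make the permission mismatch concrete, here is an added example (not code from the original post or from Offroad) of the kind of scope audit a defender can run over marketplace listings. The scope URIs are real Google Workspace OAuth scopes; the app names, categories, install counts and the per-category allowlist are constructed assumptions for illustration.

```python
# Added example: scope-mismatch audit over constructed Workspace marketplace listings.
# Scope URIs are real Google Workspace OAuth scopes; app names, categories, install
# counts and the per-category allowlist are assumptions made for this illustration.
from dataclasses import dataclass

# Read-and-write scopes. Google offers no write-without-delete variant, so any of
# these can delete every item of that type the user can reach.
WRITE_SCOPES = {
    "https://www.googleapis.com/auth/drive": "every Drive file",
    "https://www.googleapis.com/auth/spreadsheets": "every Sheet",
    "https://www.googleapis.com/auth/documents": "every Doc",
    "https://www.googleapis.com/auth/presentations": "every Slides deck",
    "https://www.googleapis.com/auth/calendar": "every calendar event",
}
# Assumed allowlist: what an app of this stated function plausibly needs.
EXPECTED = {
    "calculator": set(),
    "text-utility": set(),
    "sheet-sync": {"https://www.googleapis.com/auth/spreadsheets",
                   "https://www.googleapis.com/auth/drive.file"},
}

@dataclass
class Listing:
    name: str
    category: str
    scopes: list
    installs: int

def audit(listing):
    """Return (scopes beyond the stated function, what the write scopes can delete)."""
    allowed = EXPECTED.get(listing.category, set())
    unexpected = sorted(s for s in listing.scopes if s not in allowed)
    delete_reach = sorted(WRITE_SCOPES[s] for s in listing.scopes if s in WRITE_SCOPES)
    return unexpected, delete_reach

def mismatch_footprint(listings):
    """Count apps with any unexpected scope and their combined install footprint."""
    flagged = [l for l in listings if audit(l)[0]]
    return len(flagged), sum(l.installs for l in flagged)

SAMPLE = [  # constructed listings mirroring the post's examples
    Listing("Graphing Calculator", "calculator",
            ["https://www.googleapis.com/auth/documents",
             "https://www.googleapis.com/auth/presentations"], 5_000_000),
    Listing("Case Converter", "text-utility",
            ["https://www.googleapis.com/auth/spreadsheets"], 1_200_000),
    Listing("Sheet Sync", "sheet-sync",
            ["https://www.googleapis.com/auth/spreadsheets"], 300_000),
]

if __name__ == "__main__":
    for l in SAMPLE:
        print(l.name, audit(l))
    print(mismatch_footprint(SAMPLE))
```

The third listing shows the structural case: its scope matches its function, yet the audit still reports delete reach over every Sheet, because that is the only write scope the catalog offers.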
2. The publisher infrastructure gap
OAuth assumes the publisher stays reachable and accountable for as long as the grant survives. The marketplace doesn’t enforce that. Right now the agent is surfacing 206 apps with dead publisher domains, 89 apps (across 85 distinct domains) whose publisher domain is currently available to buy at a standard registrar, and 36 apps whose publisher domain is flagged on the same commercial threat-intel blocklists enterprise security gateways use to block phishing and malware.
The buyable domains are the sharpest edge. Register the dormant domain and you inherit the publisher’s real email identity - valid SPF, DKIM, and DMARC, plus a path to trigger account-recovery flows and try to take over the marketplace app itself. In one case, a single buyable domain anchored three Workspace apps with a combined 9 million installs. In another, a Workspace backup product authorized by 180,000+ organizations had a publisher domain independently flagged by five threat-intel feeds, while its grant still covered read, edit, and delete on every file, email, calendar event, and contact in those tenants.
3. AI with write access
The agent flags 49 AI-powered apps with broad write access, an 81.6M install footprint. These aren't just another category of over-privileged app; they represent a fundamentally different kind of risk. Consider what "send email on your behalf" actually means when an AI is behind it. A traditional app sends an email when you click a button. An AI-powered app might monitor your inbox, decide a thread needs a response, draft that response, and send it - all before you've opened your laptop. The scope on the consent screen is identical. The autonomy behind it is not. We've seen apps in this category with access to send mail, edit files, and manage calendar events, where the decision of when and why those permissions fire is delegated entirely to a model whose reasoning is opaque, whose behavior can shift with a prompt update, and whose actions leave behind no audit trail distinguishable from your own. Traditional OAuth risk assumes a human or a deterministic process is holding the keys. AI apps break that assumption silently, and the consent screen will never tell you.
Why this becomes business risk
None of this depends on malicious intent. The risk is structural: once a broad OAuth grant exists, a compromise of the publisher or its infrastructure turns a perfectly legitimate app into a software supply-chain path into every customer environment at once. The blast radius is whatever was already granted.
And the surfaces are deep. On the Workspace side alone the agent counts 281 apps with broad Drive access (1.47B installs), 316 touching Sheets (1.02B), 220 reaching into Gmail (818M), plus Docs, Calendar, and Contacts. On GitHub: repository administration, organization settings, secrets, webhooks, and Actions runners. These aren’t simple utilities; they’re access to the systems the business actually runs on.
So we built OhAuth.ai
Every scan points at the same conclusion: a marketplace listing is not a security review.
People are going to keep granting permissions and broad scopes to third-party apps, and that's fine. We're not in the business of limiting what your teams can use. Offroad doesn't lock the marketplace down. Instead, our agent keeps an eye on the actual usage behind every grant, watching how a scope is really being exercised, identifying the moment that usage stops looking right, and blocking it immediately. The permission can exist; the misuse can't.
In practice, that means the agent continuously:
- Identifies every OAuth grant across marketplaces and flags overprivileged scopes.
- Monitors usage continuously - mail sends, file edits and deletions, repo changes, secret access, webhooks and CI activity. Unexplained high-privilege actions should trigger investigation, not a quarterly review. Our agent blocks suspicious activity immediately.
- Checks publisher infrastructure for dead, parked, or for-sale domains and missing support channels.
That’s only one of the things Offroad does. Our agents work across your existing identity providers, cloud environments, SaaS apps, developer systems, and security tools - turning OAuth from a one-time consent click into a governed, monitored, revocable part of your identity surface. No new dashboard required.
Audit your OAuth before it becomes “oh no.”
Browse the full community index at ohauth.ai, learn more about Offroad at offroad.ai, or reach the research team at info@offroad.ai.
