How OAuth 2.0 works
When you connect an app to ZeroTwo, here’s what happens behind the scenes:

1. ZeroTwo initiates the flow: ZeroTwo redirects your browser to the app’s official authorization server (e.g., accounts.google.com, github.com/login/oauth).
2. You authenticate and authorize: You log in to the app (if not already logged in) and review the specific permissions ZeroTwo is requesting. You click Allow or Authorize to grant access.
3. The app issues an access token: The app’s authorization server generates an OAuth access token and refresh token, then redirects back to ZeroTwo with those tokens.
4. ZeroTwo stores the token securely: ZeroTwo encrypts and stores the access token and refresh token. Your password is never involved or stored at any point.
What ZeroTwo stores
| What is stored | Details |
|---|---|
| OAuth access token | Used to make API calls to the connected app on your behalf |
| OAuth refresh token | Used to obtain new access tokens when the current one expires |
| Authorized scopes | The list of permissions you granted during the OAuth flow |
| Connection metadata | App name, account identifier, connection date |
Automatic token refresh
OAuth access tokens have limited lifetimes — typically 1 hour for most apps. ZeroTwo automatically refreshes tokens before they expire using the stored refresh token. In practice, this means:
- You connect once and rarely need to reconnect
- The connector stays active as long as you haven’t revoked access from the app’s side
- If a refresh fails (e.g., you revoked access from within the app), the connector shows “Needs reauthorization” and you’ll need to reconnect
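The refresh lifecycle described above, written out as an added example (not ZeroTwo’s own code): a connection record is refreshed shortly before its access token expires, a refresh rejected by the app (the OAuth `invalid_grant` case, e.g. after you revoke access on the app’s side) flips the connector to “needs reauthorization” and discards the dead token, and API calls are only allowed while the connector is active and the requested scopes were actually granted. Names, the 5-minute refresh margin and the stand-in token endpoint are assumptions made for the example.

```python
import time
from dataclasses import dataclass


@dataclass
class Connection:
    """What a connector keeps per app: tokens, expiry, granted scopes, status."""
    access_token: str
    refresh_token: str
    expires_at: float          # unix timestamp at which access_token expires
    scopes: frozenset
    status: str = "active"     # or "needs_reauthorization"


REFRESH_MARGIN = 300  # assumed: refresh 5 minutes before expiry, not at expiry


class RefreshDenied(Exception):
    """Raised by the token endpoint when the refresh token is no longer valid."""


def ensure_fresh(conn, refresh_fn, now=None):
    """Refresh the access token if it is about to expire. Returns True if usable."""
    now = time.time() if now is None else now
    if conn.status != "active":
        return False
    if now < conn.expires_at - REFRESH_MARGIN:
        return True  # still fresh, no round-trip to the app needed
    try:
        new = refresh_fn(conn.refresh_token)
    except RefreshDenied:
        # Access was revoked on the app's side: the stored token is worthless
        # now, so drop it and require the user to reconnect.
        conn.status = "needs_reauthorization"
        conn.access_token = ""
        return False
    conn.access_token = new["access_token"]
    conn.refresh_token = new.get("refresh_token", conn.refresh_token)
    conn.expires_at = now + new["expires_in"]
    return True


def authorized(conn, needed):
    """Least privilege check: only act within scopes the user actually granted."""
    return conn.status == "active" and frozenset(needed) <= conn.scopes


def fake_token_endpoint(revoked):
    """Constructed stand-in for an app's token endpoint (no network)."""
    def refresh(refresh_token):
        if refresh_token in revoked:
            raise RefreshDenied("invalid_grant")
        return {"access_token": "at-" + refresh_token, "expires_in": 3600}
    return refresh
```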
Scopes and permissions
Each connector requests a specific set of OAuth scopes — granular permissions that define exactly what ZeroTwo can do with the app. For example:

| App | Example scopes |
|---|---|
| Gmail | gmail.readonly (read emails), gmail.send (send emails) |
| GitHub | repo (read/write repos), issues:write (create issues) |
| Google Drive | drive.readonly (read files), drive.file (create/edit files) |
| Notion | read_content, update_content, insert_content |
Principle of least privilege
Only grant the scopes that match what you actually plan to do. If you only need ZeroTwo to read your Google Drive files, connect with read-only scope. You can always disconnect and reconnect with broader permissions later if your needs change.
Revoking access
You can revoke ZeroTwo’s access to a connected app in two places.

From ZeroTwo:
- Go to Settings → Connectors
- Click the app
- Click Disconnect

From the app:
- Google: myaccount.google.com → Security → Third-party apps with account access
- GitHub: github.com → Settings → Applications → Authorized OAuth Apps
- Notion: notion.so → Settings → My connections
For complete removal, revoke from both ZeroTwo and the app. Revoking only from the app means ZeroTwo still holds the (now invalid) token until you explicitly disconnect in ZeroTwo.
Security properties
| Property | Details |
|---|---|
| No password storage | ZeroTwo never receives or stores your app password |
| Encrypted tokens | Access and refresh tokens are encrypted at rest |
| Scoped access | ZeroTwo can only perform actions within the scopes you authorized |
| Revocable anytime | You can disconnect any connector instantly, from ZeroTwo or the app |
| No cross-account access | Each connection is tied to your ZeroTwo account only |
| No plaintext transmission | Tokens are never sent over unencrypted connections |

