Transfer OAuth access tokens and refresh tokens securely between team members.
OAuth 2.0 (RFC 6749) splits authorization into two artifacts with sharply different lifetimes, and that asymmetry is why these tokens leak badly. An access token is a short-lived bearer string — roughly 60 minutes on Google, around 90 on Microsoft Graph, an hour on Auth0. A refresh token is its quiet cousin: useless alone, but POSTed to the issuer's token endpoint it mints fresh access tokens silently, often for 90 days (Entra default) until revocation.
Chat substrates are the wrong place for either. JWT-bearer access tokens (RFC 9068) decode in any browser tab, revealing sub, scp, and aud claims over a shoulder. GitHub scans for ghp_, gho_, ghs_, ghu_ prefixes plus Slack's xoxb-, xoxp-, and rotating xoxe.xoxp- patterns, but scanning only fires once a value reaches a public surface. Inside private Teams DMs or Notion pages the same strings persist indefinitely.
PasteOnce slots into the narrow case where a token must cross a human boundary: bootstrapping a CI integration before workload identity is wired, sending a Postman Authorization header mid-debug, or seeding a sandbox connector during a vendor proof-of-concept. Pair every handoff with the RFC 7009 revocation endpoint when work ends, mint at the tightest scope, and prefer device authorization (RFC 8628) when the recipient can complete consent themselves.
Client-side encrypted. We can't see your data.
Your data is encrypted in your browser before it leaves your device.
Messages are automatically deleted after being read once.
We never see your data. Only encrypted blobs pass through our servers.
Links work exactly once. Refresh the page and it's gone forever.
Your sensitive data is encrypted in your browser using AES-256-GCM. The encryption key is generated randomly and never sent to our servers.
Only the encrypted blob is stored in our database, with an automatic expiration time. We literally cannot read your data.
When your recipient opens the link, the encrypted data is fetched and immediately deleted from our servers using an atomic Redis GETDEL. The key in the URL hash decrypts the message in their browser.
RFC 8628 removes human-to-human token transfer entirely. The gh CLI, az login --use-device-code, gcloud auth login --no-launch-browser, and stripe login print a short user_code; the recipient completes consent in their browser and the issuer delivers tokens directly.
Never reshare a token minted for your broader use. Generate a new one with the narrowest scope set: gmail.readonly instead of mail.modify, repo:status instead of full repo, chat:write only. GitHub fine-grained PATs let you target a single repository.
RFC 7009 defines a uniform revoke endpoint. POST oauth2.googleapis.com/revoke for Google, /oauth/revoke for Auth0, auth.revoke for Slack, DELETE /applications/{client_id}/token for GitHub. Revoke the refresh token explicitly — killing only the access half leaves the refresh re-issuable.
If you are sharing a client_secret next to a token, the integration is using the wrong flow. Public clients — desktop apps, mobile, SPAs, CLIs — should authorize via PKCE (RFC 7636) with code_challenge_method=S256. Reserve secret-bearing flows for backends.
A connector vendor needs a refresh token for your Salesforce sandbox so their integration mints access tokens unattended during a two-week proof-of-concept. The connected app is scoped to one custom object; revocation happens via Setup > Connected Apps OAuth Usage afterward.
A nightly Graph job is failing and the on-call needs to reproduce the call. The platform engineer mints a client-credentials access token scoped to the failing app role only, sends it through PasteOnce on a one-hour TTL, and it expires before standup.
A new ARC runner needs a ghs_ installation token to clone private repos until the GitHub App's long-term private key lands in the secret manager. PasteOnce carries the value to the operator; the bootstrap token is revoked within the hour.
The access token is a bearer string presented to a resource server (the Authorization: Bearer header) and lives roughly an hour. The refresh token goes only to the issuer's token endpoint with grant_type=refresh_token and lives much longer. Treat them as separate handoffs.
Hit the issuer's RFC 7009 endpoint with token_type_hint=refresh_token. Google: POST oauth2.googleapis.com/revoke. Auth0: POST /oauth/revoke. GitHub OAuth Apps: DELETE /applications/{client_id}/token. Pass the refresh token explicitly — revoking only the access half leaves refresh live.
Safer than a chat thread, but the better question is why a human is moving one at all. Confidential clients should fetch the value from a vault — HashiCorp Vault, AWS Secrets Manager, Doppler — at runtime. Public clients should not have one; switch to PKCE.
Sometimes. JWT-bearer access tokens (RFC 9068, common on Entra ID and some Auth0 setups) carry scp or roles claims that decode without verification. Google, GitHub, and Slack issue opaque strings whose grants surface only through introspection (RFC 7662) or a tokeninfo call.
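The inspection described here, and the access/refresh distinction above, as an added example that is not from the page's authors: decode the unverified claims of a JWT-bearer access token to see what a handoff actually grants and how long it has left, and recognise an opaque token whose grants only introspection or a tokeninfo call can reveal. The sample tokens, claim values and issuer URLs are constructed; the signature segment is a placeholder because nothing here validates it.

```javascript
// Added example, not from the page's authors: read what a token grants before
// it is handed to anyone. Claims are decoded, never verified.

function decodeSegment(segment) {
  return JSON.parse(Buffer.from(segment, "base64url").toString("utf8"));
}

// Returns a summary of the token's claims. Nothing here checks the signature:
// the summary is for deciding whether a token is too broad or too long-lived
// to share, not for trusting it, hence the explicit verified: false.
function inspectToken(token, now = Math.floor(Date.now() / 1000)) {
  const opaque = {
    format: "opaque",
    verified: false,
    note: "grants visible only via introspection (RFC 7662) or a tokeninfo call",
  };
  const parts = token.split(".");
  if (parts.length !== 3) return opaque;
  let header, claims;
  try {
    header = decodeSegment(parts[0]);
    claims = decodeSegment(parts[1]);
  } catch {
    return opaque; // dots in an opaque token do not make it a JWT
  }
  // Entra ID puts delegated scopes in scp (space-separated) and app-only
  // permissions in roles; RFC 9068 uses scope. Collect whichever is present.
  const scopes = typeof claims.scp === "string" ? claims.scp.split(" ")
    : Array.isArray(claims.scp) ? claims.scp
    : typeof claims.scope === "string" ? claims.scope.split(" ") : [];
  const roles = Array.isArray(claims.roles) ? claims.roles : [];
  const secondsLeft = typeof claims.exp === "number" ? claims.exp - now : null;
  return {
    format: "jwt",
    verified: false,
    alg: header.alg,
    typ: header.typ,
    iss: claims.iss,
    sub: claims.sub,
    aud: claims.aud,
    scopes,
    roles,
    secondsLeft,
    expired: secondsLeft !== null && secondsLeft <= 0,
  };
}

// Build a constructed JWT for demonstration. The signature segment is a fixed
// placeholder; inspectToken never validates it.
function sampleJwt(claims, header = { typ: "at+jwt", alg: "RS256" }) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc(header)}.${enc(claims)}.placeholder-signature`;
}

// Two constructed tokens side by side: a JWT whose grants are readable and an
// opaque string whose grants are not.
function demo(now = 1700000000) {
  const jwt = sampleJwt({
    iss: "https://issuer.example",
    sub: "constructed-user",
    aud: "https://api.example",
    scp: "Mail.Read Files.Read",
    exp: now + 3600,
  });
  return {
    jwt: inspectToken(jwt, now),
    opaque: inspectToken("gho_constructedopaquevalue", now),
  };
}
```

Decoding is enough to answer the question the page raises (which scopes or roles is this token carrying, and when does it expire) but not to decide whether the token is genuine; that is the resource server's job and needs the issuer's keys.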