In this article
March 19, 2026
March 19, 2026

Pipes MCP: Session-scoped authorization for AI agents

Grant agents time-limited access to OAuth connections using Pipes and MCP.

Ryan Cooke
March 19, 2026

OAuth is built for human workflows. A User connects Snowflake, Google Drive, Salesforce, or another third party to an application, and the app receives long-lived tokens. As long as the User doesn't revoke the connection, the application can continue acting on their behalf.

This authority model does not transfer well when agents are using the connection, however, as agents today can take actions that are unpredictable compared to the User's normal workflow.

So the question becomes, if an agent can access a User’s connected systems, how long should that access last?

Should it persist beyond the task the agent was assigned?

Should it be renewable without additional approval?

Pipes MCP introduces a concrete answer: Give agents access for the duration of a task, and no longer.

What is Pipes MCP?

Pipes MCP introduces session-scoped authorization for agents using existing Pipes connections.

It allows an agent to access OAuth-connected systems (like Snowflake, Google Workspace, Salesforce, etc.) but only within a time-limited session.

When the session ends, access ends.

Pipes MCP is a deployable MCP server that developers host in their own infrastructure.

It does three things:

  1. Leverages existing Pipes OAuth connections.
  2. Exposes each connected provider as a discoverable tool via MCP.
  3. Enforces time-bound access to those tools.

If you already use Pipes to connect to third-party systems, there is no additional provider-side integration required. Pipes MCP sits on top of that connectivity layer and changes how agents access it.

How session-scoped authorization works

With Pipes today, OAuth tokens are long-lived and refreshable. Your application can use them indefinitely.

With Pipes MCP:

  1. An agent must request access to Pipes-backed tools.
  2. A human approves the start of a session.
  3. During that session, the agent can invoke provider tools, with specific authorization granted.
  4. When the session expires, tool access is revoked.
  5. The agent cannot renew the session on its own.

If the agent attempts to use a provider tool after the session has ended, it receives a permission error. A new session must be explicitly approved.

The OAuth connection itself still exists. What changes is the authorization layer between the agent and that connection.

Each Pipes provider becomes an agent tool

Pipes MCP exposes connected providers through the Model Context Protocol.

For an agent, that means:

  • Snowflake can appear as a queryable tool.
  • Google Drive can appear as a document access tool.
  • Salesforce can appear as a CRM interaction tool.

The MCP server advertises these capabilities, and the agent can select and invoke them as part of its planning.

The difference is that tool availability is session-bound. The MCP server enforces access checks on every invocation.

This makes authorization explicit and enforceable at runtime.

Why this approach

There is active debate about agent identity and authorization models.

Some approaches give agents long-lived credentials tied to a user. Others treat agents as independent workloads with their own permanent identities. Some advocate fine-grained approval per action.

Session-scoped authorization is intentionally narrower.

It assumes:

  • Agents are acting on behalf of a user.
  • Access should be time-bound to a task or session.
  • Human approval gates the start of that access.
  • Authorization does not silently extend itself.

It does not attempt to redefine OAuth or override provider scopes. It introduces an additional control layer at the application boundary.

Available now: Deploy Pipes MCP and try session-scoped authorization

Pipes MCP is available today as a deployable MCP server.

If you’re building agent workflows that interact with third-party systems, you can:

  • Deploy Pipes MCP in your own infrastructure.
  • Expose your existing Pipes connections as agent tools.
  • Enforce time-limited, session-based access for those tools.
  • Require explicit approval before agents gain access.
  • Automatically revoke access when the session ends.

If you’re working with agent identity, workload authorization, or human-in-the-loop approval models, we’d love to hear how this fits into your architecture.

Pipes MCP is our first step toward practical, runtime authorization for agents. The direction it takes next will be shaped by your feedback.

Use our starter template to get started with Pipes MCP today.

We’re hiring

Our global team is growing and we’re hiring all types of roles.

View open roles
About us

WorkOS builds developer tools for quickly adding enterprise features to applications.

Learn more

This site uses cookies to improve your experience. Please accept the use of cookies on this site. You can review our cookie policy here and our privacy policy here. If you choose to refuse, functionality of this site will be limited.