More granular OAuth 2.0/Personal Access Tokens and Asana?


These may be naive questions, but…

  1. Is there any way to characterize the risk of granting access? I understand, from the nice Asana API pages, that this is only done by granting a temporary, refreshable-every-hour token, which can only be used alongside the client app’s already-registered token. (I’m probably misusing some terminology here.) With so many integration tools (IFTTT, Zapier, others), I think twice about whether I want to authorize each one.

  2. Even if the risk in (1) is low, I, and organizations (enterprises) I’ve worked with, understandably, would not want their data accessible in such a way. That is, if I as an Asana user am a member of Org A and Org B, and I want to do some automation with Org A and they’re ok with that but Org B isn’t, what’s my recourse? Have you considered tokens that would apply to a single Organization/Workspace? Or even a way for me in Asana to designate a set of Workspaces/Organizations that a single token would apply to (but not to all the others I’m a member of)? Another use case is for me to do personal automation but not put at risk any other Workspaces/Organizations. Different logins would isolate things, but that’s not convenient in many cases and not how I’d prefer to work in Asana.

Thanks very much for a great API and product.
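To make the two points above concrete, here is an added example (not Asana's code, and not an Asana API client) that models a toy OAuth 2.0 token server in plain Python: short-lived access tokens that expire after an hour, a refresh step that only succeeds with the registered client's secret, and a grant that carries an explicit set of workspaces so a token for Org A cannot reach Org B. All names (`zap-app`, `OrgA`, `OrgB`, `Personal`, the client secret) are constructed; the per-workspace scoping is the behaviour the question asks for, not something the page says Asana offers.

```python
"""Toy OAuth 2.0 token server with per-workspace scoped grants (constructed example)."""
import hmac
import secrets
import time
from dataclasses import dataclass

ACCESS_TOKEN_TTL = 3600  # seconds: the hourly-refresh lifetime described in the question


@dataclass
class Grant:
    client_id: str
    user: str
    workspaces: frozenset      # workspaces this grant is allowed to reach
    refresh_token: str
    access_token: str
    expires_at: float          # access-token expiry, epoch seconds


class TokenServer:
    def __init__(self):
        self._clients = {}     # client_id -> client_secret of registered apps
        self._by_refresh = {}  # refresh_token -> Grant
        self._by_access = {}   # access_token -> Grant

    def register_client(self, client_id, client_secret):
        self._clients[client_id] = client_secret

    def authorize(self, client_id, user, workspaces, now=None):
        """User consents to client_id for the listed workspaces only."""
        if client_id not in self._clients:
            raise PermissionError("unknown client")
        now = time.time() if now is None else now
        grant = Grant(client_id, user, frozenset(workspaces),
                      refresh_token=secrets.token_urlsafe(32),
                      access_token=secrets.token_urlsafe(32),
                      expires_at=now + ACCESS_TOKEN_TTL)
        self._by_refresh[grant.refresh_token] = grant
        self._by_access[grant.access_token] = grant
        return grant

    def refresh(self, client_id, client_secret, refresh_token, now=None):
        """Rotate the access token; needs the registered secret AND the refresh token."""
        expected = self._clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            raise PermissionError("client authentication failed")
        grant = self._by_refresh.get(refresh_token)
        if grant is None or grant.client_id != client_id:
            raise PermissionError("refresh token not issued to this client")
        now = time.time() if now is None else now
        self._by_access.pop(grant.access_token, None)  # old access token dies on rotation
        grant.access_token = secrets.token_urlsafe(32)
        grant.expires_at = now + ACCESS_TOKEN_TTL
        self._by_access[grant.access_token] = grant
        return grant.access_token

    def authorize_request(self, access_token, workspace, now=None):
        """Resource-server check: token is live AND the workspace is inside the grant's scope."""
        grant = self._by_access.get(access_token)
        if grant is None:
            return False
        now = time.time() if now is None else now
        if now >= grant.expires_at:
            return False
        return workspace in grant.workspaces

    def revoke(self, refresh_token):
        """User revokes the app: both the refresh and the current access token stop working."""
        grant = self._by_refresh.pop(refresh_token, None)
        if grant is not None:
            self._by_access.pop(grant.access_token, None)


def demo():
    """Walk through the Org A / Org B scenario from the question with constructed names."""
    srv = TokenServer()
    srv.register_client("zap-app", "constructed-client-secret")
    t0 = 1_700_000_000.0
    # Account-wide grant: one token reaches every workspace the user belongs to.
    broad = srv.authorize("zap-app", "me", ["OrgA", "OrgB", "Personal"], now=t0)
    # Scoped grant: the same app, limited to Org A only.
    narrow = srv.authorize("zap-app", "me", ["OrgA"], now=t0)
    return {
        "broad_reaches_orgb": srv.authorize_request(broad.access_token, "OrgB", now=t0),
        "narrow_reaches_orgb": srv.authorize_request(narrow.access_token, "OrgB", now=t0),
        "narrow_reaches_orga": srv.authorize_request(narrow.access_token, "OrgA", now=t0),
        "expired_after_hour": srv.authorize_request(
            narrow.access_token, "OrgA", now=t0 + ACCESS_TOKEN_TTL),
    }


if __name__ == "__main__":
    print(demo())
```

The `demo()` result shows the risk difference directly: the account-wide grant answers `True` for Org B, the scoped grant answers `False`, and any access token stops working once the hour is up. The blast radius of a leaked access token is therefore bounded by its lifetime and by its workspace set, while a leaked refresh token is useless without the client secret, and `revoke()` ends both at once.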


I think @Matt_Bramlage will be able to give his insight about this.