When you build a custom Application in CharmIQ, it runs inside a 

 iframe. That sandbox restricts what the Application can reach directly — but the CharmIQ bridge (

) provides a first-class secure OAuth pathway that bypasses those restrictions.

Your Application can authenticate with dozens of providers (Google, GitHub, Microsoft, Slack, LinkedIn, and more) using the same encrypted token infrastructure that powers Charm integrations. A dashboard that reads your Google Analytics data. An application that queries the GitHub API. A form that writes to HubSpot. All of it is possible from inside a CharmIQ Application.

The bridge exposes four methods for OAuth:

// 1. Register your application identity (do this once, on load)
await window.charmiq.oauth.register({
  appId: 'com.yourcompany.your-app',   // Unique reverse-domain identifier
  name: 'Your App Name',
  description: 'What this app does',
});

// 2. Request authorization with a provider
const auth = await window.charmiq.oauth.getValidAuth({
  providerUrl: 'https://accounts.google.com',
  scopes: ['https://www.googleapis.com/auth/analytics.readonly'],
});
// auth.accessToken — use this in your API calls

// 3. Refresh an expired token
const refreshed = await window.charmiq.oauth.refreshAuth(auth);

// 4. Revoke access when done
await window.charmiq.oauth.revokeAuth(auth);

 opens a consent popup managed by CharmIQ (the iframe can't open popups directly due to browser sandboxing). Once the user authorizes, CharmIQ returns the access token to your Application. All tokens are encrypted and stored server-side — your Application receives the token in memory; it's never exposed in client storage.

Each Application gets its own isolated token scope. A token that Application A acquired from Google cannot be read or used by Application B — even if both Applications are in the same document and both connect to Google. The isolation key includes your Application's 

Your Company administrator must have a Google (or other provider) Integration configured before your Application can use it. If 

 fails with an authorization error, the Integration for that provider likely hasn't been set up yet.

 you register doesn't need to match anything in your administrator's configuration — it's just an identifier for your specific Application instance. The underlying OAuth infrastructure uses your organization's Integration credentials.

. This is the same Connection model used by MCP servers, just with a different type discriminator. From a security standpoint, the token lifecycle and encryption are identical. The bridge serializes all OAuth communication through 

 since the iframe cannot communicate directly with CharmIQ's backend.

 — The full guide to building Applications in CharmIQ: the bridge API, app-content, app-state and application discovery.

 — How external tools connect to CharmIQ using the same OAuth infrastructure.

 — Administrators: setting up the provider Integrations your Applications depend on.

The admin guide to setting up OAuth providers, configuring MCP servers and controlling what your organization's Charms can access.

OAuth in Applications

Applications Can Connect Too

The Application Bridge OAuth API

Token Isolation

Provider Setup

Patterns

Next Steps