Documentation
  1. WORKFLOWS STUDIO
  2. Application Workflow

End-user OAuth on connections

Some third-party connectors need each end user to authenticate with their own account rather than running through a single, shared bot-level connection. For example, a workflow that creates a file in the requester's own Google Drive, or posts as the user in Slack, needs that user's authorization — not the admin's.

When a workflow uses such a connection, Leena AI checks whether the user has authorized it. If they haven't, the user is prompted to connect their account before the workflow can proceed. Once they authorize, the workflow continues automatically.

📘

When this applies

Only connectors configured to require end-user (per-user) OAuth trigger this. Connectors that use a single org-level connection don't prompt individual users. Whether a connector requires per-user OAuth is set on the connector in Integrations, not in the workflow builder.

When the prompt appears

The authentication check runs at the two points where a user interacts with the workflow:

  • On initiation — when a user starts a workflow that needs a per-user connection, the check runs immediately. If they're not authenticated, they're asked to connect before the request is created.
  • On opening a task — when a user opens an Input or Approval task whose step uses a per-user connection, the same check runs. The task form is held back until the user connects.

In both cases the user authorizes in a connection pop-up, and the workflow resumes from where it paused — no data is lost.

How the requirement is detected

Builders don't flag this per node — Leena AI works it out automatically:

  1. At publish time, the platform scans the workflow for connections that sit on a user's path — Action steps reachable from the Trigger Input, Input, and Approval nodes — and connector references inside forms (including dynamic dropdowns / async hooks and referenced utility apps).
  2. It asks Integrations which of those connections require per-user OAuth, and stores just those against the relevant step.
  3. At runtime, when the user initiates or opens the task, it checks that user's authorization status for those connections and prompts only if something is missing.
⚠️

Re-publish after connection changes

Because the requirement is computed when you publish, re-publish the workflow after changing which connections a step uses so detection stays accurate. If a connector's "require end-user OAuth" setting is toggled in Integrations, the platform syncs that across existing versions. As a safety measure, if the authorization status can't be confirmed, the system errs on the side of prompting the user to authenticate.

End-user experience

From the employee's side it's simple: when they start a request or open a task that needs their own account, they see a prompt to connect that account, complete a quick authorization, and then continue with the form as normal. After the first authorization, they won't be asked again for that connection unless their access expires or is revoked.