Why Connecting Accounts with OAuth 2 Doesn't Share Your Password
When you connect Oura, Whoop, or Withings to Omnio, you sign in on their website, not ours. Here's what OAuth 2 does, what we receive, and what we never see.
If you’ve ever connected a wearable account and wondered, “Did I just give Omnio my password?”, that’s a great question.
Short answer: with OAuth 2 providers, no.
When you connect an account like Oura, Whoop, or Withings, you sign in directly on that provider’s own login page. Your username, password, and any MFA challenge stay between you and that provider.
Omnio never sees those credentials.
What actually happens when you connect
Here’s the plain-English flow:
- You click Connect in Omnio.
- We send you to the provider’s authorisation page (for example, Oura or Whoop).
- You sign in there and approve what data Omnio can access.
- The provider sends Omnio an OAuth token.
- Omnio uses that token to sync only the data covered by the scopes you approved.
Think of OAuth 2 as a valet key. You grant limited, revocable access without handing over your main house keys.
What Omnio receives vs. what Omnio never gets
Omnio receives:
- Access token (and often a refresh token)
- The permissions (scopes) you approved
- Data from those approved scopes
Omnio does not receive:
- Your provider account password
- Your MFA code
- Any access to your account beyond the approved scopes
If you revoke access from the provider side, token refresh stops and syncing disconnects.
Why this matters for trust
OAuth 2 changes the trust model:
- You authenticate with the source provider, not with Omnio.
- Permissions are explicit and scope-limited.
- Access can be revoked at any time from the provider account settings.
This is better than sharing raw credentials with every app you use.
Important nuance: not every provider supports OAuth 2
Some ecosystems still do not offer a public OAuth 2 flow for third-party apps. In those cases, integrations may use a different login method.
Today, Garmin in Omnio uses a non-OAuth session flow. For Garmin specifically:
- Credentials are used once to establish a session.
- Passwords are not stored by Omnio.
- Session tokens are stored encrypted at rest.
We call this out clearly because privacy trust depends on precise language, not marketing shortcuts.
Bottom line
For OAuth 2-connected providers, Omnio does not see your password.
You authorise access on the provider’s side, we receive scoped tokens, and you can revoke access whenever you want.