OAuth 2 and Connected Account Credentials
How OAuth 2 connections work in Omnio, what credentials we never receive, what tokens we store, and how revocation works.
Summary
For providers that support OAuth 2 (such as Oura, Whoop, and Withings), Omnio does not receive or store your provider password.
You authenticate directly with the provider, then the provider returns scoped OAuth tokens to Omnio for data sync.
OAuth 2 flow in Omnio
- You click Connect from Sources > Accounts.
- Omnio redirects you to the provider’s OAuth authorisation page.
- You sign in on the provider domain and approve requested scopes.
- The provider redirects back to Omnio with an authorisation code.
- Omnio exchanges that code for tokens and stores tokens encrypted at rest.
- Omnio syncs data only within approved scopes.
Credential boundaries
For OAuth 2 providers:
- Provider passwords are entered on the provider’s site, not in Omnio.
- Omnio does not receive provider passwords.
- Omnio does not receive MFA secrets or one-time codes.
- Omnio receives access/refresh tokens and scope grants only.
Token storage and use
- Tokens are stored encrypted at rest in Omnio’s credential store.
- Tokens are used only for sync jobs and token refresh.
- If a token refresh fails or the grant is revoked, the source is marked disconnected until you reconnect it.
Scope-limited access
OAuth tokens are constrained by provider-granted scopes. Omnio can only fetch data allowed by those scopes.
If a scope is not granted, Omnio cannot access that data category.
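The token-use and scope rules above, sketched as an added example (illustrative code, not Omnio's own implementation). The Source record, the function names, the scope strings and the category mapping are all hypothetical; invalid_grant is the standard OAuth 2 error code (RFC 6749) a token endpoint returns when a refresh token has been revoked or has expired.

```python
from dataclasses import dataclass, field

# Hypothetical mapping of data categories to the scope each one requires.
CATEGORY_SCOPE = {
    "sleep": "sleep.read",
    "heart_rate": "heartrate.read",
    "workouts": "workout.read",
}

@dataclass
class Source:
    provider: str
    access_token: str    # a real credential store would hold these encrypted at rest
    refresh_token: str
    scopes: set = field(default_factory=set)
    status: str = "connected"
    reason: str = ""

def apply_refresh_result(src, http_status, body):
    """Update a source from the token endpoint's reply to a refresh request."""
    if http_status == 200 and "access_token" in body:
        src.access_token = body["access_token"]
        # Some providers rotate the refresh token; keep the old one otherwise.
        src.refresh_token = body.get("refresh_token", src.refresh_token)
        if "scope" in body:  # space-delimited list per RFC 6749
            src.scopes = set(body["scope"].split())
        src.status, src.reason = "connected", ""
        return src
    # Any failed refresh disconnects the source until the user reconnects.
    src.status = "disconnected"
    if body.get("error") == "invalid_grant":
        src.reason = "grant_revoked"
        # Assumption: tokens for a revoked grant are discarded, not kept.
        src.access_token = src.refresh_token = ""
    else:
        src.reason = "refresh_failed"
    return src

def syncable_categories(src):
    """Categories a sync job may fetch: source connected and scope granted."""
    if src.status != "connected":
        return []
    return sorted(c for c, s in CATEGORY_SCOPE.items() if s in src.scopes)
```
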
Revocation and disconnect behavior
You can stop access in two ways:
- Disconnect the account in Omnio (stops future syncs).
- Revoke the app in the provider’s own security/app settings (invalidates token refresh).
After revocation, Omnio cannot continue pulling new data.
Provider exception note
Not all providers expose a public OAuth 2 integration path.
Garmin currently uses a non-OAuth session workflow in Omnio:
- Credentials are used to establish a Garmin session.
- Passwords are not persisted by Omnio.
- Session tokens are stored encrypted at rest.
This exception is provider-specific and does not change OAuth 2 behavior for Oura, Whoop, or Withings.