So in this scenario, most such third party apps issue tokens so that you can talk to them. Many people use these tokens to also talk to their own backend (which is usually done in an insecure way). What you can do is continue using SuperTokens as you normally do, and save the JWT / refresh tokens provided by this third party service only on your backend. If these tokens are per user, then you can associate these tokens as JWTPayload or map them against userIds in your backend. This way, whenever you need to query this third party service, you verify the supertokens session (like you normally do), and the get the JWTPayload to get these tokens. Or from the userId, get these tokens. If you need these tokens on your frontend, you can save them localstorage and use those to query the third party service. If these tokens are compromised, then your APIs won't (cause your APIs don't use these tokens to give access).