Manage access to apps in Zapier

When planning how your teams will use Zapier, one of the most important decisions is how you'll handle apps across your organization. You have two main choices: an open apps policy (where apps are allowed by default) or a closed apps policy (where apps are restricted by default). An open policy lets team members quickly adopt and change the apps they connect with Zapier. A closed policy ensures tighter control by only allowing a small, carefully curated list of apps to be used.

You can use app access settings to control which apps members of your Enterprise account can use. You can choose to either restrict apps (an open policy) or allow apps (a closed policy).

How it works

When you enable either the restricted apps or allowed apps setting, you’ll create a list of restricted or allowed apps depending on your setting:

Restricted apps

Description:

  • Members can use any app on Zapier unless it’s on your restricted list.
  • App access is open but with restrictions.
  • This setting is enabled by default.

Permitted operations:

  • Add restricted apps.
  • Add member or team exceptions.

Allowed apps

Description:

  • Members can only use apps on your allowed list.
  • App access is closed except where you’ve allowed access.

Permitted operations:

  • Add allowed apps.
  • Prohibit specific actions in an allowed app.
  • Add member or team exceptions.

Members will no longer be able to publish any new or edited Zap that includes a prohibited app. They will see a notification that the app is prohibited. If an existing Zap includes a prohibited app, it will remain on but steps that use the prohibited app will be held when the Zap runs. When a member views the Zap run details, they will see a notification on the step run indicating that the step was held due to the restricted app. They will not be able to replay the step as long as the app is prohibited.

You cannot have both settings enabled simultaneously.
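
The rules above, modelled as an added example (not Zapier's code or API) to preview which existing Zaps would have steps held before a setting is changed. The Zap inventory, the app and action identifiers, and the assumption that access is evaluated for the Zap owner and the owner's teams are constructed for illustration; exceptions are modelled only for restricted apps, as in this page's QuickBooks example.

```python
from dataclasses import dataclass, field

@dataclass
class AppPolicy:
    mode: str   # "restricted" = open by default, "allowed" = closed by default
    apps: set   # the restricted list or the allowed list, depending on mode
    exceptions: dict = field(default_factory=dict)          # restricted: app -> exempt members/teams
    prohibited_actions: dict = field(default_factory=dict)  # allowed: app -> blocked actions

    def permits(self, principals, app, action):
        if self.mode == "restricted":
            exempt = self.exceptions.get(app, set()) & set(principals)
            return app not in self.apps or bool(exempt)
        if self.mode == "allowed":
            blocked = self.prohibited_actions.get(app, set())
            return app in self.apps and action not in blocked
        raise ValueError(f"unknown mode: {self.mode!r}")

def held_steps(policy, zap):
    """Steps that would be held at run time; any held step also blocks publishing."""
    # Assumption: access is evaluated for the Zap owner and the owner's teams.
    who = {zap["owner"], *zap["teams"]}
    return [step for step in zap["steps"] if not policy.permits(who, *step)]

def impact(policy, zaps):
    """Map each affected Zap to its held steps, for review before changing settings."""
    report = {z["name"]: held_steps(policy, z) for z in zaps}
    return {name: steps for name, steps in report.items() if steps}

# Constructed inventory; (app, action) identifiers are illustrative, not Zapier's.
ZAPS = [
    {"name": "invoice-sync", "owner": "dana", "teams": ["accounting"],
     "steps": [("quickbooks", "create_invoice"), ("slack", "send_message")]},
    {"name": "lead-routing", "owner": "lee", "teams": ["sales"],
     "steps": [("salesforce", "new_lead"), ("quickbooks", "create_customer")]},
    {"name": "cleanup", "owner": "sam", "teams": ["ops"],
     "steps": [("slack", "send_message"), ("google_drive", "delete_file")]},
]
RESTRICTED = AppPolicy("restricted", {"quickbooks"},
                       exceptions={"quickbooks": {"accounting"}})
ALLOWED = AppPolicy("allowed", {"slack", "salesforce", "google_drive"},
                    prohibited_actions={"google_drive": {"delete_file"}})

if __name__ == "__main__":
    for label, policy in (("restricted", RESTRICTED), ("allowed", ALLOWED)):
        print(label, impact(policy, ZAPS))
```

Running it against both policies shows that moving from the restricted list to the allowed list holds steps in all three sample Zaps, including the accounting team's, since the allowed list here does not include QuickBooks.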

Why manage app access?

App usage in Zapier is driven by your day-to-day business processes (like "quote to cash" or "lead routing") which remain relatively consistent. However, the tools you use to perform these steps evolve as your company's tech stack changes.

Your app access policy should balance three factors:

  • Speed and innovation: How quickly teams can adopt new tools and experiment.
  • Security and compliance: How well you control data flows and maintain regulatory requirements.
  • Governance: Who approves new tools and how oversight works.

Restricted apps

Pros:

  • Your organization wants to promote agility, experimentation, and autonomy.
  • You're comfortable with a "trust but verify" approach.
  • Your teams value speed and flexibility over strict control.
  • You have moderate compliance requirements.
  • You want to support experimentation with minimal barriers.
  • If desired, an admin can set up an approval process so that new Zaps still require a final check before going live.

Cons:

  • Requires trust that team members follow best practices.
  • Can potentially result in "app sprawl" if not monitored.
  • May require ongoing administrative oversight.

Allowed apps

Pros:

  • Your organization has strict compliance and security requirements (examples include industries like financial services and healthcare).
  • You need to ensure only vetted or official tools are used.
  • Data security and compliance demands strict controls.
  • You want consistent tools across your organization.
  • You want admins to have full visibility and control over which apps are used in your account.

Cons:

  • Can slow adoption of new tools.
  • Requires more administrative oversight.
  • Can create friction for teams that need special apps.

How to choose your app policy

Planning how your team will access and use apps through Zapier is crucial to scaling your automation strategy. Follow these steps to determine which policy is right for your organization:

1. Understand your business processes

Processes like "quote to cash" or "lead routing" have fundamental steps that remain consistent: capturing information, approving or assigning items, and moving them through a pipeline. The tools used in these steps can vary and may shift as your company's tech stack evolves. When evaluating your app policy, consider how tightly these processes need to be controlled.

2. Evaluate your organization's approach to innovation

Assess how quickly your teams need or want to adopt new tools. If your organization embraces citizen development where individual teams or power users can adopt new tools quickly, an open policy may be more suitable. If you work in a highly regulated or compliance-oriented industry, you might prefer a closed policy where every app must be explicitly allowed.

3. Determine your compliance requirements

Assess your industry's or organization's compliance and security needs. Heavily regulated fields, like financial services or healthcare, often require strict approval flows. A closed policy (the allowed apps setting) is useful here because, by default, employees cannot connect apps unless they are approved and added to the allowlist. For fields with moderate compliance requirements, and where faster innovation is more important, an open policy (the restricted apps setting) with Zapier's built-in approvals feature may strike the right balance.

4. Plan your app policy structure

Once you've identified your general approach, set up your app policies in Zapier.

5. Verify your policy with approval flows

No matter which policy you choose, you can use [Zap approvals](https://help.zapier.com/hc/en-us/articles/8496296255373) to add an extra governance layer. This allows open experimentation while maintaining oversight: team members create Zaps freely, but admins review before Zaps publish and run.

Note

Over time, your needs may change. Many organizations start with an open policy and gradually tighten it as they learn which apps are used most frequently. Others begin closed and gradually allow more apps as they gain confidence in their processes.

Prerequisites

  • You must be an admin, super admin, or owner of your account to enable this feature.
  • Your account must have one or more verified domains.

Select your app access setting

  1. Go to your account Settings page.
  2. In the left sidebar under the Admin settings section, select Security and privacy.
  3. In the Security section, select Allow or restrict apps. You'll be redirected to a new page.
  4. If:
    • Allowed apps is enabled, click Change to restricted apps.
    • Restricted apps is enabled, click Change to allowed apps.

Restrict apps

When you restrict an app, no one in your account can use that app. Members can still use any app that is not on your restricted list.

Add a restricted app

  1. Go to your account Settings page.
  2. In the left sidebar under the Admin settings section, select Security and privacy.
  3. Select Allow or restrict apps. You'll be redirected to the Restricted apps page.
  4. Click Add app. You’ll be redirected to the Add restricted app page.
  5. In the Search for an app field, search for and select the app you want to restrict.
    • You’ll see a warning notification if any members are currently using the app.
    • You can review the app connections and any associated Zaps on the Apps page.
  6. Click Add restricted app.

Remove a restricted app

  1. On the Restricted apps page, select the app. You’ll be redirected to the restriction page for the app.
  2. In the top right, click Remove APP restriction. A dialog box will appear.
  3. Click Remove to confirm.

(Optional) Add member or team exceptions

You can create exceptions to your restricted list so specific members or teams are permitted to use the app.

  1. On the Restricted apps page, select the app. You’ll be redirected to the restriction page for that app.
  2. In the Allow app for specific members or teams field, search for and select a member or team in your account.

(Optional) Remove member or team exceptions

  1. On the Restricted apps page, select the app. You’ll be redirected to the restriction page for that app.
  2. In the Members/teams with access section, click Remove next to the exempted member or team.
  3. The button will convert to "Are you sure?".
  4. Click Are you sure? to confirm.

Example

If you add Quickbooks to your restricted apps list, you can add an exception for your accounting team. This will give your accounting team access to Quickbooks, while the rest of your account will still be restricted from using the app.

Limitations

  • You can only enable either restricted apps or allowed apps settings. You cannot enable both.
  • You can switch settings at any time. If you switch to a setting you previously used:
    • Your last settings will be pre-populated.
    • Any held runs resulting from the previous setting can be replayed as long as the app is now permitted.
  • Members of your account will still be able to connect their app accounts and use them to set up triggers and actions (including loading or creating test records), but they will not be able to publish and run the Zap.
  • You can only add an exception for one member or team at a time.
  • By default, these settings are account-wide. Account admins, super admins, and owners will be affected by these limits unless you add exceptions.

Plan limitation

  • If you downgrade your Enterprise account, you will lose access to this feature.

Planning how your team will access and use apps through Zapier is crucial to scaling your automation strategy. By choosing an open policy, you empower quick experimentation and innovation with minimal friction. This is ideal for organizations embracing citizen development. Alternatively, a closed policy gives you tighter control and ensures compliance, ideal for industries that need more stringent oversight.

No matter which approach you pick, Zapier's approvals feature provides additional governance so that you can fine-tune your workflows, maintain security, and keep your automation strategy aligned with your organizational goals.
