Abstract: A data processing system implements detecting that a first user device associated with a first user has added a first sponsored content item to a host electronic document by adding a first reference to the first sponsored content item to the host electronic document. The first sponsored content item is stored separately in a memory of a cloud-based service from the host electronic document. The data processing system further implements determining that the first user has permission to share the first sponsored content item with other users of the cloud-based service, generating sponsor information to associate the sponsored content item with the host electronic document to permit users having access to the host electronic document to access the sponsored content item, and storing the sponsor information in a sponsored access datastore.

Abstract: The techniques disclosed herein enable applications to seamlessly consume cloud-based services while minimizing exposure to security vulnerabilities. Specifically, an application is enabled to access a cloud service on behalf of a user without the user's active user token. Access is granted in a way that does not also grant access to any other user's cloud service. In some configurations, during an active user session, an artifact token is generated that caches the user's permissions. The artifact token may later be redeemed to gain access to the user's cloud service. For example, an application may request that a cloud service generate an artifact token. The request may be in response to a user scheduling the application to perform a task that depends on the cloud service. When the scheduled task is performed, the application may redeem the artifact token to access the user's cloud service.