Systems and methods are provided that securely authenticate a user of a web application. For example, the user may utilize a bot from within a first application, such as a chat application. The user may request the bot to access a second application (e.g., a social-networking application) that is remote from the first application. If the bot does not have authorization, the bot may redirect the user to a webpage for the second application, where the user may enter login credentials. Upon verification, the second application may provide an access token to a webpage associated with the bot. To authenticate the bot user, the bot webpage may generate and cache a nonce that is transmitted back to the first application, which then transmits it to the bot. The bot may then compare the received nonce with the cached nonce. If the nonces match, the user may be securely authenticated.