A method for controlling third-party access of a protected data resource is disclosed. The method includes: receiving an access token associated with a first application, the access token indicating access permissions for the first application to access a user account at a protected data resource; receiving a first request to perform a first access operation of accessing the user account using the access token; determining whether the first access operation is permitted based on the access permissions; in response to determining that the first access operation is not permitted: modifying the first request to obtain a second request for performing a second access operation of accessing the user account using the access token, the second access operation complying with the access permissions for the first application; transmitting the second request to a server associated with the protected data resource.