OAuth 2.0
OAuth 2.0 is an authorization framework that grants apps scoped, token-based access to user resources without sharing passwords.
OAuth 2.0 is the industry-standard framework for delegated authorization. It allows a user to grant a third-party application limited access to their resources on another service, without sharing their password. The classic example is letting an app read your calendar by approving access rather than handing over your login.
How It Works
OAuth defines four roles: the resource owner (the user), the client (the app requesting access), the authorization server (which authenticates the user and issues tokens), and the resource server (which holds the protected data). After the user consents, the authorization server issues an access token with a limited scope and lifetime. The client presents this token to the resource server to access data.
OAuth supports several grant types, or flows. The authorization code flow, now combined with PKCE, is recommended for web and mobile apps. The client credentials flow handles machine-to-machine access. Tokens are often JSON web tokens, and refresh tokens let clients obtain new access tokens without re-prompting the user.
Importantly, OAuth is about authorization, not authentication. It answers "what can this app do," not "who is this user."
Why It Matters
OAuth removed the dangerous practice of sharing passwords with third-party apps. Scoped, expiring tokens limit damage if a token leaks, and access can be revoked without changing a password.
OAuth is everywhere: "Sign in with" buttons, API access, and integrations between SaaS products. It is the foundation on which OpenID Connect adds authentication.
Misuse is common, so following current best practices, such as PKCE and short-lived tokens, is essential.
Related Terms
OAuth 2.0 underpins OpenID Connect and often uses JSON web tokens. It enables single sign-on and is an alternative to SAML for delegated access.