


Definition
OAuth (Open Authorization) is an open standard for delegated authorization. It allows users to grant third-party applications limited access to their accounts on other services (like Google or GitHub) without sharing their passwords. OAuth 2.0 is the current version.
Before OAuth, if a third-party app wanted to access your email contacts, you had to give it your email password. This was terrible for security — the app had full access to your account, you could not revoke access without changing your password, and a breach of the app exposed your email credentials. OAuth solves this by letting you authorize the app through the original service (Google, Facebook, GitHub), which issues a limited-scope access token without ever sharing your password.
The OAuth 2.0 authorization code flow works in steps: (1) your app redirects the user to the authorization server (e.g., accounts.google.com), (2) the user logs in and consents to specific permissions (scopes), (3) the authorization server redirects back with a temporary authorization code, (4) your app exchanges that code for an access token (and optionally a refresh token) via a server-to-server request. The access token is then used to make API calls on the user's behalf.
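The four steps above, as an added example that is not part of the original definition: a Python simulation with an in-memory authorization server and a client app that play out steps 1 to 4 in one process. The class names, the `auth.example` and `app.example` URLs and the demo client credentials are assumptions. It goes slightly beyond the text by including the checks a practitioner expects at steps 3 and 4: the client binds the callback to a login it started with the standard `state` parameter, and the server makes each authorization code single-use, short-lived and bound to the client and redirect URI it was issued for.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo: an in-memory authorization server and a client app,
# simulating the four steps of the authorization code flow. The class and
# endpoint names are illustrative assumptions, not any real provider's API.
CODE_LIFETIME_SECONDS = 60


class AuthorizationServer:
    """Issues single-use authorization codes and exchanges them for tokens."""

    def __init__(self):
        # Registered client: id, secret and the one redirect URI it may use.
        self.clients = {"demo-client": {"secret": "demo-secret",
                                        "redirect_uri": "https://app.example/callback"}}
        self.codes = {}  # code -> metadata that the token endpoint re-checks

    def authorize(self, client_id, redirect_uri, scope, state, user):
        """Steps 2 and 3: the user has consented; redirect back with a code."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "user": user,
                            "expires": time.time() + CODE_LIFETIME_SECONDS}
        # state is echoed back unchanged so the client can tie the callback to its login.
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Step 4: server-to-server exchange of the code for an access token."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise ValueError("client authentication failed")
        meta = self.codes.pop(code, None)  # pop: each code is usable exactly once
        if meta is None or meta["expires"] < time.time():
            raise ValueError("invalid or expired code")
        if meta["client_id"] != client_id or meta["redirect_uri"] != redirect_uri:
            raise ValueError("code was issued to a different client/redirect_uri")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "scope": meta["scope"], "user": meta["user"]}


class ClientApp:
    """The third-party app: builds the authorize URL and handles the callback."""

    def __init__(self, server):
        self.server = server
        self.client_id, self.client_secret = "demo-client", "demo-secret"
        self.redirect_uri = "https://app.example/callback"
        self.pending_states = set()

    def start_login(self, scope):
        """Step 1: build the URL the user's browser is redirected to."""
        state = secrets.token_urlsafe(16)  # random, remembered per login attempt
        self.pending_states.add(state)
        return "https://auth.example/authorize?" + urlencode(
            {"response_type": "code", "client_id": self.client_id,
             "redirect_uri": self.redirect_uri, "scope": scope, "state": state})

    def handle_callback(self, callback_url):
        """Steps 3 and 4: check state, then exchange the code for a token."""
        params = parse_qs(urlparse(callback_url).query)
        state = params.get("state", [None])[0]
        if state not in self.pending_states:
            raise ValueError("state mismatch: callback is not from a login we started")
        self.pending_states.discard(state)
        return self.server.token(self.client_id, self.client_secret,
                                 params["code"][0], self.redirect_uri)


def run_flow(scope="contacts:read", user="alice"):
    """Drive steps 1-4 end to end; returns (token response, server, code used)."""
    server = AuthorizationServer()
    app = ClientApp(server)
    state = parse_qs(urlparse(app.start_login(scope)).query)["state"][0]
    # Step 2 happens at the authorization server: the user signs in and consents.
    callback_url = server.authorize(app.client_id, app.redirect_uri, scope, state, user)
    code = parse_qs(urlparse(callback_url).query)["code"][0]
    return app.handle_callback(callback_url), server, code


def replay_is_rejected():
    """A second exchange of the same code must fail at the token endpoint."""
    _, server, code = run_flow()
    try:
        server.token("demo-client", "demo-secret", code, "https://app.example/callback")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_flow()[0])
    print("replay of a used code rejected:", replay_is_rejected())
```

`run_flow()` returns the step 4 token response with the granted scope and the user it was issued for; `replay_is_rejected()` shows why the server pops the code on first use, so a code captured from the redirect cannot be exchanged a second time.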
OAuth is an authorization protocol — it defines what an app can do, not who the user is. OpenID Connect (OIDC) is an authentication layer built on top of OAuth 2.0 that adds identity verification. "Sign in with Google/GitHub/Apple" buttons use OIDC. The distinction matters for developers: if you only need to verify a user's identity, use OIDC. If you need to access their data on another service (read their repos, send emails on their behalf), use OAuth scopes. JWTs are commonly used as the format for OAuth access tokens.
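The authorization-versus-authentication distinction, as an added example that is not from the original page: two JWTs minted by the same issuer, an OAuth access token whose audience is the API and an OIDC ID token whose audience is the app, and the check each consumer applies. The HS256 shared key, the issuer and audience values and the claim contents are constructed for the demo; real providers sign with asymmetric keys published via JWKS, but the claim checks (signature, algorithm, `iss`, `aud`, `exp`, `scope` for the API, `nonce` for sign-in) are the standard ones.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo: HS256 with a shared secret keeps the example offline.
# Real providers sign with asymmetric keys (RS256/ES256) published via JWKS.
DEMO_KEY = b"constructed-demo-signing-key"
ISSUER = "https://auth.example"        # assumed issuer
CLIENT_ID = "demo-client"              # our app: audience of the OIDC ID token
API_AUDIENCE = "https://api.example"   # the resource server: audience of the access token


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict) -> str:
    """Mint a compact HS256 JWT; stands in for what the authorization server issues."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, audience: str, now=None) -> dict:
    """Check algorithm, signature, issuer, audience and expiry; return the claims."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier, not the token, picks the algorithm
    expected = hmac.new(DEMO_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def api_allows(access_token: str, required_scope: str) -> bool:
    """Resource server view (OAuth): does this token authorize the requested action?"""
    try:
        claims = verify_jwt(access_token, audience=API_AUDIENCE)
    except ValueError:
        return False
    return required_scope in claims.get("scope", "").split()


def sign_in_user(id_token: str, expected_nonce: str):
    """App view (OIDC): who is this? Returns the subject, or None if nothing is proven."""
    try:
        claims = verify_jwt(id_token, audience=CLIENT_ID)
    except ValueError:
        return None
    if claims.get("nonce") != expected_nonce:  # ties the ID token to this login attempt
        return None
    return claims["sub"]


def demo() -> dict:
    """Mint one token of each kind and show each is only good for its own purpose."""
    exp = time.time() + 300
    access = make_jwt({"iss": ISSUER, "aud": API_AUDIENCE, "sub": "user-42",
                       "scope": "repo:read", "exp": exp})
    id_tok = make_jwt({"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-42",
                       "nonce": "n-123", "exp": exp})
    return {
        "api_accepts_access_token": api_allows(access, "repo:read"),
        "api_rejects_unscoped_action": api_allows(access, "repo:write"),
        "api_rejects_id_token": api_allows(id_tok, "repo:read"),
        "login_with_id_token": sign_in_user(id_tok, "n-123"),
        "login_with_access_token": sign_in_user(access, "n-123"),
    }


if __name__ == "__main__":
    print(demo())
```

The audience check is what keeps the two roles apart: the API refuses the ID token and the app refuses the access token even though both are validly signed by the same issuer, and an access token with `repo:read` still does not authorize `repo:write`.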