What is OAuth

OAuth 2.0 is an authorization framework that lets users grant third-party applications limited access to their accounts on other services — without sharing their password. "Sign in with Google" and "Connect your GitHub" both use OAuth.

How it works

OAuth 2.0 defines four roles: the resource owner (the user), the client (the third-party application), the authorization server (run by the provider, e.g. Google or GitHub), and the resource server (the API that holds the user's data).

In the authorization code flow (most secure):

  1. The app redirects the user to the authorization server
  2. The user logs in and grants specific permissions (scopes)
  3. The authorization server redirects back with a one-time code
  4. The app exchanges the code + its client secret for an access token and refresh token
  5. The app uses the access token to call APIs on behalf of the user

The access token is short-lived (minutes to hours). The refresh token lets the app obtain new access tokens without prompting the user to log in again. The client secret never leaves the app's server: it is sent only on the back-channel exchange in step 4, never through the user's browser.
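The five steps above, and the token lifetimes just described, traced end to end in an added Python example (this is not code from the original page or from any real provider). It simulates both sides in one process: an AuthorizationServer standing in for Google or GitHub, and a ClientApp for the third-party app's server side. The client id, client secret, URLs, user name, scope and the one-hour token lifetime are all constructed values. One check that the numbered steps do not mention, the state parameter the app generates in step 1 and verifies on the callback, is part of standard OAuth 2.0 and is included because a practitioner would expect it.

```python
"""Simulated OAuth 2.0 authorization code flow: client app and authorization server
as two objects in one process. All names, URLs and secrets are constructed for illustration."""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_TTL = 3600  # assumed access-token lifetime: one hour
CLIENT_ID, CLIENT_SECRET = "photo-printer", "s3cret-kept-server-side"  # constructed
REDIRECT_URI = "https://app.example/callback"  # constructed

class AuthorizationServer:
    """Stand-in for a provider such as Google or GitHub."""
    def __init__(self, clients):
        self.clients = clients  # client_id -> (client_secret, registered redirect_uri)
        self.codes, self.access, self.refresh = {}, {}, {}  # keyed by code / token value

    def authorize(self, client_id, redirect_uri, scope, state, user):
        """Steps 2-3: the user has logged in and consented; redirect back with a one-time code."""
        if redirect_uri != self.clients[client_id][1]:
            raise PermissionError("redirect_uri does not match registration")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "user": user}
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, grant_type, client_id, client_secret, **params):
        """Step 4 (and refresh): back-channel token endpoint, the only place the secret is checked."""
        registered = self.clients.get(client_id)
        if registered is None or not secrets.compare_digest(registered[0], client_secret):
            raise PermissionError("invalid_client")
        if grant_type == "authorization_code":
            grant = self.codes.pop(params["code"], None)  # pop: a code is single-use
            if grant is None or grant["client_id"] != client_id \
                    or grant["redirect_uri"] != params["redirect_uri"]:
                raise PermissionError("invalid_grant")
        elif grant_type == "refresh_token":
            grant = self.refresh.get(params["refresh_token"])
            if grant is None or grant["client_id"] != client_id:
                raise PermissionError("invalid_grant")
        else:
            raise PermissionError("unsupported_grant_type")
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[access] = {"user": grant["user"], "scope": grant["scope"],
                               "expires": time.time() + TOKEN_TTL}
        self.refresh[refresh] = {"client_id": client_id, "user": grant["user"], "scope": grant["scope"]}
        return {"access_token": access, "refresh_token": refresh, "expires_in": TOKEN_TTL}

    def introspect(self, access_token):
        """Step 5, resource-server side: is the token valid and unexpired, and for whom?"""
        rec = self.access.get(access_token)
        if rec is None or rec["expires"] < time.time():
            return None
        return {"user": rec["user"], "scope": rec["scope"]}

class ClientApp:
    """The third-party app's server side; the client secret it uses never reaches the browser."""
    def __init__(self, srv):
        self.srv, self.pending_states, self.tokens = srv, set(), None

    def start_login(self, scope):
        """Step 1: the URL the browser is sent to. `state` lets the app recognise its own callback."""
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return "https://auth.example/authorize?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI, "scope": scope, "state": state})

    def handle_callback(self, callback_url):
        """Steps 3-4: read code and state off the redirect, then exchange the code plus secret."""
        q = parse_qs(urlparse(callback_url).query)
        if q.get("state", [None])[0] not in self.pending_states:
            raise PermissionError("state not issued by this app")
        self.pending_states.discard(q["state"][0])
        self.tokens = self.srv.token("authorization_code", CLIENT_ID, CLIENT_SECRET,
                                     code=q["code"][0], redirect_uri=REDIRECT_URI)
        return self.tokens

    def refresh(self):
        self.tokens = self.srv.token("refresh_token", CLIENT_ID, CLIENT_SECRET,
                                     refresh_token=self.tokens["refresh_token"])
        return self.tokens

def run_flow():
    srv = AuthorizationServer({CLIENT_ID: (CLIENT_SECRET, REDIRECT_URI)})
    app = ClientApp(srv)
    login_url = app.start_login("read:photos")                                        # step 1
    state = parse_qs(urlparse(login_url).query)["state"][0]
    callback = srv.authorize(CLIENT_ID, REDIRECT_URI, "read:photos", state, "alice")  # steps 2-3
    tokens = app.handle_callback(callback)                                             # step 4
    who = srv.introspect(tokens["access_token"])                                       # step 5
    try:  # replaying the already-used code must fail
        srv.token("authorization_code", CLIENT_ID, CLIENT_SECRET,
                  code=parse_qs(urlparse(callback).query)["code"][0], redirect_uri=REDIRECT_URI)
        code_reusable = True
    except PermissionError:
        code_reusable = False
    rotated = app.refresh()["access_token"] != tokens["access_token"]
    return {"user": who["user"], "scope": who["scope"], "code_reusable": code_reusable, "rotated": rotated}
```

Calling run_flow() returns the user and scope the resource server sees in step 5, confirms that the one-time code cannot be exchanged a second time, and shows the refresh token yielding a new access token with no further login. Note what never crosses the browser: CLIENT_SECRET is used only inside AuthorizationServer.token, i.e. on the back channel of step 4, while steps 1 and 3 carry only the client id, redirect URI, scope, state and code.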

Why it matters

OAuth solves the trust problem. Before OAuth, third-party apps needed your actual password to access your data. With OAuth, you grant limited, revocable access without exposing credentials. The authorization server handles authentication — the third-party app never sees the password. Permissions are scoped (e.g., "read email" but not "delete account") and can be revoked at any time.

See How API Authentication Works for the full OAuth 2.0 flow, client credentials, and when to use OAuth vs JWT.