APIs & Authentication
What is OAuth?
A protocol that lets users grant a third-party app limited access to their data on another service, without sharing their password.
OAuth solves the "Login with Google" / "Connect to Slack" problem. Instead of the third-party app asking the user for their Google password, the user is redirected to Google, authenticates there, and approves a specific set of permissions (scopes). Google then sends the user back to the app with a one-time authorization code, which the app exchanges for a short-lived access token scoped to exactly those permissions. The app never sees the password, and the user (or Google) can revoke the grant without changing it.
OAuth 2.0 (RFC 6749, 2012) is the version everyone actually uses. Its core flows are authorization code (web apps with a server-side secret), authorization code with PKCE (mobile apps and SPAs, which cannot keep a secret), client credentials (server-to-server, no user involved), and device code (TVs and CLI tools with no browser). The original implicit and resource-owner-password grants are deprecated and are dropped from the OAuth 2.1 draft. Each flow suits a different client constraint, but the goal is always the same: get a scoped, revocable, expiring access token.
OAuth is famously easy to misimplement: open redirects from loose redirect_uri matching (anything short of exact string comparison), authorization codes stolen or injected because PKCE and the state parameter were skipped, and refresh-token exchanges that hand back more scope than the user originally granted. For real production work, use a library (Auth.js, Authlib, oauthlib, Spring Security) and read the relevant RFCs (6749, 7636, 8252) and the OAuth 2.0 Security Best Current Practice (RFC 9700) before deviating.
FAQ
OAuth 1.0 vs 2.0?
1.0 (and its 1.0a revision) signed every request with an HMAC over the request parameters; it survives only in a handful of legacy APIs. 2.0 uses bearer tokens over TLS, meaning whoever holds the token can use it, so token leakage and TLS hygiene matter more. 2.0 is what every modern provider implements.
What is PKCE?
Proof Key for Code Exchange (RFC 7636), an extension that prevents authorization-code interception and injection attacks for public clients (mobile, SPAs). The client generates a random code_verifier, sends its SHA-256 hash (code_challenge) with the authorization request, and presents the verifier only at the token endpoint, so a stolen code is useless without it. The Security BCP (RFC 9700) and OAuth 2.1 require it for every authorization-code client, confidential ones included.
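The authorization-code flow and the PKCE protection described above, as an added example that is not code from the original page or from any of the libraries it names. It runs both sides in one process: a toy authorization server (ToyAuthServer), a public client (ToyClient), and a demo() that performs the happy path and then the attacks the checks exist to stop. The class and method names, the client_id "app123", and the example.test hostnames are assumptions for illustration; a real server would also bind the code to a user session and revoke issued tokens on a replayed code.

```python
import base64
import hashlib
import secrets
import urllib.parse
from typing import Dict, Optional, Tuple


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")  # RFC 7636 style, unpadded


def make_pkce_pair() -> Tuple[str, str]:
    """Client side of RFC 7636: (code_verifier, code_challenge) for the S256 method."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars of high-entropy text
    return verifier, b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_s256(verifier: str, challenge: str) -> bool:
    """Server side of RFC 7636: SHA-256(verifier) must equal the challenge sent to /authorize."""
    got = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(got.encode(), challenge.encode())


class ToyAuthServer:
    """Stand-in for a provider such as Google; only the checks that matter here are modelled."""

    def __init__(self, clients: Dict[str, str]):
        self.clients = clients              # client_id -> registered redirect_uri (assumed registry)
        self.pending: Dict[str, dict] = {}  # authorization code -> grant details

    def authorize(self, p: Dict[str, str]) -> str:
        """User has consented: return the callback URL carrying a code. Raises on a bad request."""
        if self.clients.get(p.get("client_id")) != p.get("redirect_uri"):
            raise ValueError("redirect_uri must exactly match the registered value")
        if p.get("response_type") != "code":
            raise ValueError("unsupported response_type")
        if p.get("code_challenge_method") != "S256" or not p.get("code_challenge"):
            raise ValueError("PKCE (S256) is required")
        code = b64url(secrets.token_bytes(24))
        self.pending[code] = {"client_id": p["client_id"], "challenge": p["code_challenge"],
                              "redirect_uri": p["redirect_uri"], "scope": p.get("scope", ""),
                              "used": False}
        # state is opaque to the server; it is echoed back for the client to check.
        return p["redirect_uri"] + "?" + urllib.parse.urlencode({"code": code, "state": p["state"]})

    def token(self, client_id: str, code: str, verifier: str, redirect_uri: str) -> Optional[dict]:
        """Code-for-token exchange; None means refused."""
        g = self.pending.get(code)
        if g is None or g["used"] or g["client_id"] != client_id or g["redirect_uri"] != redirect_uri:
            return None
        if not verify_s256(verifier, g["challenge"]):
            return None                     # caller has the code, but not the verifier
        g["used"] = True                    # codes are single-use
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer",
                "expires_in": 3600, "scope": g["scope"]}


class ToyClient:
    """Public client (mobile app or SPA): no client secret, so PKCE and state are its defences."""

    def __init__(self, server: ToyAuthServer, client_id: str, redirect_uri: str):
        self.server, self.client_id, self.redirect_uri = server, client_id, redirect_uri
        self.session: dict = {}

    def start_login(self, scope: str) -> Dict[str, str]:
        verifier, challenge = make_pkce_pair()
        state = b64url(secrets.token_bytes(16))  # binds the callback to this browser session
        self.session = {"verifier": verifier, "state": state}
        return {"response_type": "code", "client_id": self.client_id,
                "redirect_uri": self.redirect_uri, "scope": scope, "state": state,
                "code_challenge": challenge, "code_challenge_method": "S256"}

    def handle_callback(self, url: str) -> Optional[dict]:
        q = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))
        if not secrets.compare_digest(q.get("state", "").encode(), self.session.get("state", "").encode()):
            return None                     # forged or cross-session callback (login CSRF)
        return self.server.token(self.client_id, q.get("code", ""), self.session["verifier"],
                                 self.redirect_uri)


def demo() -> dict:
    """Happy path plus the attacks the checks above exist to stop."""
    server = ToyAuthServer({"app123": "https://app.example/cb"})
    client = ToyClient(server, "app123", "https://app.example/cb")
    cb_url = server.authorize(client.start_login("calendar.read"))

    # The code leaks (malicious app, shared browser, proxy logs) but the verifier never left the client.
    stolen_code = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(cb_url).query))["code"]
    stolen = server.token("app123", stolen_code, make_pkce_pair()[0], "https://app.example/cb")
    legit = client.handle_callback(cb_url)   # the real client completes the exchange
    replay = client.handle_callback(cb_url)  # same code a second time

    # Attacker rewrites redirect_uri to their own host to capture the code.
    bad = client.start_login("calendar.read")
    bad["redirect_uri"] = "https://attacker.example/cb"
    try:
        server.authorize(bad)
        redirect_rejected = False
    except ValueError:
        redirect_rejected = True

    return {"token_scope": legit["scope"] if legit else None,
            "stolen_code_rejected": stolen is None,
            "replay_rejected": replay is None,
            "redirect_rejected": redirect_rejected}
```

The three refusals in demo() map directly onto the pitfalls listed earlier: exact redirect_uri matching closes the open-redirect leak, the S256 check makes an intercepted code worthless, and the single-use flag stops replay. Note that state and PKCE protect different things: state stops an attacker from feeding the victim's browser a callback from the attacker's own login (CSRF), while the verifier proves the party redeeming the code is the party that started the flow.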
OAuth vs OpenID Connect?
OAuth is for authorization (granting access). OpenID Connect is an identity layer on top of OAuth that adds an ID token, so you also get authentication. The ID token is a signed JWT carrying claims such as iss (who issued it), sub (the user), aud (which client it was minted for), exp, and the nonce the client sent with the login request; the client must verify the signature and every one of those claims before trusting it. "Sign in with Google" is OIDC.
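The ID-token validation that turns OAuth into authentication, as an added example that is not code from the original page and not any provider's or library's implementation. It mints and checks a compact JWT with HS256 via the standard library so it runs offline; real providers sign with RS256/ES256 and publish keys via JWKS, so the symmetric key, the issuer URL, the client IDs and the claim values below are all constructed for the example. The check order (structure, algorithm allow-list, signature, iss, aud, exp, nonce) is the part that carries over unchanged.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))  # restore padding


def mint_hs256(claims: dict, key: bytes) -> str:
    """Issue a compact JWT signed with HS256 (stands in for the provider's RS256 signing)."""
    enc = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc({"alg": "HS256", "typ": "JWT"}) + "." + enc(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_id_token(token: str, key: bytes, issuer: str, client_id: str,
                      nonce: str, now: int) -> Optional[dict]:
    """Return the claims if the ID token is acceptable for this client, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        sig = _b64url_decode(parts[2])
    except ValueError:                       # bad base64 or bad JSON (JSONDecodeError is a ValueError)
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Never let the token pick its own algorithm: 'none' and key-confusion attacks start here.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if claims.get("iss") != issuer:
        return None
    aud = claims.get("aud")                  # may be a string or a list of audiences
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return None                          # minted for some other client
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None
    if claims.get("nonce") != nonce:         # ties the token to the login this client started
        return None
    return claims


def demo() -> dict:
    """Validate one good token and five tampered or misdirected ones; returns the outcomes."""
    key = b"constructed-demo-key-not-a-real-secret"       # constructed for the example
    issuer, me, other = "https://issuer.example", "my-app", "other-app"
    now = 1_700_000_000
    base = {"iss": issuer, "sub": "user-42", "aud": me, "iat": now, "exp": now + 300,
            "nonce": "n-1", "email": "alice@example.com"}
    good = mint_hs256(base, key)
    wrong_aud = mint_hs256({**base, "aud": other}, key)  # valid token, wrong recipient
    expired = mint_hs256({**base, "exp": now - 1}, key)
    forged = good[:-4] + "AAAA"                           # tampered signature bytes
    none_tok = _b64url_encode(b'{"alg":"none"}') + "." + good.split(".")[1] + "."
    check = lambda t, n="n-1": validate_id_token(t, key, issuer, me, n, now)
    return {
        "good_sub": (check(good) or {}).get("sub"),
        "wrong_aud_rejected": check(wrong_aud) is None,
        "expired_rejected": check(expired) is None,
        "forged_rejected": check(forged) is None,
        "alg_none_rejected": check(none_tok) is None,
        "wrong_nonce_rejected": check(good, "n-2") is None,
    }
```

The wrong_aud case is the one teams most often miss: a token that is perfectly genuine but was issued to a different client must still be refused, otherwise any app the user has signed into can impersonate them to yours. The alg check is pinned to what you expect rather than read from the header for the same reason.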
Related terms
API key
A secret string that identifies and authenticates a client when calling an API, usually passed in a header on each request. Unlike an OAuth access token it is typically long-lived, unscoped, and tied to the application rather than to a user.
JWT
A JSON Web Token, a compact, signed piece of JSON used to convey claims (who the user is, what they can do) between systems. OIDC ID tokens are JWTs.
API
An Application Programming Interface, a contract that lets one program request actions or data from another in a stable, documented way.