OAuth 2.0 is an authorization framework that lets users grant third-party applications limited access to their accounts without sharing passwords. When you 'Sign in with Google,' OAuth handles the handshake — the app gets a token to access your data, not your password.

How OAuth Works

OAuth flow: User clicks 'Sign in with GitHub' → redirected to GitHub → user approves → GitHub redirects back with an authorization code → your server exchanges the code for an access token → use the token to call GitHub API on behalf of the user. The user's password never touches your app.

OAuth defines four grant types that you will meet in practice: Authorization Code (web apps), Authorization Code with PKCE (SPAs and mobile apps; PKCE is an extension to the Authorization Code grant, not a separate grant), Client Credentials (server-to-server), and Device Code (smart TVs and other input-constrained devices). Authorization Code + PKCE is the recommended flow for most apps.
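The flow described above, as an added example that is not code from the original page: a minimal Python client for Authorization Code + PKCE that generates the verifier/challenge pair, builds the authorize URL with a `state` parameter, validates the callback, and assembles the token request, plus the server-side check the token endpoint performs on the verifier. The provider endpoints and client values are placeholders, not a real provider.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical provider endpoints (placeholders, not a real provider).
AUTHORIZE_URL = "https://provider.example/oauth/authorize"
TOKEN_URL = "https://provider.example/oauth/token"

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_pkce_pair() -> tuple[str, str]:
    """Client side: a random code_verifier and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))  # 43 URL-safe chars of fresh entropy
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge

def challenge_matches(verifier: str, challenge: str) -> bool:
    """Server side: the check the token endpoint does before issuing a token."""
    expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, challenge)

def build_authorize_url(client_id: str, redirect_uri: str, scope: str,
                        state: str, code_challenge: str) -> str:
    """Step 1: the URL the browser is sent to; state binds the flow to this session."""
    params = {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": scope, "state": state,
        "code_challenge": code_challenge, "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"

def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: read the code from the redirect, rejecting a state mismatch (CSRF)."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise RuntimeError(f"authorization failed: {qs['error'][0]}")
    if not secrets.compare_digest(qs.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: callback does not belong to this session")
    return qs["code"][0]

def build_token_request(client_id: str, redirect_uri: str, code: str,
                        code_verifier: str) -> dict:
    """Step 3: form body your server POSTs to TOKEN_URL to redeem the one-time code."""
    return {"grant_type": "authorization_code", "client_id": client_id,
            "redirect_uri": redirect_uri, "code": code, "code_verifier": code_verifier}
```

The verifier never leaves your server until the token request, so an intercepted authorization code alone cannot be redeemed by anyone else.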

Why Developers Use OAuth

Every modern web application uses OAuth. It powers social logins, API integrations, and microservice authentication. Libraries like NextAuth.js, Passport.js, and Auth0 handle the complexity.

Key Concepts

  • Access Token — A credential that grants API access — short-lived (minutes to hours)
  • Refresh Token — Used to get new access tokens without re-authentication — long-lived, stored securely
  • Scopes — Permissions defining what the app can access — e.g., read:user, repo, email
  • Authorization Code Flow — The most secure flow — involves server-side code exchange, used by web apps

Frequently Asked Questions

OAuth vs API keys?

Use OAuth for user-context authorization (acting on behalf of a user) and API keys for server-to-server authentication (acting as the application itself).

Do I need to implement OAuth from scratch?

No. Use libraries like NextAuth.js, Auth0, Clerk, or Supabase Auth. They handle the complexity and security pitfalls.