Tech Terms Explained Open in the app →

OAuth

Security · Intermediate · 5 min read

What is it?

OAuth is a standard that lets you grant an app limited access to your accounts on other services without sharing your password.

Explain like I'm 5

OAuth is like a hotel key card: the front desk gives a guest a card that opens only their room for a few days, instead of handing over the master key.

Why was it created?

Apps used to ask for your actual password to access your data elsewhere, which was dangerous. OAuth was created to delegate limited access safely via tokens.

Where is it used?

  • 'Log in with' social sign-in
  • Apps accessing your cloud files or calendar
  • Granting APIs scoped access
  • Third-party integrations

Why should developers care?

Every 'Log in with Google/GitHub' button uses OAuth. Developers integrating third-party access need to understand it.

How does it work?

Instead of giving an app your password, you're redirected to the real provider to approve specific permissions (scopes). The provider then issues the app a limited access token it uses to call APIs on your behalf.

Real-world example

A scheduling app asks to read your calendar; you approve on the provider's site, and the app receives a token that can only read calendar events — not change your password.

Common use cases

  • Delegated access to user data
  • Social and single sign-on flows
  • Scoped API access for integrations
  • Avoiding password sharing

Advantages

  • No password sharing
  • Granular, revocable permissions
  • Industry standard
  • Tokens can expire and be scoped

Disadvantages

  • Conceptually complex
  • Easy to implement insecurely
  • Multiple flows to choose between

When should you use it?

When an app needs limited access to a user's data on another service.

When should you avoid it?

For simple internal authentication where a session or basic token suffices.

Alternatives

API keysSession-based loginSAML (enterprise SSO)

Related terms

JWTSessionAmazon CognitoHTTPS

Interview questions

Beginner

  • What problem does OAuth solve?
  • What is a scope?

Intermediate

  • What is an access token versus a refresh token?
  • Why redirect the user to the provider?

Senior

  • Why is the authorization code flow with PKCE recommended?
  • How do you revoke and rotate tokens safely?

Common misconceptions

  • "OAuth is an authentication protocol" — it's primarily for authorization; OpenID Connect builds login on top of it.
  • "OAuth shares your password with the app" — the whole point is that it never does.

Fun facts

  • OAuth stands for Open Authorization.
  • OpenID Connect adds a standard identity layer on top of OAuth 2.0 for login.

Timeline

  • 2012 — OAuth 2.0 published

Learning resources

Quick summary

OAuth lets users grant apps limited, revocable access to their accounts using tokens instead of passwords.

Cheat sheet

  • Delegated authorization standard
  • Tokens, not passwords
  • Scopes limit access
  • OpenID Connect adds login

If you remember only one thing

OAuth grants apps limited access via tokens so you never share your password.