/ˈoʊ-ˌɔːθ/

n. “Let someone borrow your keys without giving them the whole keyring.”

OAuth, short for Open Authorization, is a protocol that allows secure delegated access to resources without sharing credentials. Instead of giving a third-party app your username and password, OAuth enables the app to access certain parts of your account on your behalf via tokens that can be scoped and revoked.

Originally designed for web applications, OAuth has become ubiquitous in mobile apps, APIs, and cloud services. Services like Google, GitHub, and Twitter use it to let users authorize external apps while keeping their passwords private. When you “Sign in with Google,” you’re likely using OAuth.

At its core, OAuth separates authentication from authorization. Authentication is confirming identity, while authorization is granting specific access rights. With OAuth, users can grant a limited set of permissions — for example, allowing a photo printing app to access your gallery but not your contacts. The authorization server issues a token that the client uses to access the resource server, so your password stays with the provider and is never handed to the client.

A practical scenario: a productivity app wants to access your calendar. Using OAuth, the app redirects you to your calendar provider, you log in there, and consent to the permissions requested. The provider returns a short-lived access token to the app. The app can now read events without ever seeing your password. Tokens can expire or be revoked at any time, giving users granular control.

Security considerations are central to OAuth. Tokens must be securely stored and transmitted over HTTPS. Refresh tokens allow long-lived sessions without exposing credentials. Implementing OAuth incorrectly — such as using insecure redirect URIs or failing to validate tokens — can lead to account compromise.
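The calendar scenario above and the redirect-URI and token checks just mentioned, as an added Python example that is not part of the original entry and is not any provider's real code: it simulates the client, the authorization server and the resource server in one process, with constructed registration data and hypothetical URLs (app.example, calendar.example).

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit
# Constructed data for a hypothetical calendar provider and one registered client.
REGISTERED = {"productivity-app": {"https://app.example/callback"}}
CODES = {}   # authorization code -> {"client_id", "redirect_uri", "scope"}
TOKENS = {}  # access token -> {"scope": set, "exp": unix time}

def redirect_uri_allowed(client_id, redirect_uri):
    """Exact match against the registration; prefix matching is the classic mistake."""
    return redirect_uri in REGISTERED.get(client_id, set())

def build_authorization_url(client_id, redirect_uri, scope):
    """Client: send the user to the provider with a random state bound to this session."""
    state = secrets.token_urlsafe(16)
    q = {"response_type": "code", "client_id": client_id,
         "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return "https://calendar.example/authorize?" + urlencode(q), state

def authorize(url):
    """Provider: after login and consent, validate redirect_uri and send back a code."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if not redirect_uri_allowed(q["client_id"], q["redirect_uri"]):
        raise ValueError("unregistered redirect_uri")
    code = secrets.token_urlsafe(16)
    CODES[code] = {"client_id": q["client_id"],
                   "redirect_uri": q["redirect_uri"], "scope": q["scope"]}
    return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

def exchange_code(code, client_id, redirect_uri):
    """Provider: one-time exchange; the code is bound to the client and redirect_uri."""
    grant = CODES.pop(code, None)
    if grant is None or (grant["client_id"], grant["redirect_uri"]) != (client_id, redirect_uri):
        raise ValueError("invalid authorization code")
    token = secrets.token_urlsafe(24)
    TOKENS[token] = {"scope": set(grant["scope"].split()), "exp": time.time() + 3600}
    return token

def client_callback(callback_url, expected_state, client_id, redirect_uri):
    """Client: reject callbacks whose state does not match, then exchange the code."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    if not secrets.compare_digest(q.get("state", ""), expected_state):
        raise ValueError("state mismatch")
    return exchange_code(q["code"], client_id, redirect_uri)

def resource_access(token, required_scope, now=None):
    """Resource server: accept a token only if it is unexpired and scoped for the action."""
    info = TOKENS.get(token)
    now = time.time() if now is None else now
    return info is not None and now < info["exp"] and required_scope in info["scope"]
```

The app ends up reading calendar events with a token that carries only the scope the user consented to, and the provider refuses both an unregistered redirect URI and a callback whose state value was not minted by this client session.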

OAuth has evolved through versions. OAuth 1.0 introduced signatures and complex cryptography, while OAuth 2.0 simplified flows and added support for modern web and mobile applications. Extensions like OpenID Connect layer authentication on top of OAuth for identity verification, making it a powerful framework for single sign-on (SSO).

Integration with APIs is also crucial. Many APIs require OAuth tokens to interact securely. This ensures that even if an application is compromised, the attacker cannot misuse the user’s credentials elsewhere. Tokens are scoped — limiting the actions that can be performed — which enhances security while maintaining usability.

In essence, OAuth allows safe, controlled, and revocable access delegation across systems. It balances convenience and security, enabling a connected ecosystem of apps and services without sacrificing the integrity of user credentials. When done right, it feels seamless; when done wrong, it can expose accounts, reminding developers that careful implementation is critical.