OAuth (Open Authorization) is an open standard protocol that allows users to grant third-party applications limited access to their accounts or data without ever sharing their passwords. It is the mechanism behind familiar prompts like "Sign in with Google" or "Connect with GitHub," and it has become the foundation of delegated authorization across the modern web.
To understand why OAuth matters, consider the alternative. Before such a standard existed, a third-party application that needed access to, say, your email contacts would have to ask for your email password directly. That approach is both insecure and impractical — the application would have unrestricted access to your entire account, and revoking that access would require changing your password entirely. OAuth solves this by introducing a structured handshake between three parties: the resource owner (the user), the resource server (the service holding the data), and the client (the third-party application requesting access).
The process works through the exchange of tokens rather than credentials. When a user authorizes a third-party application, the authorization server issues an access token — a short-lived credential that the application presents to the resource server when making requests on the user's behalf. This token carries a defined scope, meaning it can be restricted to specific actions, such as reading a calendar without being able to delete entries; the resource server checks the token's validity and scope on every request and rejects anything outside that scope. The user's actual password is never exposed to the requesting application at any point in this flow.
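The token exchange described above, as an added example that is not part of the original article: a minimal authorization server mints an HMAC-signed, short-lived, scoped token (a simplified JWT-like format, not a standards-compliant JWT), and a resource server verifies the signature and expiry and enforces the scope. The signing key, user, client and scope names are constructed for illustration.

```python
import base64, hmac, hashlib, json, time

# Constructed demo key shared by the authorization server and resource
# server (hypothetical; real deployments manage keys centrally and often
# use asymmetric signatures so resource servers hold no signing secret).
SIGNING_KEY = b"constructed-demo-key-do-not-use"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_access_token(user_id, client_id, scopes, ttl=300, now=None):
    """Authorization server: mint a signed, short-lived, scoped token.
    Note that the user's password is never part of the token."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "client_id": client_id,
              "scope": " ".join(sorted(scopes)), "exp": int(now + ttl)}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"

def verify_access_token(token, now=None):
    """Resource server: check signature and expiry; return claims or None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison so a tampered token cannot be probed byte by byte.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None          # malformed or tampered token
    if claims.get("exp", 0) <= now:
        return None          # expired: short-lived tokens limit the blast radius
    return claims

def authorize_request(token, required_scope, now=None):
    """Resource server: allow the action only if the token carries the scope."""
    claims = verify_access_token(token, now)
    if claims is None:
        return False
    return required_scope in claims["scope"].split()
```

A token scoped to calendar:read lets the client read the calendar but is refused for calendar:delete, and the same token stops working once its expiry passes.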
The current version, OAuth 2.0, was published in 2012 and superseded the original OAuth 1.0 specification. OAuth 2.0 is more flexible and supports a range of authorization flows suited to different application types, including web apps, mobile apps, and server-to-server communication. It is worth noting that OAuth 2.0 is strictly an authorization framework, not an authentication protocol — it governs what an application is allowed to do, not who the user is. For identity verification layered on top of OAuth 2.0, the OpenID Connect (OIDC) protocol is commonly used in conjunction.
OAuth relates closely to several other web security concepts. JSON Web Tokens (JWT) are frequently used as the format for OAuth access tokens, encoding claims in a compact, verifiable structure. Passkeys and two-factor authentication (2FA) address the authentication side of the equation — confirming a user's identity before an OAuth flow even begins. Together, these technologies form the layered security model that underpins most modern web applications.
For developers building integrations or single sign-on experiences, and for marketers evaluating the trust signals of a login flow, understanding OAuth is essential to reasoning about how user data is accessed, scoped, and protected across connected services.