OAuth 2.0
What is OAuth 2.0?
OAuth 2.0An open authorization framework that lets a resource owner grant a third-party application limited, scoped access to an API without sharing credentials.
OAuth 2.0 separates the resource owner (user), the client (application), the authorization server (issues tokens) and the resource server (hosts the API). The client obtains an access token through a defined grant flow — authorization code with PKCE for interactive apps, client credentials for service-to-service calls, device code for input-constrained devices — and then calls the API with that token, typically as a bearer credential. Scopes and audiences constrain what the token can do. OAuth 2.0 is the foundation of OpenID Connect, API access in cloud platforms and "Sign in with…" buttons. Common pitfalls include using implicit grants, missing PKCE, weak redirect URI validation and storing tokens insecurely on the client.
● Examples
- 01
A mobile app obtaining an access token via authorization code with PKCE to call a banking API.
- 02
A backend service using client credentials to publish events to a third-party API.
● Frequently asked questions
What is OAuth 2.0?
An open authorization framework that lets a resource owner grant a third-party application limited, scoped access to an API without sharing credentials. It belongs to the Identity & Access category of cybersecurity.
What does OAuth 2.0 mean?
An open authorization framework that lets a resource owner grant a third-party application limited, scoped access to an API without sharing credentials.
How do you defend against OAuth 2.0?
Defences for OAuth 2.0 typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for OAuth 2.0?
Common alternative names include: OAuth2.