What is OAuth?

An open standard for delegated authorization — letting an app access a resource on behalf of a user without sharing the user's password.

Full explanation

OAuth 2.0 is the current version. The flow involves three parties: an authorization server, a resource server, and a client app. The user authenticates with the authorization server; the client receives an access token; the client presents that token to the resource server. A secure implementation requires PKCE (for public clients, which cannot keep a client secret), a state parameter that binds the callback to the user's session (CSRF defense), and verification by the resource server that the token's audience is actually that server.
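The three checks named above, as an added example that is not part of this page: PKCE with the S256 method (RFC 7636), a state value compared in constant time, and an audience check on claims that are assumed to have already been decoded and signature-verified.

```python
import base64
import hashlib
import hmac
import secrets


def _b64url(data: bytes) -> str:
    # base64url without padding, as PKCE requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    # 32 random bytes encode to 43 chars, inside RFC 7636's 43..128 range
    return _b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    # S256: code_challenge = BASE64URL(SHA256(code_verifier))
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_code_challenge(verifier: str, challenge: str) -> bool:
    # Authorization-server side: the token request's verifier must
    # reproduce the challenge sent with the authorization request.
    return hmac.compare_digest(make_code_challenge(verifier), challenge)


def make_state() -> str:
    # Unguessable per-request value, stored in the user's session
    return secrets.token_urlsafe(32)


def verify_state(expected_state: str, returned_state: str) -> bool:
    # Client side: reject callbacks whose state does not match the session
    return hmac.compare_digest(expected_state, returned_state)


def verify_audience(claims: dict, expected_audience: str) -> bool:
    # Resource-server side: 'aud' may be a string or a list of strings
    aud = claims.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    if not isinstance(aud, list):
        return False
    return expected_audience in aud
```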

Example

'Sign in with Google' — your app redirects the user to Google, user consents, Google redirects back with an authorization code, your app exchanges the code for an access token.

FAQ

What is OIDC?

OpenID Connect is an identity layer built on top of OAuth 2.0 — it adds an ID token containing user claims, standardizing authentication on top of the authorization flow.