
© 2026 Web Util Slyce. All tools run client-side — your data stays private.


What is OAuth 2.0? — Authorization Framework Explained

OAuth 2.0 is an authorization framework that enables third-party applications to obtain limited access to a user's resources without exposing their credentials. It is the foundation of modern API authorization used by Google, Facebook, GitHub, and virtually every major platform.

What Is It?

OAuth 2.0 defines four grant types for different scenarios: Authorization Code (for server-side apps), Implicit (deprecated, for SPAs), Client Credentials (for machine-to-machine), and Resource Owner Password Credentials (for trusted apps). The key players are the Resource Owner (user), Client (app), Authorization Server, and Resource Server.

How It Works

In the Authorization Code flow, the client redirects the user to the authorization server's login page. After authentication, the user grants permission, and the server redirects back to the client with an authorization code. The client exchanges this code (along with its client secret) for an access token and optionally a refresh token. The access token is then sent with API requests to access protected resources.
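The flow just described, run end to end in Python as an added example that is not code from the original page: a constructed in-memory authorization server, a client, and a resource server. The client id, client secret, endpoints and scope are made-up placeholders; the `state` parameter is the standard check that the redirect coming back is the one the client started.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed in-memory authorization server (stands in for a real one).
CLIENTS = {"demo-client": {"secret": "demo-secret", "redirect_uri": "https://app.example/cb"}}
ISSUED_CODES = {}   # code -> (client_id, redirect_uri, scope)
ACCESS_TOKENS = {}  # access token -> (scope, expiry timestamp)

def build_authorize_url(auth_endpoint, client_id, redirect_uri, scope, state):
    """Step 1: client redirects the user to the authorization server."""
    return auth_endpoint + "?" + urlencode({
        "response_type": "code", "client_id": client_id,
        "redirect_uri": redirect_uri, "scope": scope, "state": state})

def authorize(authorize_url):
    """Steps 2-3 (server): user authenticates and consents; server redirects
    back to the registered redirect_uri with a single-use authorization code."""
    q = {k: v[0] for k, v in parse_qs(urlparse(authorize_url).query).items()}
    client = CLIENTS.get(q.get("client_id"))
    if client is None or q.get("redirect_uri") != client["redirect_uri"]:
        raise ValueError("unknown client or redirect_uri mismatch")
    code = secrets.token_urlsafe(16)
    ISSUED_CODES[code] = (q["client_id"], q["redirect_uri"], q.get("scope", ""))
    return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q.get("state", "")})

def token_endpoint(code, client_id, client_secret, redirect_uri):
    """Step 4 (server): authenticate the client, then trade the code for tokens."""
    client = CLIENTS.get(client_id)
    if client is None or not secrets.compare_digest(client["secret"], client_secret):
        raise ValueError("client authentication failed")
    issued = ISSUED_CODES.pop(code, None)  # pop: a code can be redeemed only once
    if issued is None or issued[:2] != (client_id, redirect_uri):
        raise ValueError("invalid, replayed, or mis-bound authorization code")
    token = secrets.token_urlsafe(24)
    ACCESS_TOKENS[token] = (issued[2], time.time() + 3600)  # short-lived
    return {"access_token": token, "token_type": "Bearer", "expires_in": 3600,
            "refresh_token": secrets.token_urlsafe(24), "scope": issued[2]}

def exchange_code(redirect_url, expected_state, client_id, client_secret, redirect_uri):
    """Step 4 (client): check the state we sent came back, then redeem the code."""
    q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
    if q.get("state") != expected_state:
        raise ValueError("state mismatch: discard this redirect")
    return token_endpoint(q["code"], client_id, client_secret, redirect_uri)

def resource_server(access_token, required_scope):
    """Step 5: the API accepts the token only if it is live and carries the scope."""
    entry = ACCESS_TOKENS.get(access_token)
    return entry is not None and time.time() < entry[1] and required_scope in entry[0].split()
```

The single-use code, the client-secret check and the scope check on the resource server are the points a reviewer looks for in a real deployment.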

Key Characteristics

  • Delegated authorization — users grant apps access without sharing passwords
  • Token-based — access tokens are short-lived, refresh tokens can obtain new access tokens
  • Scoped permissions — tokens can be limited to specific actions and resources
  • Multiple grant types — different flows for different application architectures
  • Widely adopted — industry standard for API authorization across all major platforms

Common Use Cases

  • Sign-in with Google, Facebook, GitHub, or Apple (social login)
  • Third-party app access to APIs (calendar, email, drive, photos)
  • Mobile app authentication without exposing user credentials to the app
  • Enterprise SSO with identity providers like Okta, Auth0, and Azure AD
  • API authorization for microservices with token introspection


Frequently Asked Questions

What is the difference between OAuth 2.0 and JWT?

JWT is a token format, while OAuth 2.0 is an authorization framework. OAuth 2.0 can use JWTs as access tokens, but they are independent concepts: OAuth handles authorization; JWT is a token format.

Is OAuth 2.0 an authentication protocol?

No, OAuth 2.0 is an authorization protocol. For authentication on top of OAuth 2.0, use OpenID Connect (OIDC), which adds an ID token and userinfo endpoint.

What is the difference between OAuth and SAML?

OAuth 2.0 is a modern, lightweight authorization framework ideal for APIs and mobile apps. SAML is an older XML-based protocol primarily used for enterprise SSO. OAuth is simpler and more flexible.