OAuth
OAuth is the open-standard protocol that lets a user grant a third-party app limited, scoped access to their account at another service — without sharing their password. 'Sign in with Google', GitHub OAuth apps, Slack-to-Notion integrations all run on OAuth 2.0.
What it means
OAuth 2.0 (RFC 6749) defines a few flows; the most common is Authorization Code with PKCE: the user clicks 'Sign in with X', the third-party app redirects to X's auth server with a client ID and requested scopes, the user logs in (or is already logged in) and approves, and X redirects back with an authorization code. The app exchanges that code (plus a PKCE verifier) for an access token at X's token endpoint. The access token is then included in API calls. OpenID Connect (OIDC) layers identity on top of OAuth — same flow, but the response also includes an ID token (a signed JWT) so the app actually knows who the user is, not just that they have an access token.
Why it matters
OAuth is how 'log in with' works. Used correctly: scoped tokens that expire, no password sharing, refresh-token rotation. Used badly: leaked client secrets in JS bundles, missing PKCE, accepting access tokens as identity (use OIDC ID tokens instead), redirect-URI matching too loose. Implicit flow and Resource Owner Password Credentials are deprecated — Auth Code + PKCE is the only flow you should use for new SPAs and mobile apps.
Frequently asked questions
OAuth vs OIDC?
OAuth 2.0 is for delegated authorization (this app can read your repos). OIDC is for authentication (this is the user — here's their verified email and ID). OIDC reuses OAuth flows + adds an ID token.
What is PKCE?
Proof Key for Code Exchange. The app generates a random verifier, sends a hash of it (challenge) on the auth request, and the original verifier with the token request. Defeats authorization-code interception even without a client secret. Mandatory for public clients (SPAs, mobile).
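The Authorization Code + PKCE exchange described under "What it means" and in this answer, as an added example (not code from the original page or any provider's SDK): the client derives an S256 challenge from a random verifier, and a constructed stand-in authorization server binds that challenge to the code it issues, then refuses the token request unless the presented verifier hashes to it. The `AuthServer` class, its method names and the redirect URI are assumptions for illustration; it also applies the exact-string redirect_uri match and single-use code that the "Why it matters" section calls for.

```python
import base64
import hashlib
import secrets
from typing import Dict, Optional


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier(nbytes: int = 32) -> str:
    """Random code_verifier; 32 bytes encodes to 43 unreserved chars (RFC minimum)."""
    return b64url(secrets.token_bytes(nbytes))


def make_challenge(verifier: str) -> str:
    """S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthServer:
    """Constructed stand-in for the provider's authorization + token endpoints."""

    def __init__(self, registered_redirect: str) -> None:
        self.registered_redirect = registered_redirect
        self.codes: Dict[str, Dict[str, str]] = {}

    def authorize(self, redirect_uri: str, challenge: str, method: str) -> str:
        # Exact-string match on redirect_uri; prefix/substring matching is the
        # 'too loose' configuration the page warns about.
        if redirect_uri != self.registered_redirect:
            raise ValueError("redirect_uri mismatch")
        if method != "S256":
            raise ValueError("only S256 is accepted")
        code = b64url(secrets.token_bytes(16))
        self.codes[code] = {"challenge": challenge, "redirect_uri": redirect_uri}
        return code

    def token(self, code: str, verifier: str, redirect_uri: str) -> Optional[str]:
        # Single use: pop the code so a replay fails even with the right verifier.
        record = self.codes.pop(code, None)
        if record is None or record["redirect_uri"] != redirect_uri:
            return None
        # A leaked code is useless without the verifier that hashes to the
        # challenge bound to it at authorization time.
        if not secrets.compare_digest(make_challenge(verifier), record["challenge"]):
            return None
        return "access-" + b64url(secrets.token_bytes(16))
```

The `make_challenge` output for the RFC 7636 Appendix B verifier reproduces the RFC's published challenge, which is a quick way to check any PKCE implementation.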
Should I store access tokens in localStorage?
No — XSS-readable. Use httpOnly cookies for the refresh token, in-memory for the short-lived access token. Or use BFF (backend-for-frontend) pattern where tokens never leave the server.
Related terms
- JWT: A JWT (JSON Web Token, pronounced 'jot') is a compact JSON token signed by an issuer. Three base64url-encoded parts joined with dots: header.payload.signature. Used for stateless auth, OIDC ID tokens, and signed messages between services.
- HTTPS: HTTPS is HTTP wrapped in a TLS-encrypted tunnel. Everything between your browser and the server — URLs, form data, cookies, response bodies — is encrypted in transit so a network observer (cafe Wi-Fi, ISP, anyone in between) can't read it or change it.