OAuth is a delegated authorization framework that lets one application access resources on a user's behalf without sharing the user's password.
OAuth (today almost always OAuth 2.0, RFC 6749) is a framework for delegated authorization. In plain language, it lets one application obtain limited access to a user’s data or actions in another system without the user handing over the account password. The connected application receives a token that stands for a specific, approved slice of access rather than the user’s full identity.
OAuth matters because modern applications often need to interact with APIs and third-party services on a user’s behalf. Without delegated authorization, users may be pushed to share passwords directly with connected apps, which weakens centralized security controls: a shared password gives the app full standing access, bypasses any multi-factor step the identity platform enforces, and can only be revoked by changing the password everywhere.
It also matters because OAuth can restrict what an integration is allowed to do. Instead of granting broad standing access, the platform can issue a token that is limited by scope (which operations), audience (which API may accept it), lifetime (when it expires), and consent boundaries (what the user actually approved). Those limits only hold if the resource server enforces them on every request.
OAuth appears in API ecosystems, mobile app integrations, SaaS connectors, cloud developer platforms, and service-to-service authorization. A user may authenticate to an identity platform, approve requested access, and let a connected app receive a limited token instead of the user’s reusable password.
Security teams review OAuth during application integration, API security design, and third-party access governance. They care about token scope, consent boundaries, exact redirect URI validation, token storage and transport, and whether the organization is using OAuth for the right problem.
| Role | Plain-language meaning |
|---|---|
| Resource owner | The user or entity whose data or actions are involved |
| Client | The application asking for delegated access |
| Authorization server | The system that approves and issues tokens |
| Resource server | The API or service that accepts the token |
A project-management tool wants to read a user’s calendar so it can schedule meetings. Instead of asking for the user’s email password, the tool redirects the user to the calendar provider’s authorization server. The user signs in there and approves the requested access; the provider redirects back with a short-lived authorization code, which the tool exchanges for a token limited to calendar operations only.
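The scenario above, run end to end as an added example (not code from the original page): the four roles from the table are simulated in one process as Python classes, with the checks a practitioner expects on each side. The authorization server matches the redirect URI exactly, binds the code to the client, makes it single-use, and verifies a PKCE code verifier; the client checks the `state` parameter; the resource server checks audience, expiry and scope before serving the request. Client IDs, URLs, scopes and the user name are constructed example data, and token lookup is done through the server's in-memory table in place of a real introspection endpoint or JWT validation.

```python
"""Simulated OAuth 2.0 authorization code flow with PKCE (added example, constructed data)."""
import base64, hashlib, secrets, time
from urllib.parse import urlencode, urlparse, parse_qs

def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

class AuthorizationServer:
    """Approves requests and issues tokens (the 'authorization server' role)."""
    def __init__(self):
        # Registered clients with their exact redirect URIs (constructed example data).
        self.clients = {"pm-tool": {"redirect_uris": {"https://pm.example/cb"}}}
        self.codes, self.tokens = {}, {}

    def authorize(self, client_id, redirect_uri, scope, state, code_challenge, user):
        client = self.clients.get(client_id)
        # Exact match only: a prefix or substring match lets an attacker redirect the code elsewhere.
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise ValueError("invalid client or redirect_uri")
        # The resource owner authenticates and consents to `scope` here (simulated as approved).
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "scope": scope,
                            "user": user, "code_challenge": code_challenge, "exp": time.time() + 60}
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, code, redirect_uri, code_verifier):
        grant = self.codes.pop(code, None)  # single use: a replayed code is rejected
        if grant is None or grant["exp"] < time.time():
            raise ValueError("invalid or expired code")
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise ValueError("code was not issued to this client and redirect_uri")
        # PKCE: only the party that generated the verifier can redeem the code.
        if b64url(hashlib.sha256(code_verifier.encode()).digest()) != grant["code_challenge"]:
            raise ValueError("PKCE verification failed")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"sub": grant["user"], "scope": grant["scope"],
                                     "aud": "https://calendar.example/api", "exp": time.time() + 3600}
        return {"access_token": access_token, "token_type": "Bearer", "expires_in": 3600}

class ResourceServer:
    """Accepts tokens and enforces audience, lifetime and scope (the 'resource server' role)."""
    def __init__(self, auth_server, audience):
        self.auth_server, self.audience = auth_server, audience

    def handle(self, token, required_scope):
        claims = self.auth_server.tokens.get(token)  # stands in for introspection / JWT validation
        if claims is None or claims["exp"] < time.time():
            return 401, "invalid or expired token"
        if claims["aud"] != self.audience:
            return 401, "token was not issued for this API"
        if required_scope not in claims["scope"].split():
            return 403, "insufficient scope"
        return 200, f"ok for {claims['sub']}"

class Client:
    """The application asking for delegated access (the 'client' role)."""
    def __init__(self, auth_server):
        self.auth_server, self.client_id = auth_server, "pm-tool"
        self.redirect_uri, self.state = "https://pm.example/cb", secrets.token_urlsafe(16)
        self.verifier = b64url(secrets.token_bytes(32))  # PKCE secret kept by this client only

    def start(self, scope, user):
        challenge = b64url(hashlib.sha256(self.verifier.encode()).digest())
        return self.auth_server.authorize(self.client_id, self.redirect_uri, scope,
                                          self.state, challenge, user)

    def finish(self, redirect_url):
        params = parse_qs(urlparse(redirect_url).query)
        if params.get("state", [None])[0] != self.state:  # binds response to our request (CSRF)
            raise ValueError("state mismatch")
        return self.auth_server.token(self.client_id, params["code"][0],
                                      self.redirect_uri, self.verifier)

def run_flow():
    auth = AuthorizationServer()
    calendar_api = ResourceServer(auth, "https://calendar.example/api")
    client = Client(auth)
    redirect = client.start("calendar.read", user="alice")
    tok = client.finish(redirect)["access_token"]
    results = {
        "read": calendar_api.handle(tok, "calendar.read")[0],            # 200: within consent
        "write": calendar_api.handle(tok, "calendar.write")[0],          # 403: outside consent
        "other_api": ResourceServer(auth, "https://mail.example/api").handle(tok, "calendar.read")[0],
    }
    code = parse_qs(urlparse(redirect).query)["code"][0]
    try:  # a second exchange of the same code must fail
        auth.token("pm-tool", code, "https://pm.example/cb", client.verifier)
        results["replay"] = "accepted"
    except ValueError:
        results["replay"] = "rejected"
    return results

if __name__ == "__main__":
    print(run_flow())
```

The resulting dictionary shows the limits from the text in action: the read call succeeds, the write call is refused for lack of scope, the token is refused by an API it was not issued for, and the authorization code cannot be redeemed twice. In a real deployment the client secret or PKCE, the redirect URI registration, and the resource server's validation would be spread across three parties and three networks; the checks are the same.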
OAuth is not primarily an authentication protocol. Its main job is authorization delegation: an access token tells an API that the bearer may perform certain operations, not who the user is or how they logged in. When people say “OAuth login,” the identity portion is better described by OpenID Connect, which layers an ID token and user identity claims on top of OAuth.
OAuth is also different from SAML. SAML is commonly used for enterprise federation and browser single sign-on through signed XML assertions, while OAuth is centered on delegated access and token-based API interaction. The two often coexist: SAML may sign a user into the identity platform, and OAuth tokens then govern what connected applications may call on that user’s behalf.