devinsta — design and development agency

OAuth (Open Authorization)

An industry-standard protocol that lets users grant a third-party application access to their data on another service without sharing their password.

Reviewed by senior engineers

OAuth 2.0 is the protocol that lets a user grant one application access to their data held by another, without handing over a password. When you click "Sign in with Google" or connect a Shopify store to a third-party app, you are using OAuth. The user authenticates with the service that holds the data (the authorization server), consents to specific scopes, and the third-party application receives a short-lived access token limited to those scopes.

The flows (grant types) matter. Authorization Code with PKCE is the modern default for web and mobile apps with user logins; PKCE binds the authorization code to the client that requested it, so an intercepted code cannot be redeemed by anyone else. Client Credentials covers server-to-server use cases where no user is involved. Device Code (the Device Authorization Grant) handles input-limited devices like TVs. Implicit and Resource Owner Password Credentials ("password") grants are deprecated by current best-practice guidance and dropped from the OAuth 2.1 draft: Implicit exposes tokens in the URL fragment, and the password grant hands the user's credentials to the client, which is exactly what OAuth exists to avoid. If you see either in a new build, push back.
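The three legs of Authorization Code with PKCE, as an added worked example (not code from this page or from Devinsta): the client mints a verifier and its S256 challenge, sends the challenge on the authorize request, checks `state` on the callback, and sends the verifier on the code exchange; the authorization-server side recomputes the challenge. The endpoints, client ID and issued code are hypothetical, and the server is simulated in-process so the file runs offline. It uses only the Python standard library.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_pkce_pair() -> tuple[str, str]:
    """Fresh high-entropy verifier (43 chars, inside the 43..128 range) and its S256 challenge."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, s256_challenge(verifier)


def build_authorize_url(authorize_endpoint: str, client_id: str, redirect_uri: str,
                        scopes: list[str], state: str, challenge: str) -> str:
    """Leg 1: send the user to the authorization server with the challenge, never the verifier."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Leg 2: on the redirect back, check state before trusting the code (CSRF / session mix-up)."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise ValueError(f"authorization server returned error: {qs['error'][0]}")
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch; discard this callback")
    return qs["code"][0]


def token_request_body(client_id: str, redirect_uri: str, code: str, verifier: str) -> dict:
    """Leg 3: the code exchange carries the verifier, so only the party that started the flow can redeem the code."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,
    }


def server_verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Authorization-server side: accept S256 only, recompute, compare in constant time."""
    if stored_method != "S256":
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return secrets.compare_digest(s256_challenge(presented_verifier), stored_challenge)


def simulate_flow(attacker_has_code: bool = False) -> bool:
    """Run all three legs against a constructed in-process authorization server (hypothetical URLs)."""
    client_id = "example-client"                      # hypothetical
    redirect_uri = "https://app.example/callback"     # hypothetical
    verifier, challenge = new_pkce_pair()
    state = b64url(secrets.token_bytes(16))
    build_authorize_url("https://as.example/authorize", client_id, redirect_uri,
                        ["openid", "profile"], state, challenge)
    # The server records the challenge against the code it issues.
    issued = {"code": "abc123", "challenge": challenge, "method": "S256"}
    callback = f"{redirect_uri}?{urlencode({'code': issued['code'], 'state': state})}"
    code = parse_callback(callback, state)
    # Someone who stole only the code (leaked redirect, logs) does not hold the verifier.
    presented = b64url(secrets.token_bytes(32)) if attacker_has_code else verifier
    body = token_request_body(client_id, redirect_uri, code, presented)
    return server_verify_pkce(issued["challenge"], issued["method"], body["code_verifier"])
```

The `state` check and the verifier check protect against different things: `state` stops a callback that your session never started, PKCE stops a code that your client never requested from being exchanged. A client needs both, and public clients (SPAs, mobile apps) should send `code_challenge_method=S256`, not `plain`.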

OAuth is widely misunderstood as an authentication protocol. It is not. OAuth grants a client authorization to call APIs; OpenID Connect (OIDC) is the layer on top that adds a standardised identity assertion, the ID token, together with rules for validating it. Mixing the two up causes real security bugs: treating possession of an access token as proof of who the user is, accepting a token minted for one audience at another (so a token issued to a different app logs its bearer into yours), and ignoring expiry.
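What "validate the ID token" means in practice, as an added example that is not from this page or from Devinsta: pin the expected algorithm, check the signature, then `iss`, `aud`, `exp` and `nonce`, and see how an access token issued for an API, an expired ID token and an `alg=none` forgery are all rejected. The issuer, client ID, key and tokens are constructed fixtures; the demo signs with HS256 and a shared secret purely to stay self-contained, whereas real providers sign with RS256/ES256 keys published via JWKS, which an audited library resolves for you.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Constructed issuer for the demo: an HS256 JWT (real OIDC providers use asymmetric keys)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_id_token(token: str, key: bytes, issuer: str, client_id: str, nonce: str, now: int) -> dict:
    """The OIDC Core ID-token checks that matter most: alg pinned, signature, iss, aud, exp, nonce, sub."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":              # never let the token choose; alg=none is a classic bypass
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:                      # an access token for an API fails here
        raise ValueError("token not issued for this client (audience)")
    if "exp" not in claims or now >= int(claims["exp"]):
        raise ValueError("expired")
    if claims.get("nonce") != nonce:              # ties the token to the login request we started
        raise ValueError("nonce mismatch (replayed or foreign login response)")
    if "sub" not in claims:
        raise ValueError("no subject")
    return claims


def login_outcome(token: str, key: bytes, issuer: str, client_id: str, nonce: str, now: int) -> str:
    """'ok:<sub>' on success, 'rejected: <reason>' otherwise, so outcomes can be compared side by side."""
    try:
        return "ok:" + verify_id_token(token, key, issuer, client_id, nonce, now)["sub"]
    except ValueError as e:
        return f"rejected: {e}"


# Constructed fixtures (hypothetical issuer, client, key and times).
KEY = b"demo-shared-secret"
ISSUER = "https://idp.example"
CLIENT = "web-app"
NONCE = "n-0S6_WzA2Mj"
NOW = 1_700_000_000

ID_TOKEN = mint_token({"iss": ISSUER, "sub": "user-42", "aud": CLIENT,
                       "iat": NOW, "exp": NOW + 300, "nonce": NONCE}, KEY)
# Same user, same issuer, but minted for an API: must not log anyone in.
ACCESS_TOKEN = mint_token({"iss": ISSUER, "sub": "user-42", "aud": "https://api.example",
                           "scope": "orders:read", "iat": NOW, "exp": NOW + 3600}, KEY)
STALE_ID_TOKEN = mint_token({"iss": ISSUER, "sub": "user-42", "aud": CLIENT,
                             "iat": NOW - 600, "exp": NOW - 1, "nonce": NONCE}, KEY)
```

The audience check is the one that separates "this is a valid token" from "this token was meant for me": an access token can be perfectly valid for the API it was issued to and still be worthless as a login to your app.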

Devinsta implements OAuth/OIDC using audited libraries — never hand-rolled — and treats token storage, refresh, rotation and scope minimisation as design decisions, not implementation details.
