
How Does OAuth Work?

Learn how OAuth lets you sign in to apps using your Google or Facebook account — without ever giving that app your password.


What Is OAuth?

OAuth is a way to let one website or app use part of your account at another website, without handing over your password. Think of it like a hotel key card. Instead of giving the hotel your house key (your password), you get a key card (an access token) that only opens specific doors and stops working when you check out.

When you see a button that says "Sign in with Google" on a new app, that is OAuth in action (strictly, OpenID Connect, an identity layer built on top of OAuth 2.0). The new app sends you to Google; Google checks that you are who you say you are and tells the app so, and the new app never sees your Google password.

OAuth stands for Open Authorization. It is a set of rules that lets different websites and apps act on your behalf, with your permission, using only the access you agreed to.

Why Should You Care?

Before OAuth, signing into a new app meant creating a brand new username and password. Most people reuse the same password everywhere — which is risky. If that one app gets hacked, everything is exposed.

OAuth solves that. You can use an account you already trust — your Google or Apple account — to sign into other apps. You don't have to remember yet another password, and the new app never gets to see your real password.

It also means less clutter: fewer accounts to delete, fewer forgotten passwords, fewer data breaches from small apps that can't afford strong security.

Key Insight

OAuth is built around "limited access". Each permission an app asks for is called a scope. When you let an app use your Google account, the consent screen lists the scopes it wants, for example just your name, your email, or your profile photo, and the token it receives works only for those. It cannot read your mail or change your Google settings unless you grant those scopes too, and you can revoke the app's access later from your Google account settings.

The OAuth Flow in Simple Steps

Here's what happens when you click "Sign in with Google" on a new website:

The OAuth Sign-In Flow

  1. You click: tap "Sign in with Google" on the new app.
  2. Redirect: your browser is sent to Google, which shows a consent screen asking "Do you trust this app, and with what information?"
  3. You approve: you say yes and see exactly what the app is asking to share.
  4. Token issued: Google hands the app a short-lived pass (in current practice a one-time code that the app immediately swaps for a token).
  5. Signed in: the new app lets you in.

At the end, the new app holds a token, a temporary key. It can use that key to ask Google for whatever the approved scopes cover, such as your name or email, and nothing more. The token expires after a short time, so a stolen token stops working on its own, and you can revoke it earlier if you notice something wrong.

What a Sign-In Request Looks Like

When an app wants to use OAuth, it sends a request to Google that asks for specific information. That request looks something like this:

OAuth Request URL
https://accounts.google.com/o/oauth2/v2/auth
  ?client_id=your-app-id
  &response_type=code
  &scope=openid%20email%20profile
  &redirect_uri=https://your-app.com/callback
  &state=random-value-tied-to-your-session
  &code_challenge=hash-of-a-secret-the-app-keeps
  &code_challenge_method=S256

Here's what each part means:

  • client_id: the new app tells Google which registered app it is
  • response_type=code: ask for a one-time code rather than a token in the URL; the app swaps the code for tokens in a separate step the browser never sees (sending the token itself in the URL, response_type=token, is the older "implicit" style and is no longer recommended)
  • scope: what information the app wants (openid = who you are, email = your email, profile = your name and photo)
  • redirect_uri: where Google sends you back after you approve; it must exactly match an address the app registered with Google, so the code cannot be sent somewhere else
  • state: a random value the app ties to your browser session, so it can reject responses to sign-ins it never started (this is the protection against login CSRF)
  • code_challenge: a hash of a secret the app keeps for this sign-in (PKCE), so only the app that started the request can redeem the code

If you approve, Google sends you back to that redirect URL with a one-time code and the same state value attached. The app checks that the state matches your session, then exchanges the code (together with its PKCE secret) for tokens in a direct call to Google. It verifies the ID token it gets back (the signature, that Google issued it, and that it was issued for this app) and logs you in, all without ever seeing your password.
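The flow and the request above, worked end to end as an added example; this is not code from the page or from Google. It uses the page's placeholder client_id and redirect_uri, and because a real sign-in needs a browser and a Google-registered app, the provider side is replaced by a constructed stand-in (`FakeAuthorizationServer`) that behaves like the authorization and token endpoints for this flow: it issues a one-time code, checks the PKCE verifier at exchange time, and refuses reused codes. The app side (`build_authorization_request`, `handle_callback`) is what a real deployment would keep; in production it would also validate the ID token's signature, issuer and audience, which the stand-in cannot demonstrate.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlparse

# Placeholders from the page, not real credentials: a real client_id is issued
# by Google when the app is registered, and redirect_uri must match the
# registered value exactly.
CLIENT_ID = "your-app-id"
REDIRECT_URI = "https://your-app.com/callback"
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def pkce_challenge(verifier):
    """S256 code_challenge for a verifier, per RFC 7636: BASE64URL(SHA256(verifier))."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_request(session):
    """Step 1 (app side): build the URL the browser is sent to.

    `state` and the PKCE verifier are kept in the user's server-side session
    so the callback can prove the response belongs to this sign-in attempt.
    """
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    session["pkce_verifier"] = verifier
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",  # one-time code, not a bare token in the URL
        "scope": "openid email profile",
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return AUTH_ENDPOINT + "?" + urlencode(params, quote_via=quote)


def handle_callback(session, callback_url, exchange):
    """Step 2 (app side): the browser arrives back at redirect_uri.

    Refuse unless `state` matches what this session stored (blocks login CSRF
    and replayed callbacks), then swap the one-time code plus the verifier for
    tokens via `exchange`, a direct call to the provider's token endpoint.
    """
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise PermissionError("provider returned error: " + query["error"][0])
    expected = session.pop("oauth_state", None)  # consumed: one callback per attempt
    received = query.get("state", [""])[0]
    if expected is None or not secrets.compare_digest(expected, received):
        raise PermissionError("state mismatch: not a sign-in this session started")
    verifier = session.pop("pkce_verifier")
    return exchange(query["code"][0], verifier, REDIRECT_URI)


class FakeAuthorizationServer:
    """Constructed stand-in for Google so the example runs offline.

    It mirrors what the real endpoints do for this flow: records the challenge
    and redirect_uri when it issues a code, and at exchange time checks the
    verifier against that challenge and burns the code.
    """

    def __init__(self):
        self._pending = {}

    def authorize(self, auth_url):
        """Simulate the user approving the consent screen; return the redirect URL."""
        q = parse_qs(urlparse(auth_url).query)
        assert q["response_type"] == ["code"]
        code = secrets.token_urlsafe(16)
        self._pending[code] = (q["code_challenge"][0], q["redirect_uri"][0])
        return q["redirect_uri"][0] + "?" + urlencode({"code": code, "state": q["state"][0]})

    def exchange(self, code, verifier, redirect_uri):
        """Token endpoint: one-time code + matching verifier -> tokens."""
        if code not in self._pending:
            raise PermissionError("unknown or already-used code")
        challenge, registered_uri = self._pending.pop(code)
        if pkce_challenge(verifier) != challenge or redirect_uri != registered_uri:
            raise PermissionError("PKCE or redirect_uri check failed")
        return {"access_token": "at-" + secrets.token_hex(8),
                "id_token": "<signed JWT in a real deployment>",
                "expires_in": 3600}


def sign_in_demo():
    """Run the whole exchange once and return the tokens the app ends up with."""
    session, google = {}, FakeAuthorizationServer()
    callback = google.authorize(build_authorization_request(session))
    return handle_callback(session, callback, google.exchange)


if __name__ == "__main__":
    print(sign_in_demo())
```

Two details carry most of the security value: the app pops `state` from the session before comparing, so a callback can be redeemed at most once, and the code is useless to anyone who intercepts the redirect because the token endpoint demands the verifier that only the originating app holds.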

Knowledge Check

Test what you learned with this quick quiz.

Quick Quiz — 3 Questions

  1. What does OAuth actually give a new app when you sign in with Google?
  2. Why is using OAuth safer than making a new password for every app?
  3. What is a "scope" in OAuth?