OAuth
OAuth is an open standard authorization protocol that lets a user grant a third-party application limited access to their resources on another service, without sharing their password with that application.
29 resources across 3 libraries
Glossary Terms(10)
Authorization
Authorization is the process of determining what an authenticated identity is permitted to do within a system — which resources it can read, modify, or delete.…
OAuth
OAuth is an open standard authorization protocol that lets a user grant a third-party application limited access to their resources on another service, without…
JSON Web Token (JWT)
A JSON Web Token (JWT) is a compact, URL-safe, digitally signed token format used to represent claims — such as a user's identity or permissions — that can be…
Session Management
Session management is the set of techniques a web application uses to track a user's state — such as being logged in — across multiple HTTP requests, since HTT…
Kong Gateway
Kong Gateway is an open-source API gateway built on top of Nginx and OpenResty, used to manage, secure, and route traffic to APIs and microservices.
Apigee
Apigee is a full lifecycle API management platform, now part of Google Cloud, used to design, secure, publish, monitor, and monetize APIs.
Tyk
Tyk is an open-source API gateway and management platform, written in Go, used to secure, rate-limit, and monitor traffic to APIs and microservices.
WSO2 API Manager
WSO2 API Manager is an open-source, full lifecycle API management platform for designing, publishing, securing, and analyzing APIs, developed by WSO2.
Passkeys
Passkeys are a passwordless authentication method based on public-key cryptography that lets users sign in to websites and apps using a device-bound credential…
WebAuthn
WebAuthn (Web Authentication API) is a W3C standard that defines a browser API for public-key-based authentication, allowing websites to register and authentic…
Study Notes(17)
OAuth 2.0 in Postman
Understand the OAuth 2.0 authorization framework and how to configure grant types, token retrieval, and token refresh using Postman's OAuth 2.0 Authorization t…
Building an OAuth Client
A step-by-step walkthrough of implementing the OAuth 2.0 authorization code flow with PKCE from registration through token exchange.
Common OAuth Vulnerabilities
A survey of the recurring implementation mistakes that turn OAuth 2.0 deployments into attack surfaces, from code interception to login CSRF.
Implementing OAuth in a Web App
A practical guide to wiring the Authorization Code flow into a server-rendered web application, from callback handling to secure token storage and refresh rota…
OAuth 2.0 Roles and Terminology
A guided tour of the four OAuth 2.0 roles — resource owner, client, authorization server, resource server — and the core vocabulary you'll see in every spec an…
OAuth 2.0 vs OAuth 1.0
A technical comparison of OAuth 1.0's signed-request model against OAuth 2.0's bearer-token, multi-grant-type design.
OAuth Best Practices
The concrete, RFC 9700-aligned security practices every OAuth 2.0 implementation should follow, from PKCE to token storage.
OAuth for Mobile Apps
How native iOS and Android apps should implement OAuth 2.0 per RFC 8252: external user-agents, PKCE, claimed redirect URIs, and hardware-backed token storage.
OAuth for Single-Page Apps
Learn why browser-based SPAs must be treated as public OAuth clients, how PKCE secures the Authorization Code flow, and why the BFF pattern beats storing token…
OAuth Interview Questions
The OAuth 2.0 concepts and edge-case questions that come up most often in backend, security, and full-stack interviews.
OAuth Quick Reference
A condensed lookup of OAuth 2.0 grant types, standard endpoints, token parameters, and common error codes for day-to-day implementation work.
OAuth vs Authentication
Clears up the most common OAuth misconception: OAuth 2.0 is an authorization protocol, not an authentication protocol, and explains where OpenID Connect fits i…
OAuth with API Gateways
How API gateways centralize OAuth token validation, choose between JWT and introspection, enforce scope-based authorization, and apply per-client rate limits.
OAuth with OpenID Connect
Understand how OpenID Connect layers standardized authentication — ID tokens, claims, and the UserInfo endpoint — on top of OAuth 2.0's authorization framework.
What Is OAuth 2.0?
A plain-English introduction to OAuth 2.0 as a delegated authorization framework, covering why it replaced password sharing and how tokens and scopes work.
Your First OAuth Integration
A hands-on walkthrough of building a 'Sign in with GitHub' integration end to end: app registration, the redirect, the callback handler, and using the resultin…
OAuth and OIDC Security Basics
Learn the difference between OAuth 2.0 (authorization) and OpenID Connect (authentication), and the common misconfigurations that lead to token theft and accou…
Interview Questions(2)
What Is OAuth?
OAuth is an authorization framework that lets a user grant a third-party application limited access to their resources on another service, without ever sharing…
What Are the Main API Authentication Methods?
The most common API authentication methods are API keys for simple service-to-service identification, HTTP Basic Auth for quick but weak username/password chec…