<strong>OAuth 2.0</strong> is an authorization framework that lets users grant third-party apps access to their data without sharing passwords. It's how 'Sign in with Google' works.
The Hotel Key Card Analogy
Hotels don't give you the master key. They give you a key card with limited access (your room, pool, gym). OAuth tokens work the same way: limited, revocable access.
Hotel (Resource Owner): your data
Key Card (Access Token): limited access
Room (Protected Resource): what you're accessing
Flow diagram: User (wants to authorize) -> Google/GitHub -> App (access granted)
1. User clicks 'Sign in with Google': redirected to Google's login.
2. User authorizes app: grants permission to access email, profile.
3. Google returns authorization code: a temporary code sent to your app.
4. Exchange code for token: your app trades the code for an access token.
5. Access user data: use the token to call Google APIs.
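The five steps above, as an added example that is not code from the original page. "Google" is a constructed in-memory stand-in (FakeAuthServer) so the example runs offline; the endpoint URLs, client id and redirect URI are placeholders. It goes slightly beyond the page by adding the `state` parameter that RFC 6749 recommends, which ties the callback to the login the app actually started, and by having the stand-in treat each authorization code as single-use and bound to the client and redirect URI it was issued for.

```python
"""Client side of the authorization code flow (added illustration, not the page's code)."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://auth.example/o/oauth2/auth"   # placeholder
TOKEN_ENDPOINT = "https://auth.example/o/oauth2/token"      # placeholder


class FakeAuthServer:
    """Constructed stand-in for Google. Issues single-use authorization codes
    bound to the client and redirect URI they were issued for."""

    def __init__(self):
        self._codes = {}

    def user_authorizes(self, client_id, redirect_uri, scope):
        # Step 2: the user approves; step 3: a temporary code is minted.
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"client_id": client_id,
                             "redirect_uri": redirect_uri, "scope": scope}
        return code

    def token(self, form):
        # Step 4 (server side): a code is redeemable exactly once, and only by
        # the client/redirect_uri it was issued to.
        rec = self._codes.pop(form.get("code"), None)
        if rec is None or rec["client_id"] != form.get("client_id") \
                or rec["redirect_uri"] != form.get("redirect_uri"):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": rec["scope"]}


class OAuthClient:
    """Your app. Remembers pending logins by `state` so a callback can be tied
    back to the browser session that started it."""

    def __init__(self, client_id, redirect_uri, scope):
        self.client_id, self.redirect_uri, self.scope = client_id, redirect_uri, scope
        self._pending_states = set()

    def start_login(self):
        # Step 1: build the URL the user is redirected to.
        state = secrets.token_urlsafe(16)
        self._pending_states.add(state)
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": self.redirect_uri, "scope": self.scope, "state": state}
        return AUTHORIZE_ENDPOINT + "?" + urlencode(params)

    def handle_callback(self, callback_url, server):
        # Step 4 (client side): validate the callback, then exchange the code.
        qs = parse_qs(urlparse(callback_url).query)
        state = qs.get("state", [None])[0]
        if state not in self._pending_states:
            raise ValueError("unknown state: callback not tied to a login we started")
        self._pending_states.discard(state)          # each state is single-use too
        code = qs.get("code", [None])[0]
        if code is None:
            raise ValueError("callback carried no authorization code")
        # In production this is an HTTPS POST to TOKEN_ENDPOINT including the
        # client secret; here we call the stand-in directly.
        resp = server.token({"grant_type": "authorization_code", "code": code,
                             "client_id": self.client_id, "redirect_uri": self.redirect_uri})
        if "error" in resp:
            raise ValueError(f"token endpoint refused the code: {resp['error']}")
        return resp


def run_flow_demo():
    """Walks the happy path, then shows two failures the checks above catch."""
    server = FakeAuthServer()
    app = OAuthClient("my-app-id", "https://app.example/cb", "email profile")  # placeholders
    login_url = app.start_login()
    state = parse_qs(urlparse(login_url).query)["state"][0]
    code = server.user_authorizes("my-app-id", "https://app.example/cb", "email profile")
    callback = f"https://app.example/cb?{urlencode({'code': code, 'state': state})}"
    token = app.handle_callback(callback, server)   # step 5 would send token["access_token"] to the API
    results = {"token_type": token["token_type"], "scope": token["scope"]}
    try:                                            # replaying the same callback
        app.handle_callback(callback, server)
        results["replay_rejected"] = False
    except ValueError:
        results["replay_rejected"] = True
    forged = f"https://app.example/cb?{urlencode({'code': code, 'state': 'not-ours'})}"
    try:                                            # callback from a login this app never started
        app.handle_callback(forged, server)
        results["forged_state_rejected"] = False
    except ValueError:
        results["forged_state_rejected"] = True
    return results


if __name__ == "__main__":
    print(run_flow_demo())
```

The two failure cases at the end are the ones worth noticing: a callback whose `state` the app never issued is dropped before any code is exchanged, and a replayed callback fails twice over, once because the state was consumed and again because the server will not redeem a code a second time.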
Wrong: "OAuth is for authentication"
Correct: <strong>OAuth is for authorization, not authentication</strong>. It grants access to resources; it does not verify who the user is. Use OpenID Connect (built on OAuth) for authentication.
Grammarly accessing Google Docs:
1. You click 'Connect Google Docs' in Grammarly.
2. Google asks: 'Allow Grammarly to read/edit your docs?'
3. You approve, and Grammarly gets an access token.
4. Grammarly can now check grammar in your docs.
5. You can revoke access anytime in Google settings.