Skip to content

What is OAuth 2.0

Key idea:

OAuth 2.0 (RFC 6749) is a delegated-authorization standard: app A gains the right to act on behalf of a user in service B without receiving the user's password. Don't confuse with authentication — "sign in with Google" uses OpenID Connect on top of OAuth 2.0. Core flows: Authorization Code (web), PKCE (mobile/SPA), Client Credentials (service-to-service), Device (TV, CLI).

Below: details, example, related terms, FAQ.

Check your site's security →

Details

  • Authorization Code: redirect → code → server exchanges for access_token
  • PKCE (Proof Key for Code Exchange): for public clients, defends against stolen codes
  • Client Credentials: service-to-service, no user, via client_id + client_secret
  • Device Code: for devices without browsers — user confirms on phone
  • Scopes: limit what the token can do (read:email vs write:all)

Example

Authorization: Bearer eyJhbGciOi...

Related Terms

OAuth 2.0 Flow Types Explained

OAuth 2.0 defines several flow types to accommodate different use cases and environments. Understanding these flows is crucial for implementing OAuth securely and effectively.

  • Authorization Code Flow: This flow is primarily used for web applications. It involves redirecting the user to the authorization server, where they log in and grant permissions. The server then redirects back to the application with an authorization code, which the application exchanges for an access token. This flow is secure as the access token is never exposed to the user agent.
  • PKCE (Proof Key for Code Exchange): An enhancement to the Authorization Code Flow, PKCE is designed for public clients, such as mobile and single-page applications (SPAs). It adds an additional layer of security by requiring a code verifier and a code challenge, preventing interception of the authorization code.
  • Client Credentials Flow: This flow is used for server-to-server communication. Here, the application directly requests an access token using its own credentials without user interaction. It’s commonly used for accessing APIs where user context is not required.
  • Device Flow: This flow is intended for devices with limited input capabilities, such as TVs or IoT devices. The user is provided with a code and directed to a URL on another device to enter it. Once authenticated, the device receives an access token.

Each flow serves a specific purpose and is designed to mitigate risks associated with different types of applications and usage scenarios.

Practical Examples of OAuth 2.0 Implementation

Implementing OAuth 2.0 can vary based on the flow type chosen. Below are examples for the Authorization Code Flow and Client Credentials Flow.

Authorization Code Flow Example

1. Redirect to Authorization Server:

GET https://authorization-server.com/auth?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=YOUR_REDIRECT_URI&scope=YOUR_SCOPES

2. Exchange Authorization Code for Access Token:

POST https://authorization-server.com/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=AUTHORIZATION_CODE&redirect_uri=YOUR_REDIRECT_URI&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET

3. Use Access Token to Access Protected Resource:

GET https://api.resource-server.com/resource
Authorization: Bearer ACCESS_TOKEN

Client Credentials Flow Example

1. Request Access Token:

POST https://authorization-server.com/token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET

2. Use Access Token to Access API:

GET https://api.resource-server.com/resource
Authorization: Bearer ACCESS_TOKEN

These examples illustrate how to use OAuth 2.0 flows for different scenarios, ensuring secure access to resources.

OAuth 2.0 vs JWT: Understanding the Differences

OAuth 2.0 and JSON Web Tokens (JWT) are often discussed together, but they serve different purposes in the realm of web security.

OAuth 2.0 Overview

OAuth 2.0 is primarily an authorization framework. It allows applications to gain limited access to user accounts on an HTTP service, without exposing user credentials. OAuth 2.0 defines how tokens are obtained and used but does not specify the format of these tokens.

JWT Overview

JSON Web Tokens (JWT) are a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure. JWTs can be used as access tokens in OAuth 2.0 flows.

Key Differences

  • Purpose: OAuth 2.0 is an authorization protocol, whereas JWT is a token format.
  • Token Structure: OAuth 2.0 does not define how the tokens should be structured, while JWT has a specific structure that includes a header, payload, and signature.
  • Use Case: OAuth 2.0 is used to delegate access, while JWT can be used for both authorization (as in OAuth) and information exchange.

In summary, OAuth 2.0 is a protocol for authorization, while JWT is a token format that can be used within that protocol. Understanding their roles helps in building secure applications.

HeadersCSP, HSTS, X-Frame-Options, etc.
SSL/TLSEncryption and certificate
ConfigurationServer settings and leaks
Grade A-FOverall security score

Why teams trust us

OWASP
guidelines
15+
security headers
<2s
result
A–F
security grade

How it works

1

Enter site URL

2

Security headers analyzed

3

Get grade A–F

What Does the Security Analysis Check?

The tool checks HTTP security headers, SSL/TLS configuration, server info leaks, and protection against common attacks (XSS, clickjacking, MIME sniffing). A grade fromA to F shows overall security level.

Header Analysis

Checking Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more.

SSL Check

TLS version, certificate expiry, chain of trust, HSTS support.

Leak Detection

Finding exposed server versions, debug modes, open configs, and directories.

Report with Recommendations

Detailed report explaining each issue with specific steps to fix it.

Who uses this

Security teams

HTTP header audit

DevOps

config verification

Developers

CSP & HSTS setup

Auditors

compliance checks

Common Mistakes

Missing Content-Security-PolicyCSP is the primary XSS defense. Without it, script injection is much easier.
Missing HSTS headerWithout HSTS, HTTPS-to-HTTP downgrade attacks are possible. Enable Strict-Transport-Security.
Server header exposes versionServer: Apache/2.4.52 helps attackers find exploits. Hide the version.
X-Frame-Options not setSite can be embedded in iframe for clickjacking. Set DENY or SAMEORIGIN.
Missing X-Content-Type-OptionsWithout nosniff, browsers may misinterpret file types (MIME sniffing).

Best Practices

Start with basic headersMinimum: HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy. Takes 5 minutes.
Implement CSP graduallyStart with Content-Security-Policy-Report-Only, monitor violations, then enforce.
Hide server headersRemove Server, X-Powered-By, X-AspNet-Version from responses.
Configure Permissions-PolicyRestrict camera, microphone, geolocation access — only what is actually used.
Check after every deploySecurity headers can be overwritten during server configuration updates.

Get more with a free account

Security check history and HTTP security header monitoring.

Sign up free

Learn more

Frequently Asked Questions

OAuth 2.0 vs OpenID Connect?

OAuth 2.0 is authorization (what). OpenID Connect is a layer on top for authentication (who) via an id_token (JWT).

Is Implicit flow still used?

No — since OAuth 2.1 draft (2019) and most guides mark it deprecated. Replacement: Authorization Code + PKCE.

Is the access token a JWT?

Can be, not required. The OAuth spec does not mandate format. Many providers (Google, Auth0) return JWTs for client convenience.

Try the live tool that powered this guide

Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.