OAuth 2.0 is everywhere.
You use it every time you:
- sign in with Google
- connect an app to your GitHub account
- authorize a payment system
- grant access to a third-party tool
But OAuth documentation is famously confusing — full of jargon like "authorization servers," "resource owners," and "clients."
Let's drop the jargon and explain OAuth like you're hearing it for the first time.
⭐ What Problem Does OAuth Actually Solve?
Imagine you want App A to access data from App B without giving App A your password.
Example:
You want Notion (App A) to access your Google Calendar (App B).
- You don't want to give Notion your Google password.
- You do want Notion to read/write to your calendar.
OAuth makes this secure and possible.
OAuth lets you give apps limited access to your data — without sharing your password.
⭐ The Real Players (But in Normal Language)
Forget the official names. Here's what they really mean:
| Official Term | Plain English |
|---|---|
| Resource Owner | You (the user) |
| Client | The app that wants access (Notion) |
| Resource Server | The API holding your data (Google Calendar API) |
| Authorization Server | The login page where you grant permission (Google Login) |
That's it. Four players — one of which is you.
⭐ Step-by-Step: What Actually Happens During OAuth
Let's use the example:
➡️ Notion wants permission to access your Google Calendar.
Here's what happens behind the scenes:
Step 1 — Notion sends you to Google to log in
You click: "Connect Google Calendar"
Notion does not collect your Google password. Instead, it redirects you to Google's login page.
Step 2 — Google asks: "Do you allow this?"
You see a page that says:
"Notion wants to view your calendar. Allow or Deny?"
This is Google's authorization server verifying whether YOU want this connection.
Step 3 — You click "Allow"
Google now issues Notion a one-time authorization code. This code is short-lived and useless if stolen.
Step 4 — Notion exchanges the code for an access token
Notion sends the code to Google (secretly, from the backend):
Here's the authorization code.
Please give me an access token.
Google replies:
Here's your access token.
You can now access the user's calendar.
Step 5 — Notion uses the access token to call the calendar API
This token works like a temporary key.
- It does NOT reveal your password
- It expires
- It has limited permissions
- It may only allow read-only access
Final Step — Access token expires → Notion uses a refresh token
To keep you logged in silently:
- the access token expires quickly
- the refresh token lasts longer and can request new access tokens
This keeps everything secure.
⭐ The OAuth Flows Explained Simply
OAuth has multiple "flows." These are just different ways to perform the same basic idea depending on the app.
Here they are in plain English:
⭐ 1. Authorization Code Flow (Most Popular)
Used by:
- SaaS products
- Web apps
- Backend apps
- Anything with a server
Why? Most secure. Tokens are exchanged on the backend.
Simple definition: Redirect user → ask permission → get a code → exchange code for token.
⭐ 2. PKCE Flow (For Mobile & Single-Page Apps)
Pronounced "pixie."
Used by:
- React apps
- Mobile apps
- Any frontend without a backend
Why? These apps can't safely store secrets. PKCE protects the code exchange.
Simple definition: Authorization Code Flow but with extra steps to prevent interception.
⭐ 3. Client Credentials Flow (Machine → Machine)
Used by:
- microservices
- servers calling other servers
- No user involved
Simple definition: The app logs in as itself using its own credentials.
⭐ 4. Device Code Flow (For TVs, PlayStations, etc.)
Used when you:
- log in on your TV
- see a code
- go to a website on your phone
- authorize the device
Simple definition: Device shows a code → you approve from another device.
⭐ 5. Refresh Token Flow
Not truly a flow — more like a system.
Used when:
- access token expires
- app requests a new one without asking you to log in again
Simple definition: Silent re-authentication.
⭐ Why OAuth Exists (In One Sentence)
OAuth lets apps access your data safely, without sharing your password, and with limited permissions.
That's it.
⭐ The Most Common Misunderstanding
Many people think OAuth = login.
It's not.
- Logging in → Authentication
- Allowing access → Authorization
OAuth handles authorization. Hence the name: Open Authorization.
⭐ When Should You Use OAuth in Your Product?
Choose OAuth if:
- ✔ Your app connects to Google, GitHub, Slack, Notion, Stripe, etc.
- ✔ You need to access user data from another platform
- ✔ You want to avoid storing passwords
- ✔ You want granular permissions
- ✔ You want security best practices
- ✔ You want scalable authentication/authorization
Skip OAuth if:
- ❌ You're building a small internal tool
- ❌ You just need a username/password
- ❌ You don't integrate with third-party services
⭐ Final Thoughts
OAuth is powerful — but the explanations often make it sound more complicated than necessary.
At its core, OAuth is just:
- sending users to a trusted login page
- getting permission
- receiving a safe, limited token
- using that token to access an API
If you understand the why, the how becomes simple.