OAuth 2.0
OAuth 2.0 is an authorization framework that enables secure delegated access, allowing users to grant third-party apps limited access to their resources without sharing credentials.
OAuth 2.0 (RFC 6749) is the industry standard for delegated authorization. It deliberately separates authorization (what a client is allowed to do with a resource) from authentication (who the user is): OAuth 2.0 by itself does not authenticate users, and an access token is not proof of identity. OpenID Connect layers authentication on top of it.
OAuth 2.0 grant types:
- Authorization Code: for confidential clients (server-side web apps) that can hold a client secret; the user's browser only ever sees a short-lived, single-use code, and the code-for-token exchange happens on the back channel
- Authorization Code + PKCE: originally for public clients (mobile apps, SPAs) that cannot keep a secret; the current OAuth 2.0 Security Best Current Practice recommends PKCE for every authorization-code client, confidential ones included
- Client Credentials: for machine-to-machine access where the client acts on its own behalf and no user is involved
- Refresh Token: exchanges a refresh token for a new access token without sending the user back through the authorization step
- Implicit (deprecated): returned access tokens directly in the URL fragment; it should not be used in new systems, since the token is exposed to browser history, referrers and scripts
Key concepts:
- Access Token: short-lived credential the client presents to the API; usually a bearer token, so anyone who holds it can use it
- Refresh Token: longer-lived credential presented to the token endpoint to obtain new access tokens; for public clients it should be rotated on every use
- Scopes: the permissions the client requests and the user consents to (for example read vs. write); the API enforces them on every request
- Authorization Server: authenticates the user, obtains consent and issues tokens
- Resource Server: the API that accepts access tokens, validates them and enforces scopes
Security best practices:
- Use PKCE for all public clients, and for confidential clients as well where the authorization server supports it
- Keep access tokens short-lived (minutes), so a leaked token has a narrow window of use
- Validate every access token on the resource server: signature, issuer, audience, expiry and scope, with the accepted signing algorithm pinned in the validator rather than read from the token
- Register exact redirect URIs and match them exactly (no prefix or wildcard matching), and use the state parameter to bind the callback to the request
- Store tokens securely: on the server side or in an HttpOnly cookie for web apps, in the platform keystore for mobile apps; avoid localStorage, which any injected script can read
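The "validate tokens server-side" bullet above is where most resource-server bugs live, so here is what a complete check looks like, as an added example rather than code from the original page. It mints and verifies HS256 tokens with a shared secret using only the Python standard library so it runs offline; production issuers normally sign with RS256/ES256 and publish their keys via a JWKS endpoint, but the sequence of checks (pinned algorithm, signature, expiry, issuer, audience, scope) is the same. The issuer and audience URLs and the secret are assumptions for illustration.

```python
"""Resource-server validation of a JWT access token, standard library only.

Added example, not code from the original page. HS256 with a shared secret
is used so the example runs offline; the issuer/audience URLs are assumed.
"""
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes) -> str:
    """Stand-in for the authorization server: sign the claims as an HS256 JWT."""
    header = {"alg": "HS256", "typ": "at+jwt"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_access_token(token, secret, issuer, audience, required_scopes,
                          now=None, leeway=30):
    """Return {"ok": True, "claims": {...}} or {"ok": False, "reason": "..."}.

    Order matters: nothing in the payload is trusted until the signature is verified."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return {"ok": False, "reason": "malformed"}
    head_seg, body_seg, sig_seg = parts
    try:
        header = json.loads(b64url_decode(head_seg))
        claims = json.loads(b64url_decode(body_seg))
        signature = b64url_decode(sig_seg)
    except (ValueError, UnicodeDecodeError):
        return {"ok": False, "reason": "malformed"}
    # Pin the algorithm: the token's own header must never choose it
    # ("alg": "none", or HS256 verified with a public RSA key as the HMAC secret).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return {"ok": False, "reason": "unexpected_alg"}
    expected = hmac.new(secret, (head_seg + "." + body_seg).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return {"ok": False, "reason": "bad_signature"}
    if not isinstance(claims, dict):
        return {"ok": False, "reason": "malformed"}
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        return {"ok": False, "reason": "expired"}
    if "nbf" in claims and now < claims["nbf"] - leeway:
        return {"ok": False, "reason": "not_yet_valid"}
    if claims.get("iss") != issuer:
        return {"ok": False, "reason": "wrong_issuer"}
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return {"ok": False, "reason": "wrong_audience"}
    scope = claims.get("scope", "")
    granted = set(scope.split()) if isinstance(scope, str) else set()
    missing = sorted(set(required_scopes) - granted)
    if missing:
        return {"ok": False, "reason": "insufficient_scope", "missing": missing}
    return {"ok": True, "claims": claims}


if __name__ == "__main__":
    secret = b"assumed-shared-secret-for-demo"
    now = int(time.time())
    tok = mint_token({"iss": "https://as.example", "aud": "https://api.example",
                      "sub": "user-42", "iat": now, "exp": now + 300,
                      "scope": "read write"}, secret)
    print(validate_access_token(tok, secret, "https://as.example",
                                "https://api.example", ["read"]))
    print(validate_access_token(tok, secret, "https://as.example",
                                "https://api.example", ["admin"]))
```

The audience check is the one most often skipped: a token issued for a different API at the same issuer carries a valid signature, and only `aud` stops it from being accepted here.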
Why It Matters
OAuth 2.0 is the foundation of modern API security and third-party integrations. Misimplemented OAuth flows—such as missing PKCE, overly broad scopes, or improper token storage—are common attack vectors that lead to account takeover and data exposure. Understanding OAuth security best practices is essential for any organization building or consuming APIs.
Related Terms
Authentication is the process of verifying the identity of a user, device, or system before granting access to resources.
API security encompasses practices and technologies used to protect Application Programming Interfaces from attacks and misuse, including authentication, authorization, rate limiting, and input validation.
IAM is a framework of policies and technologies that ensure the right individuals have appropriate access to technology resources at the right times and for the right reasons.
Frequently Asked Questions
What is the difference between OAuth and OpenID Connect?
OAuth handles authorization (permissions). OpenID Connect (OIDC) adds authentication (identity) on top of OAuth: it introduces the ID token, a signed JWT about the user that the client itself validates, plus a UserInfo endpoint. Use OIDC when you need to know who the user is; treating a plain OAuth access token as proof of identity is a common mistake, because the access token is meant for the API, not for the client.
What is PKCE?
Proof Key for Code Exchange (RFC 7636) prevents authorization code interception attacks. The client generates a random code_verifier, sends only its SHA-256 hash (the code_challenge) with the authorization request, and then presents the original verifier when exchanging the code for tokens; an attacker who intercepts the code cannot redeem it without the verifier. It is required for mobile apps and SPAs, where client secrets can't be kept secure, and the current OAuth security best practice recommends it for all authorization-code clients.
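Here is the flow from the grant-types list and this answer carried through end to end, as an added example that is not code from the original page. It shows the client side (verifier and challenge generation, the authorization request) and a toy in-memory authorization server that binds the one-time code to the challenge, exact-matches the registered redirect URI, and rejects a replayed code or a wrong verifier. The endpoint URLs, the client_id "spa-client" and the redirect URI are assumptions for illustration only.

```python
"""Authorization Code + PKCE (RFC 7636) with both sides of the exchange.

Added example, not code from the original page. The in-memory authorization
server, client_id "spa-client" and the example URLs are assumptions.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 specifies for the challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier))."""
    return b64url(hashlib.sha256(verifier.encode("utf-8")).digest())


# ---- client side (public client: SPA or mobile app, no client secret) ----

def make_pkce_pair():
    """32 random bytes -> 43-char verifier (the RFC 7636 minimum) and its S256 challenge."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, s256_challenge(verifier)


def build_authorization_url(endpoint, client_id, redirect_uri, scope, state, challenge):
    """Front-channel request sent via the browser; only the challenge leaves the device."""
    return endpoint + "?" + urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })


# ---- authorization server side (toy, in memory) --------------------------

class AuthorizationServer:
    def __init__(self, registered_redirects):
        self._redirects = registered_redirects  # client_id -> its registered redirect_uri
        self._codes = {}                         # code -> what it was issued for

    def authorize(self, url):
        """Authorization endpoint: issue a one-time code bound to the PKCE challenge."""
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        if q.get("response_type") != "code":
            return {"error": "unsupported_response_type"}
        client_id, redirect_uri = q.get("client_id"), q.get("redirect_uri")
        # Exact string match against the registered URI: no prefix or wildcard matching.
        if not client_id or not redirect_uri or self._redirects.get(client_id) != redirect_uri:
            return {"error": "invalid_request", "error_description": "redirect_uri mismatch"}
        if q.get("code_challenge_method") != "S256" or not q.get("code_challenge"):
            return {"error": "invalid_request", "error_description": "PKCE with S256 is required"}
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                             "challenge": q["code_challenge"]}
        return {"code": code, "state": q.get("state")}

    def token(self, code, client_id, redirect_uri, code_verifier):
        """Token endpoint (back channel): an intercepted code is useless without the verifier."""
        record = self._codes.pop(code, None)  # pop: each code can be redeemed exactly once
        if record is None:
            return {"error": "invalid_grant", "error_description": "unknown or already used code"}
        if (record["client_id"], record["redirect_uri"]) != (client_id, redirect_uri):
            return {"error": "invalid_grant", "error_description": "client or redirect_uri mismatch"}
        if not 43 <= len(code_verifier) <= 128:
            return {"error": "invalid_grant", "error_description": "code_verifier length out of range"}
        expected = s256_challenge(code_verifier).encode("utf-8")
        if not hmac.compare_digest(expected, record["challenge"].encode("utf-8")):
            return {"error": "invalid_grant", "error_description": "PKCE verification failed"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 300}


if __name__ == "__main__":
    srv = AuthorizationServer({"spa-client": "https://app.example/cb"})
    verifier, challenge = make_pkce_pair()
    url = build_authorization_url("https://as.example/authorize", "spa-client",
                                  "https://app.example/cb", "read", "st-1", challenge)
    code = srv.authorize(url)["code"]
    print("legitimate client:", srv.token(code, "spa-client", "https://app.example/cb", verifier))
    print("replayed code:    ", srv.token(code, "spa-client", "https://app.example/cb", verifier))
```

The client should also compare the `state` echoed back on the callback with the value it sent before it touches the code; that check is left to the caller here because it happens in the client's callback handler, not at the server.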