OAuth 2.0 — Explained with Examples

DodaTech Updated Jun 15, 2026 2 min read

OAuth 2.0 is an authorization framework that enables third-party applications to obtain limited access to a user’s resources without exposing credentials.

OAuth stands for Open Authorization (version 2.0, defined in RFC 6749). It’s the standard behind “Login with Google” or “Login with GitHub” buttons across the web.

How OAuth 2.0 Works

OAuth involves four roles: Resource Owner (the user), Client (the app requesting access), Authorization Server (which issues tokens), and Resource Server (which holds the user’s data).

User → App: "I want to log in"
App → Auth Server: "Redirect user to authorize"
User → Auth Server: "Logs in and grants permission"
Auth Server → App: "Here's an authorization code"
App → Auth Server: "Exchange code for access token"
Auth Server → App: "Here's your access token"
App → Resource Server: "Access user data with token"
Resource Server → App: "Here's the data"

Real-World Analogy

OAuth is like a hotel key card. You (resource owner) check in at the front desk (authorization server) and get a key card (access token). The key card opens your room door (resource) but not other rooms (limited access). You don’t give the front desk your house key (password) — the card only works for specific doors during your stay.

Authorization Code Flow

// Node.js: crypto is needed for the random state value (browsers expose it as a global).
const crypto = require('crypto');

// Step 1: Redirect user to authorization server.
// `state` is a random value saved in the user's session; the callback must echo
// it back unchanged, or the response is rejected (CSRF protection, RFC 6749 §10.12).
const state = crypto.randomUUID();
const authUrl = 'https://accounts.google.com/o/oauth2/auth?' +
  'client_id=YOUR_CLIENT_ID' +
  '&redirect_uri=' + encodeURIComponent('https://yourapp.com/callback') +
  '&response_type=code' +
  '&scope=profile%20email' +
  '&state=' + state;

// Step 2: Exchange code for token. This request carries client_secret, so it
// runs on the app's backend, never in JavaScript delivered to the browser.
fetch('https://oauth2.googleapis.com/token', {
  method: 'POST',
  headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
  body: new URLSearchParams({
    code: 'AUTH_CODE',               // the code received on the callback, after the state check
    client_id: 'YOUR_CLIENT_ID',
    client_secret: 'YOUR_CLIENT_SECRET',
    redirect_uri: 'https://yourapp.com/callback', // must match the value used in Step 1
    grant_type: 'authorization_code'
  })
}).then(res => res.json()).then(data => {
  console.log(data.access_token);  // short-lived token, sent as "Authorization: Bearer <token>"
  console.log(data.refresh_token); // long-lived token; Google only returns it when Step 1 included access_type=offline
});

Related Terms

JWT, OpenID Connect, SSO, Authentication vs Authorization, API Gateway
