OAuth 2.0
A delegation framework (RFC 6749) that lets a user grant a third-party app limited, scoped access to resources on their behalf without sharing their password: the app receives an access token instead of credentials. OpenID Connect (OIDC) builds its identity layer on top of it.
Flows
Authorization Code + PKCE
The recommended OAuth 2.0 flow for web, mobile, and single-page apps: the app sends the user through the browser to the authorization server, receives a short-lived, single-use authorization code on its redirect URI, then exchanges that code for tokens over a back channel. PKCE (RFC 7636) binds the code to the client instance that started the flow: the client sends a hash of a random secret (the code_challenge) when requesting the code, and must present the secret itself (the code_verifier) when redeeming it, so a code intercepted from the redirect cannot be exchanged by anyone else.
13 steps →
Client Credentials
Machine-to-machine authorization: with no user involved, the app authenticates to the token endpoint as itself (for example with a client secret or a private key), obtains an access token scoped to what that client is allowed to do, and calls a protected API with it. Used for service-to-service calls, daemons, and cron jobs; only confidential clients that can keep a credential should be registered for this grant.
4 steps →
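To make the two flows above concrete, here is an added example (not code from the page or from any real authorization server) of a toy in-memory token endpoint that handles both grants. It shows the checks a practitioner cares about: the authorization code is single-use, expires, must be redeemed by the same client and redirect URI, and only with the code_verifier whose S256 hash matches the stored code_challenge; the client_credentials grant requires the client to authenticate with its secret and to be registered for that grant. The client ids, secrets, redirect URI and scopes are constructed for the example, and TLS/HTTP framing is omitted.

```python
"""Toy OAuth 2.0 token endpoint for Authorization Code + PKCE and Client Credentials.
Added illustration; client registry values below are hypothetical."""
import base64
import hashlib
import hmac
import secrets
import time

# Constructed client registry (hypothetical ids, secret and redirect URI).
CLIENTS = {
    "spa-client": {"secret": None, "grants": {"authorization_code"},
                   "redirect_uris": {"https://app.example/cb"}},   # public client, no secret
    "batch-job": {"secret": "s3cr3t-batch", "grants": {"client_credentials"},
                  "redirect_uris": set()},                          # confidential client
}


def _s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)) without padding (RFC 7636)."""
    return base64.urlsafe_b64encode(hashlib.sha256(verifier.encode("ascii")).digest()).rstrip(b"=").decode()


def make_pkce_pair():
    """Client side: a fresh random code_verifier (43 chars here) and its S256 challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    return verifier, _s256(verifier)


class AuthServer:
    def __init__(self):
        self._codes = {}    # code -> {client_id, redirect_uri, challenge, expires}
        self._tokens = {}   # access_token -> {client_id, scope}

    def authorize(self, client_id, redirect_uri, code_challenge, method="S256"):
        """Front channel, after the user authenticated and consented: issue a 60 s code."""
        client = CLIENTS.get(client_id)
        if client is None or "authorization_code" not in client["grants"]:
            raise ValueError("unauthorized_client")
        if redirect_uri not in client["redirect_uris"]:     # exact match, never prefix match
            raise ValueError("invalid_request")
        if method != "S256" or not code_challenge:          # refuse the weaker "plain" method
            raise ValueError("invalid_request")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                             "challenge": code_challenge, "expires": time.time() + 60}
        return code

    def token(self, form, basic_auth=None):
        """Back channel: form is the POST body; basic_auth is (client_id, secret) or None."""
        grant = form.get("grant_type")
        if grant == "authorization_code":
            return self._redeem_code(form)
        if grant == "client_credentials":
            return self._client_credentials(form, basic_auth)
        raise ValueError("unsupported_grant_type")

    def _redeem_code(self, form):
        entry = self._codes.pop(form.get("code"), None)     # pop: a code is single-use
        if entry is None or entry["expires"] < time.time():
            raise ValueError("invalid_grant")
        if entry["client_id"] != form.get("client_id") or entry["redirect_uri"] != form.get("redirect_uri"):
            raise ValueError("invalid_grant")
        verifier = form.get("code_verifier", "")
        if not 43 <= len(verifier) <= 128:                   # RFC 7636 length bounds
            raise ValueError("invalid_grant")
        if not hmac.compare_digest(_s256(verifier), entry["challenge"]):
            raise ValueError("invalid_grant")                # PKCE binding failed
        return self._issue(entry["client_id"], form.get("scope", ""))

    def _client_credentials(self, form, basic_auth):
        if basic_auth is None:
            raise ValueError("invalid_client")
        client_id, secret = basic_auth
        client = CLIENTS.get(client_id)
        if client is None or client["secret"] is None or not hmac.compare_digest(client["secret"], secret):
            raise ValueError("invalid_client")               # unknown, public, or wrong secret
        if "client_credentials" not in client["grants"]:
            raise ValueError("unauthorized_client")
        return self._issue(client_id, form.get("scope", ""))

    def _issue(self, client_id, scope):
        tok = secrets.token_urlsafe(32)
        self._tokens[tok] = {"client_id": client_id, "scope": scope}
        return {"access_token": tok, "token_type": "Bearer", "expires_in": 3600, "scope": scope}

    def introspect(self, access_token):
        """Resource server side: who does this token belong to, and with what scope?"""
        return self._tokens.get(access_token)


def token_or_error(server, form, basic_auth=None):
    """Helper for demos/tests: the token response, or the OAuth error code as a string."""
    try:
        return server.token(form, basic_auth)
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    srv = AuthServer()
    verifier, challenge = make_pkce_pair()
    code = srv.authorize("spa-client", "https://app.example/cb", challenge)
    print(token_or_error(srv, {"grant_type": "authorization_code", "code": code, "client_id": "spa-client",
                               "redirect_uri": "https://app.example/cb", "code_verifier": verifier}))
    print(token_or_error(srv, {"grant_type": "client_credentials", "scope": "jobs"},
                         basic_auth=("batch-job", "s3cr3t-batch")))
```

The same token endpoint serves both grants, which is how real authorization servers are laid out; what differs is how the caller proves it may have a token (possession of the code_verifier versus possession of the client secret). A production server would add expiring tokens, refresh tokens, per-client scope limits and rate limiting, none of which change the checks shown here.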