What is OAuth 2.0?

Turkish: OAuth 2.0

OAuth 2.0 is an authorization framework that allows third-party applications to access resources without the user's password.

What Is OAuth 2.0?

OAuth 2.0 is an authorization standard that lets an application access a user’s data in another system with limited, revocable permission. The third-party app does not receive the user’s password; an authorization server issues an access token that represents approved scopes.

A common example is a reporting tool that asks to read files from Google Drive. The user sees a consent screen, approves specific permissions, and the application can only act within those boundaries.

How OAuth 2.0 Works

  1. Client: The web, mobile, or server app requesting access
  2. Authorization server: The system that authenticates the user and handles consent
  3. Resource server: The protected API or data source
  4. Scope: A permission boundary such as read:orders or profile
  5. Token: The short-lived credential used in API requests

The most common flow for web apps is Authorization Code with PKCE. Mobile and single-page apps also use PKCE, while the older implicit flow is no longer recommended for new systems. Refresh tokens are used to obtain new access tokens without forcing the user through login each time.
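A minimal walk-through of the Authorization Code with PKCE flow described above, added here as an example and not code from the page's author. It covers both sides: the client builds the PKCE pair and the authorization request, then checks `state` on the callback; the authorization server checks the redirect URI by exact match and verifies the `code_verifier` at the token endpoint. Endpoint URLs, client ids and the `read:orders` scope are assumed sample values.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

def b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 uses."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def code_challenge_for(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def new_pkce_pair() -> tuple[str, str]:
    """Client side: a fresh random verifier (43 chars) and its challenge."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, code_challenge_for(verifier)

def authorization_url(auth_endpoint, client_id, redirect_uri, scopes, state, challenge):
    """Client side: the redirect that starts the Authorization Code flow."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # narrow scopes, e.g. read:orders
        "state": state,             # random per request, checked on return
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{auth_endpoint}?{urlencode(params)}"

def code_from_callback(callback_url: str, expected_state: str) -> str:
    """Client side: accept the callback only if state matches what we sent."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback is not tied to our request")
    return query["code"][0]

def token_request_body(client_id, redirect_uri, code, verifier) -> dict:
    """Client side: form fields POSTed to the token endpoint to redeem the code."""
    return {"grant_type": "authorization_code", "client_id": client_id,
            "redirect_uri": redirect_uri, "code": code, "code_verifier": verifier}

def redirect_uri_allowed(requested: str, registered: list[str]) -> bool:
    """Server side: exact string match against registered URIs, never prefix or wildcard."""
    return requested in registered

def verifier_matches(verifier: str, stored_challenge: str) -> bool:
    """Server side (token endpoint): recompute S256 and compare in constant time."""
    return secrets.compare_digest(code_challenge_for(verifier), stored_challenge)
```

The `code_challenge_for` function reproduces the RFC 7636 Appendix B test vector, so it can be checked against the standard directly.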

Business Use

OAuth 2.0 is used for social login, third-party integrations, marketplace apps, accounting connections, and enterprise SSO scenarios. A CRM connecting to an email account, an e-commerce panel accessing a shipping API on behalf of a user, or a mobile app reading profile data all fit this model.

Implementation details matter: redirect URI validation, narrow scopes, secure token storage, and token lifetime policies all affect risk. OAuth is often seen together with JWT, but OAuth defines the authorization flow; JWT is one possible token format. In a well-designed API, that distinction keeps access control clear.

2FA (Two-Factor Authentication)

2FA adds a second proof, such as an authenticator app, SMS code, or security key, on top of a password during sign-in.

API Gateway Security

API Gateway security centralizes authentication, quotas, WAF rules, and traffic visibility at the API entry point.

API Key

An API key identifies an application or developer and supports quota tracking, access limits, and basic server-to-server security.

API Security

API security protects endpoints with authentication, authorization, encryption, rate limits, and monitoring against misuse or data leaks.

API (Application Programming Interface)

An API is a contract that lets software systems request approved data or actions from one another through documented endpoints.

JWT (JSON Web Token)

JWT is a signed and encoded JSON-based token standard used to carry verifiable claims between APIs, clients, and services.

MFA (Multi-Factor Authentication)

MFA protects sign-ins by requiring extra factors such as an authenticator app, device prompt, biometrics, or a security key.

Passkey

A passkey is a phishing-resistant sign-in method that uses a device-held private key plus biometric or PIN approval instead of passwords.

RBAC (Role-Based Access Control)

RBAC is an authorization model that assigns permissions to job roles instead of individual users, making access management easier to govern.

SAML (Security Assertion Markup Language)

SAML carries signed XML authentication assertions between an identity provider and a service provider, commonly for enterprise SSO.