What Is OAuth?

Wherein I [try to] answer a seemingly straightforward question: “WTF is OAuth, anyhow?”

Blaine, February 21, 2026

@geoffreylitt.com recently asked a question about OAuth on dead-Twitter:

“I desperately need a Matt Levine style explanation of how OAuth works. What is the historical cascade of requirements that got us to this place?”

There are plenty of explanations of the inner mechanical workings of OAuth, and lots of explanations of how the various flows work, but Geoffrey is asking a different question:

“What I need is to understand why it is designed this way, and to see concrete examples of use cases that motivate the design.”

In the 19 years (!) since I wrote the first sketch of an OAuth specification, a lot of minutiae and cruft has been added, but the core idea remains the same. Thankfully, it’s a very simple core. Geoffrey’s a very smart guy, and the fact that he’s asking this question made me think it’s time to write down an answer.

It’s maybe easiest to start with the sign-in use case, which is covered by a much more complicated specification (OpenID Connect) than core OAuth. OIDC uses OAuth under the hood, but it helps us get to the heart of what’s actually happening.

OIDC is functionally equivalent to “magic link” authentication. We send a secret to a place that only the person trying to identify themselves can access, and they prove that they can access that place by showing us the secret. That’s it. The rest is accumulated consensus: part bikeshedding (agreeing on vocabulary, etc.), part UX, and part making sure that all the specific mechanisms are secure.

There’s also a historical reason to start with OIDC to explain how all this works: in late 2006, I was working on Twitter, and we wanted to support OpenID (then 1.0) so that, ahem, Twitter wouldn’t become a centralized holder of online identities.
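Before the history continues, here is the magic-link mechanism described above, reduced to working code. This is an added illustration, not code from the post or from any OAuth/OIDC library: the class name MagicLinkAuth, the issue/redeem methods, the ten-minute TTL and the in-memory "mailbox" are all assumptions. The secret is delivered only to the mailbox of the person being identified; redeeming it proves access to that place. The comments note where the OIDC authorization code plays the same role as the emailed token.

```python
import hashlib
import secrets
import time

# Added example; not code from the original post. Names (MagicLinkAuth, issue,
# redeem) are hypothetical, and the "mailbox" is a constructed in-memory dict
# standing in for e-mail delivery.
TOKEN_TTL_SECONDS = 600


def _digest(token: str) -> str:
    # Store only a hash of the secret: a leaked table then contains nothing
    # redeemable, and the lookup is keyed on the hash, never on the raw token.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class MagicLinkAuth:
    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry is testable
        self._pending = {}         # digest -> (email, expires_at)
        self.mailbox = {}          # email -> tokens "delivered" to that inbox

    def issue(self, email: str) -> None:
        """Mint a fresh, unguessable secret and deliver it to the one place
        this user (and only this user) can read: their mailbox."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._pending[_digest(token)] = (email, self._now() + TOKEN_TTL_SECONDS)
        self.mailbox.setdefault(email, []).append(token)

    def redeem(self, token: str):
        """The user proves access to that place by presenting the secret.
        Returns the authenticated email, or None. Each token works once."""
        entry = self._pending.pop(_digest(token), None)   # pop => single use
        if entry is None:
            return None
        email, expires_at = entry
        if self._now() > expires_at:
            return None
        return email


def demo():
    """Walk the flow once and report each outcome."""
    clock = [1_000_000.0]
    auth = MagicLinkAuth(now=lambda: clock[0])

    # The relying party asks for proof; the secret lands in the user's mailbox.
    # (OIDC analogue: the provider hands an authorization code back through
    # the browser session that only the signed-in user holds.)
    auth.issue("alice@example.com")
    token = auth.mailbox["alice@example.com"][-1]

    first = auth.redeem(token)                         # alice proves access
    replay = auth.redeem(token)                        # already consumed
    forged = auth.redeem(secrets.token_urlsafe(32))    # never issued

    auth.issue("alice@example.com")
    stale = auth.mailbox["alice@example.com"][-1]
    clock[0] += TOKEN_TTL_SECONDS + 1                  # let it age out
    expired = auth.redeem(stale)                       # past its TTL

    return {"first": first, "replay": replay, "forged": forged, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

The three None outcomes are the checks the "make sure the mechanisms are secure" part of the spec is really about: a secret is useless to anyone who did not receive it, cannot be replayed, and stops working after a short window.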
After chatting with the OpenID folks, we quickly realized that, as it was constructed, we wouldn’t be able to support both desktop clients and web sign-in, since our users wouldn’t have passwords anymore! (Mobile apps didn’t exist yet, but weren’t far out.) So, in order to allow OpenID sign-in, we needed a way for folks using Twitter via alternative clients to sign in without a password.

There were plenty of solutions for this: Flickr had an approach, AWS had one, delicious had one, and lots of sites just let random other apps sign in to your account with your password (which hands that app everything your account can do, with no way to scope or revoke the access short of changing the password). Virtually every site in the “Web 2.0” cohort needed a way to do this, and the solutions were all insecure and all fully custom. Rather than building TwitterAuth, I figured it was time to have a standard.

Insert XKCD 927, Standards: “Fortunately, the charging one has been solved now that we've all standardized on mini-USB. Or is it micro-USB? Shit.” https://xkcd.com/927/

Thankfully, against all odds, we now have one standard for delegated auth. What it does is very simple: At its core, OAuth for delegation is a standard way to do the fo

Source: Hacker News