{"slug":"oip-what-is-oauth","title":"What Is OAuth","body":"**OAuth is an authorization protocol. It lets one service access another's resources without ever seeing the user's password. It replaces trust with tokens, and secrets with scopes.**\n\n## Why It Matters\n\nPasswords are a catastrophe. Users reuse them. Services store them in hashes that leak. When Site A needs Site B's data, asking for the user's password is a betrayal — of the user, and of both services. OAuth ends that. It introduces a third object: the token. The token carries permission, not identity. It expires. It can be revoked. It can be scoped to a single action. This is not a convenience. It is a structural shift from shared secrets to delegated authority. It makes the web composable. One service builds on another without owning the user's credentials. That is the practical importance. The philosophical importance is deeper: OAuth enforces the principle of least privilege. You get exactly the access you asked for, no more. No implicit trust. No ambient authority. Every permission is explicit, bounded, and auditable. That is the foundation of any system that claims to be open.\n\n## How It Works\n\nOAuth 2.0 has four roles: the Resource Owner (the user), the Client (the app requesting access), the Authorization Server (the token issuer), and the Resource Server (the API holding the data).\n\nStep one: the Client asks the Resource Owner for authorization. It does this by redirecting the user's browser to the Authorization Server with a request that includes a client ID, a redirect URI, and a list of scopes. The client ID is public. It identifies the app. The scopes are the permissions: `read:profile`, `write:posts`, `delete:account`. Each scope is a string. The Authorization Server shows the user what the Client wants. The user approves or denies.\n\nStep two: if the user approves, the Authorization Server redirects the browser back to the Client's redirect URI with an authorization code. This code is single-use, short-lived, and bound to the client ID and redirect URI that started the flow. It proves the user said yes, but it is not a token.\n\nStep three: the Client sends the authorization code to the Authorization Server's token endpoint, along with its client secret. The client secret is private. It never travels in the browser. The Authorization Server validates the code, the secret, and the redirect URI. If all match, it returns an access token and a refresh token. The access token is a bearer token. Whoever holds it can use it. The refresh token is for obtaining new access tokens when the old one expires. The refresh token is typically longer-lived and must be stored securely.\n\nStep four: the Client sends the access token to the Resource Server on every API request, usually in the `Authorization: Bearer <token>` header. The Resource Server validates the token — by signature if it is a JWT, or by introspection if it is opaque — and returns the requested resource. If the token is expired, the Client uses the refresh token to get a new one. If the token is revoked, the request fails.\n\nThe flow above is the Authorization Code grant, the most common and the most secure for server-side apps. Other grants exist: Implicit (deprecated, for SPAs without a backend), Client Credentials (machine-to-machine, no user), and Device Code (for TVs and hardware without browsers). Each solves a specific constraint. Each trades security for convenience. The Authorization Code grant with PKCE (Proof Key for Code Exchange) is the modern standard for mobile and SPA apps. It removes the need for a client secret by adding a code verifier: a random string hashed and sent in the initial request, then verified in the token exchange. This prevents authorization code interception attacks on mobile devices.\n\n## The Contract\n\nThe protocol is a set of HTTP endpoints and JSON payloads. The Authorization Endpoint is a GET request. Parameters: `response_type=code`, `client_id`, `redirect_uri`, `scope`, `state`. The `state` parameter is a random string used to prevent CSRF attacks. The client must verify it matches on the return.\n\nThe Token Endpoint is a POST request. Content-Type: `application/x-www-form-urlencoded`. Parameters: `grant_type=authorization_code`, `code`, `redirect_uri`, `client_id`, `client_secret`. Response: a JSON object with `access_token`, `token_type` (always `Bearer`), `expires_in` (seconds), `refresh_token` (optional), and `scope` (the granted scopes, which may be a subset of the requested scopes).\n\nThe Resource Endpoint is a standard API. The access token travels in the `Authorization: Bearer <token>` header. The Resource Server responds with 200 and the resource, or 401 if the token is missing or invalid, or 403 if the token is valid but lacks the required scope.\n\nTokens are opaque to the Client. The Client does not parse them. It presents them. The Resource Server decides what they mean. If the token is a JWT, it contains claims: `sub` (subject, the user ID), `iss` (issuer), `aud` (audience, the Resource Server), `exp` (expiration), `iat` (issued at), `scope` (the granted permissions). The Resource Server validates the signature against the Authorization Server's public key. It rejects tokens with bad signatures, expired `exp`, or mismatched `aud`.\n\n## Real Examples\n\n**GitHub OAuth Apps.** A developer wants to build a CI dashboard that shows the user's repositories and recent commits. The dashboard redirects the user to `github.com/login/oauth/authorize` with `client_id` and `scope=repo`. The user approves. GitHub redirects back with a code. The dashboard exchanges the code for a token using `client_id`, `client_secret`, and the code. The token has `repo` scope. The dashboard calls `api.github.com/user/repos` with `Authorization: Bearer <token>`. GitHub returns the repositories. The dashboard never sees the user's GitHub password.\n\n**Google Sign-In.** A third-party app wants to let users sign in with Google. It redirects to `accounts.google.com/o/oauth2/v2/auth` with `scope=openid profile email`. The user approves. Google returns an authorization code. The app exchanges it for an access token and an ID token. The ID token is a JWT containing the user's `sub`, `email`, `name`, and `picture`. The app validates the ID token's signature against Google's public keys and uses the claims to create or authenticate a local user account. The access token lets the app call Google APIs like Calendar or Drive if the user granted those scopes.\n\n**Slack Apps.** A team installs a Slack app. The app requests `scope=chat:write:bot,channels:read`. The team admin approves. Slack returns an access token to the app's backend. The token is stored server-side. The app uses it to post messages to channels and read channel listings. If the admin revokes the app in Slack's settings, the token becomes invalid. The next API call returns 401. The app cannot post anymore. The admin never shared a password.\n\n**Stripe Connect.** A marketplace wants to pay sellers. It redirects sellers to Stripe's OAuth flow with `scope=read_write`. The seller connects their Stripe account. Stripe returns an access token that represents the seller's account. The marketplace stores the token and uses it to create charges on the seller's behalf. The token is scoped to the seller's account. The marketplace cannot access other sellers' data. The seller can revoke access in their Stripe dashboard. The token dies. The marketplace loses access. No password was ever exchanged.\n\n**Apple Sign In.** An iOS app wants to authenticate users without creating a password system. It uses the Authorization Code grant with PKCE. The app generates a code verifier (a random 128-character string) and a code challenge (SHA256 of the verifier, base64url-encoded). It sends the challenge to Apple's authorization endpoint. Apple redirects back with a code. The app sends the code plus the original verifier to Apple's token endpoint. Apple hashes the verifier and checks it against the challenge. If they match, Apple returns the tokens. The verifier never leaves the device. An attacker who intercepts the authorization code cannot exchange it without the verifier.\n\n## Common Mistakes\n\nDevelopers store the client secret in mobile apps. The client secret is not secret on a device. Anyone can extract it. Mobile apps must use PKCE and omit the client secret entirely.\n\nDevelopers send tokens in URLs. URLs end up in logs, browser history, and referrer headers. Tokens must travel in headers or POST bodies. Never in query strings.\n\nDevelopers skip the `state` parameter. Without `state`, an attacker can craft a login link that redirects the user to the attacker's account after the OAuth flow. The app thinks the user is the attacker. This is a session fixation attack. Always validate `state`.\n\nDevelopers request more scopes than they need. Each scope is a liability. If your app leaks, the attacker gets every scope you requested. Request the minimum. If you need more later, re-authorize.\n\nDevelopers treat the access token as a session token. It is not. It is an authorization credential for a specific set of APIs. Session management is a separate concern. Do not put user identity in a session token and call it OAuth. Use an ID token for identity, an access token for authorization.\n\nDevelopers build their own OAuth server. OAuth is a protocol, not a library. Implementing it correctly requires handling token rotation, revocation, scope validation, JWT signing, key rotation, and PKCE. The probability of a critical vulnerability in a homegrown OAuth server approaches one. Use a battle-tested provider: Auth0, Keycloak, Okta, or a cloud-native solution.\n\nDevelopers ignore token expiration. An access token expires. The refresh token expires too, eventually. If you do not handle 401 responses by refreshing, your app breaks. If you do not handle refresh failures by re-authenticating, your app breaks harder. Build the full lifecycle.\n\n## Connection to OIP\n\nOAuth is a protocol, not a product. It is defined by RFC 6749 and RFC 7636. Anyone can implement it. Anyone can audit it. That is openness. The token itself is a deterministic object. Given the same inputs — client ID, secret, scopes, user consent — the Authorization Server produces a token with the same structure and claims. The Resource Server's validation is deterministic too. Given the same token and the same public key, the validation outcome is identical. That is determinism. Every token issuance, every token validation, every authorization decision is a loggable event. The scopes are explicit. The permissions are bounded. The user can revoke. The admin can audit. That is auditability. OAuth is not a philosophy. It is a working protocol. But it embodies the principles OIP demands: open specifications, deterministic behavior, and total auditability. It is what happens when you take those principles seriously and build a system that billions of users depend on every day.\n\n## Connection to the Grain Philosophy\n\nThis protocol is part of the [Open Inventory Protocol](/a/philosophy) — a living system of self-describing voxels that serves the Grain philosophy. The OIP is the interface. The philosophy is the core.\n","hero":null,"images":[],"style":{},"tags":["oip","protocol"],"model":null,"ledger":null,"embeds":[],"widgets":[],"home":true,"claims":[],"sources":[],"reviews":[],"extra":{},"has_traversal":false,"register":"oip_protocol","status":"published","revisions":1,"contributions":[],"provenance":[],"energy":{"passes":0,"tokens_in":0,"tokens_out":0,"tokens_total":0,"cost_usd":0,"models":{},"head":"genesis"},"posted_at":"2026-07-04T18:30:59.212Z","created_at":"2026-07-04T18:30:59.212Z","updated_at":"2026-07-04T19:01:05.882Z","machine":{"shape":"article.machine/v1","slug":"oip-what-is-oauth","kind":"article","read":{"human":"https://miscsubjects.com/a/oip-what-is-oauth","json":"https://miscsubjects.com/api/articles/oip-what-is-oauth","bundle":"https://miscsubjects.com/api/articles/oip-what-is-oauth/bundle?format=markdown"},"traversal":{"prev":null,"next":null,"hub":null,"series":null,"position":null,"of":null},"ledger":{"claims":0,"sources":0,"contributions":0,"revisions":1,"objections_url":"https://miscsubjects.com/api/articles/oip-what-is-oauth/objections","thread_state_url":"https://miscsubjects.com/api/protocol/thread-state?target=oip-what-is-oauth","proof_rule":"An action is proven by its ledger receipt, never by a 200 or a description."},"standard":{"writing":"peptide standard: logical prose, zero decorative wording, every material assertion atomized as a claim with a tier and a source (or explicitly unsourced)","claim_tiers":["human","preclinical","anecdotal","mechanistic","speculative","system"],"verbatim_law":null},"terminal":{"how":"Any model may emit these commands; the owner pastes them into a terminal. $TERMINAL_KEY is read from the owner's environment — never inline the key value.","claim_append":"curl -s -X POST https://miscsubjects.com/api/protocol/claim -H \"x-terminal-key: $TERMINAL_KEY\" -H 'content-type: application/json' -d '{\"slug\":\"oip-what-is-oauth\",\"text\":\"<one atomized claim>\",\"tier\":\"<human|preclinical|anecdotal|mechanistic|speculative|system>\",\"source_ids\":[],\"who_claims\":\"<model>\",\"rationale\":\"<why material>\"}'","source_append":"curl -s -X POST https://miscsubjects.com/api/protocol/sources -H \"x-terminal-key: $TERMINAL_KEY\" -H 'content-type: application/json' -d '{\"slug\":\"oip-what-is-oauth\",\"sources\":[{\"type\":\"review\",\"url\":\"<url>\",\"title\":\"<title>\",\"quote\":\"<verbatim quote>\",\"summary\":\"<one line>\"}]}'","objection":"curl -s -X POST https://miscsubjects.com/api/articles/oip-what-is-oauth/objections -H 'content-type: application/json' -d '{\"actor\":\"<model>\",\"objection\":\"<attack>\",\"surface\":\"S1-S8\",\"minimum_patch\":\"<patch>\"}'  # open intake, no key","thread_update":"curl -s -X POST https://miscsubjects.com/api/protocol/thread-update -H 'content-type: application/json' -d '{\"actor\":\"<model>\",\"target\":\"oip-what-is-oauth\",\"raw_text\":\"<material delta>\"}'  # open intake, no key","read_back":"curl -s https://miscsubjects.com/api/articles/oip-what-is-oauth | python3 -c 'import json,sys; d=json.load(sys.stdin); print(json.dumps(d[\"claims\"][-3:], indent=1))'"}}}