What is OAuth?
OAuth 2.0 is an open authorization framework that enables a third-party application to obtain limited access to a user's resources on another service — such as their profile or data — without the user sharing their password with the third party.
Also known as: OAuth 2.0, OAuth2, open authorization
OAuth solves a specific problem: how can you grant an application access to your data on another service without giving it your password? Before OAuth, the answer was often to hand over your credentials directly — a practice that granted unlimited access with no way to revoke it selectively. OAuth introduces the concept of delegated authorization through access tokens that have limited scope and lifetime.
The OAuth 2.0 flow involves four roles: the resource owner (the user), the client (the third-party application), the authorization server (which issues tokens), and the resource server (which hosts the user's data). The user authenticates with the authorization server, grants specific permissions to the client, and the client receives an access token. The client presents this token to the resource server to access the user's resources, without ever seeing the user's password.
OAuth 2.0 defines several grant types for different scenarios: authorization code flow (for server-side apps), PKCE-enhanced authorization code flow (for public clients like mobile and single-page apps), client credentials (for machine-to-machine communication), and device code flow (for input-constrained devices). The framework is extended by OpenID Connect (OIDC), which adds a standardized identity layer for authentication on top of OAuth's authorization capabilities.
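The PKCE-enhanced authorization code flow named above, as an added example that is not part of the original page and not Vaulted's code: the client derives an S256 code challenge from a random verifier, sends the challenge with the authorization request, and a hypothetical in-memory authorization server (`ToyAuthorizationServer`, constructed for this example, with made-up endpoint and client names) refuses to exchange the code for a token unless the matching verifier is presented. This is what stops an attacker who only intercepts the authorization code from redeeming it.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode


def make_code_verifier(nbytes: int = 32) -> str:
    # RFC 7636: 43-128 unreserved characters; base64url of 32 random bytes gives 43.
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode()


def make_code_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier))) with padding removed.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_authorization_url(auth_endpoint, client_id, redirect_uri, scope, state, challenge):
    # The client never sends the verifier here, only the one-way challenge.
    params = {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": scope, "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    return f"{auth_endpoint}?{urlencode(params)}"


class ToyAuthorizationServer:
    """Hypothetical in-memory authorization server (constructed for this example)."""

    def __init__(self):
        self._codes = {}  # authorization code -> (client_id, code_challenge)

    def issue_code(self, client_id, challenge):
        # Issued after the user has authenticated and consented; the challenge is bound to the code.
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, challenge)
        return code

    def exchange_code(self, code, client_id, verifier):
        # Codes are single use: a failed attempt also burns the code.
        entry = self._codes.pop(code, None)
        if entry is None:
            return None
        stored_client, stored_challenge = entry
        if stored_client != client_id:
            return None
        if not secrets.compare_digest(make_code_challenge(verifier), stored_challenge):
            return None  # intercepted code without the verifier is worthless
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}
```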
How Vaulted uses OAuth
Vaulted does not implement OAuth because it has no user accounts, no third-party integrations, and no need for delegated authorization. However, OAuth tokens are a common type of sensitive credential that people need to share securely — for example, sharing a service account's client secret with a deployment team. Vaulted provides a safe channel for transmitting these tokens without exposing them in Slack messages, emails, or ticketing systems where they would persist indefinitely.