OAuth is a standard that lets users log into your app using their existing account from another service — Google, GitHub, Facebook, etc. — without giving you their password.
When you click “Sign in with Google,” that’s OAuth.
The problem OAuth solves
Without OAuth, to let users log in with their Google account, you’d need their Google password. That’s terrible for everyone:
- Users don’t want to give you their Google password
- You don’t want to store Google passwords
- Google doesn’t want you to have their users’ passwords
OAuth solves this: Google confirms the user’s identity and gives your app a token. You never see the password.
How “Login with Google” works
- User clicks “Sign in with Google” on your app
- Your app redirects to Google’s login page
- User logs in to Google (on Google’s site, not yours)
- Google asks: “Do you want to give MyApp access to your name and email?”
- User clicks “Allow”
- Google redirects back to your app with an authorization code
- Your server exchanges that code for an access token
- Your server uses the token to get the user’s name and email from Google
- You create an account (or log them in) in your app
The user never typed their Google password on your site.
Key concepts
Access Token — a short-lived key that lets your app access the user’s data. Expires in minutes to hours.
Refresh Token — a long-lived key used to get new access tokens without making the user log in again.
Scopes — what your app is allowed to access. Examples: email, profile, read:repos. Users see these when they click “Allow.”
Authorization Code — a one-time code exchanged for tokens. This is the most secure flow (used by server-side apps).
OAuth vs. other auth methods
| Method | How it works | Best for |
|---|---|---|
| OAuth | "Login with Google/GitHub" | Apps that want social login |
| Username + password | User creates account on your site | Simple apps, full control |
| Magic link | Email a login link | Passwordless, simple |
| API key | Static key in headers | Server-to-server |
| JWT | Signed token with user data | Stateless auth after login |
OAuth is for authentication (who is this user?) and authorization (what can they access?). JWT is often used after OAuth to maintain the session.
When to use OAuth
Yes:
- You want “Login with Google/GitHub/etc.”
- You’re building an app that accesses user data on another platform (GitHub repos, Google Drive files)
- You don’t want to handle passwords yourself
No:
- Simple internal tool with a few users (just use passwords)
- Server-to-server communication (use API keys)
- You need full control over the auth flow
Implementing OAuth (the easy way)
Don’t implement OAuth from scratch. Use a library:
Next.js: NextAuth.js / Auth.js
```javascript
// One line to add Google login
import NextAuth from 'next-auth';
import Google from 'next-auth/providers/google';

export default NextAuth({
  providers: [
    Google({
      clientId: process.env.GOOGLE_ID,
      clientSecret: process.env.GOOGLE_SECRET,
    }),
  ],
});
```
Other popular options:
- Clerk — drop-in auth UI + backend
- Auth0 — managed auth service
- Supabase Auth — built into Supabase
- Firebase Auth — built into Firebase
- Passport.js — Node.js middleware (more manual)
Setting up OAuth (general steps)
- Go to the provider’s developer console (Google Cloud Console, GitHub Settings → Developer Settings)
- Create an OAuth app / client
- Set the redirect URI (e.g. http://localhost:3000/api/auth/callback/google)
- Get the Client ID and Client Secret
- Use them in your auth library
The provider-specific setup varies, but the pattern is always the same: register your app, get credentials, configure redirect URLs.