protocol Introduced in L3

OAuth 2.0

The protocol behind "Sign in with Google." Delegated authorization without giving someone your password.

What it is

The plain-English version

OAuth 2.0 is an authorization protocol — not a login system per se, but the standard for letting one app act on another app's behalf. "Sign in with Google" works because Google issues an OAuth token to the app, which the app uses to identify the user and (sometimes) call Google APIs. OpenID Connect is the layer on top that makes OAuth specifically about login.

Why it exists

The problem it solves

Before OAuth, apps that needed access to your data asked for your password. OAuth replaced that with delegated tokens that have specific scopes and can be revoked. It's the foundation of every modern social login.

What it competes with

Alternatives

Alternative: Auth.js
Type: auth library
When it wins: The Node/Next-native authentication library (formerly NextAuth, renamed Auth.js). Handles OAuth, email-link, and credentials login.
Vocabulary

The words you'll hear

Authorization Code flow
The standard server-side flow. Code → token exchange happens server-to-server.
PKCE
Proof Key for Code Exchange. Extension that makes the code-flow safe in browsers and mobile apps.
Client ID / Secret
The credentials your app uses to identify itself to the provider.
Scope
What the token is allowed to do, e.g. read:user, email, repo.
Access token / Refresh token
The access token is short-lived and is what gets sent to APIs; the refresh token is long-lived and is used only to obtain new access tokens.
OpenID Connect (OIDC)
Login layer on OAuth. Adds an id_token with user identity claims.
Prompting

Bad vs. good prompt for OAuth 2.0

✕ Bad prompt
add google login
✓ Good prompt
Walk through the OAuth 2.0 Authorization Code + PKCE flow that happens when a user clicks 'Sign in with Google' in a Next.js app using Auth.js. Number each redirect and what's in each request/response. Don't write code; write the sequence so I can debug a stuck redirect.

Why it works: Asks for understanding, not implementation. The diagrammatic walk-through is what you actually need when OAuth breaks — and it always breaks at a specific redirect step.

Pitfalls

What bites real teams

⚠ Implicit flow is dead

The old OAuth 'Implicit' flow is deprecated. Use Authorization Code + PKCE. Old tutorials may still show the Implicit flow.

⚠ Storing tokens in localStorage

Access tokens shouldn't sit in localStorage or any other JavaScript-readable storage, where any script running in the page can read them. HttpOnly cookies are safer because JavaScript can't read them.

⚠ Forgetting refresh

Access tokens expire. Without refresh handling, users get mysteriously logged out as soon as the access token's lifetime elapses.
