If you are working with APIs, I am sure you have heard of OAuth 2. It is used for securing access to APIs.

OAuth 2 is a standard for delegating authorization for accessing resources via HTTP.

OAuth 2 offers a solution for the scenarios of the examples in the previous post without the risks of the password anti-pattern. With OAuth 2 we can give access rights to the mobile app without handing over the password. Instead, a token is handed to the app. The token represents the access rights for a subset of the data, for a short time frame. To obtain the token, the user first logs in on the website of the OAuth server. The token issued can be an authorization code, an access token, or a refresh token. An access token allows access to a resource for a limited time period. If a token is compromised, the access rights associated with it can be revoked.
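To make the mechanics of that paragraph concrete, here is an added toy authorization server in Python. It is not code from the original post and not a real OAuth 2 implementation: it leaves out HTTP, client authentication, PKCE and signed tokens, and keeps everything in memory. It shows the parts the text names: the app receives a single-use authorization code after the user logs in on the server's own site, exchanges it for an access token limited to a subset of scopes and to a short lifetime, gets a refresh token for later, and loses access once the token is revoked. The user "sarah", the client id "mobile-app" and the scope names are constructed sample values.

```python
import secrets
import time

# Constructed sample data for the illustration (not from the original post).
ALL_SCOPES = {"profile:read", "contacts:read", "contacts:write"}
CODE_TTL = 60        # authorization codes are single-use and live one minute
ACCESS_TTL = 3600    # access tokens live one hour


class AuthorizationServer:
    """Simplified, in-memory stand-in for an OAuth 2 authorization server."""

    def __init__(self, clock=time.time):
        self.clock = clock            # injectable so expiry can be tested
        self._codes = {}              # code -> (user, client_id, scopes, expires_at)
        self._access = {}             # access token -> shared grant record
        self._refresh = {}            # refresh token -> the same grant record

    @staticmethod
    def _new_token():
        return secrets.token_urlsafe(32)   # unguessable random opaque string

    def issue_code(self, user, client_id, scopes):
        """Called after the user logged in and consented on the server's own
        site. The app only ever receives this code, never the password."""
        scopes = set(scopes)
        if not scopes <= ALL_SCOPES:
            raise ValueError("unknown scope requested")
        code = self._new_token()
        self._codes[code] = (user, client_id, scopes, self.clock() + CODE_TTL)
        return code

    def exchange_code(self, code, client_id):
        """Swap a one-time code for an access token plus a refresh token."""
        entry = self._codes.pop(code, None)    # pop: a code can be used once
        if entry is None:
            return None
        user, owner, scopes, expires_at = entry
        if owner != client_id or self.clock() > expires_at:
            return None
        return self._grant(user, client_id, scopes)

    def _grant(self, user, client_id, scopes):
        record = {"user": user, "client_id": client_id, "scopes": set(scopes),
                  "expires_at": self.clock() + ACCESS_TTL, "revoked": False}
        access, refresh = self._new_token(), self._new_token()
        self._access[access] = record
        self._refresh[refresh] = record
        return {"access_token": access, "refresh_token": refresh,
                "expires_in": ACCESS_TTL, "scope": " ".join(sorted(scopes))}

    def introspect(self, access_token):
        """What a resource server asks: is the token still good, and for what?"""
        record = self._access.get(access_token)
        if record is None or record["revoked"] or self.clock() > record["expires_at"]:
            return {"active": False}
        return {"active": True, "user": record["user"], "scopes": set(record["scopes"])}

    def refresh(self, refresh_token, client_id):
        """Rotate: retire the old pair and issue a new one with the same scopes."""
        record = self._refresh.pop(refresh_token, None)
        if record is None or record["revoked"] or record["client_id"] != client_id:
            return None
        record["revoked"] = True          # the old access token dies with its refresh token
        return self._grant(record["user"], client_id, record["scopes"])

    def revoke(self, token):
        """Revoking either token of a pair kills both, since they share a record."""
        record = self._access.get(token) or self._refresh.get(token)
        if record is not None:
            record["revoked"] = True


def resource_allows(auth_server, access_token, required_scope):
    """Resource-server side check: token must be active and carry the scope."""
    info = auth_server.introspect(access_token)
    return info["active"] and required_scope in info["scopes"]


if __name__ == "__main__":
    srv = AuthorizationServer()
    code = srv.issue_code("sarah", "mobile-app", ["contacts:read"])
    grant = srv.exchange_code(code, "mobile-app")
    print("read allowed:", resource_allows(srv, grant["access_token"], "contacts:read"))
    print("write allowed:", resource_allows(srv, grant["access_token"], "contacts:write"))
```

The design point worth noticing is that the resource server never sees a password and never decides anything on its own: it asks the authorization server whether the token is active and which scopes it carries, so a compromised token can be cut off centrally by a single revoke call, and a token minted for `contacts:read` can never be used to write contacts.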

Sarah and Tim from the examples in the previous post will not notice any difference, whether or not OAuth is used. They can use their mobile apps and cloud apps in a secure manner if OAuth is used under the hood.

Learn more about OAuth 2.0.

What is OAuth 2?

Also published on Medium.

Matthias Biehl

As an API strategist, Matthias helps clients discover their opportunities for innovation with APIs & ecosystems and turn them into actionable digital strategies. Based on his experience in leading large-scale API initiatives in both business and technology roles, he shares best practices and provides both strategic and practical guidance. He has stayed a techie at heart and, at some point, got a Ph.D. Matthias publishes a blog at api-university.com, is the author of several books on APIs, and regularly speaks at technology conferences.