Definition
OAuth
OAuth is an open standard for delegated authorization: it lets a user grant one application limited access to their data in another, without sharing their password. Instead of handing over credentials, the user approves a scoped grant and the app receives a token it presents on the user's behalf. OAuth handles authorization — what an app may do — not who the user is.
Key takeaways
- OAuth is an open standard for delegated authorization — granting an app limited, scoped access to your data without sharing your password.
- The user approves specific scopes and the app receives a revocable token it presents on the user's behalf.
- It handles authorization (what an app may do), not authentication (who the user is) — identity is layered on via OpenID Connect.
- Scoped, short-lived, independently revocable tokens make OAuth a natural fit for least-privilege third-party integrations.
Before OAuth, letting one app act on your behalf in another meant giving it your username and password — handing over the keys to everything, with no way to limit or revoke access short of a password change. OAuth replaces that with delegated, scoped tokens: the user is redirected to the resource owner, authenticates there, approves specific permissions (scopes), and the requesting app receives an access token rather than the credentials themselves.
The crucial distinction is authorization versus authentication. OAuth governs what an application is permitted to do with which resources; it does not, by itself, prove who the user is. That identity layer is provided by OpenID Connect, which is built on top of OAuth — a common source of confusion when teams say they use OAuth to log users in.
Tokens are scoped (limited to specific permissions), often short-lived (paired with refresh tokens), and revocable independently, which makes OAuth a natural fit for least-privilege access and for any integration where you want to grant narrow, auditable, withdrawable access to a third party.
Planoda uses OAuth-based authorization for its integrations, so connected tools receive scoped, revocable access rather than a user's credentials.
Related terms
- SSO (Single Sign-On)Single sign-on (SSO) lets users access many applications with one set of credentials, authenticating through a central identity provider instead of a separate login per app. Sign in once and you're recognized everywhere connected. SSO improves security and user experience at once — fewer passwords to reuse or forget, and centralized control over who can access what.
- SCIMSCIM (System for Cross-domain Identity Management) is an open standard for automating the exchange of user identity data between an identity provider and the apps an organization uses. It lets IT provision, update, and deprovision accounts centrally: when someone joins, changes roles, or leaves, those changes propagate automatically to every connected application.
- Principle of Least PrivilegeThe principle of least privilege holds that every user, service, or process should be granted only the minimum permissions needed to do its job — and nothing more. By default-denying access and granting narrowly, you shrink the attack surface: a compromised account or buggy component can only reach what it was explicitly allowed, limiting the blast radius of any failure.
- RBAC (Role-Based Access Control)Role-based access control (RBAC) governs what users can do by assigning them roles — such as admin, member, or viewer — that carry defined permissions, rather than granting rights to each person individually. It scales access management: change a role's permissions once and every user with that role updates, and onboarding becomes assigning a role, not wiring up dozens of grants.
- MCP ServerAn MCP server implements the Model Context Protocol, an open standard that lets AI assistants connect to external tools and data through a uniform interface. Rather than building a bespoke integration per assistant, a tool exposes one MCP server describing its available actions and resources, and any MCP-capable AI can discover and use them safely.