What's the difference between OAuth and JWT?

OAuth is an authorisation framework (how to get access). JWT is a token format (how to represent access). OAuth often uses JWTs as access tokens, but they're different concepts.

Why do OAuth tokens expire?

Security. Short-lived tokens limit damage if compromised. Refresh tokens allow getting new access tokens without re-authorisation. Typical access token lifetime: 1 hour.

What is PKCE and why does it matter?

Proof Key for Code Exchange prevents authorisation code interception attacks. Required for mobile and single-page apps where client secrets can't be kept secret. Use it.

How do I store OAuth tokens securely?

Never in source code. Use secure storage (encrypted database, secrets manager). Encrypt at rest. Consider token introspection vs local validation. Handle token refresh gracefully.

Book Free Assessment Calculator

OAuth

An authorisation framework that lets users grant limited access to their accounts on one service to another service, without sharing passwords.

In-Depth Explanation

OAuth is an open standard for access delegation. It lets users authorise applications to act on their behalf without sharing credentials - the foundation of "Login with Google" and API integrations.

OAuth 2.0 flows:

Authorization Code: Server-side apps (most secure)
Client Credentials: Machine-to-machine
Implicit: Browser-based apps (deprecated)
Device Code: Smart TVs, CLI tools
PKCE: Mobile/SPA apps (recommended)

Key OAuth concepts:

Resource Owner: The user
Client: Application requesting access
Authorization Server: Issues tokens
Resource Server: Holds protected resources
Access Token: Grants access to resources
Refresh Token: Gets new access tokens

OAuth vs OpenID Connect:

OAuth: Authorisation (access to resources)
OIDC: Authentication (who is the user)

Business Context

OAuth enables secure integrations without password sharing. It's how your apps connect to Google, Salesforce, and other platforms securely.

How Clever Ops Uses This

We implement OAuth integrations for Australian businesses, enabling secure access to third-party services without credential sharing.

Example Use Case

"Connecting your CRM to LinkedIn for lead enrichment - OAuth lets users authorise access to their LinkedIn data without giving your CRM their password."

Frequently Asked Questions

Learn More

API Integration Patterns: Building Reliable, Scalable LLM Applications

Master patterns for integrating with LLM APIs reliably at scale. Learn error handling, rate limiting, caching, cost optimization, and production-ready architectures for OpenAI, Anthropic, and other providers.

Read article

Notion Object Detection