OAuth 2.0 (RFC 6749) is the industry-standard authorization framework that lets an application obtain limited access to a user's resources without ever handling the user's credentials, and it underpins delegated access across the modern web. OAuth itself handles authorization, not authentication: the resource owner authenticates at the authorization server and then grants a third-party client specific, scoped permissions through structured flows while retaining control over their data (OpenID Connect layers identity on top). The framework accommodates diverse client types, from confidential server applications to browser-based SPAs and native mobile apps, and its extension ecosystem (PKCE, DPoP, PAR, mTLS, CIBA) addresses evolving threats and deployment scenarios. Understanding the flows, token types, and security parameters is essential for building secure APIs, implementing single sign-on, protecting user data in distributed systems, and securing AI agent workflows against the threat catalogue codified in RFC 9700 (OAuth 2.0 Security Best Current Practice, January 2025).
What This Cheat Sheet Covers
This topic spans 19 focused tables and 167 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.
Table 1: Core Authorization Flows
Each OAuth 2.0 grant type is designed for a specific use case; choosing the wrong one introduces avoidable security risks. The Authorization Code + PKCE flow is now the universal default for all user-facing clients, with Client Credentials handling machine-to-machine access—every other flow is either specialized or deprecated.
| Flow | Example | Description |
|---|---|---|
| Authorization Code + PKCE | `GET /authorize?response_type=code&code_challenge=E9Melhoa...&code_challenge_method=S256` | • Recommended flow for web, mobile, and SPA clients • PKCE mandatory in OAuth 2.1 for all client types • client exchanges the authorization code for tokens at the token endpoint, presenting the `code_verifier` that matches the earlier `code_challenge` • defeats authorization-code interception and injection, since a stolen code is useless without the verifier • bind the response to the browser session with `state` (and `nonce` under OpenID Connect) |
| Client Credentials | `POST /token` with body `grant_type=client_credentials&client_id=xyz&client_secret=abc` | • Machine-to-machine (M2M) access with no user involved • the client authenticates as itself (shared secret, or preferably `private_key_jwt` or mTLS) and receives an access token for its own scopes • no refresh token should be issued (RFC 6749 §4.4.3) • ideal for backend microservices, APIs, scheduled jobs, and server-to-server integration |
| Refresh Token | `POST /token` with body `grant_type=refresh_token&refresh_token=tGzv3J...` | • Exchanges a long-lived refresh token for a new short-lived access token without re-authenticating the user • rotate: issue a new refresh token on every use and invalidate the old one • treat presentation of an already-rotated token as evidence of theft and revoke the whole token family • RFC 9700 requires public clients to use rotation or sender-constrained refresh tokens |
| Device Authorization | `POST /device_authorization` → response carries `device_code`, `user_code: WDJB-MJHT`, `verification_uri: /device` | • RFC 8628, for input-constrained devices (smart TVs, IoT, CLI tools) • user enters the `user_code` on a separate device with a full browser • the device polls `/token` with `grant_type=urn:ietf:params:oauth:grant-type:device_code` at the returned `interval`, backing off on `slow_down` and retrying on `authorization_pending`, until the user approves or the code expires |
| JWT Bearer | `POST /token` with body `grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=eyJhbGci...` | • RFC 7523: a signed JWT acts as the authorization grant in trust-based scenarios (cross-domain federation, service-to-service delegation) • the authorization server validates the signature, `iss`, `sub`, `aud` and `exp` before issuing a token • the same RFC separately lets a signed JWT (`client_assertion`) replace the client secret for client authentication |
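To make the Authorization Code + PKCE row concrete, here is an added example (not code from the original cheat sheet or from any real OAuth library) that runs both sides of the flow offline: a toy `AuthorizationServer` that binds the S256 challenge to the issued code and refuses `plain`, and a public `Client` that generates the verifier and `state`, builds the `/authorize` URL, checks the redirect, and assembles the `/token` request. The endpoint names, `client_id` values and the in-memory code store are assumptions for illustration. The second function shows why interception fails: an attacker holding the code, even the full redirect URL, cannot produce the matching `code_verifier`.

```python
# Added example: Authorization Code + PKCE (RFC 7636) with both sides simulated offline.
# Not from the page or any real library; AuthorizationServer/Client are toy models.
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(raw: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """RFC 7636 s4.1: 43..128 chars from [A-Za-z0-9-._~]; 32 random bytes -> 43 chars."""
    return b64url(secrets.token_bytes(32))


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def _query(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class AuthorizationServer:
    """Toy AS (assumption): stores the challenge with the code, verifies it at /token."""
    CODE_TTL = 60  # seconds; codes are short-lived and single-use

    def __init__(self):
        self._codes = {}

    def authorize(self, authorize_url: str) -> str:
        q = _query(authorize_url)
        if q.get("response_type") != "code":
            raise ValueError("unsupported_response_type")
        if q.get("code_challenge_method") != "S256" or not q.get("code_challenge"):
            raise ValueError("invalid_request: S256 code_challenge required")  # reject 'plain'
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                             "challenge": q["code_challenge"], "issued": time.time()}
        # A real AS authenticates the resource owner and collects consent here.
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, form: dict) -> dict:
        if form.get("grant_type") != "authorization_code":
            raise ValueError("unsupported_grant_type")
        rec = self._codes.pop(form.get("code"), None)  # pop: a code is redeemable once
        if rec is None:
            raise ValueError("invalid_grant: unknown or already used code")
        if time.time() - rec["issued"] > self.CODE_TTL:
            raise ValueError("invalid_grant: code expired")
        if rec["client_id"] != form.get("client_id") or rec["redirect_uri"] != form.get("redirect_uri"):
            raise ValueError("invalid_grant: client_id/redirect_uri mismatch")
        if not secrets.compare_digest(s256_challenge(form.get("code_verifier", "")), rec["challenge"]):
            raise ValueError("invalid_grant: PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 300}


class Client:
    """Public client (SPA/native): no client_secret, relies on PKCE plus state."""

    def __init__(self, client_id: str, redirect_uri: str, authorize_endpoint: str):
        self.client_id, self.redirect_uri, self.authorize_endpoint = client_id, redirect_uri, authorize_endpoint

    def begin(self) -> str:
        self.verifier = make_code_verifier()    # stays on the client; never sent to /authorize
        self.state = secrets.token_urlsafe(16)  # binds the redirect to this session (CSRF)
        return self.authorize_endpoint + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id, "redirect_uri": self.redirect_uri,
            "scope": "openid profile", "state": self.state,
            "code_challenge": s256_challenge(self.verifier), "code_challenge_method": "S256"})

    def token_request(self, redirect_url: str) -> dict:
        q = _query(redirect_url)
        if not secrets.compare_digest(q.get("state", ""), self.state):
            raise ValueError("state mismatch: possible CSRF or mix-up")
        return {"grant_type": "authorization_code", "code": q["code"], "redirect_uri": self.redirect_uri,
                "client_id": self.client_id, "code_verifier": self.verifier}


def run_flow() -> dict:
    """Happy path: returns the token response."""
    auth_server = AuthorizationServer()
    client = Client("spa-123", "https://app.example/cb", "https://as.example/authorize")
    redirect = auth_server.authorize(client.begin())
    return auth_server.token(client.token_request(redirect))


def intercepted_code_is_useless() -> bool:
    """Attacker who steals the redirect (and thus the code) still lacks the verifier."""
    auth_server = AuthorizationServer()
    client = Client("spa-123", "https://app.example/cb", "https://as.example/authorize")
    redirect = auth_server.authorize(client.begin())
    attacker_form = {"grant_type": "authorization_code", "code": _query(redirect)["code"],
                     "redirect_uri": "https://app.example/cb", "client_id": "spa-123",
                     "code_verifier": make_code_verifier()}  # attacker's own guess, cannot match
    try:
        auth_server.token(attacker_form)
    except ValueError as err:
        return "PKCE" in str(err)
    return False
```

`s256_challenge` reproduces the RFC 7636 Appendix B test vector (verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk` gives `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`, the value the table's example truncates). Two server-side choices carry most of the security: the code is popped on first use so a replay fails even with the right verifier, and the comparison uses `compare_digest` so timing does not leak the stored challenge.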