OAuth

An open standard that lets one application access resources on another without sharing passwords.

Definition

OAuth is an open authorization framework that allows a user to grant a third-party application limited access to their data or account on another service without handing over their password. Instead of credentials, the third-party application receives a scoped, time-limited access token issued by the service that owns the resource. The current version, OAuth 2.0, is the basis for most "connect with" and "sign in with" flows used across the web.

How it works

A typical OAuth flow involves three parties: the resource owner (the user), the client application requesting access, and the authorization server that issues tokens. The user is redirected to the authorization server, authenticates, and approves a specific set of permissions, called scopes. The authorization server then returns an authorization code (or, in some flows, a token directly) to the client; in the code flow the client exchanges that code for an access token, which it presents on subsequent API calls. Tokens can be short-lived and refreshed, and scopes can be narrow, so a client only gets the access it actually needs.

Why it matters for AI agent systems

Agents frequently need to act on a user's behalf against third-party services such as email providers, calendars, code hosts, or LLM subscription accounts. OAuth lets an agent platform request exactly the scopes an agent needs, and lets a user revoke that access later without changing a password used elsewhere. This produces a meaningfully smaller blast radius than sharing a raw credential with an autonomous process. Agenhood uses OAuth connect flows for Claude and ChatGPT subscriptions, so a workspace can authorize an agent to use an existing subscription without the platform ever holding the underlying account password.

OAuth vs API keys

API keys are typically static, long-lived, and issued directly by the service being called, with permissions tied to the key itself. OAuth tokens are usually short-lived, scoped per authorization, and obtained through a user consent flow, which makes them easier to limit and revoke without affecting other access. Systems often use both: OAuth for delegated, user-facing authorization, and API keys for service-to-service or platform-level access.

Related concepts

  • PKCE: an extension to OAuth that protects the authorization code exchange for public clients.
  • Role-based access control: governs what an application can do once it holds a valid token.
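
As an added example (not Agenhood's code or any real provider's API), the authorization-code flow from "How it works" together with the PKCE check from the list above, simulated in one Python process: the client keeps a random verifier and sends only its S256 challenge, the authorization server binds the single-use code to that challenge, and the token it issues is scoped, expires, and can be revoked without touching a password. The client id `agent-1`, the scope names `calendar.read` and `mail.send`, and the 600-second lifetime are constructed values for the demonstration.

```python
import base64, hashlib, secrets

def s256(verifier: str) -> str:
    """PKCE S256 transform: BASE64URL(SHA256(verifier)) with the padding stripped."""
    return base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()

class AuthorizationServer:
    def __init__(self, token_ttl: int = 600):
        self.token_ttl = token_ttl
        self._codes = {}   # code -> (client_id, approved scopes, PKCE challenge)
        self._tokens = {}  # access token -> (scopes, expires_at)

    def authorize(self, client_id: str, scopes: set, challenge: str) -> str:
        code = secrets.token_urlsafe(32)  # single-use code for the scopes the user just approved
        self._codes[code] = (client_id, frozenset(scopes), challenge)
        return code

    def exchange(self, code: str, client_id: str, verifier: str, now: float) -> str:
        grant = self._codes.pop(code, None)  # consumed even on failure, so a replayed code is dead
        if grant is None or grant[0] != client_id or not secrets.compare_digest(s256(verifier), grant[2]):
            raise PermissionError("invalid_grant")  # unknown code, wrong client, or wrong verifier
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (grant[1], now + self.token_ttl)
        return token

    def allows(self, token: str, scope: str, now: float) -> bool:
        rec = self._tokens.get(token)  # resource-server check: known, unexpired, carries the scope
        return rec is not None and now < rec[1] and scope in rec[0]

    def revoke(self, token: str) -> None:
        self._tokens.pop(token, None)  # the user withdraws consent; no password changes

def run_flow(now: float = 1_700_000_000.0) -> dict:
    """Drive one delegation end to end and report what the token can and cannot do."""
    srv, verifier = AuthorizationServer(token_ttl=600), secrets.token_urlsafe(48)
    code = srv.authorize("agent-1", {"calendar.read"}, s256(verifier))
    try:  # an intercepted code is useless without the client's verifier
        srv.exchange(code, "agent-1", secrets.token_urlsafe(48), now)
        intercepted_code_worked = True
    except PermissionError:
        intercepted_code_worked = False
    code = srv.authorize("agent-1", {"calendar.read"}, s256(verifier))
    token = srv.exchange(code, "agent-1", verifier, now)
    out = {"intercepted_code_worked": intercepted_code_worked,
           "read_allowed": srv.allows(token, "calendar.read", now),
           "unrequested_scope_allowed": srv.allows(token, "mail.send", now),
           "after_expiry_allowed": srv.allows(token, "calendar.read", now + 601)}
    srv.revoke(token)
    out["after_revoke_allowed"] = srv.allows(token, "calendar.read", now)
    return out
```

Running `run_flow()` shows the four properties the entry describes: the token works only for the approved scope, stops working at expiry or on revocation, and a code stolen in transit cannot be exchanged without the verifier.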