OAuth 2.0 (RFC 6749) is an authorization framework that lets a user delegate limited access to a resource without handing their password to a third-party app. The classic scenario is 'let this app read only my Google Calendar' without giving it your Google password.
Authorization: Bearer <access_token> (obtained via an authorization flow)The key actors are the resource owner (user), client (third-party app), authorization server (issues tokens), and resource server (the API). The recommended flow today is the Authorization Code Grant with PKCE: (1) the app redirects the user to the authorization server's `/authorize` to log in and consent, (2) the server redirects back to redirect_uri with a one-time authorization code, (3) the app exchanges that code at `/token` for an access token, and (4) it then presents the token to the API as `Authorization: Bearer`.
PKCE (Proof Key for Code Exchange) has the app generate a code_verifier and send its hash (code_challenge) up front in step 1, then submit the original verifier in step 3, so a stolen authorization code cannot be exchanged. Originally for mobile and SPAs, it is now recommended for all clients. The older Implicit Grant and Password Grant are deprecated.
The most important distinction: OAuth 2.0 is authorization (what you may do), not authentication (who you are). An access token only asserts 'the holder may call this API'; it does not, by standard, tell you the user's identity. When you need identity, use OpenID Connect layered on top of OAuth.
Authorization: Bearer ya29.a0AfH6SMBx3k...access-token...GET /authorize?response_type=code&client_id=abc123
&redirect_uri=https://app.example.com/callback
&scope=openid%20profile%20email
&state=xyz&code_challenge=E9Me...&code_challenge_method=S256 HTTP/1.1
Host: auth.example.comcurl -X POST https://auth.example.com/token \
-d grant_type=authorization_code \
-d code=SplxlOBeZ... \
-d redirect_uri=https://app.example.com/callback \
-d client_id=abc123 \
-d code_verifier=dBjftJeZ4CVP...fetch('https://api.example.com/me', {
headers: { Authorization: 'Bearer ' + accessToken }
});