What is OAuth?

OAuth is a standard that lets users log into your app using their existing accounts (Google, GitHub, Facebook, etc.) instead of creating a new password. Strictly, OAuth 2.0 handles authorization and OpenID Connect is the identity layer that most "Sign in with ..." buttons use on top of it. You delegate authentication to a trusted provider—they handle login security, you get a token proving the user is who they say they are. No password storage, no password reset flows, and no leaked-password liability if your database is breached.

When Should You Use This?

Use OAuth when you want to reduce friction (users hate creating accounts), offload security risk (you don't store passwords), or need access to user data from providers (Google Calendar, GitHub repos). Most modern apps use OAuth as the primary or only login method. For B2C apps, "Sign in with Google" alone covers 80%+ of users. Implement with libraries like NextAuth, Auth0, or Clerk—don't roll your own.

Common Mistakes to Avoid

  • Rolling your own OAuth implementation—use battle-tested libraries (NextAuth, Auth0, Passport.js)
  • Not validating redirect URIs—attackers can steal tokens by hijacking the callback URL
  • Storing tokens in localStorage—any XSS payload can read it; keep session tokens in httpOnly (and Secure, SameSite) cookies that script cannot access
  • Only offering OAuth—some users want email/password; offer both or use magic links as backup
  • Forgetting to handle token expiration—implement refresh tokens or re-auth flows
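One way to implement the redirect URI check from the second bullet, as an added example that is not code from the page or from NextAuth, Auth0 or Passport.js. It compares the callback URL against the registered URIs component by component (RFC 6749 §3.1.2 exact matching, plus the loopback port exception from RFC 8252 §7.3) and contrasts that with the string-prefix test hand-rolled code often uses; the registered URIs and hostnames are constructed sample values.

```javascript
// Hosts whose port may vary between registration and use (native apps bind an
// ephemeral port on the loopback interface; RFC 8252 §7.3).
const LOOPBACK_HOSTS = new Set(["127.0.0.1", "[::1]"]);

// Strict check: scheme, host, port, normalized path and query must all match one
// registered URI exactly; a fragment is never allowed on a redirect URI.
function isAllowedRedirectUri(registeredUris, candidate) {
  let cand;
  try {
    cand = new URL(candidate);
  } catch (e) {
    return false; // unparsable input is rejected, not "best-effort" matched
  }
  if (cand.hash !== "") return false;
  return registeredUris.some((registered) => {
    const reg = new URL(registered);
    const portMayVary = reg.protocol === "http:" && LOOPBACK_HOSTS.has(reg.hostname);
    return (
      reg.protocol === cand.protocol &&
      reg.hostname === cand.hostname &&
      (portMayVary || reg.port === cand.port) &&
      reg.pathname === cand.pathname && // URL parsing has already collapsed "/cb/../x" to "/x"
      reg.search === cand.search
    );
  });
}

// Weak check seen in hand-rolled implementations: a plain string prefix test.
function prefixMatch(registeredUris, candidate) {
  return registeredUris.some((r) => candidate.startsWith(r));
}

// Constructed sample registration and callback URLs.
const REGISTERED = ["https://app.example.com/cb", "http://127.0.0.1/cb"];
const SAMPLES = [
  "https://app.example.com/cb",                               // exact match
  "https://app.example.com:443/cb",                           // default port, same URI
  "https://app.example.com/cb/../logout?next=https://evil.net", // passes prefix test, lands on another path
  "https://app.example.com.evil.net/cb",                      // look-alike host
  "https://app.example.com/cb#token",                         // fragment present
  "http://127.0.0.1:51234/cb",                                // loopback with ephemeral port
];

for (const uri of SAMPLES) {
  console.log(`${uri}\n  strict=${isAllowedRedirectUri(REGISTERED, uri)} prefix=${prefixMatch(REGISTERED, uri)}`);
}
```

The third sample shows why the prefix test is unsafe: it accepts a URL whose normalized path is `/logout`, so the authorization code would be delivered to whatever that endpoint does next.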

Real-World Examples

  • Notion—"Continue with Google" is the default login, email/password is secondary
  • Vercel—GitHub OAuth for devs, auto-imports repos and deploys from Git
  • Linear—supports Google, GitHub, SSO for enterprise customers
  • Figma—OAuth for login, also uses it to access Google Drive for file imports

Category

Cybersecurity

Tags

oauth, authentication, third-party-login, google-login, security