What Is OAuth 2.0? Delegated Access Without Sharing Passwords
OAuth 2.0 is an authorization framework that lets one application access resources on a user behalf without ever seeing that user password.
OAuth 2.0 is the protocol that powers "Sign in with GitHub" and most app-to-app access on the web. It lets you grant a third-party application limited, revocable access to your resources by issuing it a token, never your password. In CI/CD, OAuth and its tokens underpin how integrations and pipelines obtain scoped access to source hosts and cloud services.
The problem OAuth solves
Before OAuth, sharing access meant handing over your password, giving the other app full control and no easy way to revoke it. OAuth replaces that with a token that is scoped, expirable, and revocable, so you grant only what is needed.
The core roles
- Resource owner: the user who owns the data.
- Client: the app requesting access.
- Authorization server: issues tokens after consent.
- Resource server: holds the data and accepts the token.
The token exchange
The client redirects the user to the authorization server, the user consents, and the server returns an authorization code. The client swaps that code for an access token (and often a refresh token). The client then presents the access token to the resource server on each request.
Authorization, not authentication
OAuth 2.0 is about delegated authorization, not proving identity. OpenID Connect adds an identity layer on top of OAuth to handle authentication. Treating a raw OAuth access token as proof of identity is a well-known anti-pattern.
OAuth in CI/CD
Connecting a CI platform or bot to your source host typically uses an OAuth flow that yields a scoped token. Modern pipelines also use OAuth-derived flows like OIDC to mint short-lived tokens per job, avoiding stored long-lived secrets entirely.
Keeping tokens safe
OAuth tokens are bearer credentials: whoever holds one can use it. They must be stored encrypted, scoped narrowly, and never logged. On ephemeral runners (such as Latchkey managed runners), a token used during a job is destroyed with the environment when the job ends.
Key takeaways
- OAuth 2.0 grants scoped, revocable access via tokens instead of shared passwords.
- It handles authorization; OpenID Connect adds authentication on top.
- Access tokens are bearer credentials and must be scoped, encrypted, and never logged.