OAuth 2.0 (RFC 6749) is an authorization framework: a standardized way for an application to obtain limited permission to call an API on a user’s behalf, without ever handling that user’s password.
The core idea
Instead of giving an app your credentials, you authorize it once at an authorization server you already trust (Google, GitHub, etc.). The app receives an access token, usually short-lived, that it presents on each API call. The token can be scoped to specific permissions, it can be revoked without you changing your password, and it never reveals that password. One caveat: to the API, a bearer token is as good as the user who granted it, so the app must protect stored tokens as carefully as it would a credential.
What OAuth 2.0 does not do
OAuth 2.0 only handles authorization: delegating permission. It does not standardize authentication, that is, establishing who the user is. An access token says what its holder may do, not who obtained it, and treating mere possession of one as proof of identity is a well-known mistake, because a token issued for one application can be presented to another. OpenID Connect (OIDC) adds the identity layer on top of OAuth 2.0, in the form of a signed ID token that the app verifies.
A common mistake is saying “we use OAuth for login.” Usually the person means OIDC.
In practice
When you click “Sign in with Google” on a modern app, the underlying flow is OAuth 2.0’s authorization code grant, with OIDC layered on for the identity part. The app redirects you to Google, you approve, Google redirects back to the app’s registered callback URL with a short-lived, single-use code, and the app exchanges that code at Google’s token endpoint for tokens: an access token for calling Google’s APIs and, with OIDC, an ID token that it verifies to learn who signed in. The app uses the access token for API calls going forward; the code itself is never reused.
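The flow described above, carried out end to end as an added example between two constructed stand-ins: a toy client and an in-memory authorization server. This is not code from the page, from Google, or from any OAuth library; the client id "demo-client", the redirect URI https://app.example/callback, the scope name "read:email" and the user "alice" are invented for the example. Beyond the redirect-code-exchange steps in the text, it adds the two checks the glossary terms point at: a per-session `state` value so the app rejects callbacks it never started, and PKCE (S256) so a captured code cannot be redeemed without the verifier the app kept.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def s256(verifier: str) -> str:
    """PKCE (RFC 7636): code_challenge = BASE64URL(SHA256(code_verifier)), unpadded."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class MockAuthorizationServer:
    """Constructed stand-in for the provider side (where Google would be). Not a real endpoint."""
    def __init__(self):
        self.clients = {"demo-client": "https://app.example/callback"}  # registered client -> exact redirect URI
        self.pending = {}  # one-time code -> what it was issued for

    def authorize(self, params: dict, user: str = "alice") -> str:
        """GET /authorize: the user approves; return the redirect-back URL carrying the code."""
        if self.clients.get(params["client_id"]) != params["redirect_uri"]:
            raise ValueError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(32)
        self.pending[code] = dict(client_id=params["client_id"], redirect_uri=params["redirect_uri"],
                                  scope=params["scope"], code_challenge=params["code_challenge"], user=user)
        # state is echoed back untouched so the app can match this response to its own request
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, form: dict) -> dict:
        """POST /token: exchange code + PKCE verifier for an access token."""
        entry = self.pending.pop(form["code"], None)  # pop: a code is redeemable exactly once
        if entry is None:
            raise ValueError("invalid, expired or already-used code")
        if (entry["client_id"], entry["redirect_uri"]) != (form["client_id"], form["redirect_uri"]):
            raise ValueError("code was issued to a different client or redirect_uri")
        if s256(form["code_verifier"]) != entry["code_challenge"]:
            raise ValueError("PKCE verification failed")
        # Plain OAuth 2.0 response: it grants access, but carries no claim about who the user is.
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": entry["scope"]}


class Client:
    """The app behind the 'Sign in with ...' button."""
    def __init__(self, server, client_id="demo-client", redirect_uri="https://app.example/callback"):
        self.server, self.client_id, self.redirect_uri = server, client_id, redirect_uri
        self.sessions = {}  # state -> code_verifier, held server-side per browser session

    def start(self, scope="read:email") -> dict:
        """Parameters of the /authorize request the browser is redirected to."""
        state, verifier = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.sessions[state] = verifier  # the verifier never leaves the app until the token request
        return {"response_type": "code", "client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "scope": scope, "state": state, "code_challenge": s256(verifier),
                "code_challenge_method": "S256"}

    def callback(self, redirect_url: str) -> dict:
        """Redirect back from the provider: verify state, then exchange the code."""
        qs = parse_qs(urlparse(redirect_url).query)
        verifier = self.sessions.pop(qs["state"][0], None)  # each state is consumed once
        if verifier is None:
            raise ValueError("state mismatch: this session never started a login (CSRF or replay)")
        return self.server.token({"grant_type": "authorization_code", "code": qs["code"][0],
                                  "redirect_uri": self.redirect_uri, "client_id": self.client_id,
                                  "code_verifier": verifier})


def run_flow() -> dict:
    """Happy path: redirect out, the user approves, redirect back, code exchanged for a token."""
    server = MockAuthorizationServer()
    app = Client(server)
    return app.callback(server.authorize(app.start()))


def code_replay_is_rejected() -> bool:
    """Someone who captured the callback URL cannot redeem its code a second time."""
    server = MockAuthorizationServer()
    app = Client(server)
    redirect_back = server.authorize(app.start())
    app.callback(redirect_back)  # legitimate redemption by the app
    code = parse_qs(urlparse(redirect_back).query)["code"][0]
    try:
        server.token({"grant_type": "authorization_code", "code": code, "redirect_uri": app.redirect_uri,
                      "client_id": app.client_id, "code_verifier": "attacker-has-no-verifier"})
        return False
    except ValueError:
        return True


def forged_callback_is_rejected() -> bool:
    """A callback whose state this session never issued is dropped before any token request."""
    server = MockAuthorizationServer()
    victim_session, attacker_session = Client(server), Client(server)
    redirect_back = server.authorize(attacker_session.start())  # attacker logs in as themselves
    try:
        victim_session.callback(redirect_back)  # ...and tries to splice that code into the victim's session
        return False
    except ValueError:
        return True
```

The token response is deliberately plain OAuth 2.0: it states what the holder may do (the scope) and nothing about who approved it. With OIDC the same response would also carry an `id_token`, which the app verifies before it creates a login session; `run_flow()` returns the response so the shape can be inspected, and the two `*_is_rejected()` helpers show the single-use code and the state check doing their job.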
See the full auth glossary for related terms like PKCE, JWT, and access tokens.