OAuth 2.0 Explained: Your All-Access Cruise Card to the Internet
Gautam Singh | Dec 8, 2025
Ever clicked "Sign in with Google" and wondered what's actually happening behind the scenes? Grab a deck chair — we're going on a cruise to find out.
What Is OAuth 2.0, Really?
Picture this: you're boarding a cruise ship.
At the terminal, you hand your passport to the check-in desk. They verify your identity, look up your booking, and hand you a cruise card — that little keycard that becomes your whole life for the next seven days.
That cruise card is not your passport. It doesn't contain your home address or your bank details. But tap it at the pool bar, and you get a drink. Tap it at the restaurant, and they know your table assignment. Tap it at the gangway for a shore excursion, and the crew confirms you're cleared for that specific trip. Try to walk into the bridge? The card scanner flashes red — you're not authorized for that area.
That's OAuth 2.0 in a nutshell.
The check-in desk is the Authorization Server (think Google, GitHub, or Okta). Your passport is your actual credentials (username and password). The cruise card is your Access Token — a scoped, time-limited credential that grants you access to specific resources without ever exposing who you really are. And every scanner on the ship is a Resource Server, verifying your card before letting you through.
The official version: OAuth 2.0 (RFC 6749) is an authorization framework that enables third-party applications to obtain limited access to a web service. It's been the standard since 2012, and virtually every "Sign in with..." button on the internet uses it.
Why Should You Care?
If you build apps, OAuth is unavoidable. If you use apps, you're already using it daily. And if you care about security, understanding OAuth helps you spot the difference between a legitimate login flow and a phishing attempt.
Here's what OAuth solves: the passport-sharing problem. Before OAuth, if an app wanted to read your emails, you'd literally hand over your Gmail password. That's like giving every restaurant on the ship a photocopy of your passport instead of just tapping your cruise card. It gave the app full access to everything, forever. OAuth replaced that mess with scoped, time-limited, revocable tokens.
The Four Characters in Every OAuth Story
Every OAuth flow has the same four characters. And if you've been on a cruise, you've already met all of them:
You — The Passenger (Resource Owner) — You're the person with the valuable stuff. Your data, your accounts, your photos. On the ship, you own the booking, the cabin, and the right to access the amenities you paid for.
The App — The Shore Excursion Company (Client) — This is the third-party application that wants to access your stuff. Just like that snorkeling company at port doesn't need your passport — they just need to know the cruise line authorized you for this excursion.
The Check-In Desk — The Authorization Server — This is Google, GitHub, Apple, or whoever manages your identity. They verify you are who you say you are, check what you're authorized for, and issue the cruise card. They expose two key "windows":
- The Authorization Endpoint — The check-in counter where you show your face and passport (interactive login).
- The Token Endpoint — The back office where the app exchanges paperwork for your card (machine-to-machine, no human involved).
The Ship — The Resource Server (API Backend) — Every scanner, every door, every bar terminal on the ship. They don't know your passport number. They just validate your card and check: "Is this person allowed here?"
How Does the Flow Actually Work?
Let's walk through what happens when you click "Sign in with GitHub" on a new app — or in cruise terms, when you book a shore excursion through a third-party vendor:
-
The excursion vendor redirects you to the cruise line's desk. "Hey cruise line, this passenger wants to book the volcano hike. Can you verify them?"
-
The cruise line shows you a verification screen. "This vendor wants to confirm your name and cabin number. Allow or deny?"
-
You say Allow. The cruise line gives the vendor a one-time confirmation slip (the authorization code) — think of it as a numbered claim ticket.
-
The vendor takes that slip to the cruise line's back office. They exchange it for the real thing: a day pass for the excursion (the access token) and sometimes a season renewal card (the refresh token).
-
The vendor scans your day pass at the excursion check-in. "Yep, this passenger is cleared. Welcome aboard the zodiac."
The key insight: your passport and cabin key never leave the ship. The vendor only gets what they need.
With Supabase, this entire flow is a few lines of code:
import { createClient } from '@supabase/supabase-js'
const supabase = createClient(SUPABASE_URL, SUPABASE_ANON_KEY)
// One line to start the whole OAuth boarding process
const { data, error } = await supabase.auth.signInWithOAuth({
provider: 'github',
options: {
redirectTo: 'https://yourapp.com/auth/callback',
scopes: 'read:user user:email'
}
})What Are Tokens? (And Why Do They Expire?)
Your cruise card isn't valid forever — it expires the moment the ship docks on the final day. And that's by design. If someone picks up your lost card on Day 3, they have a few hours of free drinks at worst, not a lifetime pass to your identity.
OAuth tokens work the same way:
| Token | Cruise Analogy | Lifespan | Purpose |
|---|---|---|---|
| Access Token | Your cruise card | Minutes–hours | Tap it at any scanner to access resources |
| Refresh Token | Guest Services renewal | Days–months | Walk up to Guest Services to get a fresh card without re-checking in |
| Authorization Code | The numbered claim slip | Seconds | One-time exchange at the back office for your actual card |
| Client ID | The excursion vendor's business license | Permanent | Public identifier — everyone can see it posted on their booth |
| Client Secret | The vendor's private contract with the cruise line | Permanent | Kept in the vendor's safe — never shown to passengers |
Why not just issue cards that never expire? Because if someone clones your card, the damage is limited to a few hours. And when you get a new card via the refresh token, the old one is automatically deactivated — if anyone tries to use the old card, security knows something's wrong.
// Supabase handles card renewal (token refresh) automatically
supabase.auth.onAuthStateChange((event, session) => {
if (event === 'TOKEN_REFRESHED') {
console.log('Fresh card issued — no trip to Guest Services needed!')
}
})What Are Scopes? (Your Card's Access Level)
Not every passenger gets into the spa. Not every card opens the VIP lounge. That's scopes — the specific permissions encoded into your token.
When the excursion vendor requests access, they specify exactly what they need: "I need this passenger's name and cabin number to check them in." They don't get your credit card on file or your medical records.
In OAuth terms, scopes look like openid profile email — meaning "I want to know who you are, your basic profile, and your email address. Nothing more."
| Scope | Cruise Equivalent | What It Unlocks |
|---|---|---|
openid | Basic boarding pass | Your unique passenger ID |
profile | Passenger manifest entry | Name, photo, loyalty tier |
email | Contact card | Email for follow-up offers |
offline_access | Season pass renewal | A refresh token for long-term access |
// Request only the scopes you need — principle of least privilege
const { data, error } = await supabase.auth.signInWithOAuth({
provider: 'google',
options: {
scopes: 'openid profile email', // Don't ask for the master key
queryParams: { access_type: 'offline', prompt: 'consent' }
}
})What Is PKCE and Why Does Everyone Keep Talking About It?
PKCE (pronounced "pixy") stands for Proof Key for Code Exchange, and it solves a sneaky problem.
Remember our claim slip (the authorization code)? In the original flow, if a pickpocket intercepted that slip between the check-in desk and the back office, they could walk up and claim your cruise card themselves.
PKCE works like a sealed envelope with a combination lock:
- Before boarding, you create a secret combination and lock it in an envelope. You give the sealed envelope to the check-in desk. "Hold onto this."
- After check-in, you get your claim slip as usual.
- At the back office, you tell them the combination. They open the envelope and check: does it match?
- If it matches, you get your cruise card. If a pickpocket stole the claim slip, they can't produce the combination — so they get nothing.
Even if someone intercepts the authorization code mid-redirect, they can't exchange it without the original code verifier that never left your device.
PKCE is now mandatory in OAuth 2.1. If you're building anything new, use it. Supabase enables it by default:
// Supabase handles the sealed envelope (PKCE) automatically
const { data, error } = await supabase.auth.signInWithOAuth({
provider: 'google'
})
// In your callback route — the back office step
const code = new URL(request.url).searchParams.get('code')
const { data, error } = await supabase.auth.exchangeCodeForSession(code)
// Supabase verified the combination behind the scenesOAuth vs. Authentication: They're Not the Same Thing
Here's a common mix-up: OAuth is not authentication. OAuth is authorization — it answers "what areas of the ship can this person access?" not "who is this person?"
That's where OpenID Connect (OIDC) comes in. OIDC is a thin identity layer on top of OAuth that adds a special ID Token — basically a laminated photo ID card that says "This is Jane Doe, Cabin 7042, and yes, we verified her passport."
Think of it this way: OAuth is the cruise card (gets you through doors), OIDC is the photo on the card (proves you're actually you). Without the photo, anyone holding the card could use it. With the photo, the bartender can glance down and confirm the card belongs to the person tapping it.
Most modern providers (Google, GitHub, Supabase) use both together seamlessly. You get authorized and identified in a single boarding process.
What's Old, What's New, and What's Next
The OAuth world evolves fast. Here's your captain's briefing:
Retired from the Fleet
- Implicit Grant — Returned tokens directly in the URL, like printing your cabin number on the outside of your luggage. A security nightmare. Removed in OAuth 2.1.
- Password Grant — Let apps collect your actual password, like handing your passport to the shore excursion vendor. Defeated the whole purpose of OAuth. Also removed.
- OAuth 1.0a — Required cryptographic signing of every single request, like needing a notarized letter for every drink order. Secure but painfully complex. Replaced by OAuth 2.0.
Currently Sailing
- Authorization Code + PKCE — The gold standard for almost every use case. Your sealed-envelope boarding process.
- Client Credentials — For ship-to-ship communication (no passengers involved). Think: the cruise line's reservation system talking to the port authority's database.
- Device Flow — For smart TVs and IoT devices — the "enter this code on your phone" screen. Like checking in for the cruise via a kiosk that can't read your passport, so it gives you a code to verify on your phone instead.
Just Launched (2025–2026)
- OAuth 2.1 — Not a new ship, but a thorough refit. Mandates PKCE, removes deprecated flows, tightens security defaults. Already adopted by Anthropic's MCP and many others.
- DPoP (Demonstrating Proof of Possession) — Makes tokens theft-proof by cryptographically binding them to your specific device. It's like your cruise card having a fingerprint reader — even if someone steals the physical card, it won't scan for them. Only your finger activates it.
- GNAP (Grant Negotiation and Authorization Protocol) — A ground-up redesign. JSON-native, no browser redirects required, natively supports IoT. If OAuth 2.0 is a classic cruise liner, GNAP is the next-generation vessel being designed in the shipyard — not sailing yet, but the blueprints look incredible.
- Passkeys/WebAuthn — Not OAuth per se, but they're replacing passwords at the boarding gate. Your fingerprint or face becomes your passport. No more remembering cabin codes.
Quick-Start: Board Your App with Supabase Auth
Here's the complete setup for a modern, secure authentication flow — from check-in to shore excursion and back:
import { createClient } from '@supabase/supabase-js'
const supabase = createClient(
'https://your-project.supabase.co',
'your-anon-key'
)
// 1. Board with any provider (the check-in desk)
async function signInWithProvider(provider) {
const { data, error } = await supabase.auth.signInWithOAuth({
provider, // 'google', 'github', 'apple', etc.
options: { redirectTo: window.location.origin + '/auth/callback' }
})
}
// 2. Complete boarding (PKCE exchange at the back office)
async function handleCallback() {
const code = new URL(window.location.href).searchParams.get('code')
if (code) {
await supabase.auth.exchangeCodeForSession(code)
}
}
// 3. Check passenger identity at any scanner
async function getUser() {
const { data: { user } } = await supabase.auth.getUser()
return user // null if not on board
}
// 4. Lock the doors — Row Level Security (the ship's scanners)
// ALTER TABLE posts ENABLE ROW LEVEL SECURITY;
// CREATE POLICY "Own cabin only" ON posts
// FOR ALL USING (auth.uid() = user_id);
// 5. Disembark
async function signOut() {
await supabase.auth.signOut()
}That's it. Supabase handles PKCE, token refresh, session management, and secure cookie storage — like a well-run cruise line handling all the logistics so passengers can just enjoy the voyage.
The TL;DR
OAuth 2.0 is your cruise card: it lets apps access your stuff without your passport. PKCE is the sealed-envelope system that stops pickpockets from stealing your boarding pass. OpenID Connect is the photo on the card that proves you're actually you. Scopes decide whether you get pool-deck access or VIP-lounge access. And the future — DPoP, GNAP, passkeys — is like adding fingerprint scanners, AI-powered security, and biometric boarding to the next generation of ships.
If you're building an app in 2026, start with Supabase Auth + PKCE. It's the sweet spot of security, simplicity, and developer experience.
Now go build something. The ship's about to sail.