About OAuth 2.0

Applies to ReadyAPI 3.9, last modified on September 16, 2021
OAuth 2.0 Logo

OAuth 2.0 provides access to resources through the HTTP protocol.
You can use OAuth 2.0 in your applications or use it to access a service manually.

When you use OAuth 2.0, your application gets an access token that represents a user's permission to access their data. The token is used by the application to authenticate a request to an API endpoint.

Facebook OAuth 2.0 flow

OAuth Versions

There are two versions of OAuth: OAuth 1 (it uses HMAC-SHA signature strings) and OAuth 2.0 (it uses access tokens sent over HTTPS).

There is also a specific version of OAuth 2.0 that is used in Microsoft Azure Active Directory. It uses additional fields when you get an access token. If your service uses Azure Active Directory, select the OAuth 2.0 (Azure) authentication type.

OAuth 2.0 Terms

OAuth 2.0 has a few interacting components. The resource server (the API server) contains the resources to be accessed. Access tokens are provided by the authorization server, which can be the same as the API server. The server acts as the resource owner when you access the resources. An application that uses credentials and API is called a client.


Clients use a token endpoint to get an access token (and optionally refresh the token) from the authorization server.

Note: When using the implicit grant, no token endpoint is used. Instead, an access token is sent from the authorization endpoint directly.


The two token types involved in OAuth 2.0 authorization are Access Token and Refresh Token.

Access Token

An access token is a string used for authorization and authentication when getting access to resources on the resource server. It can have different formats and structures based on the resource server security requirements.

There are two types of access tokens: bearer tokens and MAC tokens.

Bearer tokens are sent over HTTPS to ensure secure transfer even if requests are neither signed nor encrypted. A request with a bearer token is considered as having been authorized.

MAC tokens are more secure than bearer tokens. They are similar to signatures, as they allow you to perform partial cryptographic verification of requests.

Refresh Token

Refresh tokens are normally sent along with access tokens. Refresh tokens are used to get a new access token when the old one expires. Instead of performing the normal grant procedure, the client provides a refresh token and receives a new access token. Using refresh tokens makes expiration time for access tokens on the resource server shorter and expiration time for accessing the authorization server longer.


You get access tokens from the authorization server by using grants. The same grant type can be used, for example, to request a token and validate it on the resource server.

The four basic grant types are Authorization Code, Implicit, Resource Owner Credentials, and Client Credentials. For more information about the grant types, see the OAuth 2.0 Grant Types section.


In OAuth 2.0, scope is a way to provide access only to specific areas. Normally, you specify areas as a list of comma-separated or space-delimited strings. Each string indicates the area you can access.

More Information

See Also

Automation Script
OAuth 2.0 Grant Types
OpenID Connect Grant Types
Advanced Options
OAuth 2.0 and OAuth 2.0 (Azure)

Highlight search results