ELI5 · Security & glue

OAuth (“sign in with…”).

A valet key: you let an app do one specific thing without ever handing over your real password.

Some cars come with a valet key. It starts the engine and opens the door, but it will not open the glovebox or the trunk. You hand it to the parking attendant so they can move the car — without giving them the run of everything you own.

OAuth is that valet key for your accounts. When an app says “sign in with Google,” you are not giving the app your Google password. You are asking Google to hand the app a limited key that does one job, which you can take back any time.

  1. Your password? …no. An app wants your photos. The old way would be to hand it your password — the keys to everything.

  2. It’s me. Here’s my real key. Instead you go to the one you already trust (say, Google) and prove who you are there.

  3. May I have his photos? The app never sees that. It just asks the trusted service on your behalf.

  4. Photos only. You approve exactly what it may touch — “photos only, not your email.”

  5. The service hands the app a limited key (a token), not your password.

  6. Revoke? Done. The app uses that key for its one job — and you can revoke it any time without changing your password.

How “sign in with…” lets an app act for you without ever seeing your password.

Why this is safer

The app never learns your password, so a breach at the app cannot leak it. The key is scoped, so a printing app that asked for “photos” cannot read your email. And because the key is separate, you can cut off one app without touching your password or your other apps.

Authorization, not identity

Plain OAuth is about what an app may do (authorization), not strictly about proving who you are. The familiar “sign in with…” button adds a thin identity layer on top (OpenID Connect), so the app also learns a verified “this is who just logged in.”
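The six steps of the figure and the two sections above, played out as a small simulation. This is an added example, not code from the page or from any real provider: `Provider`, `Token`, `consent`, `fetch`, `revoke` and `verify_id_token` are constructed stand-ins for the authorization server, resource server and OpenID Connect layer, the user data and password are made up, and the ID token is HMAC-signed and checked by the same toy provider (a real app verifies it against the provider's published public key). It shows the three properties the text claims: the app never holds the password, a photos-only token cannot read email, and revoking the app leaves the password working.

```python
"""Toy OAuth delegation flow. Constructed example; not a real provider's API."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass


@dataclass
class Token:
    client_id: str
    user: str
    scopes: frozenset
    revoked: bool = False


class Provider:
    """The trusted service in the story (playing "Google"). Hypothetical, constructed."""

    def __init__(self):
        self._passwords = {}        # user -> password; only the provider ever sees these
        self._data = {}             # user -> {"photos": [...], "email": [...]}
        self._tokens = {}           # opaque access-token string -> Token
        self._signing_key = secrets.token_bytes(32)   # for the toy ID token

    def register_user(self, user, password, photos, email):
        self._passwords[user] = password
        self._data[user] = {"photos": photos, "email": email}

    def login(self, user, password):
        """Step 2: the user proves who they are to the provider, never to the app."""
        if not hmac.compare_digest(self._passwords.get(user, ""), password):
            raise PermissionError("bad credentials")
        return user

    def consent(self, user, client_id, requested, approved):
        """Steps 3-5: the app asks for scopes, the user approves a subset, and the
        provider mints an opaque scoped token. With the 'openid' scope it also issues
        an ID token (the OpenID Connect layer): the only way the app learns *who* logged in."""
        granted = frozenset(requested) & frozenset(approved)
        access = secrets.token_urlsafe(16)
        self._tokens[access] = Token(client_id, user, granted)
        id_token = None
        if "openid" in granted:
            claims = json.dumps({"iss": "toy-provider", "sub": user, "aud": client_id}, sort_keys=True)
            sig = hmac.new(self._signing_key, claims.encode(), hashlib.sha256).hexdigest()
            id_token = f"{claims}.{sig}"
        return access, id_token

    def verify_id_token(self, id_token, client_id):
        """Toy check of the ID token: signature must match and it must be meant for this app."""
        claims, _, sig = id_token.rpartition(".")
        expected = hmac.new(self._signing_key, claims.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            raise PermissionError("bad signature")
        payload = json.loads(claims)
        if payload["aud"] != client_id:
            raise PermissionError("token issued for another app")
        return payload["sub"]

    def fetch(self, access, resource):
        """Resource-server check: the token must exist, be unrevoked, and carry the scope."""
        tok = self._tokens.get(access)
        if tok is None or tok.revoked:
            raise PermissionError("invalid or revoked token")
        if resource not in tok.scopes:
            raise PermissionError(f"token not scoped for {resource}")
        return self._data[tok.user][resource]

    def revoke(self, user, client_id):
        """Step 6: cut off one app; the password and every other app stay untouched."""
        hits = [t for t in self._tokens.values()
                if t.user == user and t.client_id == client_id and not t.revoked]
        for t in hits:
            t.revoked = True
        return len(hits)


def run_story():
    """Walk the six steps with constructed sample data and report what the app could see."""
    provider = Provider()
    password = "correct-horse (constructed)"
    provider.register_user("alice", password, photos=["beach.jpg"], email=["payslip.eml"])
    client_id = "photo-app"
    out = {}
    # Steps 1-2: the password goes to the provider only; the app is never given it.
    provider.login("alice", password)
    # Steps 3-5: the app asks for photos, email and identity; Alice allows photos and identity only.
    access, id_token = provider.consent("alice", client_id,
                                        requested={"photos", "email", "openid"},
                                        approved={"photos", "openid"})
    out["who_logged_in"] = provider.verify_id_token(id_token, client_id)
    out["photos"] = provider.fetch(access, "photos")
    try:
        provider.fetch(access, "email")
        out["email"] = "leaked"
    except PermissionError as e:
        out["email"] = str(e)
    # Step 6: Alice revokes the app; her password still works afterwards.
    out["revoked"] = provider.revoke("alice", client_id)
    try:
        provider.fetch(access, "photos")
        out["after_revoke"] = "still works"
    except PermissionError as e:
        out["after_revoke"] = str(e)
    out["password_still_works"] = provider.login("alice", password) == "alice"
    return out


if __name__ == "__main__":
    for key, value in run_story().items():
        print(f"{key}: {value}")
```

Note that the app only ever holds the opaque `access` string and the `id_token`; identity comes from the ID token (granted because `openid` was approved), while the access token says what the app may touch and nothing about who the user is.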
