
OAuth

Also known as: OAuth 2.0, Authorization protocol

5 min read·Updated 2026-05-06

Quick definition

OAuth is an open authorization protocol that lets a user grant a third-party application limited access to their account on another service without sharing their password. Virtually every major social media API uses it: Instagram, TikTok, YouTube, X, LinkedIn and Facebook all rely on OAuth for the 'connect your account' flow.

Contents
  1. What is OAuth?
  2. How OAuth works for social media APIs
  3. Common OAuth concepts
  4. Why OAuth matters for security
  5. API example
  6. Common pitfalls
  7. Tips
  8. FAQ

What is OAuth?

OAuth (Open Authorization) is an open protocol that lets a user grant one application limited access to their account on another service. The user authenticates with the source service (e.g., Instagram), grants specific scopes (e.g., 'publish posts on my behalf'), and the source service issues an access token to the requesting application. The third-party app uses that token to make API calls; the user's password never leaves the source service.

OAuth 2.0 (RFC 6749, published in 2012) is the version every modern social media API uses. The familiar 'Connect with [Platform]' button on tools like CodivUpload, Buffer, Hootsuite, Postiz, and Ayrshare runs an OAuth flow underneath: the user clicks Connect, is redirected to the platform's authorization page, approves the permissions, and is redirected back to the third-party app with a one-time code; the app's server exchanges the code for an access token and stores the token for subsequent API calls.

How OAuth works for social media APIs

The standard OAuth 2.0 'authorization code' flow has six steps. (1) The user clicks 'Connect Instagram' in the third-party app. (2) The third-party app redirects the user to Instagram's OAuth authorization URL, including the app's client_id, the redirect_uri it registered, the requested scopes (instagram_business_basic, instagram_content_publish, etc.), and a random state value that the app keeps in the user's server-side session; where the platform supports PKCE, a code_challenge goes in the same request. (3) The user logs into Instagram (if not already) and reviews the requested permissions. (4) Instagram redirects the user back to the registered redirect_uri with a short-lived, single-use authorization code and the same state value. (5) The third-party app's server first checks that the returned state matches the one in the session and rejects the callback otherwise (a mismatch means the code was not produced by this user's own login), then exchanges the code plus its client_secret (and the PKCE code_verifier, if used) for an access token. (6) The app stores the token (encrypted) and uses it for subsequent API calls on behalf of the user.

Tokens have lifetimes, and each platform sets and changes its own: at the time of writing, typically 60 days for Instagram, 90 days for X, and a short-lived access token backed by a long-lived refresh token for YouTube. Treat these numbers as indicative and read the platform's current documentation rather than hard-coding them. The third-party app must handle expiration: refresh proactively (before expiry, with a safety margin) when the platform allows it, and prompt the user to reconnect when manual reauthorization is required.

Common OAuth concepts

Five terms every developer encounters. (1) Client ID / Client Secret: the third-party app's credentials, registered with the source platform. The client_id is public; the client_secret must stay on your server and never be shipped in a browser bundle or mobile app. (2) Scopes: specific permissions the app requests (read posts, publish posts, read analytics, manage comments). Always request the minimum scopes needed; over-requesting reduces user trust and widens the blast radius of a stolen token. (3) Access token: the time-limited bearer credential sent in API calls. Anyone who holds it can use it until it expires or is revoked. (4) Refresh token: a long-lived credential used to obtain new access tokens without prompting the user. Because it outlives the access token, it needs at least the same protection at rest. (5) Redirect URI: where the platform sends the user back after authorization. It must be pre-registered with the platform and match exactly; platforms refuse unregistered URIs precisely so that an attacker cannot have the authorization code delivered to a host they control.

Why OAuth matters for security

Three structural advantages over password-sharing approaches. First, the user's password never leaves the source platform, so a compromised third-party app cannot expose it. Second, scoped permissions limit damage: even if a token is stolen, it can only do what the scopes allow. Third, the user can revoke access at any time from the source platform's settings, which immediately invalidates the third-party app's token. Compare the bad-old-days pattern of 'give us your Instagram password and we'll log in for you': OAuth is dramatically safer for users and developers alike. The caveat is that an access token is a bearer credential, so the token store and every channel it travels over (TLS, logs, error messages, crash reports) now carry the trust that the password used to.

OAuth flow for Instagram via CodivUpload's connect endpoint

bash

# 1. Frontend redirects user to CodivUpload's connect endpoint
GET https://app.codivupload.com/connect/instagram?return_url=https://myapp.com/done

# 2. CodivUpload redirects user to Instagram's OAuth page with required scopes
# User logs in, approves "Publish posts on my behalf" + "Read insights"

# 3. Instagram redirects back to CodivUpload with an authorization code
# CodivUpload's server exchanges code for access token, encrypts (AES-256-GCM),
# stores in user_profiles table

# 4. User gets redirected to your return_url with the connected profile_name

# 5. Your app calls CodivUpload's API with the connected profile:
curl -X POST https://api.codivupload.com/v1/posts \
  -H "Authorization: Bearer cdv_..." \
  -d '{"profile_name": "user_main", "platforms": ["instagram"], ...}'

# CodivUpload's API uses the stored Instagram OAuth token to publish on behalf
# of the user. Token refresh happens automatically when needed.

Common pitfalls

  • ×Storing OAuth tokens in plaintext — always encrypt at rest (AES-256-GCM is standard; use a fresh random nonce for every record and never reuse one under the same key)
  • ×Requesting too many scopes — over-permissioning reduces user trust during the consent screen and widens the blast radius of a stolen token
  • ×Hard-coding the redirect URI in production — multiple environments need separate redirect URIs registered; register exact URIs rather than wildcards, since a loosely matched redirect URI lets an attacker capture the authorization code
  • ×Not handling token refresh — tokens expire; apps must refresh proactively or prompt the user to reconnect
  • ×Skipping the state check on the callback — without it an attacker can complete the flow in a victim's session with a code from the attacker's own login, linking the victim's app account to an attacker-controlled social profile (login CSRF)

Tips

  • Request minimum scopes needed — additional scopes can be requested incrementally as features are used
  • Encrypt tokens at rest with a key separate from the database password — defense in depth
  • Subscribe to platform webhooks for token-revoked events — Instagram and Facebook send these proactively
  • Use a third-party API like CodivUpload to skip OAuth implementation entirely — pre-approved app, scopes, token refresh all handled

Frequently asked questions

What's the difference between OAuth 1.0 and OAuth 2.0?

OAuth 1.0 (2007, revised as OAuth 1.0a and published as RFC 5849 in 2010) signed every request with the client's secret, which was secure even without TLS but complex to implement correctly. OAuth 2.0 (2012) simplified the protocol to bearer tokens carried over HTTPS, which moves the burden onto protecting the transport and the token store. Nearly every modern social media API uses 2.0; OAuth 1.0a survives mainly on X, which still offers it alongside OAuth 2.0 for user-context calls.

Do I need to implement OAuth myself if I use a scheduling API?

No — the whole point of using a scheduling API is to skip OAuth implementation. CodivUpload, Buffer, Postiz, Ayrshare all run pre-approved OAuth apps with the standard scopes; you just use their API key. Implementing OAuth yourself for each platform takes 6-9 months of development and ~6 weeks of App Review per platform.

What scopes do social media APIs typically require?

Common scopes: read profile info, publish posts, read post analytics, manage comments, read insights, schedule posts. Each platform has its own scope vocabulary (Instagram uses instagram_business_basic + instagram_content_publish; X uses tweet.read + tweet.write; LinkedIn uses w_member_social, etc.). Always request the minimum needed for your feature.

How long do OAuth tokens last?

Varies by platform, and the values change, so check current documentation. At the time of writing: Instagram, 60 days, refreshable. X, typically 90 days. YouTube, short-lived access token (~1 hour) with a long-lived refresh token. LinkedIn, 60 days. Apps must handle expiration through either proactive refresh or a reconnect prompt to the user, and should read the expires_in value returned with each token rather than assuming a fixed lifetime.

What's an OAuth scope creep risk?

Requesting more scopes than your app actually uses 'just in case'. It reduces user trust on the consent screen ('why does this app need to see my DMs?'), increases blast radius if a token is stolen, and makes platform App Review harder. Always request minimum scopes; expand incrementally.

Skip OAuth implementation — use our pre-approved app

CodivUpload runs pre-approved OAuth apps for all 11 platforms. Connect once via dashboard, get an API key, publish anywhere. No App Review, no token refresh code.
