OAuth vs JWT — The Difference Every Developer Should Know

Roshan Shrestha

If you’ve ever been confused between OAuth and JWT, you’re not alone. Many developers mix them up because they often appear together in modern applications. But here’s the truth: OAuth is not JWT, and JWT is not OAuth. They are different, but they work well together. Let’s understand them in the simplest way possible.


What is OAuth?

OAuth is an authorization framework: it’s about permissions, not passwords. It lets one application access a user’s data held by another service, with the user’s consent, without ever being given the user’s password.

Example:
When you click “Login with Gmail” or “Continue with GitHub”, you’re using OAuth. The app you’re logging into never sees your Gmail or GitHub password. Instead, OAuth gives the app a temporary key (an access token) that lets it perform only the actions you consented to, like reading your email address or accessing your profile, for a limited time.

Purpose:
Grant limited and time-bound access securely — like giving someone a key to one room in your house, not the whole house.


What is JWT?

JWT stands for JSON Web Token. It’s a small, self-contained, signed piece of data that carries claims about your identity or permissions, which the receiver can verify without calling back to the issuer.

Think of it as:
A digital passport your application can show when it needs to prove who you are or what you’re allowed to do.

A JWT usually contains:

  • User identity (who you are)

  • Expiry time (how long it’s valid)

  • Signature (to ensure it hasn’t been changed)

Common Uses:

  • Authenticating users in SPAs (Single Page Applications)

  • Securing API requests

  • Managing sessions without storing them on the server


How They Work Together

Here’s how it works if your app has a “Login with Gmail” button:

  1. You click the button.

  2. OAuth handles the secure login and permission flow with Gmail.

  3. Gmail sends back a token — often a JWT.

  4. Your app stores this JWT securely (e.g., in an HttpOnly cookie or memory).

  5. Whenever you make API requests, you attach this JWT to prove your identity and access rights.
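As an added example (not code from the original post), here is how the three parts of a JWT listed earlier fit together and what your API does with the token attached to each request in step 5: issue an HS256 token, then accept it only if the signature is genuine and the `exp` claim is still in the future, with the algorithm pinned and a constant-time signature comparison. The secret and claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret shared by issuer and verifier; a real app loads it from a secrets store.
SECRET = b"demo-shared-secret-not-for-production"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def create_jwt(claims: dict, secret: bytes) -> str:
    """Issue an HS256 JWT: base64url(header).base64url(claims).base64url(HMAC signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"

def verify_jwt(token: str, secret: bytes, now=None) -> dict:
    """Return the claims only if the signature is genuine and the token has not expired."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:  # expiry is mandatory here
        raise ValueError("expired")
    return claims

def check_request_token(token: str, secret: bytes, now=None):
    """Per-request API check: (True, claims) on success, (False, reason) otherwise."""
    try:
        return True, verify_jwt(token, secret, now)
    except ValueError as err:
        return False, str(err)
```

A tampered payload, a token signed with a different secret, or an expired token is rejected with a reason the API can log; only a genuine, unexpired token yields its claims.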


The Key Difference

  • OAuth = How you get access

  • JWT = The proof you have access

Without OAuth, you wouldn’t get the JWT.
Without JWT, you couldn’t prove you belong.


Conclusion

OAuth and JWT are often mentioned together, but they solve different problems.

  • OAuth is all about the process of getting access — deciding who can do what.

  • JWT is about carrying proof — showing you have the right to do it.

Think of OAuth as the security check and JWT as the pass you carry afterward.

When combined, they make applications both secure and user-friendly — protecting user data while providing smooth login and authorization flows.

If you’re a developer, understanding the difference will save you from common mistakes and help you design better, more secure applications.
