OAuth 2.1

Open Authorization — delegated authorization protocol

OAuth 2.1 is a delegated authorization protocol that lets an application access resources on behalf of a user through a token, without sharing their password.

OAuth 2.1 is a delegated authorization protocol: it lets an application access, on behalf of a user, resources hosted by another service, without ever passing on that user's password. Instead, the resource service issues an access token with a limited lifetime and a restricted scope, which the application presents on every request.

OAuth 2.1 is a consolidation of OAuth 2.0: it brings together the security best practices accumulated since 2012 and makes some of them mandatory. These include the systematic use of PKCE (Proof Key for Code Exchange) for the authorization code flow, the removal of flows deemed insecure (the implicit flow and the password flow), as well as strict rules on the exact matching of redirect URLs.

The mechanism relies on scopes (authorization perimeters) that precisely limit what the token allows, and on refresh tokens that renew access without the user having to re-authenticate. It is the standard that secures “Sign in with…” buttons and, more broadly, third-party applications' access to REST APIs.
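The rules above (mandatory PKCE with S256, exact redirect URI matching, single-use authorization codes, scoped short-lived access tokens and refresh-token rotation) are easier to see in code. The following is an added example written for this page, not eyeot's implementation or any library's API: an in-memory model of an OAuth 2.1 authorization server and the client-side PKCE helpers. The client id `agent-app`, the redirect URI `https://app.example/cb`, the scope names and the token lifetimes are constructed values.

```python
"""Minimal OAuth 2.1 authorization-code flow with PKCE (S256), in memory.
Added illustration for this page; client ids, URIs and scopes are constructed."""
import base64
import hashlib
import hmac
import secrets
import time

ACCESS_TTL = 600      # seconds; constructed value
CODE_TTL = 60         # authorization codes are short-lived and single use


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Client side: 32 random bytes -> 43 unreserved characters (allowed range 43-128)."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """Client side: S256 challenge = base64url(SHA-256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    def __init__(self):
        self.clients = {}         # client_id -> {"redirect_uris", "scopes"}
        self.codes = {}           # code -> pending authorization
        self.access_tokens = {}   # access_token -> {"client_id", "scope", "expires"}
        self.refresh_tokens = {}  # refresh_token -> {"client_id", "scope"}

    def register_client(self, client_id, redirect_uris, scopes):
        self.clients[client_id] = {"redirect_uris": set(redirect_uris), "scopes": set(scopes)}

    def authorize(self, client_id, redirect_uri, code_challenge, scope, method="S256"):
        """Authorization endpoint: validates the request and returns a one-time code."""
        client = self.clients.get(client_id)
        if client is None:
            raise ValueError("unknown_client")
        # OAuth 2.1: exact string comparison, no prefix or wildcard matching.
        if redirect_uri not in client["redirect_uris"]:
            raise ValueError("invalid_redirect_uri")
        # OAuth 2.1: PKCE is mandatory for the authorization code flow; only S256 accepted here.
        if method != "S256" or not code_challenge:
            raise ValueError("invalid_request: PKCE S256 required")
        if not set(scope.split()) <= client["scopes"]:
            raise ValueError("invalid_scope")
        code = b64url(secrets.token_bytes(24))
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "challenge": code_challenge, "scope": scope,
                            "expires": time.time() + CODE_TTL}
        return code

    def token(self, client_id, code, code_verifier, redirect_uri):
        """Token endpoint: a code is consumed on first use, then PKCE is verified."""
        entry = self.codes.pop(code, None)
        if (entry is None or entry["client_id"] != client_id
                or entry["redirect_uri"] != redirect_uri or time.time() > entry["expires"]):
            raise ValueError("invalid_grant")
        if not hmac.compare_digest(make_code_challenge(code_verifier), entry["challenge"]):
            raise ValueError("invalid_grant: PKCE verification failed")
        return self._issue(client_id, entry["scope"])

    def refresh(self, client_id, refresh_token):
        """Refresh grant with rotation: the presented refresh token is invalidated."""
        entry = self.refresh_tokens.pop(refresh_token, None)
        if entry is None or entry["client_id"] != client_id:
            raise ValueError("invalid_grant")
        return self._issue(client_id, entry["scope"])

    def _issue(self, client_id, scope):
        access, refresh = b64url(secrets.token_bytes(32)), b64url(secrets.token_bytes(32))
        self.access_tokens[access] = {"client_id": client_id, "scope": scope,
                                      "expires": time.time() + ACCESS_TTL}
        self.refresh_tokens[refresh] = {"client_id": client_id, "scope": scope}
        return {"access_token": access, "token_type": "Bearer", "expires_in": ACCESS_TTL,
                "refresh_token": refresh, "scope": scope}

    def allows(self, access_token, required_scope):
        """Resource side: token must be known, unexpired and carry the required scope."""
        entry = self.access_tokens.get(access_token)
        if entry is None or time.time() > entry["expires"]:
            return False
        return required_scope in entry["scope"].split()


def attempt(fn, *args):
    """Return the error string of a rejected call, or None when the call succeeds."""
    try:
        fn(*args)
        return None
    except ValueError as err:
        return str(err)


def run_flow():
    """Happy path: register a client, obtain a code with PKCE, exchange it for tokens."""
    srv = AuthorizationServer()
    srv.register_client("agent-app", ["https://app.example/cb"], ["invoices:read", "invoices:write"])
    verifier = make_code_verifier()
    code = srv.authorize("agent-app", "https://app.example/cb",
                         make_code_challenge(verifier), "invoices:read")
    tokens = srv.token("agent-app", code, verifier, "https://app.example/cb")
    return srv, tokens, verifier, code
```

The interesting behaviour is in what gets rejected: a second exchange of the same code, a verifier that does not hash to the stored challenge, a redirect URI that differs by a trailing slash, a scope the client never registered, and a refresh token that has already been rotated. A token carrying `invoices:read` also does not authorize an `invoices:write` operation, which is the scope confinement the paragraph above describes.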

eyeot implements OAuth 2.1 with PKCE to authenticate the agents and applications that interact with its AI interface (MCP), alongside the identity management provided by SCIM. This approach ensures that delegated access remains revocable and confined to the operations that are explicitly authorized.

Try eyeot for free

eyeot is a French all-in-one ERP for small and mid-sized businesses, hosted in France and GDPR-compliant. Free for individuals (1 user, every module); simple team packs for companies.