• not tied to the password
• changing password does not revoke access
• you can revoke specific clients
• avoids spoofing behavior

What is OAuth?

It's a protocol to help solve the previous problem.

A good analogy is parking your car. Sports cars nowadays have two keys. You don't give your main key to the parking attendant but the one with limited access; for example, it only allows 1 mile of driving and doesn't open the trunk.

So yeah:
- limited access
- not tied to passwords. If we had gone the password route (and stored them), then a user changing their password would revoke all apps that use that password.
- avoids spoofing. If we stored passwords, users would learn the behavior of passing passwords around. That is bad because a hacker can duplicate a website, so it's better if they don't share passwords.
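The three properties above, as an added example that is not part of the original notes. It models only the token side of the idea (scoped, per-client, revocable tokens), not the OAuth authorization flow itself; `TokenAuthServer`, the client names and the scope strings are all hypothetical.

```python
import hashlib
import secrets

class TokenAuthServer:
    """Toy authorization server: per-client, scoped, revocable tokens."""

    def __init__(self):
        self._pw_hash = {}   # user -> password hash
        self._tokens = {}    # token -> (user, client, scopes)

    def _hash(self, user, password):
        # Demo-only salt (the username); a real server uses a random per-user salt.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), user.encode(), 100_000)

    def set_password(self, user, password):
        # Changing the password touches only the password table, never the tokens.
        self._pw_hash[user] = self._hash(user, password)

    def authorize(self, user, password, client, scopes):
        # The password is presented to the server, never handed to the client app.
        if not secrets.compare_digest(self._pw_hash.get(user, b""), self._hash(user, password)):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user, client, frozenset(scopes))
        return token

    def allowed(self, token, scope):
        # Limited access: a token is good only for the scopes it was issued with.
        entry = self._tokens.get(token)
        return entry is not None and scope in entry[2]

    def revoke_client(self, user, client):
        # Drop only the tokens issued to one client for this user.
        doomed = [t for t, (u, c, _) in self._tokens.items() if (u, c) == (user, client)]
        for t in doomed:
            del self._tokens[t]
        return len(doomed)

def demo():
    srv = TokenAuthServer()
    srv.set_password("alice", "old-pw")  # constructed sample data
    photos = srv.authorize("alice", "old-pw", "photo-app", ["photos:read"])
    mail = srv.authorize("alice", "old-pw", "mail-app", ["mail:read"])
    limited = (srv.allowed(photos, "photos:read"), srv.allowed(photos, "photos:delete"))
    srv.set_password("alice", "new-pw")  # password change: tokens keep working
    survives = srv.allowed(photos, "photos:read") and srv.allowed(mail, "mail:read")
    srv.revoke_client("alice", "photo-app")  # revoke one client only
    after = (srv.allowed(photos, "photos:read"), srv.allowed(mail, "mail:read"))
    return limited, survives, after
```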