Best of OAuth, January 2026

  1. Article
     Auth0 · 17w

    The API Authorization Hierarchy of Needs

    API authorization must evolve through four progressive levels before supporting AI agents. Start with application-level authorization handling multi-tenancy and granular roles, then add service accounts for machine-to-machine access, implement delegated OAuth flows for third-party apps acting on behalf of users, and finally address AI-specific risks like data leakage and hallucination through intent-based permissions and RAG pipeline authorization. Without mastering human authorization first, AI agent integration will fail catastrophically.

  2. Article
     Nordic APIs · 18w

    What’s New in OpenAPI Specification v3.2.0?

    OpenAPI 3.2.0 introduces incremental but significant improvements to the API specification standard. Key updates include first-class support for streaming media types (text/event-stream, application/jsonl) with schema definitions for individual stream items, hierarchical tag organization for better API navigation, support for extended HTTP methods including the QUERY method through additionalOperations, clarified path templating semantics for consistent routing across tools, clearer example semantics distinguishing data-level from serialized representations, and explicit OAuth 2.0 Device Authorization Flow support. These changes standardize patterns that previously required vendor extensions, making the specification more expressive for modern API designs while maintaining backward compatibility.

  3. Article
     GitHub Changelog · 17w

    Selectively showing "act on your behalf" warning for GitHub Apps is in public preview

    GitHub has updated the consent page for GitHub Apps to remove the "Act on your behalf" warning when apps only request read permissions for user profile data. Previously, over 50% of app authorizations were for simple sign-in purposes, but users were shown alarming warnings suggesting broader access. Now, the warning only appears when apps request repository, organization, or enterprise permissions, reducing confusion for users signing in with GitHub as an identity provider.