OAuth separates the role of the client from that of the resource owner/eZ Publish user. In OAuth, the client (which is usually not the resource owner/eZ Publish user, but is acting on the user's behalf) requests access to resources controlled by the resource owner and hosted by the resource server, and is issued a different set of credentials than those of the resource owner. Clients obtain an access token (a string which denotes a specific scope, duration, and other attributes). Tokens are issued to third-party clients by an authorization server with the approval of the resource owner. The client uses the access token to access the protected resources hosted by the resource server.

For example, a web user (resource owner) can grant a printing service (client) access to protected photos stored at a photo sharing service (resource server), without sharing user name and password with the printing service. Instead, he/she authenticates directly with an authentication service trusted by the photo sharing service (authorization server) which issues the printing service delegation-specific credentials (token).