Differentiate Between OAuth 1.0 and OAuth 2.0 in Salesforce

  • Vikas Kumar

    December 23, 2016 at 1:11 pm

    Hi All,

    What is the basic difference between OAuth 1.0 and OAuth 2.0 while using the REST API?


  • sushant

    January 19, 2017 at 1:58 pm

    Hi Vikas,

    To summarize, here are the key differences:

    More OAuth Flows to allow better support for non-browser based applications. This is a main criticism against OAuth from client applications that were not browser based. For example, in OAuth 1.0, desktop applications or mobile phone applications had to direct the user to open their browser to the desired service, authenticate with the service, and copy the token from the service back to the application. The main criticism here is against the user experience. With OAuth 2.0, there are now new ways for an application to get authorization for a user.

    OAuth 2.0 no longer requires client applications to have cryptography. This hearkens back to the old Twitter Auth API, which didn't require the application to HMAC hash tokens and request strings. With OAuth 2.0, the application can make a request using only the issued token over HTTPS.

    OAuth 2.0 signatures are much less complicated. No more special parsing, sorting, or encoding.

    OAuth 2.0 access tokens are "short-lived". Typically, OAuth 1.0 access tokens could be stored for a year or more (Twitter never let them expire). OAuth 2.0 has the notion of refresh tokens. While I'm not entirely sure what these are, my guess is that your access tokens can be short-lived (i.e., session-based) while your refresh tokens can be "lifetime". You'd use a refresh token to acquire a new access token rather than have the user re-authorize your application.

    Finally, OAuth 2.0 is meant to have a clean separation of roles between the server responsible for handling OAuth requests and the server handling user authorization. More information about that is detailed in the aforementioned article.


  • Avnish Yadav

    September 30, 2018 at 3:21 am


    OAuth 1.0 is based on having shared secrets between the server and consumer which are used to calculate signatures. Those signatures are then used to verify the authenticity of API requests. The community found that implementing signatures correctly was quite difficult. OAuth 2.0 removes signatures and instead relies on SSL to secure the secret. If you want to see a concise explanation and detailed flow (with diagrams) of OAuth, you can check out The OAuth Bible (
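As an added illustration (not code from this thread or from Salesforce) of the two answers above: the "parsing, sorting, or encoding" sushant mentions and the shared-secret signatures Avnish describes are the OAuth 1.0 HMAC-SHA1 signing steps of RFC 5849, worked through here in Python against a constructed request, next to the bare bearer header that OAuth 2.0 sends instead. The host, keys, secrets, nonce and timestamp are made-up sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(s: str) -> str:
    """RFC 5849 percent-encoding: only ALPHA, DIGIT, '-', '.', '_', '~' pass through unchanged."""
    return quote(s, safe="-._~")


def signature_base_string(method: str, url: str, oauth_params: dict) -> str:
    """METHOD & encoded base URI & encoded, sorted parameter string (the parsing/sorting/encoding step)."""
    parts = urlsplit(url)
    base_uri = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    pairs = [(pct(k), pct(v)) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    pairs += [(pct(k), pct(v)) for k, v in oauth_params.items() if k != "oauth_signature"]
    normalized = "&".join(f"{k}={v}" for k, v in sorted(pairs))  # sorted by name, then value
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])


def sign_request(method, url, oauth_params, consumer_secret, token_secret=""):
    """Client side: HMAC-SHA1 over the base string, keyed with both shared secrets joined by '&'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, signature_base_string(method, url, oauth_params).encode(), hashlib.sha1).digest()
    return {**oauth_params, "oauth_signature": base64.b64encode(digest).decode()}


def verify(method, url, signed_params, consumer_secret, token_secret=""):
    """Server side: recompute from its own copy of the secrets and compare in constant time."""
    expected = sign_request(method, url, signed_params, consumer_secret, token_secret)["oauth_signature"]
    return hmac.compare_digest(expected, signed_params.get("oauth_signature", ""))


def bearer_header(access_token: str) -> dict:
    """OAuth 2.0 equivalent: no signature at all, the issued token is presented on its own over TLS."""
    return {"Authorization": f"Bearer {access_token}"}


# Constructed sample request (hypothetical host, key, secrets, nonce and timestamp).
SAMPLE_URL = "https://api.example.com/v1/items?b=2&a=1"
CONSUMER_SECRET = "demo-consumer-secret"
TOKEN_SECRET = "demo-token-secret"
SAMPLE_PARAMS = {
    "oauth_consumer_key": "demo-key",
    "oauth_nonce": "abc123",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1482498660",
    "oauth_version": "1.0",
}

if __name__ == "__main__":
    signed = sign_request("GET", SAMPLE_URL, SAMPLE_PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    print(signature_base_string("GET", SAMPLE_URL, SAMPLE_PARAMS))
    print("valid:", verify("GET", SAMPLE_URL, signed, CONSUMER_SECRET, TOKEN_SECRET), bearer_header("demo-token"))
```

Any change to the URL, a query parameter or a secret changes the base string or key, so the server-side recomputation no longer matches and the request is rejected.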

