Tech Glossary

SSO, OAuth, JWT — What's the Difference? The "Third-Party Login" Trio, Explained with a Hotel Keycard

2026.07.02 · 102 views
SSO, OAuth, JWT — What's the Difference? The "Third-Party Login" Trio, Explained with a Hotel Keycard

The SSO/OAuth/JWT trio, explained with a hotel keycard and a valet key.

Share:

Opening: why explain these three together

You ask a vendor to build a site and mention "let customers log in with Google or Facebook." Three words appear on the quote: SSO, OAuth, JWT. They travel together because they answer three sides of one thing: SSO is the "log in once, go everywhere" experience, OAuth is the "safely borrow another account" authorization, and JWT is the "pass that proves you're logged in." Understand this trio and login quotes won't fool you. Here's each with a hotel/access-control analogy.

Term 1: SSO (Single Sign-On) — one keycard opens every door

One line: log in once, access many systems, no re-entering credentials.

Analogy: a hotel keycard opens your room, the gym, and the parking gate — no re-registering at each door. SSO is that "one card for all."

Example: you're a cram school with a website, a courseware platform, and a parent app. With SSO, parents log in once and all three work — no three passwords for them, no three account systems for you. Using Google Workspace to log into company systems is SSO.

Term 2: OAuth (Open Authorization) — a valet key, not your whole keyring

One line: log into other sites with your Google/Facebook account without handing over your Google password.

Analogy: a valet key starts the car but won't open the trunk — you don't hand over your whole keyring. OAuth is that limited grant — the site gets a scoped, Google-issued pass and never touches your password.

Example: your restaurant's reservation system adds "Log in with Google." A guest clicks; Google prompts "This site wants your name and email — allow?" On consent, the system gets only name and email, not the Google password or inbox. That's OAuth authorizing.

Term 3: JWT (JSON Web Token) — a tamper-proof ID badge you carry after login

One line: a signed, tamper-proof electronic badge proving to the system "I've already logged in."

Analogy: you badge into an office building, then every floor's door just reads the badge — no re-verifying at the lobby. JWT is that badge: it states who you are, what you can do, and when it expires, with a signature that breaks if a single character changes.

Example: in your manufacturing quote system, a salesperson logs in and gets a JWT. On each quote lookup or file download, the browser carries the badge; the server verifies the signature and knows "logged in, is sales, not expired" — no re-entering credentials per action.

How the three relate (concept map)

Picture a login pipeline: user clicks "Log in with Google" → OAuth safely borrows identity from Google (authorization) → the system issues a JWT as the user's pass (credential) → if multiple systems share this, the overall experience is SSO (single sign-on). In one line: OAuth handles "how to safely borrow an account," JWT handles "how to prove identity after login," SSO handles "whether that experience spans multiple systems."

Concrete impact on client decisions

  • Budget: adding third-party login (OAuth) is usually a few days; full cross-system SSO costs notably more due to account integration and per-system wiring.
  • Timeline: simple Google/Facebook login ~3–5 days; enterprise SSO (e.g., Google Workspace/internal directory) can be 1–3 weeks.
  • Risk: if a JWT's signing key leaks or expiry is misconfigured, the pass can be forged. Recent security incidents (e.g., this week's OIDC signature-not-verified issue) are exactly what happens when this mechanism skips verification — which is why "who implements login" matters.

5 questions to ask your vendor

  • Do I want "third-party login (OAuth)" or "cross-system single sign-on (SSO)"? Which fits my actual need?
  • Will user passwords be stored in my system? (With OAuth, ideally "no, delegated to Google/Facebook.")
  • How is JWT expiry set? How do you invalidate old tokens after expiry or logout?
  • How is the signing key stored and rotated? What if it leaks?
  • If I add another system to SSO later, how much extra cost?

Common misconceptions

Most people think "Log in with Google = my site can see their Google data." Not so: OAuth gives only the user-consented, scoped info (usually name and email); your site never gets the Google password or unauthorized data. Another myth: "JWT is encrypted, so it's safe." By default a JWT is only signed against tampering — its contents are readable, so never stuff sensitive data into a JWT.

FAQ

I just want Google login — do I need full SSO?

No. That's just OAuth (third-party login), usually a few days. SSO means "one account across many systems," needed only when you have multiple systems to unify — and it costs much more.

With third-party login, does my site get the customer's Facebook password?

No. OAuth is designed so the site never touches the password — only the limited data the user consents to share (usually name and email). It's actually safer than storing passwords yourself.

Can I store members' personal data or points in a JWT?

Not recommended. A JWT is signed against tampering by default but its contents are readable, so sensitive data risks exposure. Use JWTs for identity/permissions (non-secret); keep PII and points in the backend database.

Is it hard to upgrade from third-party login to full SSO later?

Upgradable, but design ahead. If you implement with standard OAuth/OIDC from the start, adding systems later is smooth; hack it and integration costs balloon. Discuss future plans at the quoting stage.

Call to action

Not sure how deep your login needs go? ScriptWalker offers a 30-minute tech consult to judge — in plain language — whether you need OAuth, JWT, or full SSO, with cost and timeline estimates.

Share:
Tech Glossary Back to Blog