Clarify that client credentials are not passed in the URL

The term "query parameters" suggested that the credentials are passed in the URL which is insecure and is actually not true as the credentials are passed in the request body. See

Change-Id: Id0a83f8d317fed30e18310b30860000109dafe88
GitHub-Last-Rev: 3961bc9affcbdb16a6e0b4db58ce0526da8e728b
GitHub-Pull-Request: golang/oauth2#358
Reviewed-by: Brad Fitzpatrick <>
1 file changed
tree: bf8e5803353133bad3ab4b26ef43b62839e0e765
  1. .travis.yml
  7. amazon/
  8. bitbucket/
  9. cern/
  10. clientcredentials/
  11. example_test.go
  12. facebook/
  13. fitbit/
  14. foursquare/
  15. github/
  16. gitlab/
  17. go.mod
  18. go.sum
  19. google/
  20. heroku/
  21. hipchat/
  22. instagram/
  23. internal/
  24. jira/
  25. jws/
  26. jwt/
  27. kakao/
  28. linkedin/
  29. mailchimp/
  30. mailru/
  31. mediamath/
  32. microsoft/
  33. nokiahealth/
  34. oauth2.go
  35. oauth2_test.go
  36. odnoklassniki/
  37. paypal/
  38. slack/
  39. spotify/
  40. stackoverflow/
  41. token.go
  42. token_test.go
  43. transport.go
  44. transport_test.go
  45. twitch/
  46. uber/
  47. vk/
  48. yahoo/
  49. yandex/

OAuth2 for Go

Build Status GoDoc

oauth2 package contains a client implementation for OAuth 2.0 spec.


go get

Or you can manually git clone the repository to $(go env GOPATH)/src/

See godoc for further documentation and examples.

App Engine

In change 96e89be (March 2015), we removed the oauth2.Context2 type in favor of the context.Context type from the package. Later replaced by the standard context package of the context.Context type.

This means it‘s no longer possible to use the “Classic App Engine” appengine.Context type with the oauth2 package. (You’re using Classic App Engine if you import the package "appengine".)

To work around this, you may use the new "" package. This package has almost the same API as the "appengine" package, but it can be fetched with go get and used on “Managed VMs” and well as Classic App Engine.

See the new appengine package's readme for information on updating your app.

If you don't want to update your entire app to use the new App Engine packages, you may use both sets of packages in parallel, using only the new packages with the oauth2 package.

import (
	newappengine ""
	newurlfetch ""


func handler(w http.ResponseWriter, r *http.Request) {
	var c appengine.Context = appengine.NewContext(r)
	c.Infof("Logging a message with the old package")

	var ctx context.Context = newappengine.NewContext(r)
	client := &http.Client{
		Transport: &oauth2.Transport{
			Source: google.AppEngineTokenSource(ctx, "scope"),
			Base:   &newurlfetch.Transport{Context: ctx},

Policy for new packages

We no longer accept new provider-specific packages in this repo. For defining provider endpoints and provider-specific OAuth2 behavior, we encourage you to create packages elsewhere. We'll keep the existing packages for compatibility.

Report Issues / Send Patches

This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see

The main issue tracker for the oauth2 repository is located at