Medium Computer Networks Network Security
Explain the OAuth 2.0 authorization flow.
Answer
OAuth 2.0 delegates authorization without sharing credentials.

Authorization Code flow (most secure):
1) The app redirects the user to the auth server.
2) The user authenticates and grants permissions.
3) The auth server redirects back with an authorization code.
4) The app exchanges the code for an access token (server-side).
5) The app uses the token to access the API.

Other flows: Implicit (deprecated, token in URL), Client Credentials (service-to-service), PKCE (mobile/SPA security).

Access tokens have scopes and expiration; refresh tokens are used for renewal.
Relevant for Roles
Backend Developer Security Engineer Software Engineer