APIs that use OAuth authorization are not fully ready yet. Upcoming OAuth APIs will be subject to change as we tune them in response to user feedback.
Authorization via OAuth2 is required for accessing user-oriented APIs that can perform actions on behalf of the user.
backpack.tf exposes several idempotent interfaces that allow certain parts of a user account to be controlled. OAuth offers better security than conventional API keys, which are easier to hijack and abuse. This removes the need for end users to handle what are essentially the keys to their own account, instead delegating those responsibilities to the clients they use.
However, it does mean that integrating backpack.tf in your app has a few extra steps, which will be discussed on this page.
It is highly likely you have already used OAuth if you have ever signed in to a service using Google, Facebook or Twitter. This usually involves a redirect to a page on the provider that gives the user a confirmation prompt, after which the provider redirects the user back to the client.
You may be familiar with Steam's OpenID service — you likely used it to sign in to this website. However, this is not the same as OAuth.
OpenID is about authentication, while OAuth is about authorization. A Steam OpenID login returns just a Steam Community ID to the client, whereas a Twitter OAuth request will return what is essentially a session that allows the client to perform actions on behalf of the user.
We recommend using an OAuth consumer library, as this will make integrating OAuth services into your application much, much easier.
Depending on your use case there are several ways to authorize using OAuth, which are all documented here.
OAuth allows users to authorize an app to perform actions on their behalf. For grants that do not require this (e.g. Client Credentials grants), APIs will be scoped to the app owner.