Modern web applications are often backed by APIs, and these APIs depend on OAuth 2.0 to implement access control. Because OAuth 2.0 is a delegation framework, implementing access control with it is not as simple as it seems. In this course, we look at the architecture of a back-end application using OAuth 2.0 and investigate the security properties of different kinds of access tokens. We also look at the importance of token introspection, and at how to use the data it returns to make access control decisions.