@roelandp: The private keys don't leave BEET. For authentication on bitshares.eu using BEET, a message (random token) is signed. The signed message is returned and evaluated at the server. If the signature matches the user that tries to sign in, the server grants access to the account.
OAuth2 works on top of that login process.
Again, the key never leaves the BEET app and bitshares.eu never sees your keys.
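
The challenge-response login described above, sketched as an added example that is not part of the original post and is not BEET or bitshares.eu code. The function names, the layout of the signed message, the in-memory stores and the 60-second token lifetime are assumptions; signing uses secp256k1 with SHA-256 from Node's built-in crypto module.

```javascript
const crypto = require('node:crypto');
// Hypothetical layout of the signed string: a fixed prefix plus account and token,
// so a login signature cannot be reused for another account or another purpose.
function loginMessage(account, token) {
  return `login:bitshares.eu:${account}:${token}`;
}

// Wallet side: the private key is generated and used only inside this closure.
function makeWallet() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
  return {
    publicKey, // the only key material the server ever receives
    sign: (message) => crypto.sign('sha256', Buffer.from(message), privateKey),
  };
}

// Server side: holds account -> public key and the challenges it has issued.
function makeServer(accountKeys, ttlMs = 60000) {
  const pending = new Map(); // token -> { account, expires }
  return {
    issueChallenge(account, now = Date.now()) {
      const token = crypto.randomBytes(32).toString('hex');
      pending.set(token, { account, expires: now + ttlMs });
      return token;
    },
    verifyLogin(account, token, signature, now = Date.now()) {
      const entry = pending.get(token);
      pending.delete(token); // single use, whether or not verification succeeds
      const publicKey = accountKeys.get(account);
      if (!entry || !publicKey || entry.account !== account || now > entry.expires) return false;
      return crypto.verify('sha256', Buffer.from(loginMessage(account, token)), publicKey, signature);
    },
  };
}

// Constructed run: a valid login, then the cases the server has to reject.
function demo() {
  const wallet = makeWallet();
  const otherWallet = makeWallet(); // a key that is not registered for 'alice'
  const server = makeServer(new Map([['alice', wallet.publicKey]]));
  const attempt = (signer, now) => {
    const token = server.issueChallenge('alice');
    const sig = signer.sign(loginMessage('alice', token));
    return { token, sig, ok: server.verifyLogin('alice', token, sig, now) };
  };
  const first = attempt(wallet);
  return { ok: first.ok, replay: server.verifyLogin('alice', first.token, first.sig),
    wrongKey: attempt(otherWallet).ok, expired: attempt(wallet, Date.now() + 120000).ok };
}
console.log(demo());
```

Only the first attempt succeeds; the replayed token, the signature from an unregistered key and the expired token are all rejected.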