Authorization Code Flow
The Authorization Code Flow is the most commonly used OAuth 2.0 flow for web applications. It provides a secure way to obtain access tokens while keeping the client secret on the server, where it is never exposed to the user's browser.
Security Note
This flow is recommended for web applications that can securely store a client secret on the server side. The client secret is never exposed to the user's browser.
1. Authorization Request
The client application directs the user to the authorization server.
GET /authorize?
response_type=code&
client_id=YOUR_CLIENT_ID&
redirect_uri=YOUR_REDIRECT_URI&
scope=read write&
state=RANDOM_STATE_STRING

2. User Authentication
The user authenticates and authorizes the application.
// This happens on the authorization server
// User logs in and approves the requested scopes

3. Authorization Code
The authorization server redirects back with an authorization code.
// Redirect to your application
GET YOUR_REDIRECT_URI?
code=AUTHORIZATION_CODE&
state=RANDOM_STATE_STRING

4. Token Exchange
The client exchanges the authorization code for an access token.
POST /token
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&
code=AUTHORIZATION_CODE&
redirect_uri=YOUR_REDIRECT_URI&
client_id=YOUR_CLIENT_ID&
client_secret=YOUR_CLIENT_SECRET

Response Example
The response from the token endpoint:
{
"access_token": "eyJz93a...k4laUWw",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "GEbRxBN...edjnXbL",
"scope": "read write"
}
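The four steps above assembled into a minimal client, as an added example that is not part of the original page: the endpoint URLs, the YOUR_CLIENT_ID-style values and the in-memory pending_states store are constructed placeholders (a real deployment keeps the issued state in the user's session). It shows the two checks the page's flow relies on: a fresh single-use state per request, verified on the callback, and the client secret appearing only in the server-to-server token request.

```python
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class AuthCodeClient:
    """Client side of the Authorization Code Flow (added example, hypothetical names)."""

    def __init__(self, authorize_endpoint, token_endpoint, client_id, client_secret, redirect_uri):
        self.authorize_endpoint = authorize_endpoint
        self.token_endpoint = token_endpoint
        self.client_id = client_id
        self.client_secret = client_secret
        self.redirect_uri = redirect_uri
        self.pending_states = set()  # constructed stand-in for per-user session storage

    def build_authorize_url(self, scope):
        # Step 1: unpredictable state, minted per request and remembered for the callback
        state = secrets.token_urlsafe(32)
        self.pending_states.add(state)
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": self.redirect_uri, "scope": scope, "state": state}
        return self.authorize_endpoint + "?" + urlencode(params), state

    def handle_callback(self, callback_url):
        # Step 3: accept the code only if state matches one we issued; each state is single-use
        qs = parse_qs(urlparse(callback_url).query)
        state = qs.get("state", [None])[0]
        if state not in self.pending_states:
            raise ValueError("state mismatch: possible cross-site request forgery or replayed callback")
        self.pending_states.discard(state)
        if "error" in qs:
            raise RuntimeError("authorization failed: " + qs["error"][0])
        return qs["code"][0]

    def build_token_request(self, code):
        # Step 4: form-encoded POST sent by the server; the secret never reaches the browser
        body = urlencode({"grant_type": "authorization_code", "code": code,
                          "redirect_uri": self.redirect_uri, "client_id": self.client_id,
                          "client_secret": self.client_secret})
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        return self.token_endpoint, headers, body


def parse_token_response(raw_json):
    """Parse the token endpoint's JSON response and reject unexpected token types."""
    data = json.loads(raw_json)
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type: " + str(data.get("token_type")))
    return {"access_token": data["access_token"], "expires_in": int(data["expires_in"]),
            "refresh_token": data.get("refresh_token"), "scope": data.get("scope", "").split()}
```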