Implicit Flow
The Implicit Flow (the OAuth 2.0 implicit grant, RFC 6749 Section 4.2) is a simplified version of the Authorization Code Flow in which the access token is returned directly from the authorization endpoint instead of being exchanged for a code. It was designed for public clients such as single-page applications (SPAs) that run entirely in the browser and cannot keep a client secret.
Security Warning
This flow is less secure than the Authorization Code Flow. The access token is delivered in the redirect URL fragment, where it is visible to browser history, to every script running on the page, and to anything else that can read the URL. Because there is no back-channel exchange, the client also cannot tell whether the token it receives was actually issued for it, so a token captured elsewhere can be injected into the redirect. The OAuth 2.0 Security Best Current Practice recommends against the implicit grant and OAuth 2.1 removes it. Use it only for legacy applications where the Authorization Code Flow with PKCE is not available, always validate the state parameter on the redirect, and register exact-match redirect URIs.
1. Authorization Request
The client application directs the user's browser to the authorization server with response_type=token. The state value must be unguessable and stored client-side (for example in sessionStorage) before the redirect, so it can be compared against the value that comes back in step 3.
GET /authorize?
response_type=token&
client_id=YOUR_CLIENT_ID&
redirect_uri=YOUR_REDIRECT_URI&
scope=read%20write&
state=RANDOM_STATE_STRING
2. User Authentication
The user authenticates and authorizes the application.
// This happens on the authorization server
// User logs in and approves the requested scopes
3. Access Token
The authorization server redirects back to redirect_uri with the access token in the URL fragment (after the #). The fragment is never sent to the server hosting redirect_uri, but it is exposed to every script on the page and recorded in browser history, which is why the client should read it once, verify state, and remove it from the URL.
// Redirect to your application
GET YOUR_REDIRECT_URI#
access_token=ACCESS_TOKEN&
token_type=Bearer&
expires_in=3600&
state=RANDOM_STATE_STRING
JavaScript Example
How to handle the access token in a single-page application
// Extract the access token from the URL fragment, verifying the state
// value that was stored in sessionStorage before the redirect in step 1
function getAccessToken() {
  const params = new URLSearchParams(window.location.hash.substring(1))
  if (params.get('error')) {
    throw new Error(`Authorization failed: ${params.get('error')}`)
  }
  const expectedState = sessionStorage.getItem('oauth_state')
  if (!expectedState || params.get('state') !== expectedState) {
    throw new Error('state mismatch: possible CSRF or token injection')
  }
  sessionStorage.removeItem('oauth_state')
  // Strip the fragment so the token does not remain in the URL or browser history
  history.replaceState(null, '', window.location.pathname + window.location.search)
  return params.get('access_token')
}
// Use the access token to make authenticated requests
async function fetchUserData() {
  const token = getAccessToken()
  const response = await fetch('https://api.example.com/user', {
    headers: {
      'Authorization': `Bearer ${token}`
    }
  })
  if (!response.ok) {
    throw new Error(`API request failed with status ${response.status}`)
  }
  return response.json()
}
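The three steps above as one round trip, written as pure functions so the state check and the error handling can be exercised outside a browser. This is an added example, not code from the original page: the endpoint https://auth.example.com/authorize, the client_id, the redirect_uri and the redirect fragment are constructed placeholders, and newState() assumes the Web Crypto API (globalThis.crypto) is available.

```javascript
// Added example: Implicit Flow request building and redirect parsing.
// All endpoint, client and token values below are constructed placeholders.

// Step 1: build the authorization request URL. The caller must persist `state`
// (for example in sessionStorage) before navigating the browser to this URL.
function buildAuthorizeUrl({ authorizeEndpoint, clientId, redirectUri, scopes, state }) {
  const url = new URL(authorizeEndpoint)
  url.searchParams.set('response_type', 'token')
  url.searchParams.set('client_id', clientId)
  url.searchParams.set('redirect_uri', redirectUri)
  url.searchParams.set('scope', scopes.join(' '))   // serialized as read+write
  url.searchParams.set('state', state)
  return url.toString()
}

// Unguessable state value; assumes the Web Crypto API (browser or modern Node).
function newState() {
  const bytes = globalThis.crypto.getRandomValues(new Uint8Array(16))
  return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('')
}

// Step 3: parse the redirect fragment. Rejects error responses, any response
// whose state does not match the value issued in step 1, and responses that
// do not carry a bearer token.
function parseImplicitRedirect(fragment, expectedState, now = Date.now()) {
  const params = new URLSearchParams(fragment.replace(/^#/, ''))
  if (params.has('error')) {
    throw new Error(`authorization failed: ${params.get('error')}`)
  }
  if (!expectedState || params.get('state') !== expectedState) {
    throw new Error('state mismatch: response was not issued for this session')
  }
  const token = params.get('access_token')
  const tokenType = (params.get('token_type') || '').toLowerCase()
  if (!token || tokenType !== 'bearer') {
    throw new Error('redirect did not carry a bearer access token')
  }
  const expiresIn = params.get('expires_in')
  return {
    accessToken: token,
    scope: params.get('scope'),   // only present when it differs from the request
    expiresAt: expiresIn ? now + Number(expiresIn) * 1000 : null,
  }
}

// Round trip with constructed values (a fixed state stands in for newState()).
function demo() {
  const state = 'c0ffee1234'
  const url = buildAuthorizeUrl({
    authorizeEndpoint: 'https://auth.example.com/authorize',
    clientId: 'YOUR_CLIENT_ID',
    redirectUri: 'https://app.example.com/callback',
    scopes: ['read', 'write'],
    state,
  })
  // Constructed redirect fragment as the authorization server would return it
  const fragment = '#access_token=ACCESS_TOKEN&token_type=Bearer&expires_in=3600&state=' + state
  const result = parseImplicitRedirect(fragment, state, 0)
  return { url, result }
}
```

In a real SPA, buildAuthorizeUrl() runs before `window.location.assign(url)`, and parseImplicitRedirect() runs once on the callback page with `window.location.hash` and the state read back from sessionStorage, followed by `history.replaceState()` to drop the fragment.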