Authorization Code Flow
The Authorization Code Flow (defined in OAuth 2.0 RFC 6749, section 4.1) involves exchanging an authorization code for a token. This flow can only be used for confidential applications (such as Regular Web Applications) because the application's authentication methods are included in the exchange and must be kept secure.
Authorization Code Flow with Proof Key for Code Exchange (PKCE)
Learn about the OAuth 2.0 grant type, Authorization Code Flow with Proof Key for Code Exchange (PKCE). Use this grant type for applications that cannot store a client secret, such as native or single-page apps.
Call Your API Using the Authorization Code Flow
This tutorial will help you call your own API using the Authorization Code Flow. If you want to learn how the flow works and why you should use it, see Authorization Code Flow. If you want to learn to add login to your regular web app, see Add Login Using the Authorization Code Flow.
Authentication and Authorization Flows
Authorization Code Flow with Proof Key for Code Exchange (PKCE): During authentication, mobile and native applications can use the Authorization Code Flow, but they require additional security. Additionally, single-page apps have special challenges.
Authorization Code Flow with OIDC
The Authorization Code Flow is used by server-side applications that are capable of securely storing secrets, or by native applications through Authorization Code Flow with PKCE. The OIDC-conformant pipeline affects the Authorization Code Flow in the following areas: Authentication request; Authentication response; Code exchange request
Add Login Using the Authorization Code Flow
You can add login to your regular web application using the Authorization Code Flow. To learn how the flow works and why you should use it, read Authorization Code Flow. To call your API from a regular web app, read Call Your API Using the Authorization Code Flow.
Which OAuth 2.0 Flow Should I Use?
For most cases, we recommend using the Authorization Code Flow with PKCE because the Access Token is not exposed on the client side, and this flow can return Refresh Tokens. To learn more about how this flow works and how to implement it, see Authorization Code Flow with Proof Key for Code Exchange (PKCE).
OAuth 2.0 Authorization Framework
Authorization Code Flow: used by Web Apps executing on a server. This is also used by mobile apps, using the Proof Key for Code Exchange (PKCE) technique. Implicit Flow with Form Post: used by JavaScript-centric apps (Single-Page Applications) executing on the user's browser.
Call Your API Using the Authorization Code Flow with PKCE
This tutorial helps you call your own API from a native, mobile, or single-page app using the Authorization Code Flow with PKCE. To learn how the flow works and why you should use it, read Authorization Code Flow with Proof Key for Code Exchange (PKCE).
Authorization Code Flow with JWT-Secured Authorization …
Learn how to use JWT-Secured Authorization Requests (JAR) with the Authorization Code Flow.