API v.1

OAuth 2.0 Authorization Code Flow

OAuth 2.0 Authorization Code Flow is the grant by which a third-party application obtains delegated access to a user's resources without ever handling the user's credentials. It is designed for confidential clients (server-side applications) that can keep a client secret: the user's browser only ever carries a short-lived authorization code, while the client secret, the code-for-token exchange and the resulting tokens stay on the server.

OAuth 2.0 Flow Diagram

(diagram image: OAuth 2.0 Authorization Code Flow; not reproduced in this text)

OAuth 2.0 Authorization Code Flow Steps

The Authorization Code Flow consists of the following steps:

  1. Authorization Request:

    The client application redirects the user's browser to the authorization endpoint with the following query parameters:

    • response_type=code - Indicates that the client expects an authorization code
    • client_id - The client identifier issued at registration
    • redirect_uri - The URI to redirect to after authorization; must exactly match a URI registered for this client (the server must not accept partial or pattern matches)
    • scope - The requested permissions (optional)
    • state - An unguessable random value bound to the user's session; the client checks it on return to prevent CSRF (optional in RFC 6749 but strongly recommended)
    • code_challenge and code_challenge_method=S256 - Only if PKCE is used (see Security Benefits)

  2. User Authentication:

    If the user is not already authenticated, they are prompted to log in to the authorization server. The credentials are verified by the authorization server (or the identity provider behind it) and are never seen by the client application.

  3. User Authorization:

    The user is presented with a consent screen showing what permissions the client application is requesting. The user can grant or deny access to their resources.

  4. Authorization Code:

    If the user grants access, the authorization server generates a short-lived, single-use authorization code and redirects the browser back to the registered redirect_uri with the code and the original state as query parameters. Before using the code, the client must verify that the returned state equals the value it stored for this session in step 1; a callback with a missing or different state must be discarded.

  5. Token Exchange:

    The client application exchanges the authorization code for an access token by making a direct, TLS-protected back-channel POST (not via the browser) to the token endpoint with:

    • grant_type=authorization_code
    • code - The authorization code received in step 4
    • redirect_uri - Must be identical to the value sent in step 1
    • client_id and client_secret - For client authentication, normally sent as HTTP Basic credentials in the Authorization header (RFC 6749 also permits them as form fields)
    • code_verifier - Only if PKCE was used in step 1

  6. Access Token:

    The authorization server responds with a JSON body containing the access token (issued here as a JWT), its token_type and lifetime (expires_in), and optionally a refresh token. The client should treat the access token as opaque and not depend on its contents: the claims it carries (user identity, granted permissions, expiry) are intended for the resource server, which validates the signature, issuer, audience and expiry before honouring a request.

  7. Resource Access:

    The client application can now present the access token in the Authorization: Bearer header of requests to protected resources, acting on behalf of the user within the granted scope, until the token expires or is revoked.
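The seven steps above, written out as the server-side client's half of the exchange. This is an added example, not code from this API or its SDK: the endpoint URLs, client credentials, redirect URI and the injected post transport are assumptions, and the browser redirects are represented by the URLs the client builds and receives.

```python
# Added example: a server-side (confidential) client walking through steps 1-7.
# This is not this API's own SDK. The endpoint URLs, the client credentials, the
# redirect URI and the injected `post` transport are assumptions for illustration.
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://auth.example.com/authorize"          # assumed
TOKEN_URL = "https://auth.example.com/token"                  # assumed
CLIENT_ID = "example-server-app"                              # assumed
CLIENT_SECRET = "server-side-secret-never-sent-to-browser"    # assumed
REDIRECT_URI = "https://app.example.com/callback"             # assumed, pre-registered


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(code_verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_request(session: dict, scope: str = "read") -> str:
    """Step 1: the URL the browser is redirected to.

    A fresh, unguessable `state` and a PKCE verifier are stored in the user's
    server-side session so the callback can be tied back to this request.
    """
    session["oauth_state"] = secrets.token_urlsafe(32)
    session["pkce_verifier"] = secrets.token_urlsafe(64)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": session["oauth_state"],
        "code_challenge": pkce_challenge(session["pkce_verifier"]),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def handle_callback(session: dict, callback_url: str) -> str:
    """Step 4: the browser arrives at redirect_uri carrying `code` and `state`.

    Returns the code only if `state` matches the value stored in this session;
    a missing or different state is treated as a CSRF attempt and discarded.
    """
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise PermissionError("authorization denied: " + query["error"][0])
    expected = session.pop("oauth_state", None)      # single use
    received = query.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected, received):
        raise PermissionError("state mismatch: possible CSRF, callback discarded")
    if "code" not in query:
        raise PermissionError("callback carried no authorization code")
    return query["code"][0]


def exchange_code(session: dict, code: str, post) -> dict:
    """Steps 5-6: redeem the code over the back channel and parse the token response.

    `post(url, headers, form)` is an injected transport (e.g. a thin wrapper around
    requests.post) returning the parsed JSON body; injecting it keeps this runnable offline.
    """
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {
        "Authorization": "Basic " + basic,     # client authentication, server to server
        "Content-Type": "application/x-www-form-urlencoded",
    }
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,          # must equal the value sent in step 1
        "code_verifier": session.pop("pkce_verifier"),
    }
    body = post(TOKEN_URL, headers, form)
    if "access_token" not in body or body.get("token_type", "").lower() != "bearer":
        raise PermissionError("token endpoint error: " + str(body.get("error", body)))
    return body


def bearer_header(token_response: dict) -> dict:
    """Step 7: present the access token (opaque to the client) as a Bearer token."""
    return {"Authorization": "Bearer " + token_response["access_token"]}
```

The client never inspects the access token; it only stores it server-side and forwards it. In a real deployment `session` is the framework's server-side session store and `post` is the HTTP client, and the client secret must come from configuration rather than a constant.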

Security Benefits

  • Client Secret Protection: The client secret is used only on the back channel between the client's server and the token endpoint; it never reaches the user's browser
  • Short-lived Authorization Codes: Authorization codes expire quickly (RFC 6749 recommends a maximum lifetime of 10 minutes), limiting the window in which an intercepted code is useful
  • One-time Use: A code can be redeemed only once; if it is presented again the server rejects the request and should revoke any tokens already issued for it, since a replay indicates the code was intercepted
  • PKCE Support: The flow can be enhanced with PKCE (RFC 7636), which binds the code to the client instance that started the flow so an intercepted code cannot be redeemed without the code_verifier; recommended for confidential clients too, not only public ones
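The server-side checks behind the four properties above, as an added example that is not this API's implementation. It models the authorization server's code store and token endpoint in memory; the client registry format, the injectable clock, the exact redirect_uri comparison and the error bodies are assumptions chosen to match RFC 6749 and RFC 7636 behaviour.

```python
# Added example: toy authorization-server logic behind the properties listed above
# (single-use codes, 10-minute lifetime, exact redirect_uri match, PKCE). This is
# not this API's implementation; the in-memory store, the client registry format,
# the injectable clock and the error strings are assumptions for illustration.
import base64
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

CODE_LIFETIME_SECONDS = 600   # RFC 6749 4.1.2 recommends at most 10 minutes


@dataclass
class IssuedCode:
    client_id: str
    redirect_uri: str
    scope: str
    code_challenge: str          # S256 challenge from the authorization request
    issued_at: float
    redeemed: bool = False
    tokens: list = field(default_factory=list)   # access tokens minted from this code


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(code_verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    def __init__(self, clients: dict, now=time.time):
        # clients: client_id -> {"secret": str, "redirect_uris": [exact URIs]}
        self.clients = clients
        self.codes = {}              # code -> IssuedCode
        self.active_tokens = set()
        self.now = now               # injectable clock so expiry can be exercised

    def issue_code(self, client_id, redirect_uri, scope, code_challenge):
        """Step 4: after consent, mint an unguessable single-use code bound to the
        client, the redirect_uri and the PKCE challenge from step 1."""
        client = self.clients.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            return None              # unregistered redirect_uri: never send a code there
        code = secrets.token_urlsafe(32)
        self.codes[code] = IssuedCode(client_id, redirect_uri, scope, code_challenge, self.now())
        return code

    def redeem_code(self, client_id, client_secret, code, redirect_uri, code_verifier):
        """Step 5: the token endpoint. Returns a token response or an OAuth error body;
        every check below is an independent reason to refuse."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            return {"error": "invalid_client"}
        rec = self.codes.get(code)
        if rec is None or rec.client_id != client_id:
            return {"error": "invalid_grant"}
        if rec.redeemed:
            # One-time use: a second presentation means the code leaked, so refuse
            # and revoke everything it already bought (RFC 6749 4.1.2).
            for t in rec.tokens:
                self.active_tokens.discard(t)
            return {"error": "invalid_grant", "error_description": "code replayed; tokens revoked"}
        if self.now() - rec.issued_at > CODE_LIFETIME_SECONDS:
            return {"error": "invalid_grant", "error_description": "code expired"}
        if rec.redirect_uri != redirect_uri:
            return {"error": "invalid_grant", "error_description": "redirect_uri mismatch"}
        if not hmac.compare_digest(pkce_challenge(code_verifier), rec.code_challenge):
            return {"error": "invalid_grant", "error_description": "PKCE verification failed"}
        rec.redeemed = True
        token = secrets.token_urlsafe(32)
        rec.tokens.append(token)
        self.active_tokens.add(token)
        return {"access_token": token, "token_type": "Bearer",
                "expires_in": 3600, "scope": rec.scope}

    def is_active(self, token: str) -> bool:
        """What a resource server (or a token introspection endpoint) would consult."""
        return token in self.active_tokens
```

A failed redemption attempt (wrong redirect_uri or wrong code_verifier) leaves the code unredeemed here; a stricter server invalidates the code on any failed attempt so an attacker cannot keep guessing against it. Real implementations also store codes hashed, just as they would passwords, so a database leak does not yield redeemable codes.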

Supported Grant Types

  • authorization_code - For server-side applications (recommended)
  • refresh_token - For obtaining a new access token without user interaction once the current one expires

Available Endpoints
