Skip to content

Authorization Code Grant Type

The authorization code grant type is optimized for confidential clients. It provides a few important security benefits.

  • It can authenticate the client.

  • It can transmit the access token directly to the client without passing it through the resource owner’s user-agent.

This grant type is suitable when the resource owner is a user and the client is a website.

How does it work?

The client directs the resource owner to an authorization server, instead of requesting authorization directly from the resource owner. The resource owner is then redirected back to the client with the authorization code which the client will capture and exchange for an access token in the background. Since this is a redirection-based flow, the client must be able to interact with the resource owner's user-agent and receive incoming requests (via redirection) from the authorization server.

The diagram below illustrates the authorization code flow.

Authorization Code grant flow

The commands below can be used to try this grant type.

The URL to get the authorization code:


The cURL command to get the access token:

curl -v -X POST --basic -u <CLIENT_ID>:<CLIENT_SECRET> -H "Content-Type:application/x-www-form-urlencoded;charset=UTF-8" -k -d "grant_type=authorization_code&code=<AUTHORIZATION_CODE>&redirect_uri=<REDIRECT_URI>" <TOKEN_ENDPOINT>

You will receive a response similar to the format below.


Support for refresh token grant

This grant type issues a refresh token which can be used to obtain new access tokens using the refresh token grant.