Authorization code flow

Web applications that request API resources from their own servers use the authorization code flow. The application first obtains an authorization code and then exchanges it with the authorization server for access and refresh tokens. Implementing the authorization code flow in a web application also provides important security benefits: the authorization server authenticates the client before issuing tokens, and the exchange happens server to server, so tokens are never exposed to the user's browser or to third parties.

The flowchart below illustrates the authorization code grant flow, in which an access token is obtained and then used in an API request:

  1. As a prerequisite, register your application with the authorization server to obtain client credentials: a client ID and a client secret. The authorization server uses these credentials to identify your application when it issues authorization codes and access tokens.
  2. The flow itself starts here. In the first step, build an authorization request link and provide a way for the user to open it.
  3. In the second step, the user who owns the resources must authorize the request after reviewing the requested scopes. If the user is already signed in, the authorization consent page appears immediately; otherwise the user must sign in first and then either accept or reject the authorization request.
  4. When the user accepts the authorization request, your application receives an authorization code. In the third step, request access tokens in exchange for that authorization code.
  5. Your application receives access and refresh tokens. In the fourth step, send API requests with the access token to access the resources.
  6. The access token is a short-lived key that must be refreshed. In the fifth step, use the refresh token to obtain a new access token.
  7. In the last step, you can revoke your refresh token, which removes your application's ability to access the resources. This step is optional and only needs to be performed when the tokens have been compromised.
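The client side of steps 1 to 5 above, written as an added example rather than code from the original page or any particular provider. The endpoints, client credentials and redirect URI are constructed placeholders; the `state` check on the callback is what stops a forged or stale redirect from being exchanged for tokens, and the client secret is sent only in the server-to-server token request.

```python
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders for this example; substitute your provider's values.
AUTH_ENDPOINT = "https://auth.example.com/authorize"
TOKEN_ENDPOINT = "https://auth.example.com/token"
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
REDIRECT_URI = "https://app.example.com/callback"


def build_authorization_url(scopes, state=None):
    """Step 1: build the link the user opens. The random `state` is kept in the
    user's session so the callback can be tied back to this exact request."""
    state = state or secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": " ".join(scopes),
              "state": state}
    return f"{AUTH_ENDPOINT}?{urlencode(params)}", state


def parse_callback(callback_url, expected_state):
    """Step 2 result: extract the code from the redirect back to the app.
    A denied request or a state mismatch must never reach the token exchange."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise PermissionError(f"authorization failed: {query['error'][0]}")
    if not secrets.compare_digest(query.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: callback is not tied to this session")
    return query["code"][0]


def _token_request(body):
    """Server-to-server POST to the token endpoint; client credentials travel in
    an HTTP Basic header, so the secret never leaves the application server."""
    creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_ENDPOINT, headers, urlencode(body)


def token_exchange_request(code):
    """Step 3: exchange the authorization code for access and refresh tokens."""
    return _token_request({"grant_type": "authorization_code", "code": code,
                           "redirect_uri": REDIRECT_URI})


def refresh_request(refresh_token):
    """Step 5: use the refresh token to obtain a new access token."""
    return _token_request({"grant_type": "refresh_token",
                           "refresh_token": refresh_token})


def bearer_header(access_token):
    """Step 4: header attached to API requests for the protected resources."""
    return {"Authorization": f"Bearer {access_token}"}
```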