Protocols OAuth 2.0Authorization Code Flow

Authorization Code Flow

The standard OAuth 2.0 flow for server-side applications with a confidential client (RFC 6749 §4.1). The authorization code is exchanged server-to-server, keeping access tokens away from the browser.

Try in Looking Glass

Authorization Code Flow

Try in Looking Glass

Server-side

Sequence Diagram

Click any step for details

Request

Response

Redirect

Internal

Step-by-Step Breakdown

Authorization Request

Client → Authorization Server

User Authentication

User → Authorization Server

User Consent

User → Authorization Server

Authorization Code Response

Authorization Server → Client

Token Exchange Request

Client → Authorization Server

Token Response

Authorization Server → Client

API Request with Token

Client → Resource Server

Protected Resource Response

Resource Server → Client

Token Inspector

Specs for this flow

Sections of the protocol that normatively define this flow, plus the security considerations that apply to it.

Core specs

· The specifications that define this protocol.

RFC 6749 §4.1 — Authorization Code Grant

Security & privacy

· Dedicated security and privacy considerations.

RFC 9700 §2.1 — Protecting Redirect-Based Flows

All ProtocolsBack Open Looking GlassLooking Glass

Sequence Diagram

Implementation Example— JavaScript (Browser + Server)

Step-by-Step Breakdown

Token Inspector

Core specs

Security & privacy