API Auth: Authorization Code Grant
Caution: Preview Feature
This is a preview feature and may be changed prior to launch. You are advised to contact support before using this feature in a production application as future changes could be breaking.
The Authorization Code Grant (defined in RFC 6749, section 4.1) is a redirect-based flow where the User Agent receives an authorization_code from the Authorization Server and transfers it to the Client. The Client then interacts with the Authorization Server directly and exchanges the authorization_code for an access_token (and optionally also a refresh_token). The Client can now use this access_token to call the Resource Server on behalf of the Resource Owner.
- The Client initiates the flow and redirects the user to the Authorization Server
- The user authenticates
- The Authorization Server redirects the user back to the Client with an authorization_code in the querystring
- The Client sends the authorization_code together with the Redirect Uri and the Client Id/Client Secret to the Authorization Server (a back-channel request; the Client Secret never passes through the User Agent)
- The Authorization Server validates this information and returns an access_token (and optionally a refresh_token)
- The Client can use the access_token to call the Resource Server on behalf of the user
The first time the user goes through this flow, a consent page is shown listing the permissions that will be granted to the Client (eg: post messages, list contacts, ...).
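The steps above, as an added end-to-end example (this is not the provider's code or SDK). It implements the Client side of the grant and pairs it with a small in-process stand-in for the Authorization Server, so both sides of the exchange can be run offline. The endpoint URLs, client credentials, and the mock server are constructed for the example; the real Authorization Server's values go in their place. Beyond the bare flow on this page it also carries the two checks a practitioner should not skip: a per-session state value bound to the callback (the CSRF protection RFC 6749 section 4.1 recommends) and PKCE (RFC 7636), which stops a stolen authorization_code from being redeemed by anyone who does not hold the original code_verifier.

```python
"""Authorization Code Grant: Client side plus a constructed mock Authorization
Server so the exchange runs offline. Endpoints and credentials are examples."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values: not the real provider's endpoints or credentials.
AUTHORIZE_ENDPOINT = "https://auth.example.com/oauth/authorize"
TOKEN_ENDPOINT = "https://auth.example.com/oauth/token"
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
REDIRECT_URI = "https://client.example.com/callback"


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as PKCE requires for code_challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def build_authorization_url(scope: str) -> tuple[str, str, str]:
    """Step 1: build the redirect to the Authorization Server.
    Returns (url, state, code_verifier); the Client stores state and
    code_verifier in the user's session until the callback arrives."""
    state = secrets.token_urlsafe(32)          # binds the callback to this session
    code_verifier = secrets.token_urlsafe(64)  # PKCE secret, kept on the Client
    code_challenge = _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    params = {
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": scope, "state": state,
        "code_challenge": code_challenge, "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", state, code_verifier


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 3: the Authorization Server redirected back with ?code=...&state=...
    The callback is rejected unless state matches the stored session value."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise RuntimeError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise RuntimeError("state mismatch: possible CSRF or mixed-up session")
    if not query.get("code"):
        raise RuntimeError("callback carried no authorization code")
    return query["code"][0]


def build_token_request(code: str, code_verifier: str) -> dict:
    """Step 4: form body of the back-channel POST to TOKEN_ENDPOINT. redirect_uri
    must equal the one from step 1; the client secret never reaches the browser."""
    return {
        "grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET, "code_verifier": code_verifier,
    }


class MockAuthorizationServer:
    """Constructed stand-in showing the checks the Authorization Server performs
    in steps 2, 3 and 5. Not the provider's implementation."""

    def __init__(self) -> None:
        self._issued: dict[str, dict] = {}  # outstanding single-use codes

    def authorize(self, authorization_url: str) -> str:
        """Steps 2-3: after login and consent, issue a code and redirect back
        to redirect_uri with the code and the echoed state."""
        params = {k: v[0] for k, v in parse_qs(urlparse(authorization_url).query).items()}
        if params.get("response_type") != "code":
            raise ValueError("unsupported_response_type")
        code = secrets.token_urlsafe(24)
        self._issued[code] = {k: params[k] for k in ("client_id", "redirect_uri", "code_challenge")}
        return f"{params['redirect_uri']}?{urlencode({'code': code, 'state': params['state']})}"

    def token(self, form: dict) -> dict:
        """Step 5: validate code, client credentials, redirect_uri and the PKCE
        verifier, then issue tokens. A code is consumed on first use (replay fails)."""
        record = self._issued.pop(form.get("code", ""), None)
        if record is None:
            return {"error": "invalid_grant"}
        if form.get("client_id") != record["client_id"] or form.get("client_secret") != CLIENT_SECRET:
            return {"error": "invalid_client"}
        if form.get("redirect_uri") != record["redirect_uri"]:
            return {"error": "invalid_grant"}
        expected = _b64url(hashlib.sha256(form.get("code_verifier", "").encode("ascii")).digest())
        if not secrets.compare_digest(expected, record["code_challenge"]):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": secrets.token_urlsafe(32)}


def run_flow(server: MockAuthorizationServer, scope: str = "contacts.read") -> dict:
    """Drive the whole grant end to end and return the token response (step 5)."""
    url, state, verifier = build_authorization_url(scope)
    callback = server.authorize(url)
    code = parse_callback(callback, state)
    return server.token(build_token_request(code, verifier))


if __name__ == "__main__":
    print(run_flow(MockAuthorizationServer()))
```

Against a real Authorization Server, `build_token_request` feeds an HTTPS POST to the token endpoint (for example with `requests.post(TOKEN_ENDPOINT, data=...)`) and the `MockAuthorizationServer` disappears; the session storage for state and code_verifier must be server-side and per user, never a cookie the browser can be tricked into replaying.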
- Allow the Client to make calls to the Resource Server on behalf of the Resource Owner (Delegation)
- The Client is typically a traditional web application