Executing the Implicit Grant Flow

Limited Region Support

This feature is only available for tenants under the US region. We will rollout this feature to every region in the following weeks.

In order to execute an Implicit Grant flow you will need to configure your Client application to send the user to the authorization URL:



  • audience: The target API for which the Client Application is requesting access on behalf of the user.
  • scope: The scopes which you want to request authorization for. These must be separated by a space.
  • response_type: The response type. For this flow you can either use token or id_token token. This will specify the type of token you will receive at the end of the flow.
  • client_id: Your application's Client ID.
  • redirect_uri: The URL to which the Authorization Server (Auth0) will redirect the User Agent (Browser) after authorization has been granted by the User. The access_token (and optionally an id_token) will be available in the hash fragment of this URL. This URL must be specified as a valid callback URL under the Client Settings of your application.
  • state: An opaque value the clients adds to the initial request that the authorization server includes when redirecting the back to the client. This value must be used by the client to prevent CSRF attacks.
  • nonce: A string value which will be included in the ID token response from Auth0, used to prevent token replay attacks.

For example:

<a href="https://YOUR_AUTH0_DOMAIN/authorize?scope=appointments%20contacts&audience=appointments:api&response_type=id_token%20token&client_id=YOUR_CLIENT_ID&redirect_uri=https://myclientapp.com/callback">
  Sign In

Extracting the Access Token

After the Authorization Server has redirected back to the Client, you can extract the access_token from the hash fragment of the URL:

function getParameterByName(name) {
  var match = RegExp('[#&]' + name + '=([^&]*)').exec(window.location.hash);
  return match && decodeURIComponent(match[1].replace(/\+/g, ' '));

function getAccessToken() {
  return getParameterByName('access_token');

function getIdToken() {
  return getParameterByName('id_token');

$(function () {
  var access_token = getAccessToken();

  // Optional: an id_token will be returned by Auth0
  // if your response_type argument contained id_token
  var id_token = getIdToken();

  // Use the access token to make API calls
  // ...

Using the Access Token

Once the access_token has been obtained it can be used to make calls to the Resource Server by passing it as a Bearer Token in the Authorization header of the HTTP request:

// Use the access token to make API calls
$('#get-appointments').click(function(e) {

    cache: false,
    url: "http://localhost:7001/api/appointments",
    headers: { "Authorization": "Bearer " + access_token }