Execute the Implicit Grant Flow

In order to execute an Implicit Grant flow you will need to configure your Client application to send the user to the authorization URL:



  • audience: The target API for which the Client Application is requesting access on behalf of the user.
  • scope: The scopes which you want to request authorization for. These must be separated by a space.
  • response_type: The response type. For this flow you can either use token or id_token token. This will specify the type of token you will receive at the end of the flow. Use id_token token to get only an id_token, or token to get both an id_token and an access_token.
  • client_id: Your application's Client ID.
  • redirect_uri: The URL to which the Authorization Server (Auth0) will redirect the User Agent (Browser) after authorization has been granted by the User. The access_token (and optionally an id_token) will be available in the hash fragment of this URL. This URL must be specified as a valid callback URL under the Client Settings of your application.
  • state: An opaque value the clients adds to the initial request that the authorization server includes when redirecting the back to the client. This value must be used by the client to prevent CSRF attacks.
  • nonce: A string value which will be included in the ID token response from Auth0, used to prevent token replay attacks.

For example:

<a href="https://YOUR_AUTH0_DOMAIN/authorize?scope=appointments%20contacts&audience=appointments:api&response_type=id_token%20token&client_id=YOUR_CLIENT_ID&redirect_uri=https://YOUR_APP/callback">
  Sign In

Extract the Access Token

After the Authorization Server has redirected back to the Client, you can extract the access_token from the hash fragment of the URL:

function getParameterByName(name) {
  var match = RegExp('[#&]' + name + '=([^&]*)').exec(window.location.hash);
  return match && decodeURIComponent(match[1].replace(/\+/g, ' '));

function getAccessToken() {
  return getParameterByName('access_token');

function getIdToken() {
  return getParameterByName('id_token');

$(function () {
  var access_token = getAccessToken();

  // Optional: an id_token will be returned by Auth0
  // if your response_type argument contained id_token
  var id_token = getIdToken();

  // Use the access token to make API calls
  // ...

Use the Access Token

Once you have the access_token you can use it to make calls to the API, by passing it as a Bearer Token in the Authorization header of the HTTP request:

// Use the access token to make API calls
$('#get-appointments').click(function(e) {

    cache: false,
    url: "http://localhost:7001/api/appointments",
    headers: { "Authorization": "Bearer " + access_token }