Authorization Code Flow

The Authorization Code Flow (defined in OAuth 2.0 RFC 6749, section 4.1) involves exchanging a short-lived authorization code for tokens.

This flow can only be used for confidential applications (such as Regular Web Applications), because the application's credentials (a client secret or private key) are sent in the code exchange and must be kept secure on the server side.

How Authorization Code Flow works

(Sequence diagram: Authorization Code Flow)
  1. User selects Login within application.

  2. Auth0's SDK redirects user to Auth0 Authorization Server (/authorize endpoint).

  3. Auth0 Authorization Server redirects user to login and authorization prompt.

  4. User authenticates using one of the configured login options, and may see a consent prompt listing the permissions Auth0 will give to the application.

  5. Auth0 Authorization Server redirects user back to application with single-use authorization code.

  6. Auth0's SDK sends authorization code, application's client ID, and application's credentials, such as client secret or Private Key JWT, to Auth0 Authorization Server (/oauth/token endpoint).

  7. Auth0 Authorization Server verifies authorization code, application's client ID, and application's credentials.

  8. Auth0 Authorization Server responds with an ID token and access token (and optionally, a refresh token).

  9. Application can use the access token to call an API to access information about the user.

  10. API responds with requested data.
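The application's side of steps 2, 5, 6 and 8, as an added example that is not Auth0's SDK or any code from this page: it builds the /authorize redirect with the state parameter that RFC 6749 recommends, checks that state on the callback, and exchanges the code with the client credentials at /oauth/token. The tenant domain, client ID, client secret and authorization code are constructed placeholders, and the token endpoint is a stub that mimics step 7 (credential check, single-use code) so the script runs offline.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholders: substitute your tenant's values.
DOMAIN = "YOUR_TENANT.auth0.com"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
CLIENT_SECRET = "CLIENT_SECRET_PLACEHOLDER"  # confidential: stays on the server
REDIRECT_URI = "https://app.example.com/callback"

def start_login():
    """Step 2: build the /authorize redirect. Returns (state, url); keep the
    state in the user's session and compare it when the code comes back."""
    state = secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": "openid profile", "state": state}
    return state, f"https://{DOMAIN}/authorize?{urlencode(params)}"

def finish_login(callback_url, session_state, post):
    """Steps 5-8: check the callback, then trade the single-use code plus the
    client credentials at /oauth/token. `post(url, form) -> dict` is injected
    so the exchange can be stubbed offline."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != session_state:
        raise ValueError("state mismatch: response does not belong to this login")
    if "error" in query:
        raise ValueError(f"authorization server returned {query['error'][0]}")
    return post(f"https://{DOMAIN}/oauth/token", {
        "grant_type": "authorization_code", "code": query["code"][0],
        "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET})

class FakeAuth0:
    """Stand-in for step 7, constructed for this example: checks the client
    credentials and lets each authorization code be redeemed only once."""
    def __init__(self):
        self.unused_codes = {"CODE123"}   # code issued in step 5

    def post(self, url, form):
        if not url.endswith("/oauth/token") or form["grant_type"] != "authorization_code":
            return {"error": "unsupported_grant_type"}
        if (form["client_id"], form["client_secret"]) != (CLIENT_ID, CLIENT_SECRET):
            return {"error": "invalid_client"}
        if form["code"] not in self.unused_codes:
            return {"error": "invalid_grant"}   # unknown or replayed code
        self.unused_codes.discard(form["code"])
        return {"access_token": "at.example", "id_token": "idt.example", "token_type": "Bearer"}
```

A second redemption of the same code fails with invalid_grant, which is the behaviour step 5's "single-use" wording implies and the reason a leaked code is far less valuable than a leaked token.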

How to implement Authorization Code Flow

The easiest way to implement the Authorization Code Flow is to follow our Regular Web App Quickstarts.

Alternatively, you can use the Authentication API to implement the Authorization Code Flow. For more information, read Add Login Using the Authorization Code Flow or Call Your API Using the Authorization Code Flow.
