> Learn how the Hybrid Flow works to provide optimum access to the ID Token while still leveraging the Authorization Code Flow for the secure and safe retrieval of Access and Refresh Tokens.

# Hybrid Flow

Applications that are able to securely store [Client Credentials](/docs/secure/application-credentials) may benefit from the use of the Hybrid Flow (defined in the [OpenID Connect specification, section 3.3](https://openid.net/specs/openid-connect-core-1_0.html#HybridFlowAuth)). The Hybrid Flow allows your application to have immediate access to an <Tooltip tip="ID Token: Credential meant for the client itself, rather than for accessing a resource." cta="View Glossary" href="/docs/glossary?term=ID+token">ID token</Tooltip> while ensuring secure retrieval of <Tooltip tip="Access Token: Authorization credential, in the form of an opaque string or JWT, used to access an API." cta="View Glossary" href="/docs/glossary?term=access+tokens">access tokens</Tooltip> and <Tooltip tip="Refresh Token: Token used to obtain a renewed access token without forcing users to log in again." cta="View Glossary" href="/docs/glossary?term=refresh+tokens">refresh tokens</Tooltip>. This can be useful in situations where your application needs to immediately access information about the user, but must perform some processing before gaining access to protected resources for an extended period of time.

## How it works

The Hybrid Flow combines steps from the [Implicit Flow with Form Post](/docs/get-started/authentication-and-authorization-flow/implicit-flow-with-form-post) and [Authorization Code Flow](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow):

1. User selects **Login** within application.
2. Application redirects user to Auth0 Authorization Server ([`/authorize` endpoint](https://auth0.com/docs/api/authentication#authorization-code-flow)), passing along `response_type` parameter indicating type of requested credential (ID token and authorization code), and `response_mode` parameter of `form_post` to ensure security.
3. Auth0 Authorization Server redirects user to login and authorization prompt.
4. User authenticates using one of the configured login options, and may see a consent prompt listing the permissions Auth0 will give to the application.
5. Auth0 Authorization Server redirects user back to application with single-use authorization code, and ID token, access token, or both, depending on provided `response_type`.
6. Application sends authorization code, application's client ID, and application's credentials, such as Client Secret or Private Key JWT, to Auth0 Authorization Server ([`/oauth/token` endpoint](https://auth0.com/docs/api/authentication?http#authorization-code-flow43)).
7. Auth0 Authorization Server verifies authorization code, application's client ID, and application's credentials.
8. Auth0 Authorization Server responds with second ID token and access token (and optionally, a refresh token).
9. Application can use second access token to call an API to access information about user.
10. API responds with requested data.
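
The checks an application makes on the step 5 response before it sends the code on in step 6, as an added example (not Auth0's code): it builds the step 2 request, then verifies `state`, `nonce` and the `c_hash` claim that section 3.3 of the OpenID Connect specification uses to bind the authorization code to the ID token. The function names, the `openid profile` scope and the assumption that a JWT library has already verified the ID token's signature, issuer, audience and expiry belong to this example, not to the page.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import urlencode

# The hash used for c_hash follows the ID token's JOSE "alg" header (RS256 -> SHA-256).
_HASHES = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}

def build_authorize_url(domain, client_id, redirect_uri):
    """Step 2: request an ID token and an authorization code, returned by form_post."""
    state, nonce = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    query = urlencode({
        "response_type": "code id_token",
        "response_mode": "form_post",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile",   # assumed scope for this example
        "state": state,              # ties the callback to this browser session
        "nonce": nonce,              # ties the ID token to this request
    })
    # The caller stores state and nonce in the user's server-side session.
    return f"https://{domain}/authorize?{query}", state, nonce

def code_hash(code, alg):
    """Left half of the hash of the code, base64url-encoded without padding."""
    hash_fn = _HASHES.get(alg[-3:])
    if hash_fn is None:
        raise ValueError(f"unsupported alg for c_hash: {alg}")
    digest = hash_fn(code.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[: len(digest) // 2]).rstrip(b"=").decode()

def check_callback(form, header, claims, expected_state, expected_nonce):
    """Step 5: return the code only if it may be sent to /oauth/token (step 6).

    `header` and `claims` are the ID token's header and payload, assumed to be
    already checked for signature, issuer, audience and expiry by a JWT library.
    """
    if not hmac.compare_digest(form.get("state", ""), expected_state):
        raise ValueError("state mismatch")
    if not hmac.compare_digest(claims.get("nonce", ""), expected_nonce):
        raise ValueError("nonce mismatch")
    expected = code_hash(form["code"], header["alg"])
    if not hmac.compare_digest(claims.get("c_hash", ""), expected):
        raise ValueError("c_hash mismatch: code is not bound to this ID token")
    return form["code"]
```

A `c_hash` mismatch means the posted code was not issued together with the posted ID token, so the application should discard both rather than exchange the code.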

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  If your application only needs to use Hybrid Flow for sign-on, you will not need a Refresh Token or an Access Token, only an ID Token with claims.
</Callout>

## How to implement it

You can follow our tutorial to use the Authentication API to [Call Your API Using the Hybrid Flow](/docs/get-started/authentication-and-authorization-flow/hybrid-flow/call-api-hybrid-flow).

## Learn more

* [Auth0 Rules](/docs/customize/rules)
* [Auth0 Hooks](/docs/customize/hooks)
* [Tokens](/docs/secure/tokens)
* [Token Best Practices](/docs/secure/tokens/token-best-practices)
* [Which OAuth 2.0 Flow Should I Use?](/docs/get-started/authentication-and-authorization-flow/which-oauth-2-0-flow-should-i-use)
* [Application Credentials](/docs/secure/application-credentials)
