OAuth 2.0 Grant Types
Last updated: April 2026
OAuth 2.0 grant types define how an application obtains an access token. Choosing the wrong grant type is a common security mistake.
Authorization Code + PKCE (recommended for web and mobile)
# 1. Generate code_verifier and code_challenge
code_verifier  = base64url(random(32))
code_challenge = base64url(sha256(code_verifier))

# 2. Redirect to authorization endpoint
GET /authorize
  ?client_id=CLIENT_ID
  &response_type=code
  &redirect_uri=https://yourapp.com/callback
  &scope=openid profile
  &code_challenge=CODE_CHALLENGE
  &code_challenge_method=S256

# 3. Exchange code for token
POST /token
  code=AUTH_CODE
  &grant_type=authorization_code
  &code_verifier=CODE_VERIFIER
  &client_id=CLIENT_ID
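The three PKCE steps above, worked through in Python as an added example (this is not code from the page): the client derives the verifier/challenge pair and builds the /authorize redirect, and the authorization-server side shows the check that gives PKCE its value, namely that the verifier presented at /token must hash to the challenge bound to the code. The host auth.example.com, the CLIENT_ID value and the state parameter (the CSRF check normally paired with this flow) are assumptions of the example, not taken from the page.

```python
# Added example, not from the original page. Standard library only.
import base64
import hashlib
import secrets
from urllib.parse import quote, urlencode

AUTHORIZE_ENDPOINT = "https://auth.example.com/authorize"  # placeholder host


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Step 1: (code_verifier, code_challenge) for the S256 method."""
    code_verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside the 43..128 range
    code_challenge = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return code_verifier, code_challenge


def build_authorize_url(client_id: str, redirect_uri: str,
                        code_challenge: str, state: str) -> str:
    """Step 2: the redirect to /authorize with every value URL-encoded
    (the page shows 'openid profile' unencoded; on the wire it is openid%20profile)."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "state": state,  # assumed addition: client compares it on the callback
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params, quote_via=quote)


def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Step 3, server side: the /token endpoint must refuse the exchange
    unless sha256(code_verifier) matches the challenge stored with the code.
    This is what stops an intercepted authorization code from being redeemed."""
    recomputed = b64url(hashlib.sha256(presented_verifier.encode("ascii")).digest())
    return secrets.compare_digest(recomputed, stored_challenge)


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    print(build_authorize_url("CLIENT_ID", "https://yourapp.com/callback",
                              challenge, secrets.token_urlsafe(16)))
    print("token exchange accepted:", verify_pkce(challenge, verifier))
```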
Client Credentials (server-to-server)
POST /token
  grant_type=client_credentials
  &client_id=CLIENT_ID
  &client_secret=CLIENT_SECRET
  &scope=api:read
Deprecated: do not use
Implicit: returns tokens in the URL fragment. Deprecated in OAuth 2.1. Tokens in URLs are logged and leaked.
Resource Owner Password: user sends username/password directly to your app. Deprecated. Use Authorization Code instead.