Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.

Global Accelerated Learning • Est. 1999
Glossary Term Authorization Code Flow

Training Camp • Cybersecurity Glossary

What is Authorization Code Flow?

The OAuth 2.0 authorization code flow exchanges a redirect-issued code for access and refresh tokens, hardened by PKCE for public and confidential clients.

Glossary > Identity & Access Management > Authorization Code Flow

Understanding Authorization Code Flow

The authorization code flow is the most widely used OAuth 2.0 grant type, in which a client redirects the user to an authorization server, receives a short-lived authorization code after the user consents, and then exchanges that code at the token endpoint for access and refresh tokens. Keeping tokens off the front channel reduces exposure, and the PKCE extension, defined in RFC 7636, is now recommended for all clients, including public ones such as single-page and mobile apps. It underpins both OAuth authorization and OpenID Connect authentication.

Learn More About Authorization Code Flow:

Ready to Get Certified?

Authorization Code Flow is one of the topics you'll master in the Security+ Boot Camp.

Security+ Boot Camp →