Grant Types

Understanding Grant Types

Choosing a grant type

Choosing the appropriate grant type for your use case is straightforward. Client Credentials is the easiest to implement but carries no user context. In most cases you will enable both Authorization Code and Client Credentials when setting up your application: Client Credentials lets you test endpoints easily from a tool such as Postman, while Authorization Code gives your application a user context.

There is no separate selection for Authorization Code with PKCE. The flow is the same as Authorization Code with a slightly different implementation: the client adds a code_challenge to the authorization request and the matching code_verifier to the token request.

Authorization Code

The authorization code grant type is the most common OAuth grant type. It is used by applications that need to call APIs on behalf of a user. It is used to obtain both access tokens and refresh tokens, and it is optimized for confidential clients, which can authenticate to the token endpoint with a client_secret that is never exposed to the user's browser or device.

Authorization Code with PKCE

Authorization Code with Proof Key for Code Exchange (PKCE, RFC 7636) is an extension of the Authorization Code grant. With PKCE the client sends a hashed code_challenge in the authorization request and the original code_verifier in the /token request, so the /token request does not need to include a client_secret. This reduces risk for desktop and mobile applications, where a client_secret embedded in the distributed binary could be extracted, and it also stops an attacker who intercepts the authorization code from redeeming it, because they do not hold the code_verifier. Confidential clients should use PKCE as well; it costs nothing extra and current OAuth security guidance recommends it for every authorization code flow.

Client Credentials

The client credentials grant type is used by a client to obtain an access token outside the context of a user. It is typically used to access resources that belong to the client itself rather than a user's resources, for example a backend service or scheduled job calling an API under its own identity. Because the client authenticates with nothing more than its client_id and client_secret, this grant is suitable only for confidential clients that can keep the secret private; it must not be used from a browser or mobile application.
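The following example, added here and not code from the original page or from any particular authorization server, shows the three token requests described in the Authorization Code, PKCE and Client Credentials sections side by side, and implements the PKCE S256 verifier/challenge computation on both the client side and the server side. The endpoint URLs, client identifiers and the authorization code value are constructed for illustration. The last function simulates the interception case: an attacker who captured the authorization code and the public code_challenge, but not the code_verifier, cannot complete the exchange.

```python
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import urlencode

# Hypothetical endpoints, assumed for this example.
AUTHORIZE_URL = "https://auth.example.com/oauth2/authorize"
TOKEN_URL = "https://auth.example.com/oauth2/token"


def b64url(data: bytes) -> str:
    """Base64url encode without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes -> 43 unreserved characters, the RFC 7636 minimum (max 128)."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_request(client_id: str, redirect_uri: str, scope: str,
                                state: str, verifier: str) -> str:
    """Front-channel request: only the challenge leaves the client, never the verifier."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def build_authorization_code_token_request(client_id: str, redirect_uri: str, code: str,
                                           verifier: str,
                                           client_secret: Optional[str] = None) -> dict:
    """Back-channel POST body for /token. A public client sends no client_secret;
    a confidential client sends it in addition to the PKCE verifier."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": verifier,
    }
    if client_secret is not None:
        body["client_secret"] = client_secret
    return body


def build_client_credentials_token_request(client_id: str, client_secret: str,
                                           scope: str) -> dict:
    """No user, no code, no verifier: the client's own identity is the whole request."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }


def server_verify_pkce(stored_challenge: str, stored_method: str,
                       presented_verifier: str) -> bool:
    """What the authorization server does at /token before issuing tokens: recompute the
    challenge from the presented verifier and compare it with the one bound to the code."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    if stored_method == "S256":
        expected = make_code_challenge(presented_verifier)
    elif stored_method == "plain":  # permitted by the RFC, but offers no interception protection
        expected = presented_verifier
    else:
        return False
    return secrets.compare_digest(expected, stored_challenge)


def simulate_code_interception() -> dict:
    """Legitimate client vs. an attacker who captured the authorization code (and the public
    challenge from the redirect) but not the verifier kept in the client's memory."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    # The server binds the issued code to the challenge; the code value is constructed here.
    issued_code = {"code": "SplxlOBeZQQYbYS6WxSbIA", "challenge": challenge, "method": "S256"}
    legitimate = build_authorization_code_token_request(
        "app-123", "https://app.example.com/cb", issued_code["code"], verifier)
    attacker = build_authorization_code_token_request(
        "app-123", "https://app.example.com/cb", issued_code["code"], make_code_verifier())
    return {
        "client_ok": server_verify_pkce(challenge, issued_code["method"], legitimate["code_verifier"]),
        "attacker_ok": server_verify_pkce(challenge, issued_code["method"], attacker["code_verifier"]),
    }
```

Two points worth checking in a real deployment: the server must reject a token request that omits code_verifier when the authorization request carried a code_challenge (otherwise PKCE is silently bypassed), and it should refuse the plain method or at least not advertise it in its metadata, since a plain challenge is the verifier itself and protects nothing.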