Authorization Code Grant Type

When to use: For web or client apps that require a secure user login flow with redirect.

Note:

  • Provides user identity and roles via id_token.
  • Both access and refresh tokens are issued.
  • Ideal for user-based API calls or delegated permissions.

Sample code

curl --location 'https://<idcs_domain_url>/oauth2/v1/token' \
  --header "Authorization: Basic $encoded" \
  --header 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
  --data-urlencode 'grant_type=authorization_code' \
  --data-urlencode 'code=eyJ4NXQjUzI1NiI6InlMTk16d1FuamZFNXp5U2...'

Sample code with mTLS enabled

curl --location 'https://<idcs_secure_domain>/oauth2/v1/token' \
  --cacert ./ca.crt --cert ./client.crt --key ./client.key \
  --header "Authorization: Basic $encoded" \
  --header 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
  --data-urlencode 'grant_type=authorization_code' \
  --data-urlencode 'code=eyJ4NXQjUzI1NiI6InlMTk16d1FuamZFNXp5U2...'

Sample response

{
  "access_token": "eyJraWQiOiJrZXkxIiwiYWxnIjoiUlMyNTYifQ...",
  "refresh_token": "bc12cde3-xxxx-xxxx-xxxx-xxxx",
  "token_type": "Bearer",
  "expires_in": 3600
}
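
The same exchange built and checked in Python, as an added example that is not part of the original page or of Oracle's sample code. It assumes `$encoded` is the standard HTTP Basic credential (base64 of `client_id:client_secret`); the function names, host name and credentials are hypothetical, constructed values.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_PATH = "/oauth2/v1/token"  # path taken from the curl samples


def build_token_request(domain_url, client_id, client_secret, code):
    """Build (without sending) the POST that exchanges an authorization code."""
    # Assumption: $encoded is base64("client_id:client_secret"), i.e. HTTP Basic.
    encoded = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode("ascii")
    # urlencode() plays the role of --data-urlencode; a stray space after '='
    # would be sent as part of the value and the exchange would fail.
    body = urllib.parse.urlencode(
        {"grant_type": "authorization_code", "code": code}
    ).encode("ascii")
    return urllib.request.Request(
        domain_url.rstrip("/") + TOKEN_PATH,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Basic {encoded}",
            "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
        },
    )


def parse_token_response(raw, now=None):
    """Validate the token response and return the fields a client stores."""
    doc = json.loads(raw)  # raises ValueError on malformed JSON
    if str(doc.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type")
    for field in ("access_token", "refresh_token"):
        if not isinstance(doc.get(field), str) or not doc[field]:
            raise ValueError(f"missing {field}")
    expires_in = int(doc["expires_in"])
    if expires_in <= 0:
        raise ValueError("non-positive expires_in")
    now = time.time() if now is None else now
    # Store an absolute expiry so the client refreshes before the token lapses.
    return {"access_token": doc["access_token"],
            "refresh_token": doc["refresh_token"],
            "expires_at": now + expires_in}


if __name__ == "__main__":
    # Constructed values; nothing is sent over the network.
    req = build_token_request("https://idcs.example.invalid", "app", "s3cret", "abc/123")
    print(req.get_method(), req.full_url, req.data.decode())
```

Pass the returned request to `urllib.request.urlopen()` to perform the exchange; for the mTLS variant, supply an `ssl.SSLContext` loaded with the CA, client certificate and key.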

For more details, see Authorization Code Grant Type.