About OAuth 2.0 Flows Explained

Auth code + PKCE, client credentials, device, token types, scopes. Part of the DevTools Surf developer suite. Browse more tools in the Info / Guides collection.

Use Cases

• Backend devs implementing Google or GitHub social login
• Mobile developers securing API access with PKCE authorization flow
• Platform teams designing OAuth scopes for third-party API access
• Security engineers auditing token storage and refresh mechanisms

Tips

• Start with Auth Code + PKCE for any browser-based application
• Check the token types section to understand access vs refresh tokens
• Use the flow decision tree to pick the right grant for your client type

Fun Facts

• OAuth 2.0 (RFC 6749) was published in October 2012 by Eran Hammer, who later resigned from the project calling it 'the road to hell' due to committee compromises.
• PKCE (Proof Key for Code Exchange, RFC 7636) was originally designed for mobile apps in 2015 but is now recommended for all public clients including SPAs.
• The implicit flow, once the standard for SPAs, was formally deprecated by the OAuth Security Best Current Practice draft in 2019 due to token leakage risks.

FAQ

Authorization Code + PKCE — which apps?

Modern web apps, mobile, and SPAs. PKCE adds a challenge/verifier to prevent intercept attacks. The current standard for user-facing auth.

Client credentials?

Service-to-service (no user involved). Client secret authenticates the service; no user redirect. For backend APIs talking to other APIs.

What's the device flow?

For devices without browsers (smart TVs, CLIs). Device shows a code; user logs in on a phone. Think 'setting up Netflix on a Roku'.

Access vs refresh tokens?

Access token is short-lived (minutes to an hour) and carries the auth. Refresh token is long-lived (days to weeks) and gets new access tokens without re-login.