Script Valley
JWT & Session Auth: Deep Dive
OAuth 2.0 and Third-Party Auth (Lesson 4.1)

OAuth 2.0 authorization code flow step by step

OAuth roles, authorization code flow, redirect URI, authorization code exchange, access token, refresh token, PKCE overview, state parameter

OAuth 2.0 Authorization Code Flow

OAuth 2.0 is an authorization framework, not an authentication protocol. It lets users grant your app access to their data on another service without ever sharing their password for that service with your app.

The authorization code flow — the only flow you should use for server-side apps:

  1. Authorization request: Redirect user to the provider's auth URL with your client_id, redirect_uri, scope, and a random state parameter.
  2. User grants permission: Provider authenticates the user and asks for consent.
  3. Authorization code: Provider redirects back to your redirect_uri with a short-lived code and the state you sent.
  4. Verify state: Check that the state matches what you sent — this prevents CSRF on the OAuth callback.
  5. Token exchange: Your server POSTs to the provider's token endpoint with code, client_id, and client_secret. You receive an access token (and optionally a refresh token).
  6. API calls: Use the access token to fetch user data from the provider's API.

The authorization code is single-use and short-lived (minutes). Tokens are only exchanged server-to-server — the user's browser never sees the client secret or the token exchange, only the authorization code. This is why this flow is the secure choice for server-side apps.

Up next: Implementing Google sign-in with Passport.js
