Flow Configuration
1. Prepare Authorization Request
Generate the PKCE `code_verifier` and `code_challenge`.
code_verifier
code_challenge (S256)
2. Redirect to Authorization Server
The user is sent to the `/authorize` endpoint to log in and approve scopes.
Constructed Auth URL
3. Callback Redirect
The server redirects back to your `/callback` URI with an authorization code.
Authorization Code
State (Verified)
4. Exchange Code for Tokens
Post the code and the `code_verifier` to the `/token` endpoint.
HTTP Request
```
POST /oauth/token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&
code=YOUR_CODE&
client_id=YOUR_CLIENT_ID&
redirect_uri=YOUR_CALLBACK&
code_verifier=YOUR_VERIFIER
```
JSON Response