
Authorization code flow in Rest API

Introduction

The authorization code flow (OAuth 2.0, RFC 6749) is how a web app obtains permission to call an API on a user's behalf. The user signs in at the authorization server, never at the app, so the app never sees the password. What the app receives is a short-lived, single-use authorization code, which it exchanges for an access token in a direct server-to-server request.

When a web app needs to access user data held by another service without handling the user's credentials.
When you want users to log in with an account they already have at a provider such as Google or Facebook (OpenID Connect runs on top of this flow).
When your app has a back end that can keep a client_secret, so the token exchange can happen away from the browser.
When your app needs a refresh token so it can keep calling the API later without asking the user to approve again each time.
When you want a standard, widely reviewed way to get permission from users instead of a home-grown scheme.
Syntax
1. Redirect the user's browser to the authorization server with response_type=code, client_id, redirect_uri, the requested scope and a random per-login state value (and, with PKCE, a code_challenge).
2. The user logs in at the authorization server and approves the requested access.
3. The authorization server redirects the browser back to redirect_uri with code and the same state in the query string.
4. The app checks that state matches what it stored, then sends code, client_id, client_secret, redirect_uri and grant_type=authorization_code to the token endpoint (plus code_verifier if PKCE was used).
5. The token endpoint validates the code and returns the access token (and optionally a refresh token) to the app.

The authorization code is a short-lived, single-use credential: it is only good for one exchange at the token endpoint, and only by the client it was issued to.

The redirect_uri must match a value registered with the authorization server exactly, and the same value must be sent again in the token request.

Examples
This URL sends the user to the authorization server to approve access. The redirect_uri is percent-encoded, and state is a random value the app stores in the user's session so it can recognise the callback later.
GET https://auth.example.com/authorize?response_type=code&client_id=abc123&redirect_uri=https%3A%2F%2Fmyapp.com%2Fcallback&scope=read&state=RANDOM_STATE
This request exchanges the authorization code for an access token. It is sent from the app's back end, not from the browser, which is why client_secret can appear here. If PKCE was used in the authorize request, the body also carries code_verifier.
POST https://auth.example.com/token
Headers: Content-Type: application/x-www-form-urlencoded
Body: code=AUTH_CODE&client_id=abc123&client_secret=secret&redirect_uri=https%3A%2F%2Fmyapp.com%2Fcallback&grant_type=authorization_code
Sample Program

This program shows the main steps from the client's side: building the authorize URL (with state and a PKCE challenge), receiving the code, checking state, and exchanging the code for an access token.

import base64
import hashlib
import secrets
from urllib.parse import urlencode

import requests

CLIENT_ID = "abc123"
CLIENT_SECRET = "secret"      # in real code, load from the environment or a secret store
REDIRECT_URI = "https://myapp.com/callback"

# Per-login values the app must remember across the redirect (normally kept in the session)
state = secrets.token_urlsafe(16)            # ties the callback to this login attempt
code_verifier = secrets.token_urlsafe(64)    # PKCE (RFC 7636); never sent in step 1
code_challenge = base64.urlsafe_b64encode(
    hashlib.sha256(code_verifier.encode("ascii")).digest()
).rstrip(b"=").decode("ascii")

# Step 1: Redirect user to this URL (simulated by printing it)
auth_url = "https://auth.example.com/authorize?" + urlencode({
    "response_type": "code",
    "client_id": CLIENT_ID,
    "redirect_uri": REDIRECT_URI,            # urlencode() percent-encodes it
    "scope": "read",
    "state": state,
    "code_challenge": code_challenge,
    "code_challenge_method": "S256",
})
print(f"Go to this URL to authorize: {auth_url}")

# Step 2: After the user approves, the browser lands on REDIRECT_URI?code=...&state=...
# (simulated by typing both values in)
authorization_code = input("Enter the authorization code you received: ")
returned_state = input("Enter the state value from the callback URL: ")
if not secrets.compare_digest(returned_state.encode(), state.encode()):
    raise SystemExit("state mismatch: this callback was not started by us, discarding the code")

# Step 3: Exchange the code for an access token (server-to-server, so the secret stays off the browser)
response = requests.post(
    "https://auth.example.com/token",
    data={
        "grant_type": "authorization_code",
        "code": authorization_code,
        "redirect_uri": REDIRECT_URI,        # must equal the value used in step 1
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "code_verifier": code_verifier,      # proves we are the client that started the flow
    },
    timeout=10,
)

if response.status_code == 200:
    token_data = response.json()
    print(f"Access token: {token_data.get('access_token')}")
else:
    # RFC 6749 error responses carry an "error" field such as invalid_grant or invalid_client
    print(f"Failed to get token: {response.status_code} {response.text}")
Important Notes

The authorization code flow is safer than the implicit flow: the access token is delivered to the app's back end in response to a direct request, not exposed in the browser's URL fragment, history or referrer headers.

Keep client_secret on the server and out of source control. Browser-only and mobile apps cannot keep a secret; they should use this flow with PKCE instead of embedding one.

Generate a fresh random state for every login and reject any callback whose state does not match; without it an attacker can complete the flow with their own code and log the user into the attacker's account (login CSRF).

Redirect URIs must match the registered value exactly. Prefix, wildcard or "same domain" matching lets an attacker register a look-alike URI and receive the user's code.

Treat the code as single-use and short-lived: a code that can be exchanged twice, or minutes later, is a replay target for anyone who saw it in a log or referrer.
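The steps in the Syntax section and the checks in these notes are easiest to see with both sides of the exchange in one place. The following is an added example, not code from the original page: it models the client with the functions a real app would need and, so that the whole exchange runs offline, pairs it with a deliberately minimal in-memory authorization server (ToyAuthServer, an illustrative stand-in and not a real implementation). The client_id, secret, endpoint and redirect_uri are the placeholder values used elsewhere on this page.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 requires for code_challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """PKCE (RFC 7636, S256): a random verifier and the SHA-256 challenge derived from it."""
    verifier = secrets.token_urlsafe(64)  # 86 chars, inside the 43..128 limit
    return verifier, b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(endpoint, client_id, redirect_uri, scope, state, code_challenge):
    """Step 1: the URL the app redirects the browser to. urlencode() escapes redirect_uri."""
    params = {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": scope, "state": state,
        "code_challenge": code_challenge, "code_challenge_method": "S256",
    }
    return f"{endpoint}?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Step 3: pull the code out of the redirect, refusing it unless state matches."""
    q = parse_qs(urlparse(callback_url).query)
    state = q.get("state", [""])[0]
    if not state or not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: this callback was not started by our session")
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}")
    return q["code"][0]


class ToyAuthServer:
    """Minimal in-memory authorization server (illustration only, not a real implementation)."""

    def __init__(self):
        self.clients = {}  # client_id -> {"secret": str, "redirect_uris": set}
        self.codes = {}    # code -> what it was issued for

    def register(self, client_id, secret, redirect_uri):
        self.clients[client_id] = {"secret": secret, "redirect_uris": {redirect_uri}}

    def authorize(self, authorize_url, user="alice"):
        """Steps 2-3: pretend `user` logged in and approved; return the redirect carrying the code."""
        q = {k: v[0] for k, v in parse_qs(urlparse(authorize_url).query).items()}
        client = self.clients.get(q.get("client_id"))
        if client is None or q.get("response_type") != "code":
            raise ValueError("unauthorized_client")
        # Exact string comparison: no prefix, suffix or path tolerance, and never redirect on failure.
        if q.get("redirect_uri") not in client["redirect_uris"]:
            raise ValueError("invalid redirect_uri")
        if q.get("code_challenge_method") != "S256" or "code_challenge" not in q:
            raise ValueError("invalid_request: PKCE required")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {
            "client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
            "scope": q.get("scope", ""), "challenge": q["code_challenge"],
            "user": user, "expires": time.time() + 60,  # short-lived
        }
        return f"{q['redirect_uri']}?{urlencode({'code': code, 'state': q.get('state', '')})}"

    def token(self, form):
        """Steps 4-5: exchange the code. It is popped on first use, so a replay finds nothing."""
        rec = self.codes.pop(form.get("code"), None)
        if rec is None or time.time() > rec["expires"]:
            raise ValueError("invalid_grant: unknown, replayed or expired code")
        client = self.clients.get(form.get("client_id"))
        if client is None or not secrets.compare_digest(
                client["secret"].encode(), form.get("client_secret", "").encode()):
            raise ValueError("invalid_client")
        if (form.get("grant_type") != "authorization_code"
                or rec["client_id"] != form["client_id"]
                or rec["redirect_uri"] != form.get("redirect_uri")):
            raise ValueError("invalid_grant: code was issued to a different client or redirect_uri")
        # PKCE: only the client that started the flow knows the verifier behind the challenge.
        if b64url(hashlib.sha256(form.get("code_verifier", "").encode("ascii")).digest()) != rec["challenge"]:
            raise ValueError("invalid_grant: PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": rec["scope"]}


def run_flow(server=None, client_id="abc123", client_secret="secret",
             redirect_uri="https://myapp.com/callback"):
    """Drive all five steps against the toy server and return the token response."""
    if server is None:
        server = ToyAuthServer()
        server.register(client_id, client_secret, redirect_uri)
    state = secrets.token_urlsafe(16)        # would live in the user's session
    verifier, challenge = make_pkce_pair()   # verifier never leaves the app
    url = build_authorize_url("https://auth.example.com/authorize",
                              client_id, redirect_uri, "read", state, challenge)
    callback = server.authorize(url)         # the browser round-trip, simulated
    code = parse_callback(callback, state)
    return server.token({
        "grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
        "client_id": client_id, "client_secret": client_secret, "code_verifier": verifier,
    })


if __name__ == "__main__":
    print(run_flow())
```

Three failure modes from the notes above can be reproduced against this server directly: calling parse_callback with a different expected_state rejects the callback, calling token a second time with the same form is refused because the code was consumed, and an authorize URL whose redirect_uri is https://myapp.com.evil.com/callback is rejected before any code is issued.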

Summary

The authorization code flow lets an app obtain permission to act for a user without ever handling the user's password.

It works through a short-lived, single-use code that the app's back end exchanges for an access token, with state tying the callback to the login attempt and an exact redirect_uri match keeping the code away from attackers.

This flow is the standard choice for web apps with a server side that need secure access to user data; public clients use the same flow with PKCE.