Authorization Code + PKCE: Browser/mobile apps with public clients. | Client Credentials: Service-to-service access. | Device Code: Input-limited devices (TV/CLI).

Access Token: Short-lived token used to call APIs. | Refresh Token: Used to obtain new access tokens. | ID Token (OIDC): User identity claims (OpenID Connect).

code_verifier: Random secret generated by the client. | code_challenge: Transformed verifier sent to auth server. | code_challenge_method: S256 recommended.

OAuth 2.0 Quick Guide

A practical overview of OAuth 2.0 flows, tokens, and PKCE for modern apps.

Grant Types

Key / Code	Description
Authorization Code + PKCE	Browser/mobile apps with public clients.
Client Credentials	Service-to-service access.
Device Code	Input-limited devices (TV/CLI).
Refresh Token	Long-lived session renewal.

Tokens

Key / Code	Description
Access Token	Short-lived token used to call APIs.
Refresh Token	Used to obtain new access tokens.
ID Token (OIDC)	User identity claims (OpenID Connect).

PKCE Parameters

Key / Code	Description
code_verifier	Random secret generated by the client.
code_challenge	Transformed verifier sent to auth server.
code_challenge_method	S256 recommended.

Security Tips

Use HTTPS everywhere, validate redirect URIs, rotate refresh tokens, and use PKCE for public clients.

Choosing the Right Flow

Use Authorization Code with PKCE for browser and mobile apps, Client Credentials for machine-to-machine calls, and Device Code when the device cannot host a normal browser login. Avoid mixing flows without a clear reason, because each one implies different token storage and trust boundaries.

Knowledge is power.