OAuth 2.0 Quick Guide
A practical overview of OAuth 2.0 flows, tokens, and PKCE for modern apps.
Grant Types
| Key / Code | Description |
|---|---|
| Authorization Code + PKCE | Browser/mobile apps with public clients. |
| Client Credentials | Service-to-service access. |
| Device Code | Input-limited devices (TV/CLI). |
| Refresh Token | Long-lived session renewal. |
Tokens
| Key / Code | Description |
|---|---|
| Access Token | Short-lived token used to call APIs. |
| Refresh Token | Used to obtain new access tokens. |
| ID Token (OIDC) | User identity claims (OpenID Connect). |
PKCE Parameters
| Key / Code | Description |
|---|---|
| code_verifier | Random secret generated by the client. |
| code_challenge | Transformed verifier sent to auth server. |
| code_challenge_method | S256 recommended. |
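The following is an added example (not part of the original guide) showing the S256 transform from RFC 7636 on both sides: the client derives `code_challenge` from a fresh `code_verifier`, and the token endpoint recomputes and compares it. Function names and the decision to reject the `plain` method are this example's own choices.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636: verifier is 43..128 chars from the unreserved set [A-Za-z0-9-._~]
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_nopad(data: bytes) -> str:
    """Base64url without '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(nbytes: int = 32) -> str:
    """Client side: 32 random bytes -> 43-char verifier (the RFC minimum)."""
    return b64url_nopad(secrets.token_bytes(nbytes))


def code_challenge_s256(code_verifier: str) -> str:
    """Client side: S256 challenge = base64url(SHA-256(ASCII(verifier)))."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return b64url_nopad(digest)


def authorization_params(client_id: str, redirect_uri: str, code_verifier: str, state: str) -> dict:
    """Client side: query parameters for the authorization request (verifier stays local)."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": code_challenge_s256(code_verifier),
        "code_challenge_method": "S256",
    }


def verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Server side at the token endpoint: stored_challenge/method were saved with the
    authorization code; presented_verifier arrives in the token request."""
    if stored_method != "S256":          # this example accepts only S256, never 'plain'
        return False
    if not VERIFIER_RE.match(presented_verifier):
        return False
    expected = code_challenge_s256(presented_verifier)
    return hmac.compare_digest(expected, stored_challenge)  # constant-time compare
```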
Security Tips
Use HTTPS everywhere, validate redirect URIs against an exact registered allowlist, rotate refresh tokens on every use, and always use PKCE for public clients (browser and mobile apps that cannot keep a client secret).