The authorization code grant type is designed for confidential clients (e.g. websites with a server back end) that can keep a client secret. Because the client can protect that secret, this grant type may also request the offline_access scope (i.e. ask for a refresh token).
1. Use the authorization endpoint to request an authorization code with the following query parameters:

   response_type = code
   client_id = the client's unique identifier
   redirect_uri = the redirection URL
   state = (optional) a value that is echoed back to the client on the redirect
   scope = (optional) the permissions wanted; if not specified, the default permissions are granted
   response_mode = (optional) query

   A login form is displayed if the user has not yet logged in.

   Expected response

   A redirect to the redirect_uri with the following query parameters:

   code = the authorization code
   state = the state value, if one was given

2. Use the token endpoint to POST a request for the access token with the following headers:

   Content-Type = application/x-www-form-urlencoded
   Authorization = Basic <CREDENTIAL>

   And with the following form parameters:

   grant_type = authorization_code
   code = the authorization code from step 1
   redirect_uri = the redirect_uri used in step 1

   Expected response

   Header

   Content-Type: application/json

   Body

   {
     "access_token": <ACCESS_TOKEN>,
     "token_type": "Bearer",
     "expires_in": 3600,
     "scope": <the scope allowed by the server>
   }

3. Call the API with an Authorization header of the following form:

   Authorization: Bearer <ACCESS_TOKEN>
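The three steps above, carried through as an added example that is not part of the original page or its sample implementation. It builds the step 1 authorization URL, checks the state echoed back on the redirect, builds the step 2 token request (Basic credential header plus form body), parses the JSON token response, and produces the step 3 Bearer header. The endpoint URLs, client id, client secret and redirect URI are assumptions for illustration, and the redirect and token response are constructed inline so the example runs without any network access.

```python
import base64
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical endpoints and client credentials (assumptions, not from the page).
AUTHORIZE_ENDPOINT = "https://auth.example.com/authorize"
TOKEN_ENDPOINT = "https://auth.example.com/token"
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
REDIRECT_URI = "https://app.example.com/callback"


def new_state():
    """Generate a fresh, unguessable state value to store in the user's session."""
    return secrets.token_urlsafe(32)


def build_authorization_url(state, scope=None):
    """Step 1: build the authorization endpoint URL with the documented query parameters."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,          # echoed back on the redirect, checked in parse_redirect
        "response_mode": "query",
    }
    if scope:                    # optional; server grants defaults when omitted
        params["scope"] = scope
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_redirect(redirect_url, expected_state):
    """Handle the redirect to redirect_uri and return the authorization code.

    The state must equal the value stored for this session; a redirect with a
    missing or different state did not originate from a flow this client
    started and is rejected before the code is used.
    """
    query = parse_qs(urlparse(redirect_url).query)
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: redirect does not belong to this session")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("authorization code missing from redirect")
    return code


def build_token_request(code):
    """Step 2: build the headers and form body for the POST to the token endpoint.

    The client credential travels in the HTTP Basic Authorization header, and
    redirect_uri repeats the exact value used in step 1.
    """
    credential = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": "Basic " + credential,
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
    })
    return headers, body


def parse_token_response(body_text):
    """Parse the JSON token response and return the step 3 Authorization header value."""
    token = json.loads(body_text)
    if token.get("token_type", "").lower() != "bearer" or not token.get("access_token"):
        raise ValueError("unexpected token response")
    return "Bearer " + token["access_token"]


if __name__ == "__main__":
    # Constructed sample flow: the redirect and token response are made up here,
    # in a real client they come from the authorization server.
    state = new_state()
    print(build_authorization_url(state, scope="openid offline_access"))
    redirect = f"{REDIRECT_URI}?code=constructed-code-123&state={state}"
    code = parse_redirect(redirect, state)
    headers, body = build_token_request(code)
    print(headers, body)
    sample_response = json.dumps({"access_token": "constructed-token", "token_type": "Bearer",
                                  "expires_in": 3600, "scope": "openid offline_access"})
    print(parse_token_response(sample_response))
```

In a real client the headers and body from build_token_request are sent to TOKEN_ENDPOINT over HTTPS, and the state is kept server-side in the session rather than in a local variable, so that parse_redirect compares against a value the browser could not have chosen.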
Sample implementation can be found here.