The authorization code is a short-lived, single-use value the authorization server returns to the client on a successful OAuth callback. The client exchanges it (plus the client secret and PKCE verifier) for actual access and ID tokens.
Where it comes from
- User clicks “Sign in with Google”
- Your app redirects to Google’s /authorize endpoint with the request
- User authenticates with Google
- Google redirects back to your callback URL with ?code=<authorization_code>
What you do with it
Your server makes a back-channel POST to the token endpoint:
POST /token
code=<authorization_code>
client_id=<your_client_id>
client_secret=<your_secret> (confidential clients only)
code_verifier=<pkce_verifier>
grant_type=authorization_code
redirect_uri=<original_redirect_uri>
The server returns:
- An access token
- Possibly a refresh token
- In OIDC: an ID token
Security properties
- Short-lived — typically 10 minutes maximum
- Single-use — once exchanged, it can’t be exchanged again
- Bound to the client and redirect URI — can’t be used by a different app
- Bound to the PKCE verifier — a stolen code is useless without the verifier
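The exchange above and the four binding properties, as an added worked example that is not part of this glossary and is not Google's or any library's code. It models both sides in plain Python: the client helpers generate the PKCE pair and the state value, build the /authorize redirect, validate the callback and assemble the back-channel POST body; a toy in-memory authorization server issues codes and enforces single use, the 10-minute lifetime, client/redirect-URI binding, confidential-client authentication and the PKCE check at the token endpoint. All function and class names, endpoint URLs and client identifiers are assumptions of this example.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


def _s256(verifier):
    """PKCE S256 transform: BASE64URL(SHA256(verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


# ---- Client side (hypothetical helper names, not an SDK) ----

def make_pkce_pair():
    """Return (code_verifier, code_challenge); the verifier never leaves the client's session."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, _s256(verifier)


def build_authorize_url(authz_endpoint, client_id, redirect_uri, code_challenge, state):
    """Front-channel redirect the browser is sent to (the /authorize step)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,                      # ties the callback to this login attempt
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{authz_endpoint}?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Extract ?code= from the callback, refusing it unless state matches the session."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback not tied to this login attempt")
    return query["code"][0]


def build_token_request(code, client_id, redirect_uri, code_verifier, client_secret=None):
    """Body of the back-channel POST /token; client_secret only for confidential clients."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }
    if client_secret is not None:
        body["client_secret"] = client_secret
    return body


# ---- Toy authorization server: in-memory model of the code's security properties ----

class ToyAuthServer:
    CODE_TTL = 600  # seconds; RFC 6749 recommends at most 10 minutes

    def __init__(self, client_secrets=None, clock=time.time):
        self._codes = {}                      # code -> record of what it is bound to
        self._client_secrets = client_secrets or {}
        self._clock = clock                   # injectable so expiry can be exercised offline

    def issue_code(self, client_id, redirect_uri, code_challenge):
        """Called after the user authenticated; records the bindings the token endpoint will check."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "challenge": code_challenge,
            "expires_at": self._clock() + self.CODE_TTL,
        }
        return code

    def exchange(self, req):
        """Token endpoint. The code is popped first, so any failed check still consumes it."""
        record = self._codes.pop(req.get("code", ""), None)
        if record is None:                                     # unknown, or already used once
            return {"error": "invalid_grant"}
        if req.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        if self._clock() > record["expires_at"]:               # short-lived
            return {"error": "invalid_grant"}
        if req.get("client_id") != record["client_id"]:        # bound to the client
            return {"error": "invalid_grant"}
        if req.get("redirect_uri") != record["redirect_uri"]:  # bound to the redirect URI
            return {"error": "invalid_grant"}
        expected_secret = self._client_secrets.get(record["client_id"])
        if expected_secret is not None and not secrets.compare_digest(
            req.get("client_secret", "").encode(), expected_secret.encode()
        ):                                                     # confidential client authentication
            return {"error": "invalid_client"}
        if not secrets.compare_digest(_s256(req.get("code_verifier", "")), record["challenge"]):
            return {"error": "invalid_grant"}                  # bound to the PKCE verifier
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}
```

The order of checks in `exchange` is deliberate: the code is removed from storage before anything is validated, so a replay after a successful exchange, or after any failed attempt, gets the same generic `invalid_grant`. On the client side, `parse_callback` rejects a callback whose `state` does not match the session, which is what stops a code minted for one login attempt from being delivered into another.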
The authorization code flow is the secure OAuth default. Always prefer it over implicit flow (deprecated) or direct token issuance.
See the full auth glossary for related terms.