What are the OAuth 2.0 grant types and when do you use each?
Answer
OAuth 2.0 defines several grant types; the four you will meet most often are below. (Refresh Token, Device Authorization and the deprecated Resource Owner Password Credentials grants also exist and are out of scope here.)

Authorization Code: the user logs in and consents at the authorization server via a browser redirect, the authorization server redirects back to the client with a short-lived, one-time authorization code, and the client's backend exchanges that code at the token endpoint, authenticating with its client secret. Tokens travel server-to-server, so neither the access token nor the refresh token passes through the browser. Use it for confidential clients such as server-side web applications.

Authorization Code + PKCE (Proof Key for Code Exchange, RFC 7636): the same flow, but the client first generates a random code_verifier, sends its SHA-256 hash as code_challenge (code_challenge_method=S256) on the authorization request, and presents the original verifier when redeeming the code; the authorization server hashes the verifier and rejects the exchange if it does not match. It was designed for public clients (SPAs, native and mobile apps) that cannot keep a client secret, and it defeats authorization-code interception: an attacker who captures the code from the redirect does not hold the verifier and cannot redeem it. The OAuth 2.0 Security Best Current Practice now recommends PKCE for all clients, confidential ones included, because it also protects against code injection on the redirect.

Client Credentials: machine-to-machine, with no user involved. The client authenticates directly to the token endpoint with client_id and client_secret (or a stronger client authentication method, such as private_key_jwt or mutual TLS) and receives an access token that represents the application itself. Use it for backend services, daemons and cron jobs; remember that the resulting token carries no user identity, so the resource server authorizes the client, not a person.

Implicit (deprecated): returned the access token directly to the browser in the redirect URL fragment, where it leaks via browser history, referrers and any script on the page, with no client authentication and no way to bind the token to the client. It has been replaced by Authorization Code + PKCE; do not use it in new implementations.
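The PKCE check and the client-credentials request described above, as an added example that is not part of the original answer. It is self-contained Python: `ToyAuthorizationServer` is a hypothetical in-memory stand-in for the authorization server (only the pieces needed to issue and redeem a code), and `CLIENT_ID`, `REDIRECT_URI` and the example endpoint URLs are constructed sample values. The two functions at the end contrast the legitimate client redeeming its own code with an attacker who captured the code from the redirect but never saw the verifier.

```python
"""Added example: PKCE on both sides of the Authorization Code grant, plus a Client
Credentials token request. ToyAuthorizationServer is a hypothetical in-memory stand-in."""
import base64
import hashlib
import hmac
import secrets
import urllib.parse
from typing import Optional

CLIENT_ID = "spa-client"                      # constructed sample values
REDIRECT_URI = "https://app.example/callback"


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def make_pkce_pair() -> tuple:
    """Client side: random verifier (43..128 unreserved chars) and its S256 challenge."""
    code_verifier = secrets.token_urlsafe(64)  # 86 chars drawn from A-Z a-z 0-9 - _
    return code_verifier, s256_challenge(code_verifier)


def build_authorization_url(authorize_endpoint: str, client_id: str, redirect_uri: str,
                            scope: str, state: str, code_challenge: str) -> str:
    """Front-channel request the browser is sent to (response_type=code)."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": scope, "state": state,  # state ties the redirect back to this session
              "code_challenge": code_challenge, "code_challenge_method": "S256"}
    return f"{authorize_endpoint}?{urllib.parse.urlencode(params)}"


class ToyAuthorizationServer:
    """Just enough authorization server to show the PKCE check at the token endpoint."""

    def __init__(self) -> None:
        self._pending = {}  # code -> (client_id, redirect_uri, code_challenge, method)

    def authorize(self, client_id: str, redirect_uri: str, code_challenge: str,
                  method: str = "S256") -> str:
        """Runs after the user has logged in and consented; returns the one-time code."""
        if method not in ("S256", "plain"):
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(32)
        self._pending[code] = (client_id, redirect_uri, code_challenge, method)
        return code

    def token(self, code: str, client_id: str, redirect_uri: str,
              code_verifier: Optional[str]) -> Optional[dict]:
        """Back-channel token endpoint (grant_type=authorization_code); fails closed."""
        entry = self._pending.pop(code, None)  # one-time use: a replayed code is unknown
        if entry is None:
            return None
        exp_client, exp_redirect, challenge, method = entry
        if client_id != exp_client or redirect_uri != exp_redirect:
            return None
        if code_verifier is None or not 43 <= len(code_verifier) <= 128:
            return None
        expected = s256_challenge(code_verifier) if method == "S256" else code_verifier
        if not hmac.compare_digest(expected, challenge):
            return None  # whoever presented the code does not hold the verifier
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}


def client_credentials_request(token_endpoint: str, client_id: str,
                               client_secret: str, scope: str) -> tuple:
    """Machine-to-machine: no user, no redirect. Returns (url, headers, body) for the POST;
    the client authenticates with HTTP Basic over form-urlencoded id:secret (RFC 6749 2.3.1)."""
    cred = f"{urllib.parse.quote_plus(client_id)}:{urllib.parse.quote_plus(client_secret)}"
    headers = {"Authorization": "Basic " + base64.b64encode(cred.encode("ascii")).decode("ascii"),
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": scope})
    return token_endpoint, headers, body


def legitimate_exchange() -> bool:
    """The SPA that started the flow redeems its own code with its own verifier."""
    server = ToyAuthorizationServer()
    verifier, challenge = make_pkce_pair()
    code = server.authorize(CLIENT_ID, REDIRECT_URI, challenge)
    return server.token(code, CLIENT_ID, REDIRECT_URI, verifier) is not None


def intercepted_code_exchange() -> bool:
    """An attacker who captured the code from the redirect, but never saw the verifier, redeems it."""
    server = ToyAuthorizationServer()
    _verifier, challenge = make_pkce_pair()
    code = server.authorize(CLIENT_ID, REDIRECT_URI, challenge)
    return server.token(code, CLIENT_ID, REDIRECT_URI, secrets.token_urlsafe(64)) is not None
```

Calling `legitimate_exchange()` returns True and `intercepted_code_exchange()` returns False; the only difference between the two is whether the party redeeming the code can produce the verifier whose SHA-256 the server stored at authorization time. Note that a real token endpoint also checks the client's own authentication (absent for a public client), the code's expiry, and that a replayed code causes revocation of tokens already issued for it; the toy server only consumes the code on first use.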