Authorization Code


The Authorization Code grant type is used when the client wants to request access to protected resources on behalf of another user (i.e. a third party). This is the grant type most often associated with OAuth.

Read more about authorization code

Use Cases


Create an instance of OAuth2\GrantType\AuthorizationCode and add it to your server:

// create a storage object to hold new authorization codes
$storage = new OAuth2\Storage\Pdo(array('dsn' => 'sqlite:authcodes.sqlite'));

// create the grant type
$grantType = new OAuth2\GrantType\AuthorizationCode($storage);

// add the grant type to your OAuth server

Example Request

Authorization Codes are retrieved using the Authorize Controller. The client must send the user to the OAuth server’s authorize URL.

First, redirect the user to the following URL:


A successful authorization will pass the client the authorization code in the URL via the supplied redirect_uri:


Once this is done, a token can be requested using the authorization code.

$ curl -u TestClient:TestSecret -d 'grant_type=authorization_code&code=xyz'
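The three steps above from the client's side, as an added example that is not part of the library or its documentation: build the authorize URL, validate the callback, and build the token request body. The endpoint and callback URLs are placeholders, the function names are hypothetical, and the `state` and `redirect_uri` parameters follow RFC 6749 rather than anything shown on this page.

```php
<?php
// AUTHORIZE_URL and REDIRECT_URI are placeholders (assumptions), not values from the page.
const AUTHORIZE_URL = 'https://auth.example.com/authorize';
const REDIRECT_URI  = 'https://client.example.com/callback';

// Step 1: URL the user is sent to; a random state value binds it to this session.
function buildAuthorizeUrl(array &$session, string $clientId): string
{
    $session['oauth_state'] = bin2hex(random_bytes(16));
    return AUTHORIZE_URL . '?' . http_build_query([
        'response_type' => 'code',
        'client_id'     => $clientId,
        'redirect_uri'  => REDIRECT_URI,
        'state'         => $session['oauth_state'],
    ]);
}

// Step 2: validate the callback query string and return the authorization code.
function extractCode(array &$session, array $query): string
{
    $expected = $session['oauth_state'] ?? '';
    unset($session['oauth_state']);          // a state value is accepted only once
    $state = $query['state'] ?? '';
    if ($expected === '' || !is_string($state) || !hash_equals($expected, $state)) {
        throw new RuntimeException('State mismatch, callback rejected');
    }
    if (isset($query['error'])) {
        throw new RuntimeException('Authorization server returned an error');
    }
    if (!isset($query['code']) || !is_string($query['code']) || $query['code'] === '') {
        throw new RuntimeException('No authorization code in callback');
    }
    return $query['code'];
}

// Step 3: POST body for the token request; client credentials go in HTTP Basic (curl -u).
function tokenRequestBody(string $code): string
{
    return http_build_query([
        'grant_type'   => 'authorization_code',
        'code'         => $code,
        'redirect_uri' => REDIRECT_URI,      // must match the value sent in step 1
    ]);
}

$session = [];                               // stands in for $_SESSION
echo buildAuthorizeUrl($session, 'TestClient'), PHP_EOL;
$callback = ['code' => 'xyz', 'state' => $session['oauth_state']];  // constructed callback
echo tokenRequestBody(extractCode($session, $callback)), PHP_EOL;
```

Rejecting a callback whose `state` does not match the session keeps a code issued for a different user from being bound to this session.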

A successful token request will return a standard access token in JSON format:
