Skip to main content
This tutorial will help you call your own API using the Authorization Code Flow. If you want to learn how the flow works and why you should use it, see Authorization Code Flow. If you want to learn to add login to your regular web app, see Add Login Using the Authorization Code Flow.
Auth0 makes it easy for your app to implement the Flow using:

Prerequisites

Before beginning this tutorial:
  • Register your Application with Auth0.
    • Select an Application Type of Regular Web Apps.
    • Add an Allowed Callback URL of {https://yourApp/callback}.
    • Make sure your Application’s Grant Types include Authorization Code. To learn how, read Update Grant Types.
    • If you want your Application to be able to use refresh tokens, make sure the Application’s Grant Types include refresh token. To learn how, read Update Grant Types. To learn more about Refresh Tokens, read refresh tokens.
  • Register your API with Auth0
    • If you want your API to receive refresh tokens to allow it to obtain new tokens when the previous ones expire, enable Allow Offline Access.

Steps

This step may include one or more of the following processes:
  • Authenticating the user
  • Redirecting the user to an Identity Provider to handle authentication
  • Checking for active Single Sign-on (SSO) sessions
  • Obtaining user consent for the requested permission level, unless consent has been previously given.
To authorize the user, your app must send the user to the authorization URL.

Example authorization URL

Parameters
Note that for authorizing a user when calling a custom API, you:
  • must include an audience parameter
  • can include additional scopes supported by the target API
As an example, your HTML snippet for your authorization URL when adding login to your app might look like:

Response

If all goes well, you’ll receive an HTTP 302 response. The authorization code is included at the end of the URL:
Now that you have an Authorization Code, you must exchange it for tokens. Using the extracted Authorization Code (code) from the previous step, you will need to POST to the token URL.

Example POST to token URL

Parameters

Response

If all goes well, you’ll receive an HTTP 200 response with a payload containing access_token, refresh_token, id_token, and token_type values:
Validate your tokens before saving them. To learn how, read Validate ID Tokens and Validate Access Tokens.
ID tokens contain user information that must be decoded and extracted.Access tokens are used to call the Auth0 Authentication API’s /userinfo endpoint or another API. If you are calling your own API, the first thing your API will need to do is verify the Access token.Refresh tokens are used to obtain a new access token or ID token after the previous one has expired. The refresh_token will only be present in the response if you included the offline_access scope and enabled Allow Offline Access for your API in the Dashboard.
Refresh tokens must be stored securely since they allow a user to remain authenticated essentially forever.
To call your API from a regular web application, the application must pass the retrieved access token as a Bearer token in the Authorization header of your HTTP request.
You have already received a refresh token if you’ve been following this tutorial and completed the following:
  • configured your API to allow offline access
  • included the offline_access scope when you initiated the authentication request through the authorize endpoint.
You can use the Refresh Token to get a new access token. Usually, a user will need a new access token only after the previous one expires or when gaining access to a new resource for the first time. It’s bad practice to call the endpoint to get a new access token every time you call an API, and Auth0 maintains rate limits that will throttle the amount of requests to the endpoint that can be executed using the same token from the same IP.To refresh your token, make a POST request to the /oauth/token endpoint in the Authentication API, using grant_type=refresh_token.
Example POST to token URL
Parameters
Response
If all goes well, you’ll receive an HTTP 200 response with a payload containing a new access_token, its lifetime in seconds (expires_in), granted scope values, and token_type. If the scope of the initial token included openid, then the response will also include a new id_token:
Validate your tokens before saving them. To learn how, read Validate ID Tokens and Validate Access Tokens.

Sample use cases

Customize tokens

You can use Auth0 Actions to modify the scopes of an and/or add custom claims to access and . To learn more about Actions, see Understand how Auth0 Actions Work. To do so, add the following Post-Login Action, which will run after the user authenticates:
Auth0 returns profile information in a structured claim format as defined by the OpenID Connect (OIDC) specification. This means that custom claims added to ID tokens or access tokens must conform to guidelines and restrictions to avoid possible collisions.

Learn more