response_type=code
- This tells the authorization server that the application is initiating the authorization code flow.

client_id
- The public identifier for the application, obtained when the developer first registered the application.

redirect_uri
- Tells the authorization server where to send the user back to after they approve the request.

scope
- One or more space-separated strings indicating which permissions the application is requesting. The specific OAuth API you’re using will define the scopes that it supports.

state
- The application generates a random string and includes it in the request. It should then check that the same value is returned after the user authorizes the app. This is used to prevent CSRF attacks.

redirect_uri specified by the application, adding a code and state to the query string.

The state value will be the same value that the application initially set in the request. The application is expected to check that the state in the redirect matches the state it originally set. This protects against CSRF and other related attacks.

The code is the authorization code generated by the authorization server. This code is relatively short-lived, typically lasting between 1 and 10 minutes depending on the OAuth service.

grant_type=authorization_code
- This tells the token endpoint that the application is using the Authorization Code grant type.

code
- The application includes the authorization code it was given in the redirect.

redirect_uri
- The same redirect URI that was used when requesting the code. Some APIs don’t require this parameter, so you’ll need to double check the documentation of the particular API you’re accessing.

client_id
- The application’s client ID.

client_secret
- The application’s client secret. This ensures that the request to get the access token is made only from the application, and not from a potential attacker that may have intercepted the authorization code.
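
The three steps described above (authorization request, state check on the redirect, token request parameters), as an added example that is not part of the original page. The endpoint, client ID, client secret, redirect URI and the dict-based session are constructed placeholders, and the function names are hypothetical.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed placeholder values; substitute those of your OAuth service.
AUTHORIZE_URL = "https://authorization-server.example/authorize"
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
REDIRECT_URI = "https://app.example/callback"


def build_authorization_url(session, scope):
    """Build the authorization request and store state in the user's session."""
    state = secrets.token_urlsafe(32)  # unguessable, generated per request
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,  # space-separated string
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def handle_redirect(session, callback_url):
    """Verify state on the redirect, then return the token request fields."""
    query = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: a replay fails
    returned = query.get("state", [""])[0]
    # Constant-time comparison on bytes; a missing stored state also fails.
    if expected is None or not hmac.compare_digest(
        expected.encode(), returned.encode()
    ):
        raise ValueError("state mismatch: rejecting redirect")
    if "code" not in query:
        raise ValueError("no authorization code in redirect")
    return {
        "grant_type": "authorization_code",
        "code": query["code"][0],
        "redirect_uri": REDIRECT_URI,  # same value as in the first request
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }
```

The returned dict is the form body to POST to the token endpoint over TLS from the server side, so the client secret never reaches the browser.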