Identity and Access Management
`client_id` and `client_secret` provide access to all your data, so keep them secure. Do not share them publicly by checking them into GitHub or client-side code.
`expires_in` value and requesting a new token before the current one expires if you need longer sessions for machine-to-machine authentication.
`offline_access` scope is requested.
Flow Type | Application Type | Client Secret Required | Refresh Token Support |
---|---|---|---|
Client Credentials | Machine-to-machine | ✅ Yes | ❌ No |
Authorization Code | Traditional web apps | ✅ Yes | ✅ Yes |
Authorization Code + PKCE | SPAs, mobile apps | ❌ No | ✅ Yes |
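
Because the Client Credentials flow issues no refresh token, a machine-to-machine service has to track `expires_in` and request a new token itself before the current one lapses. The following is an added example, not code from the original page: `fetch_token` is a hypothetical callable that performs the token request, and the `CLIENT_ID`/`CLIENT_SECRET` environment variable names and the 60-second renewal margin are assumptions.

```python
import os
import time


class ClientCredentialsTokenCache:
    """Caches a client-credentials access token and re-requests it before expiry.

    fetch_token is a hypothetical callable (client_id, client_secret) -> dict
    holding the parsed token response: "access_token" and "expires_in" (seconds).
    """

    def __init__(self, fetch_token, client_id, client_secret, skew=60, clock=time.monotonic):
        self._fetch = fetch_token
        self._id = client_id
        self._secret = client_secret
        self._skew = skew      # assumed margin: renew this many seconds early
        self._clock = clock    # monotonic clock, immune to wall-clock changes
        self._token = None
        self._renew_at = 0.0

    def get(self):
        now = self._clock()
        if self._token is None or now >= self._renew_at:
            resp = self._fetch(self._id, self._secret)
            token = resp.get("access_token")
            expires_in = resp.get("expires_in")
            if not token or not isinstance(expires_in, (int, float)) or expires_in <= 0:
                # Fail closed: do not keep serving a stale token after a bad response.
                self._token = None
                raise ValueError("token response missing access_token or expires_in")
            self._token = token
            # For very short lifetimes, renew at half-life instead of a past deadline.
            lifetime = expires_in - self._skew if expires_in > 2 * self._skew else expires_in / 2
            self._renew_at = now + lifetime
        return self._token

    def __repr__(self):
        # Keep the secret and the token out of logs and tracebacks.
        return "<ClientCredentialsTokenCache client_id=%r>" % self._id


def credentials_from_env(env=os.environ):
    """Load credentials from the environment rather than from source code."""
    try:
        return env["CLIENT_ID"], env["CLIENT_SECRET"]
    except KeyError as missing:
        raise RuntimeError("missing environment variable %s" % missing) from None
```
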
`offline_access` scope to receive refresh tokens