---
title: Authorization flow by grant type
description: The authorization request flow depends on the grant type you have selected for the application.
component: pingone-api
page_id: pingone-api:foundations:authentication-concepts/authorization-flow-by-grant-type
canonical_url: https://developer.pingidentity.com/pingone-api/foundations/authentication-concepts/authorization-flow-by-grant-type.html
---

# Authorization flow by grant type

The authorization request flow depends on the grant type you have selected for the application.

* [Authorization code grant type](authorization-flow-by-grant-type/authorization-code-grant-type.html)

  If the application's grant type is `authorization_code`, PingOne returns an authorization code in the response to the application's authorization request. The authorization code is used by the `/as/token` endpoint to get an ID token, an access token, or both.

* [Implicit grant type](authorization-flow-by-grant-type/implicit-grant-type.html)

  If the application's grant type is `implicit`, the response to the authorization request is an `id_token`, a `token` (access token), or both, depending on the value of the `response_type` parameter in the authorization request.

* [Hybrid grant type](authorization-flow-by-grant-type/hybrid-grant-type.html)

  In a hybrid authorize flow, the authorization endpoint returns an authorization code and some tokens, and the token endpoint returns the remaining tokens. The authorization endpoint's `response_type` property specifies `code` along with `id_token`, `token`, or both.

* [PKCE parameters](authorization-flow-by-grant-type/pkce-parameters.html)

  For added security, you can also include Proof Key for Code Exchange (PKCE) parameters in the authorization request for the code and hybrid grant types. With PKCE for OAuth, the application generates a random string and includes either that string in plain text or a cryptographic hash of it in the authorization request (`code_challenge`), along with the encoding method used (`code_challenge_method`). After the authorization code is issued in the response, the application includes the original random string (`code_verifier`) in the token request.

* [Device code grant type](authorization-flow-by-grant-type/device-code-grant-type.html)

  If the grant type is `device_code`, PingOne returns an activation code in the response to the `POST /{{envID}}/as/device_authorization` request. It starts a flow that gives OAuth-enabled devices, such as smart TVs, the ability to complete user authorization and access protected resources.

* [Token exchange grant type](authorization-flow-by-grant-type/token-exchange-grant-type.html)

  If an application's grant type is `token_exchange`, PingOne returns an access token in response to the `POST /{{envID}}/as/token` request. The application presents a `subject_token` and optionally, an `actor_token`. Currently, this grant type only issues custom resource access tokens, and not PingOne API access tokens (those with an audience of `https://api.pingone.<region>`).

* [CIBA grant type](authorization-flow-by-grant-type/ciba-grant-type.html)

  If the grant type is `ciba`, PingOne returns an `auth_req_id` value in the response to the `POST /{{envID}}/as/cibaAuthorization` request. The application then polls the `POST /{{envID}}/as/token` endpoint for tokens, including the `auth_req_id` value in the body of the request.

The PingOne platform also supports the `client_credentials` grant type for admin applications, which is not covered in this topic. For information about admin applications that use the `client_credentials` grant type, refer to [Authorization and authentication by application type](authorization-and-authentication-by-application-type.html) and [Token Admin App (client\_credentials)](../../auth/openid-connect-oauth-2/token-admin-app-client_credentials.html#post-token-admin-app-client_credentials) in the *PingOne Platform APIs*.
