---
title: Authorization code grant type
description: If the grant type is authorization_code, PingOne returns an authorization code in the response to the application's authorization request. The Location HTTP header returned by the /as/resume endpoint contains the authorization code. The authorization code returned in the resume endpoint response is used by the /as/token endpoint to get an ID token, an access token, or both.
component: pingone-api
page_id: pingone-api:foundations:authentication-concepts/authorization-flow-by-grant-type/authorization-code-grant-type
canonical_url: https://developer.pingidentity.com/pingone-api/foundations/authentication-concepts/authorization-flow-by-grant-type/authorization-code-grant-type.html
section_ids:
  authorization-code-authorize-request-using-get: Authorization code authorize request using GET
  authorization-code-authorize-request-using-post: Authorization code authorize request using POST
---

# Authorization code grant type

If the grant type is `authorization_code`, PingOne returns an authorization code in the response to the application's authorization request. The `Location` HTTP header returned by the `/as/resume` endpoint contains the authorization code. The authorization code returned in the resume endpoint response is used by the `/as/token` endpoint to get an ID token, an access token, or both.

PingOne supports `GET` and `POST` HTTP methods for initiating the authorize request.

## Authorization code authorize request using GET

**Step 1:** Send an authorize request to the PingOne authorization server using `GET`.

```bash
curl --location --request GET '{{authPath}}/{{envID}}/as/authorize?response_type=code&client_id={{appID}}&redirect_uri={{redirect_uri}}&scope=openid'
```

The request requires the following properties in the request URL:

* `response_type`: For an `authorization_code` grant, the response type is `code`.

* `client_id`: The application's ID.

* `redirect_uri`: The URL to redirect the browser after sign on.

* `scope`: The permissions that specify accessible resources.

The response returns a `Location` HTTP header that specifies the URL for the sign-on screen and the flow ID for the sign-on workflow. For information about additional optional query parameters that can be set on the request, refer to [Authorize (authorization\_code)](../../../auth/openid-connect-oauth-2/authorize-authorization_code.html#get-authorize-authorization_code-get) in *Platform Auth APIs*.

**Step 2:** After the sign-on flow completes, call the resume endpoint.

```bash
curl --location --request GET '{{authPath}}/{{envID}}/as/resume?flowId={{flowID}}' \
--header 'Cookie: {{sessionToken}}'
```

The request requires the following properties in the request URL:

* `flowId`: The ID for the authentication flow.

The `Location` HTTP header returned by the resume endpoint contains the code. Note that the PingOne API uses session token cookies to establish the user's authentication session and maintain the session throughout the workflow, allowing the flow to redirect back to the authorization server to get the token.

**Step 3:** Call the token endpoint to exchange the authorization code for a token.

```bash
curl --location --request POST '{{authPath}}/{{envID}}/as/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'code={{authCode}}' \
--data-urlencode 'redirect_uri={{redirect_uri}}'
```

The request requires the following properties in the request body:

* `grant_type`: The grant type of the token request. In this example, the value is `authorization_code`.

* `code`: The authorization code value returned by the resume endpoint.

* `redirect_uri`: The URL that specifies the return entry point of the application.

The token endpoint response returns the access token, ID token, or both. For information about the authorization code token request based on the application's `tokenEndpointAuthMethod`, refer to [Token](../../../auth/openid-connect-oauth-2/token-intro.html) in *Platform Auth APIs*.
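The following Python code is an added example, not PingOne's own: it takes the `Location` value returned by `/as/resume` in Step 2, confirms the redirect targets the same `redirect_uri` sent in Step 1, extracts the code, and form-encodes the Step 3 body. The function names, the sample URLs, and the handling of failures through the standard OAuth 2.0 `error` query parameter (RFC 6749) are assumptions of this example.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample values (assumptions, not taken from a real PingOne environment).
REDIRECT_URI = "https://app.example.com/callback"
SAMPLE_LOCATION = "https://app.example.com/callback?code=abc%2F123"


class AuthorizationResponseError(Exception):
    """The resume redirect is not one this client should act on."""


def extract_authorization_code(location: str, redirect_uri: str) -> str:
    """Return the code from the Location value returned by /as/resume."""
    target, expected = urlsplit(location), urlsplit(redirect_uri)
    # Exchange a code only if it was delivered to the exact redirect_uri that
    # was sent in the authorize request (scheme, host[:port] and path).
    if (target.scheme, target.netloc, target.path) != (
        expected.scheme, expected.netloc, expected.path
    ):
        raise AuthorizationResponseError("redirect target does not match redirect_uri")
    params = parse_qs(target.query, keep_blank_values=True)
    # Assumption: failures use the standard OAuth 2.0 `error` parameter (RFC 6749).
    if "error" in params:
        raise AuthorizationResponseError(f"authorization failed: {params['error'][0]}")
    codes = params.get("code", [])
    # Duplicate or empty `code` parameters are ambiguous; refuse them.
    if len(codes) != 1 or not codes[0]:
        raise AuthorizationResponseError("expected exactly one non-empty code")
    return codes[0]


def build_token_request_body(code: str, redirect_uri: str) -> str:
    """Form-encode the body of the Step 3 POST to /as/token."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must repeat the value used in Step 1
    })


if __name__ == "__main__":
    code = extract_authorization_code(SAMPLE_LOCATION, REDIRECT_URI)
    print(build_token_request_body(code, REDIRECT_URI))
```
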

## Authorization code authorize request using POST

The authorize request using `POST` is essentially the same as `GET`. The `POST` request accepts all the same parameters as the `GET` request. For the `POST` request, parameters and their values are form-serialized: the parameter names and values are added to the entity body of the HTTP request, and the request specifies the `Content-Type: application/x-www-form-urlencoded` header.

**Step 1:** Send an authorize request to the PingOne authorization server using `POST`.

```bash
curl --location --request POST '{{authPath}}/{{envID}}/as/authorize' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'response_type=code' \
--data-urlencode 'client_id={{appID}}' \
--data-urlencode 'redirect_uri={{redirect_uri}}' \
--data-urlencode 'scope=openid'
```

The request requires the following properties in the request body:

* `response_type`: For an `authorization_code` grant, the response type is `code`.

* `client_id`: The application's ID.

* `redirect_uri`: The URL to redirect the browser after sign on.

* `scope`: The permissions that specify accessible resources.

The response returns a `Location` HTTP header that specifies the URL for the sign-on screen and the flow ID for the sign-on workflow. For information about additional optional query parameters that can be set on the request, refer to [Authorize (authorization\_code)](../../../auth/openid-connect-oauth-2/authorize-authorization_code-1.html#post-authorize-authorization_code-post) in *Platform Auth APIs*.

**Step 2:** After the sign-on flow completes, call the resume endpoint.

```bash
curl --location --request GET '{{authPath}}/{{envID}}/as/resume?flowId={{flowID}}' \
--header 'Cookie: {{sessionToken}}'
```

**Step 3:** Call the token endpoint to exchange the authorization code for a token.

```bash
curl --location --request POST '{{authPath}}/{{envID}}/as/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'code={{authCode}}' \
--data-urlencode 'redirect_uri={{redirect_uri}}'
```
