---
title: Hybrid grant type
description: In a hybrid authorize flow, an authorization code is returned from the authorization endpoint, some tokens are returned from the authorization endpoint, and others are returned from the token endpoint. The authorization endpoint's response_type property specifies the code type and it also specifies id_token, or token, or both. An authorization code (specified by the code response type) is always returned in a hybrid flow.
component: pingone-api
page_id: pingone-api:foundations:authentication-concepts/authorization-flow-by-grant-type/hybrid-grant-type
canonical_url: https://developer.pingidentity.com/pingone-api/foundations/authentication-concepts/authorization-flow-by-grant-type/hybrid-grant-type.html
section_ids:
  hybrid-authorize-request-using-get: Hybrid authorize request using GET
  hybrid-authorize-request-using-post: Hybrid authorize request using POST
---

# Hybrid grant type

In a hybrid authorize flow, an authorization code is returned from the authorization endpoint, some tokens are returned from the authorization endpoint, and others are returned from the token endpoint. The authorization endpoint's `response_type` property specifies the `code` type and it also specifies `id_token`, or `token`, or both. An authorization code (specified by the `code` response type) is always returned in a hybrid flow.

PingOne supports `GET` and `POST` HTTP methods for initiating the authorize request.

## Hybrid authorize request using GET

**Step 1:** Send an authorize request to the PingOne authorization server using `GET`.

```bash
# response_type values are space-separated; the space is URL-encoded as %20
curl --location --request GET '{{authPath}}/{{envID}}/as/authorize?response_type=code%20token&client_id={{appID}}&redirect_uri={{redirect_uri}}&scope=openid'
```

The request requires the following properties in the request URL:

* `response_type`: For a hybrid grant the response type always includes `code`, and it also specifies `id_token`, or `token`, or both.

* `client_id`: The application's ID.

* `redirect_uri`: The URL to redirect the browser after sign on.

* `scope`: The permissions that specify accessible resources.

The response returns a `Location` HTTP header that specifies the URL for the sign-on screen and the flow ID for the sign-on workflow. For information about additional optional query parameters that can be set on the request, refer to [Authorize (hybrid)](../../../auth/openid-connect-oauth-2/authorize-hybrid.html#get-authorize-hybrid-get) in *Platform Auth APIs*.

**Step 2:** After the sign-on flow completes, call the resume endpoint.

```bash
curl --location --request GET '{{authPath}}/{{envID}}/as/resume?flowId={{flowID}}' \
--header 'Cookie: {{sessionToken}}'
```

The request requires the following properties in the request URL:

* `flowId`: The ID for the authentication flow.

The `Location` HTTP header returned by the resume endpoint contains the authorization code. For a hybrid authorization flow, the `Location` header also contains the access token, the ID token, or both, as specified in the `response_type` property.

**Step 3:** Call the token endpoint to exchange the authorization code for a token.

```bash
curl --location --request POST '{{authPath}}/{{envID}}/as/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'code={{authCode}}' \
--data-urlencode 'redirect_uri={{redirect_uri}}'
```

The request requires the following properties in the request body:

* `grant_type`: The grant type of the token request. In this example, the value is `authorization_code`.

* `code`: The authorization code value returned by the resume endpoint.

* `redirect_uri`: The URL that specifies the return entry point of the application.

The token endpoint exchanges the `code` for an access token, ID token, or both. For information about the authorization code token request based on the application's `tokenEndpointAuthMethod`, refer to [Token](../../../auth/openid-connect-oauth-2/token-intro.html) in *Platform Auth APIs*.

## Hybrid authorize request using POST

The authorize request using `POST` is essentially the same as the `GET` request and accepts all the same parameters. For the `POST` request, the parameters and their values are form-serialized: the parameter names and values are added to the entity body of the HTTP request, and the request specifies the `Content-Type: application/x-www-form-urlencoded` header.

**Step 1:** Send an authorize request to the PingOne authorization server using `POST`.

```bash
curl --location --request POST '{{authPath}}/{{envID}}/as/authorize' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'response_type=code id_token' \
--data-urlencode 'client_id={{appID}}' \
--data-urlencode 'redirect_uri={{redirect_uri}}' \
--data-urlencode 'scope=openid'
```

The request requires the following properties in the request body:

* `response_type`: For a hybrid grant the response type always includes `code`, and it also specifies `id_token`, or `token`, or both.

* `client_id`: The application's ID.

* `redirect_uri`: The URL to redirect the browser after sign on.

* `scope`: The permissions that specify accessible resources.

The response returns a `Location` HTTP header that specifies the URL for the sign-on screen and the flow ID for the sign-on workflow. For information about additional optional parameters that can be set on the request, refer to [Authorize (hybrid)](../../../auth/openid-connect-oauth-2/authorize-hybrid-1.html#post-authorize-hybrid-post) in *Platform Auth APIs*.

**Step 2:** After the sign-on flow completes, call the resume endpoint. The `Location` HTTP header returned by the resume endpoint contains the authorization code. For a hybrid authorization flow, the `Location` header also contains the access token, the ID token, or both, as specified in the `response_type` property.

```bash
curl --location --request GET '{{authPath}}/{{envID}}/as/resume?flowId={{flowID}}' \
--header 'Cookie: {{sessionToken}}'
```

**Step 3:** Call the token endpoint to exchange the authorization code for a token.

```bash
curl --location --request POST '{{authPath}}/{{envID}}/as/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'code={{authCode}}' \
--data-urlencode 'redirect_uri={{redirect_uri}}'
```
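
A client-side check for the step 2 redirect in both the `GET` and `POST` flows above, as an added example that is not part of the PingOne documentation: it parses the `Location` value returned by the resume endpoint, confirms that everything requested in `response_type` came back, and verifies the ID token's `c_hash` and `at_hash` claims (OpenID Connect Core, section 3.3.2.11) against the returned code and access token before the code is sent to the token endpoint. The function names, the `app.example.com` callback, and delivery in the URL fragment are assumptions; ID token signature and claim validation are assumed to be done separately with a JWT library.

```python
import base64
import hashlib
import json
from urllib.parse import parse_qs, urlsplit

# JWS alg suffix -> hash for c_hash/at_hash (OpenID Connect Core, section 3.3.2.11)
HASHES = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}
PARAM_FOR = {"code": "code", "token": "access_token", "id_token": "id_token"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_json(part: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def half_hash(value: str, alg: str) -> str:
    """base64url of the left half of hash(value); the hash follows the JWS alg."""
    digest = HASHES[alg[-3:]](value.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])

def parse_hybrid_redirect(location: str, response_type: str) -> dict:
    """Parse the resume Location value; raise ValueError if it fails the checks."""
    parts = urlsplit(location)
    # Assumption: parameters arrive in the fragment (OIDC default), else the query.
    params = {k: v[0] for k, v in parse_qs(parts.fragment or parts.query).items()}
    if "error" in params:
        raise ValueError(f"authorization error: {params['error']}")
    for rt in response_type.split():
        if PARAM_FOR[rt] not in params:
            raise ValueError(f"missing {PARAM_FOR[rt]} for response_type {rt!r}")
    if "id_token" in params:
        header, payload, _sig = params["id_token"].split(".")
        alg, claims = b64url_json(header)["alg"], b64url_json(payload)
        # c_hash binds the ID token to the code, at_hash to the access token.
        for claim, key in (("c_hash", "code"), ("at_hash", "access_token")):
            if key in params and claims.get(claim) != half_hash(params[key], alg):
                raise ValueError(f"{claim} does not match returned {key}")
    return params

def constructed_location(code: str, c_hash: str) -> str:
    """Constructed sample redirect with an unsigned placeholder ID token."""
    enc = lambda obj: b64url(json.dumps(obj).encode())
    id_token = f"{enc({'alg': 'RS256'})}.{enc({'c_hash': c_hash})}.sig"
    return f"https://app.example.com/callback#code={code}&id_token={id_token}"

if __name__ == "__main__":
    sample = constructed_location("abc123", half_hash("abc123", "RS256"))
    print(parse_hybrid_redirect(sample, "code id_token")["code"])
```

A `c_hash` mismatch means the code in the redirect is not the one the ID token was issued with, so the client should discard the response instead of calling the token endpoint.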
