The Authorization Code is the first step in the OAuth 2.0 flow.
After the user logs in and approves access, your app receives a short-lived authorization code via the callback URL.

Steps:

1. Redirect user to the Authorization URL.

2. User logs in and grants permissions.

3. App receives an authorization code at your redirect URI.

🔐 Note: This code must be exchanged quickly for an access token.

Use the authorization code to get an access token, which allows your app to make secure API calls on behalf of the user.

POST request to the token endpoint with:

• grant_type=authorization_code

• client_id and client_secret

• redirect_uri

• code (authorization code)

✅ If successful, you’ll receive:

• access_token

• expires_in

• refresh_token (if requested)

With the access token, your app can now make authorized requests to protected APIs.

Use the token in the HTTP request header like:

Examples of API calls:

• Get user profile info

• Access email, calendar, or CRM data

⚠️ Make sure to handle token expiration and errors gracefully.

Refresh Tokens help maintain user sessions without re-authenticating.
When your access token expires, use the refresh token to request a new one:

POST request to token endpoint with:

• grant_type=refresh_token

• client_id and client_secret

• refresh_token

Response:

• New access_token

• Updated expires_in

🚨 Keep refresh tokens secure — they are powerful and long-lived.