OAuth2 Visualizer
A simple visual guide to common OAuth2 flows used in API integration and backend security.
Authorization Code Flow
Used when a user signs in through an authorization server and the application receives an authorization code that is exchanged for tokens.
Browser-based user login flow using redirect-based authentication.
Tokens involved
Security notes
Used for
Real-World Examples
OAuth2 can feel complicated, so here are two simple examples with realistic-looking values. The important idea is: the app first proves who it is, then receives a token, and then uses that token to call an API.
Sign in with Microsoft
A person signs in to the app. First, the app receives a temporary login code. Then the app exchanges that code for an access token that allows it to call APIs. An access token is like a temporary digital key that allows an app to use an API on behalf of a user or system.
-
1.
The user opens the app:
https://portal.contoso-app.com
- 2. The user clicks Sign in with Microsoft.
-
3.
The browser goes to the login server:
https://login.microsoftonline.com/contoso/oauth2/v2.0/authorize
-
4.
The app sends a login request with these values:
These values tell Microsoft which app is asking, what access it wants, and where the user should be sent back after login.
client_id=84f2a9ab-demo-client scope=openid profile email User.Read redirect_uri=https://portal.contoso-app.com/callback response_type=code -
5.
After login, the app receives a temporary login code:
code=OAQABAAIAAAD-demo-code
-
6.
The backend swaps the temporary login code for an API access token:
POST /oauth2/v2.0/token
-
7.
The app can now call Microsoft Graph:
GET https://graph.microsoft.com/v1.0/me Authorization: Bearer eyJhbGciOiJSUzI1Ni-demo-token
Backend Service Integration
This is used when one computer system talks to another computer system. No person signs in. Instead, the backend service proves its identity and receives an access token for API access. An access token is like a temporary digital key that allows one system to securely use another system’s API.
- 1. A nightly backend job starts automatically.
-
2.
The backend service identifies itself:
client_id=inventory-sync-service client_secret=•••••••••••••••• -
3.
The backend asks the login server for an API access token:
POST /oauth2/v2.0/token grant_type=client_credentials scope=api://inventory-api/.default -
4.
The login server returns an access token:
access_token=eyJhbGciOiJSUzI1Ni-demo-token
-
5.
The backend calls the protected API:
POST https://api.contoso-inventory.com/orders Authorization: Bearer eyJhbGciOiJSUzI1Ni-demo-token - 6. The systems can now synchronize data automatically.