LOGBOOK

HELP

Quiz Entry - updated: 2026.05.26

What is the OAuth Authorization Code, and why is it only briefly useful?

It's a short-lived, single-use code the authorization server hands back after login, which the client then exchanges for the real tokens — it is not itself a credential to call APIs.

The authorization code is an intermediate value:

  • Issued in step 5, delivered to the client via a browser redirect (front channel — so it is visible to the user/browser).
  • It's one-time use and short-lived. On its own it grants nothing.
  • The client redeems it in the back channel for the actual access/ID tokens.

Why this indirection instead of just handing over tokens in the redirect? Because the redirect passes through the browser, where URLs leak into history, logs, and Referer headers. A leaked code is far less damaging than a leaked token: the code is useless without the client secret, and it can only be redeemed once.

Tip: This is precisely why the flow is called the Authorization Code flow — the code is the safe-to-expose stand-in for the sensitive tokens.

From Quiz: INTROL / Web Authentication: Cookies, OAuth 2.0 / OIDC & WebAuthn | Updated: May 26, 2026