What is the OAuth Authorization Code, and why is it only briefly useful?
It's a short-lived, single-use code the authorization server hands back after login, which the client then exchanges for the real tokens — it is not itself a credential to call APIs.
The authorization code is an intermediate value:
- Issued in step 5, delivered to the client via a browser redirect (front channel — so it is visible to the user/browser).
- It's one-time use and short-lived. On its own it grants nothing.
- The client redeems it in the back channel for the actual access/ID tokens.
Why this indirection instead of just handing over tokens in the redirect? Because the redirect passes through the browser, where URLs leak into history, logs, and Referer headers. A leaked code is far less damaging than a leaked token: the code is useless without the client secret, and it can only be redeemed once.
Tip: This is precisely why the flow is called the Authorization Code flow — the code is the safe-to-expose stand-in for the sensitive tokens.