
Grant types

The OAuth 2.0 specification defines five methods (known as grant types) that an API client can use to request an access token. The grant type your application should use depends largely on the following three factors:

  • Required access level.
    • User-level: API authorization is delegated to your application by a marketplace end user so that your application can make API requests as if they were the user.
    • System-level: API authorization is delegated to your application directly, not on behalf of an end user.
  • Ability to keep a client secret secure.
  • Access to an end user's login credentials (username and password).

Use the following table to determine which grant type is appropriate for your client.

| Grant type         | Access level required | Client can secure client secret | Access to user credentials | Supports refresh token | Sample use case                                              |
|--------------------|-----------------------|---------------------------------|----------------------------|------------------------|--------------------------------------------------------------|
| Authorization Code | user                  | yes                             | no                         | yes                    | Web server application; native application (with PKCE)       |
| Implicit           | user                  | no                              | no                         | no                     | JavaScript application                                       |
| Password           | user                  | yes                             | yes                        | yes                    | Trusted web server applications that require direct login    |
| Client credentials | system                | no                              | no                         | no                     | System-to-system integrations                                |
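As an added example (not code from the original page or from the marketplace's own SDK), the following Python shows how a native client that cannot keep a client secret still uses the Authorization Code grant: it derives a PKCE code challenge (RFC 7636, S256 method), builds the authorization request, and performs the server-side check that binds the returned code to the client that started the flow. The authorization endpoint, client ID and redirect URI are placeholder values.

```python
import base64
import hashlib
import secrets
import urllib.parse


def _b64url(raw: bytes) -> str:
    # base64url without '=' padding, as RFC 7636 requires.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    # 32 random bytes encode to 43 unreserved characters (allowed range 43..128).
    return _b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    # S256: BASE64URL(SHA256(ASCII(code_verifier))).
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(authorize_endpoint: str, client_id: str, redirect_uri: str,
                        scope: str, state: str, verifier: str) -> str:
    # The client sends only the challenge; the verifier stays on the device and is
    # presented later at the token endpoint, so no client secret is needed.
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,  # CSRF binding for the redirect back to the client
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return authorize_endpoint + "?" + urllib.parse.urlencode(params)


def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    # Authorization server side: recompute the challenge from the verifier sent
    # with the code exchange and compare in constant time.
    return secrets.compare_digest(stored_challenge, make_code_challenge(presented_verifier))


if __name__ == "__main__":
    # Placeholder endpoint and client values (not the marketplace's real ones).
    v = make_code_verifier()
    url = build_authorize_url("https://auth.example.com/oauth2/authorize", "example-client-id",
                              "com.example.app:/callback", "read", secrets.token_urlsafe(16), v)
    print(url)
    print(verify_pkce(make_code_challenge(v), v))  # True on a valid exchange
```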

For some end-user flows (Authorization Code and Password), you can use the optional Refresh Token grant type to automatically obtain a new access token after the current token expires. If you do not use a Refresh Token, the user has to re-authenticate for the API client to acquire a new access token to replace the expired one.
