Authentication & OAuth

OAuth Implicit Flow (Legacy)

A deprecated OAuth 2.0 grant type that returned access tokens directly in the URL fragment after the authorization redirect, without an intermediate code exchange step. Designed for single-page applications before PKCE existed, it exposes tokens in browser history, referrer headers, and server logs. The OAuth 2.0 Security Best Current Practice (RFC 9700) forbids its use; Authorization Code with PKCE is the recommended replacement for all public clients.
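The distinction described above, as an added example that is not code from the original page: a function (runnable in Node.js or a browser) that inspects an authorization request URL and flags requests that return an access token in the authorization response, or that use the code flow without an S256 PKCE challenge. The endpoint, client ID, challenge value and function name are constructed for illustration.

```javascript
// Added example: audit OAuth 2.0 authorization request URLs.
// SAMPLES are constructed; auth.example.com and spa-demo are placeholders.
const BASE = "https://auth.example.com/authorize?client_id=spa-demo" +
  "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb&state=xyz";

const SAMPLES = {
  implicit: BASE + "&response_type=token",
  hybrid: BASE + "&response_type=code%20token",
  codeNoPkce: BASE + "&response_type=code",
  codePlain: BASE + "&response_type=code&code_challenge=CONSTRUCTED_CHALLENGE",
  codePkce: BASE + "&response_type=code&code_challenge=CONSTRUCTED_CHALLENGE" +
    "&code_challenge_method=S256",
};

function auditAuthorizationRequest(requestUrl) {
  const params = new URL(requestUrl).searchParams;
  // response_type is a space-delimited set; order carries no meaning.
  const types = new Set(
    (params.get("response_type") || "").split(/\s+/).filter(Boolean)
  );
  const findings = [];

  if (types.size === 0) {
    findings.push("response_type missing");
  }
  if (types.has("token")) {
    // Implicit (or hybrid) request: the access token comes back in the
    // redirect URL fragment, with no back-channel code exchange.
    findings.push("access token issued in the authorization response");
  }
  if (types.has("code")) {
    if (!params.get("code_challenge")) {
      findings.push("code flow without PKCE: code_challenge missing");
    } else if (params.get("code_challenge_method") !== "S256") {
      // RFC 7636: an absent code_challenge_method defaults to "plain".
      findings.push("PKCE challenge is plain: use code_challenge_method=S256");
    }
  }
  return { responseTypes: [...types].sort(), ok: findings.length === 0, findings };
}

for (const [name, url] of Object.entries(SAMPLES)) {
  const result = auditAuthorizationRequest(url);
  console.log(name, result.ok ? "OK" : result.findings.join("; "));
}
```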

Related protocols

See also