Authentication & OAuth

OAuth Authorization Code Flow

The most secure OAuth 2.0 grant type for server-side applications, where the authorization server issues a short-lived authorization code to the client's redirect URI after the user approves the request. The client then exchanges the code for tokens via a back-channel (server-to-server) request that includes the client secret, keeping tokens out of the browser and logs. Combined with PKCE, this flow is also the recommended approach for public clients.
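The authorization-server side of the exchange described above, as an added example that is not part of the original page: the code is short-lived, single-use, bound to the client and redirect URI, and redeemed only with the client secret plus the PKCE verifier. The client name, secret, redirect URI and 60-second lifetime are constructed assumptions, and the in-memory store stands in for a real one.

```python
import base64, hashlib, hmac, secrets, time

CODE_TTL = 60  # seconds; assumed lifetime for the short-lived code
CLIENTS = {"web-app": "constructed-client-secret"}  # constructed sample client
_codes = {}  # authorization code -> grant recorded at the authorization step

def s256(verifier: str) -> str:
    """PKCE S256 transform: base64url(SHA-256(verifier)), padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def issue_code(client_id, redirect_uri, code_challenge, now=None):
    """Front channel: after the user approves, mint a code bound to the request."""
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(32)
    _codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                    "challenge": code_challenge, "expires": now + CODE_TTL}
    return code

def exchange_code(code, client_id, client_secret, redirect_uri, code_verifier, now=None):
    """Back channel: redeem the code. Returns (True, token) or (False, error)."""
    now = time.time() if now is None else now
    grant = _codes.pop(code, None)  # pop: a code can never be redeemed twice
    if grant is None or now > grant["expires"]:
        return False, "invalid_grant"
    secret = CLIENTS.get(client_id)
    if secret is None or not hmac.compare_digest(secret.encode(), client_secret.encode()):
        return False, "invalid_client"
    if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
        return False, "invalid_grant"  # code was issued for a different request
    if not hmac.compare_digest(s256(code_verifier).encode(), grant["challenge"].encode()):
        return False, "invalid_grant"  # caller does not hold the PKCE verifier
    return True, secrets.token_urlsafe(32)

if __name__ == "__main__":
    verifier = secrets.token_urlsafe(48)  # client keeps this; only the hash is sent
    cb = "https://app.example/callback"   # constructed redirect URI
    code = issue_code("web-app", cb, s256(verifier))
    print(exchange_code(code, "web-app", CLIENTS["web-app"], cb, verifier)[0])  # first use
    print(exchange_code(code, "web-app", CLIENTS["web-app"], cb, verifier))     # replay
```
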

Related Protocols

See Also