---
descriptions:
  workos_connect_token_authorization_code_grant:
    grant_type: Always `"authorization_code"` for this flow.
    code: >
      The authorization code received from authenticating the user, provided
      when the user is redirected back to the client.
    redirect_uri: >
      The URL to redirect the user to after they have logged in. This must be
      the same redirect URI used in the initial `/oauth2/authorize` request.
    code_verifier: >
      The code verifier used for PKCE (Proof Key for Code Exchange). This is the
      original random string

      that was used to generate the `code_challenge` in the authorization
      request. Required when using

      PKCE.


      **Note:** PKCE is only supported by applications created through Dynamic
      Client Registration,

      which is required to use MCP (Model Context Protocol) authorization. For
      setup instructions,

      see our [MCP guide](/authkit/mcp).
reference:
  curl:
    - url: /reference/workos-connect/token/authorization-code-grant
      key: workos_connect_token_authorization_code_grant
      id: workos_connect_token_authorization_code_grant
      title: /oauth2/token
      type: POST
      parameters:
        - key: client_id
          type: string
          description: (workos_connect_token_request.client_id)
        - key: client_secret
          type: string
          description: (workos_connect_token_request.client_secret)
        - key: grant_type
          type: '"authorization_code"'
          description: (workos_connect_token_authorization_code_grant.grant_type)
        - key: code
          type: string
          description: (workos_connect_token_authorization_code_grant.code)
        - key: redirect_uri
          type: string
          description: (workos_connect_token_authorization_code_grant.redirect_uri)
        - key: code_verifier
          type: string
          description: (workos_connect_token_authorization_code_grant.code_verifier)
          optional: true
      returns:
        - key: anonymous
          type: object
          unwrap: true
          properties:
            - key: access_token
              type: string
              description: (workos_connect_token_response.access_token)
            - key: expires_in
              type: integer
              description: (workos_connect_token_response.expires_in)
            - key: id_token
              type: string
              description: (workos_connect_token_response.id_token)
            - key: refresh_token
              type: string
              optional: true
              description: (workos_connect_token_response.refresh_token)
            - key: token_type
              type: '"bearer"'
              description: (workos_connect_token_response.token_type)
originalPath: >-
  .tmp-workos-clone/packages/docs/content/reference/workos-connect/token/authorization-code-grant.mdx
---

### Authorization code grant

Used by WorkOS Connect OAuth Applications to exchange an authorization code for access tokens, ID tokens, and refresh tokens.

<CodeBlock referenceId="workos_connect_token_authorization_code_grant">
  <CodeBlockTab title="Request" file="token-authorization-code-grant-request" />
  <CodeBlockTab
    title="Response"
    file="token-authorization-code-grant-response"
  />
</CodeBlock>