Implicit authentication flow

The implicit grant is a simplified version of the authorization code flow, designed for clients that run in a browser. No authorization code is issued; instead, the access token is issued directly to the client.

When should I use this flow? 🤔

We recommend against using the implicit grant authorization flow unless absolutely necessary.

Where possible, use the Authorization Code with PKCE flow.

Implicit grants can improve client responsiveness because the flow has fewer steps: the access token is issued directly. However, because the access token is transmitted in the URI fragment, it's more vulnerable to security threats.
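
As an added example (not part of the original documentation), this browser-side JavaScript handles the fragment that an implicit-grant redirect carries: it checks `state`, extracts the token, and produces a URL with the fragment stripped so the token does not stay in the address bar or history. The callback URL, the `oauth_state` storage key and the sample values are assumptions for illustration; the parameter names are those of RFC 6749, and a bearer token type is assumed.

```javascript
// Constructed sample redirect; parameter names per RFC 6749 section 4.2.2.
const SAMPLE_REDIRECT =
  "https://app.example/callback#access_token=abc123&token_type=Bearer&expires_in=3600&state=xyz";

function parseImplicitRedirect(redirectUrl, expectedState) {
  const url = new URL(redirectUrl);
  // The token response arrives in the fragment, not the query string.
  const params = new URLSearchParams(url.hash.replace(/^#/, ""));

  // URL to display after handling, with the token-bearing fragment removed.
  url.hash = "";
  const cleanUrl = url.toString();

  // Check state first: a response this client did not request is ignored.
  if (!expectedState || params.get("state") !== expectedState) {
    return { ok: false, reason: "state_mismatch", cleanUrl };
  }
  if (params.has("error")) {
    return { ok: false, reason: params.get("error"), cleanUrl };
  }
  const accessToken = params.get("access_token");
  const tokenType = (params.get("token_type") || "").toLowerCase();
  if (!accessToken || tokenType !== "bearer") { // assumption: bearer tokens
    return { ok: false, reason: "malformed_response", cleanUrl };
  }
  const expiresIn = Number(params.get("expires_in"));
  return {
    ok: true,
    accessToken,
    expiresIn: Number.isFinite(expiresIn) && expiresIn > 0 ? expiresIn : null,
    cleanUrl,
  };
}

// Browser wiring (skipped outside a browser). "oauth_state" is a hypothetical
// key under which the client stored the state value before redirecting.
if (typeof window !== "undefined") {
  const expected = sessionStorage.getItem("oauth_state");
  sessionStorage.removeItem("oauth_state"); // state is single-use
  const result = parseImplicitRedirect(window.location.href, expected);
  // Drop the fragment from the current history entry before anything else runs.
  history.replaceState(null, "", result.cleanUrl);
  if (result.ok) {
    // Keep result.accessToken in memory only.
  }
}
```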

Flow

[Diagram: auth with implicit flow]