OAuth2 Authorization Code with PKCE flow

If the calling client cannot keep the credentials secret, the 'Authorization Code with PKCE' is the recommended flow to use. This flow is primarily used by builders of integrated apps for the Floriday application.


  • A client ID is required:

JSON web token

After registration, the Client ID is provided per application by email.

In this flow, the app sends the Client ID and a challenge together with a redirect URL. After the user has entered their login details, the app receives a code.

This code can then be safely exchanged for a JWT (JSON web token) with a limited period of validity (1 hour). This token is accompanied by a refresh token, which can subsequently be used to obtain a new token with a longer validity period (7 days).
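The two requests described above can be sketched as follows. This is an added example, not Floriday's or Okta's own code: the endpoint URL, client ID and redirect URL are placeholders, and the parameter names and the S256 challenge method are taken from the OAuth2 and PKCE specifications (RFC 6749 and RFC 7636). It also shows the check the authorization server performs when the code is exchanged.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Assumed placeholders: the page gives no endpoint URLs or client ID values.
AUTHORIZE_URL = "https://idp.example/authorize"
CLIENT_ID = "PLACEHOLDER_CLIENT_ID"
REDIRECT_URI = "https://app.example/callback"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_verifier() -> str:
    """Fresh per-login secret: 32 random bytes -> 43 characters."""
    return b64url(secrets.token_bytes(32))


def challenge_for(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorization_url(verifier: str, state: str) -> str:
    """Request 1: client ID, challenge and redirect URL; the verifier stays local."""
    return AUTHORIZE_URL + "?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI, "state": state,
        "code_challenge": challenge_for(verifier),
        "code_challenge_method": "S256",
    })


def token_request_body(code: str, verifier: str) -> dict:
    """Request 2: exchange the code; the verifier proves who started the flow."""
    return {"grant_type": "authorization_code", "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI, "code": code, "code_verifier": verifier}


def server_accepts(stored_challenge: str, presented_verifier: str) -> bool:
    """Server-side check at the token endpoint (constant-time compare)."""
    return hmac.compare_digest(stored_challenge, challenge_for(presented_verifier))
```

Because only the hash travels in the first request, a code intercepted on the redirect cannot be exchanged without the verifier that never left the app.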

This JWT is an encrypted JSON message. To inspect the contents and learn more about this token, please visit www.jwt.io.

By sending the API key alongside the JWT, the app can access the user's data.

The implementation will then look as follows:

More information can be found in the Okta developer section.