# Authorization Code Flow

The purpose of following the OAuth2 flow is to retrieve an authorization code and exchange it for an `access_token` via the request access token endpoint. Complete details of the specification are available in [RFC 6749 section 4.1](https://www.rfc-editor.org/rfc/rfc6749#section-4.1).

We strongly suggest using a standards-compliant [client library](https://oauth.net/code/) to perform the next steps, using the configuration values provided by DailyPay.

## 1. Initiate an OAuth2 request

- Construct the request URL using the template below, replacing the `{scope}`, `{client_id}`, and `{redirect_uri}` parameters with the corresponding configuration values.
- Additionally, generate a `state` parameter for the specific request, and a code challenge and verifier (used in a later step) for Proof Key for Code Exchange (PKCE).
- Make sure to URL-encode each parameter, e.g. `user:read_write` becomes `user%3aread_write`.

```
https://auth.dailypay.com/oauth2/auth
  ?response_type=code
  &scope={scope}
  &client_id={client_id}
  &redirect_uri={redirect_uri}
  &state={state}
  &code_challenge={code_challenge}
  &code_challenge_method=S256
```

##### Example

```
https://auth.dailypay.com/oauth2/auth
  ?response_type=code
  &scope=user%3aread_write%20openid
  &client_id=your-client-id
  &redirect_uri=https%3A%2F%2Fexample.com%2Fcallback
  &state=9876543fghijklm
  &code_challenge=hKpKupTM391pE10xfQiorMxXarRKAHRhTfH_xkGf7U4
  &code_challenge_method=S256
```

## 2. Open a browser window, tab, or secure mobile view to the constructed URL.

The user will be prompted to log in or create a new DailyPay account and will be prompted to allow your application to act on their behalf.

## 3. Handle the code

Users will be redirected in the open tab to your callback URL with a `code` query parameter, or an `error` and `error_description` if the user did not consent to your application's request or otherwise encountered an error. The `state` parameter is also returned.

## 4. Exchange the code for an Access Token

Send the following parameters www-form-encoded in the request body to the token endpoint:

| Environment | Token Endpoint |
| --- | --- |
| Production | https://auth.dailypay.com/oauth2/token |
| UAT | https://auth.uat.dailypay.com/oauth2/token |

The resulting access token can be used to make requests to the DailyPay Public REST API:

> The authorization code, access token, and refresh tokens can vary in size but will typically remain under 4096 bytes.
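
Steps 1 and 3 above, sketched as an added example (not DailyPay's code, and not a substitute for a client library): it generates the `state` and the PKCE verifier/challenge pair (S256, per RFC 7636), builds the URL-encoded authorization URL, and rejects a callback whose `state` does not match the one issued for the request. The function names and the sample callback URLs are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AUTH_ENDPOINT = "https://auth.dailypay.com/oauth2/auth"  # from the page


def s256_challenge(verifier):
    """code_challenge = BASE64URL(SHA256(code_verifier)), padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_request_secrets():
    """Return (state, code_verifier, code_challenge) for one authorization request."""
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)  # 86 chars, inside RFC 7636's 43-128 range
    return state, verifier, s256_challenge(verifier)


def build_authorization_url(client_id, redirect_uri, scope, state, challenge):
    """Fill the step 1 template; every value is percent-encoded (space -> %20)."""
    params = {
        "response_type": "code",
        "scope": scope,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTH_ENDPOINT + "?" + urlencode(params, quote_via=quote)


def handle_callback(callback_url, expected_state):
    """Return the authorization code; raise on state mismatch or error response."""
    query = parse_qs(urlsplit(callback_url).query)
    returned_state = query.get("state", [""])[0]
    # Check state first, in constant time: a mismatch means the response
    # does not belong to the request this session started.
    if not hmac.compare_digest(returned_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard this response")
    if "error" in query:
        description = query.get("error_description", [""])[0]
        raise RuntimeError(f"{query['error'][0]}: {description}")
    if "code" not in query:
        raise RuntimeError("callback carried neither code nor error")
    return query["code"][0]
```

Keep the `code_verifier` server-side (or in app-private storage) alongside the `state` until step 4, where it is sent with the code.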