{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-products/rest/guides/sidebars.yaml","oas-products/rest/reference/authorization/auth-code-flow-sample.yaml":"oas-products/rest/reference/authorization/auth-code-flow-sample.yaml"},"props":{"metadata":{"markdoc":{"tagList":["admonition","partial","json-schema","openapi-code-sample","openapi-response-sample"]},"type":"markdown"},"seo":{"title":"Authorization Code Flow","description":"Embed DailyPay On Demand Pay into your applications with our APIs and SDKs.","llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":["openapi"],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":1,"id":"authorization-code-flow","__idx":0},"children":["Authorization Code Flow"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The purpose of following the OAuth2 flow is to help you retrieve an authorization ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["code"]}]}," ","and exchange it for an ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["access_token"]}]},"."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Complete details of the specification are available in ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"https://www.rfc-editor.org/rfc/rfc6749#section-4.1"},"children":["RFC 6749 section 4.1"]},"."]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"warning"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["We strongly suggest using a standards-compliant ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"https://oauth.net/code/"},"children":["client library"]}," to perform the next steps, using the configuration values provided by DailyPay."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"1-initiate-an-oauth2-request","__idx":1},"children":["1. Initiate an OAuth2 request"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Construct the request url using the template below, replacing the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["{scope}"]}]},", ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["{client_id}"]}]},", and ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["{redirect_uri}"]}]}," parameters with the configuration values accordingly."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Additionally, generate a ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["state"]}]}," parameter for the specific request, and a code challenge and verifier (used in a later step) for ",{"$$mdtype":"Tag","name":"a","attributes":{"href":"https://oauth.net/2/pkce/"},"children":["Proof Key Code Exchange"]},"."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Make sure to url-encode each parameter e.g. ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["user:read_write"]}," becomes ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["user%3aread_write"]}]}]}]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"header":{"controls":{"copy":{}}},"source":"https://auth.dailypay.com/oauth2/auth\n    ?response_type=code\n    &scope={scope}\n    &client_id={client_id}\n    &redirect_uri={redirect_uri}\n    &state={state}\n    &code_challenge={code_challenge}\n    &code_challenge_method=S256\n"},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":5,"id":"example","__idx":2},"children":["Example"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"header":{"controls":{"copy":{}}},"source":"  https://auth.dailypay.com/oauth2/auth\n    ?response_type=code\n    &scope=user%3aread_write%20openid\n    &client_id=your-client-id\n    &redirect_uri=https%3A%2F%2Fexample.com%2Fcallback\n    &state=9876543fghijklm\n    &code_challenge=hKpKupTM391pE10xfQiorMxXarRKAHRhTfH_xkGf7U4\n    &code_challenge_method=S256\n"},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"2-open-a-browser-window-tab-or-secure-mobile-view-to-the-constructed-url","__idx":3},"children":["2. Open a browser window, tab, or secure mobile view to the constructed URL."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The user will be prompted to log in or create a new DailyPay account and will be prompted to allow your application to act on their behalf."]},{"$$mdtype":"Tag","name":"img","attributes":{"src":"/assets/oauthallowflow.3b87c2ec825292e5b51571d1d6a66729b91ffe92e25858ada842c23507dd7100.4ac275af.png"},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"3-handle-the-code","__idx":4},"children":["3. Handle the code"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Users will be redirected in the open tab to your callback url with a ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["code"]}," query parameter,"," ","or an ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["error"]}," and ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["error_description"]}," if the user did not consent to your application's request or otherwise encountered an error."," ","You will also be returned the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["state"]}," parameter."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"4-exchange-the-code-for-an-access-token","__idx":5},"children":["4. Exchange the code for an Access Token"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Send the following parameters www-form-encoded in the request body to the token endpoint:"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Environment"},"children":["Environment"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Token Endpoint"},"children":["Token Endpoint"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Production"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["https://auth.dailypay.com/oauth2/token"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["UAT"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["https://auth.uat.dailypay.com/oauth2/token"]}]}]}]}]},{"$$mdtype":"Tag","name":"JsonSchema","attributes":{"schema":{"$ref":"../../reference/authorization/auth-code-flow-sample.yaml#/components/schemas/AuthCodeFlowCodeExchange"},"options":{},"schemaResolved":{"openapi":"3.1.0","components":{"schemas":{"__root":{"$ref":"#/components/schemas/AuthCodeFlowCodeExchange"},"AuthCodeFlowCodeExchange":{"type":"object","title":"Authorization code flow","required":["grant_type","code","redirect_uri","client_id","state"],"properties":{"grant_type":{"type":"string","description":"The OAuth2 grant type","const":"authorization_code"},"code":{"type":"string","description":"An authorization code received through user authorization flow","example":"50BTIf2h7Wtg3DAk7ytpG5ML_PsNjfQA4M7iupH_3jw"},"redirect_uri":{"type":"string","description":"The url redirected to after the authorization flow was completed by current user.","example":"https://example.com/callback"},"state":{"type":"string","description":"A value used by the client to maintain state between the request and callback. This is used to prevent CSRF attacks. See https://www.rfc-editor.org/rfc/rfc6749#section-10.12 for more detail.","example":"xyzABC123"},"code_verifier":{"type":"string","description":"A PKCE verifier matching the challenge submitted during the authorization code request.","example":"dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"},"client_id":{"description":"The client id of the application requesting the token.","type":"string","example":"your_client_id"},"client_secret":{"type":"string","description":"The client secret of the application requesting the token, if available.","example":"your_client_secret"}}}}}},"schemaResolvedErrors":[]},"children":[]},{"$$mdtype":"Tag","name":"OpenApiCodeSample","attributes":{"descriptionFile":"oas-products/rest/reference/authorization/auth-code-flow-sample.yaml","operationId":"token","parameters":{},"environments":{},"codeSamplesResolved":[{"lang":"javascript","title":"JavaScript","source":"const formData = {\n  grant_type: 'authorization_code',\n  code: '50BTIf2h7Wtg3DAk7ytpG5ML_PsNjfQA4M7iupH_3jw',\n  redirect_uri: 'https://example.com/callback',\n  state: 'xyzABC123',\n  code_verifier: 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk',\n  client_id: 'your_client_id',\n  client_secret: 'your_client_secret'\n};\n\nconst resp = await fetch(\n  `https://auth.dailypay.com/oauth2/token`,\n  {\n    method: 'POST',\n    headers: {\n      'Content-Type': 'application/x-www-form-urlencoded'\n    },\n    body: new URLSearchParams(formData).toString()\n  }\n);\n\nconst data = await resp.text();\nconsole.log(data);"},{"lang":"go","title":"Go","source":"package main\n\nimport (\n  \"fmt\"\n  \"net/url\"\n  \"strconv\"\n  \"strings\"\n  \"net/http\"\n  \"io/ioutil\"\n)\n\nfunc main() {\n  reqUrl := \"https://auth.dailypay.com/oauth2/token\"\n  data := url.Values{}\n  data.Set(\"grant_type\", \"authorization_code\")\n  data.Set(\"code\", \"50BTIf2h7Wtg3DAk7ytpG5ML_PsNjfQA4M7iupH_3jw\")\n  data.Set(\"redirect_uri\", \"https://example.com/callback\")\n  data.Set(\"state\", \"xyzABC123\")\n  data.Set(\"code_verifier\", \"dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk\")\n  data.Set(\"client_id\", \"your_client_id\")\n  data.Set(\"client_secret\", \"your_client_secret\")\n  req, err := http.NewRequest(\"POST\", reqUrl, strings.NewReader(data.Encode()))\n  if err != nil {\n    panic(err)\n  }\n  req.Header.Add(\"Content-Type\", \"application/x-www-form-urlencoded\")\n  req.Header.Add(\"Content-Length\", strconv.Itoa(len(data.Encode())))\n  res, err := http.DefaultClient.Do(req)\n  if err != nil {\n    panic(err)\n  }\n  defer res.Body.Close()\n  body, err := ioutil.ReadAll(res.Body)\n  if err != nil {\n    panic(err)\n  }\n\n  fmt.Println(res)\n  fmt.Println(string(body))\n}"},{"lang":"csharp","title":"C#","source":"using System;\nusing System.Net.Http;\nusing System.Threading.Tasks;\nusing System.Collections.Generic;\n\npublic class Program\n{\n  public static async Task Main()\n  {\n    System.Net.Http.HttpClient client = new();\n\n\n    List<KeyValuePair<string, string>> postData = new List<KeyValuePair<string, string>>();\n    postData.Add(new KeyValuePair<string, string>(\"grant_type\", \"authorization_code\"));\n    postData.Add(new KeyValuePair<string, string>(\"code\", \"50BTIf2h7Wtg3DAk7ytpG5ML_PsNjfQA4M7iupH_3jw\"));\n    postData.Add(new KeyValuePair<string, string>(\"redirect_uri\", \"https://example.com/callback\"));\n    postData.Add(new KeyValuePair<string, string>(\"state\", \"xyzABC123\"));\n    postData.Add(new KeyValuePair<string, string>(\"code_verifier\", \"dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk\"));\n    postData.Add(new KeyValuePair<string, string>(\"client_id\", \"your_client_id\"));\n    postData.Add(new KeyValuePair<string, string>(\"client_secret\", \"your_client_secret\"));\n\n    using HttpResponseMessage request = await client.PostAsync(\"https://auth.dailypay.com/oauth2/token\", new FormUrlEncodedContent(postData));\n    string response = await request.Content.ReadAsStringAsync();\n\n    Console.WriteLine(response);\n  }\n}"},{"lang":"java","title":"Java","source":"import java.net.*;\nimport java.net.http.*;\nimport java.util.*;\nimport java.nio.charset.StandardCharsets;\nimport java.util.stream.Collectors;\n\npublic class App {\n  public static void main(String[] args) throws Exception {\n    var httpClient = HttpClient.newBuilder().build();\n\n    HashMap<String, String> params = new HashMap<>();\n    params.put(\"grant_type\", \"authorization_code\");\n    params.put(\"code\", \"50BTIf2h7Wtg3DAk7ytpG5ML_PsNjfQA4M7iupH_3jw\");\n    params.put(\"redirect_uri\", \"https://example.com/callback\");\n    params.put(\"state\", \"xyzABC123\");\n    params.put(\"code_verifier\", \"dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk\");\n    params.put(\"client_id\", \"your_client_id\");\n    params.put(\"client_secret\", \"your_client_secret\");\n\n    var form = params.keySet().stream()\n      .map(key -> key + \"=\" + URLEncoder.encode(params.get(key), StandardCharsets.UTF_8))\n      .collect(Collectors.joining(\"&\"));\n\n    var host = \"https://auth.dailypay.com\";\n    var pathname = \"/oauth2/token\";\n    var request = HttpRequest.newBuilder()\n      .POST(HttpRequest.BodyPublishers.ofString(form))\n      .uri(URI.create(host + pathname ))\n      .header(\"Content-Type\", \"application/x-www-form-urlencoded\")\n      .build();\n\n    var response = httpClient.send(request, HttpResponse.BodyHandlers.ofString());\n\n    System.out.println(response.body());\n  }\n}"},{"lang":"python","title":"Python","source":"import requests\n\nurl = \"https://auth.dailypay.com/oauth2/token\"\n\npayload = {\n  \"grant_type\": \"authorization_code\",\n  \"code\": \"50BTIf2h7Wtg3DAk7ytpG5ML_PsNjfQA4M7iupH_3jw\",\n  \"redirect_uri\": \"https://example.com/callback\",\n  \"state\": \"xyzABC123\",\n  \"code_verifier\": \"dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk\",\n  \"client_id\": \"your_client_id\",\n  \"client_secret\": \"your_client_secret\"\n}\n\nheaders = {\"Content-Type\": \"application/x-www-form-urlencoded\"}\n\nresponse = requests.post(url, data=payload, headers=headers)\n\ndata = response.json()\nprint(data)"},{"lang":"ruby","title":"Ruby","source":"require 'uri'\nrequire 'net/http'\nrequire 'openssl'\n\nurl = URI('https://auth.dailypay.com/oauth2/token')\n\nhttp = Net::HTTP.new(url.host, url.port)\nhttp.use_ssl = true\n\nrequest = Net::HTTP::Post.new(url)\nrequest['Content-Type'] = 'application/x-www-form-urlencoded'\nrequest.body = URI.encode_www_form({\n  grant_type: 'authorization_code',\n  code: '50BTIf2h7Wtg3DAk7ytpG5ML_PsNjfQA4M7iupH_3jw',\n  redirect_uri: 'https://example.com/callback',\n  state: 'xyzABC123',\n  code_verifier: 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk',\n  client_id: 'your_client_id',\n  client_secret: 'your_client_secret'\n})\n\nresponse = http.request(request)\nputs response.read_body\n"},{"lang":"shell","title":"cURL","source":"curl -i -X POST \\\n  https://auth.dailypay.com/oauth2/token \\\n  -H 'Content-Type: application/x-www-form-urlencoded' \\\n  -d grant_type=authorization_code \\\n  -d code=50BTIf2h7Wtg3DAk7ytpG5ML_PsNjfQA4M7iupH_3jw \\\n  -d redirect_uri=https://example.com/callback \\\n  -d state=xyzABC123 \\\n  -d code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk \\\n  -d client_id=your_client_id \\\n  -d client_secret=your_client_secret"}]},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The resulting access token can be used to make requests to the DailyPay REST API:"]},{"$$mdtype":"Tag","name":"OpenApiResponseSample","attributes":{"descriptionFile":"oas-products/rest/reference/authorization/auth-code-flow-sample.yaml","operationId":"token","responseSamplesResolved":[{"lang":"json","title":"200 application/json","source":"{\n  \"access_token\": \"dpo_38347Ae178B4a16C7e42F292c6912E7710c8\",\n  \"refresh_token\": \"dpo_38347Ae178B4a16C7e42F292c6912E7710c9\",\n  \"token_type\": \"bearer\",\n  \"scope\": \"user:read_write\",\n  \"id_token\": \"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.4FjJ3eZJYJj7J9Jf\",\n  \"expires_in\": 3600\n}"},{"lang":"json","title":"default application/json","source":"{\n  \"error\": \"unexpected_error\",\n  \"error_description\": \"An internal server error has occurred.\",\n  \"status_code\": 500,\n  \"error_hint\": \"string\"\n}"}]},"children":[]},{"$$mdtype":"Tag","name":"blockquote","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The authorization code, access token, and refresh tokens can vary in size but will typically remain under 4096 bytes."]}]}]},"headings":[{"value":"Authorization Code Flow","id":"authorization-code-flow","depth":1},{"value":"1. Initiate an OAuth2 request","id":"1-initiate-an-oauth2-request","depth":2},{"value":"Example","id":"example","depth":5},{"value":"2. Open a browser window, tab, or secure mobile view to the constructed URL.","id":"2-open-a-browser-window-tab-or-secure-mobile-view-to-the-constructed-url","depth":2},{"value":"3. Handle the code","id":"3-handle-the-code","depth":2},{"value":"4. Exchange the code for an Access Token","id":"4-exchange-the-code-for-an-access-token","depth":2}],"frontmatter":{"seo":{"title":"Authorization Code Flow"}},"lastModified":"2026-07-14T14:30:25.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/products/rest/guides/auth/authorization-code-flow","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}