OAuth 2.0 Grant Types

The different flows OAuth supports for obtaining access tokens.

Grant types define how a client obtains an access token from the authorization server and what evidence it presents to get one. The authorization code grant, paired with PKCE (required for public clients and recommended for every client), drives browser and mobile login: the user authenticates at the authorization server and the client redeems a short-lived code at the token endpoint. Client credentials serve machine-to-machine APIs, where a confidential client authenticates with a stored secret and acts with no user context. The device authorization grant covers input-constrained TVs and printers that cannot host a browser. The implicit and password grants are deprecated for new work: implicit delivers the access token in the URL fragment, where it leaks through browser history and referrers and cannot be bound to the client the way a PKCE-protected code can, and the password grant hands the user's credentials to the client, bypassing consent and multi-factor login.

Why developers care

Using client credentials from a SPA ships the client_secret to every browser that loads the page, and enabling implicit flow because a tutorial said so puts bearer tokens in URLs; both create audit findings and real account takeover paths. The wrong grant type also produces confusing errors: unsupported_grant_type from the token endpoint, silent failures in iframes, or refresh tokens requested where the grant forbids them.

Example

Authorization Code + PKCE — user login in browser/mobile; the code is redeemed at the token endpoint (server-side for web apps, in-app for native clients) together with the PKCE code_verifier that matches the code_challenge sent earlier.
Client Credentials — backend job calls an API with client_id + client_secret (no user context, no refresh token).
Device Flow — user enters the user_code at the verification URL on a phone while the device polls the token endpoint with its device_code until the request is approved.
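The three supported grants above, and the rejection of the deprecated ones, as an added runnable example that is not part of this page or of any OAuth library: a toy in-memory token endpoint in Python. The client IDs, the secret s3cr3t, the URLs and the TokenEndpoint class are constructed for illustration; the PKCE arithmetic follows RFC 7636 (S256), the device grant_type URN is from RFC 8628, and the error codes are those of RFC 6749 section 5.2 and RFC 8628.

```python
import base64
import hashlib
import hmac
import secrets

# --- PKCE (RFC 7636), S256 method ---

def make_code_verifier(n_bytes: int = 32) -> str:
    """Random verifier; 32 bytes -> 43 base64url chars, inside the 43..128 limit."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode()


def make_code_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) with padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"  # RFC 8628 grant_type value


class TokenEndpoint:
    """Toy in-memory authorization server (hypothetical; not a real library)."""

    def __init__(self):
        # Constructed confidential client; public clients (SPA, mobile) hold no secret.
        self.client_secrets = {"backend-job": "s3cr3t"}
        self.codes = {}          # authorization code -> binding data
        self.device_codes = {}   # device_code -> {"client_id", "approved"}

    # Front channel (authorization endpoint), simulated: the code is bound to the challenge.
    def issue_code(self, client_id, code_challenge, redirect_uri):
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "challenge": code_challenge,
                            "redirect_uri": redirect_uri}
        return code

    def start_device_flow(self, client_id):
        device_code = secrets.token_urlsafe(32)
        self.device_codes[device_code] = {"client_id": client_id, "approved": False}
        return {"device_code": device_code, "user_code": secrets.token_hex(4).upper(),
                "verification_uri": "https://as.example/device", "interval": 5}

    def approve_device(self, device_code):
        """Stand-in for the user approving on a phone after typing the user_code."""
        self.device_codes[device_code]["approved"] = True

    def token(self, params):
        grant = params.get("grant_type")
        if grant == "authorization_code":
            return self._authorization_code(params)
        if grant == "client_credentials":
            return self._client_credentials(params)
        if grant == DEVICE_GRANT:
            return self._device_code(params)
        # "password" is not offered, and implicit never reaches the token endpoint
        # (its token comes from the authorization endpoint), so both land here.
        return {"error": "unsupported_grant_type"}

    def _issue(self, refresh):
        tok = {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
               "expires_in": 3600}
        if refresh:
            tok["refresh_token"] = secrets.token_urlsafe(32)
        return tok

    def _authorization_code(self, p):
        # Single use: pop on first presentation, so a replay or a wrong verifier burns the code.
        rec = self.codes.pop(p.get("code"), None)
        if rec is None or rec["client_id"] != p.get("client_id"):
            return {"error": "invalid_grant"}
        if rec["redirect_uri"] != p.get("redirect_uri"):
            return {"error": "invalid_grant"}
        try:  # RFC 7636 restricts the verifier to ASCII unreserved characters
            expected = make_code_challenge(p.get("code_verifier", ""))
        except UnicodeEncodeError:
            return {"error": "invalid_grant"}
        if not hmac.compare_digest(expected, rec["challenge"]):
            return {"error": "invalid_grant"}   # verifier does not match the challenge
        return self._issue(refresh=True)

    def _client_credentials(self, p):
        secret = self.client_secrets.get(p.get("client_id"))
        if secret is None or not hmac.compare_digest(secret, p.get("client_secret", "")):
            return {"error": "invalid_client"}
        # No user, no refresh token (RFC 6749 s4.4.3): the client just authenticates again.
        return self._issue(refresh=False)

    def _device_code(self, p):
        rec = self.device_codes.get(p.get("device_code"))
        if rec is None or rec["client_id"] != p.get("client_id"):
            return {"error": "invalid_grant"}
        if not rec["approved"]:
            return {"error": "authorization_pending"}   # client keeps polling at "interval"
        del self.device_codes[p["device_code"]]
        return self._issue(refresh=True)
```

The PKCE check is the point of the authorization code handler: the server first sees the verifier in the token request, so an attacker who intercepts the code on the redirect cannot redeem it. Note which handlers hand out a refresh token: client credentials does not, and a request carrying grant_type=password or grant_type=implicit gets unsupported_grant_type because neither is a token-endpoint grant this server offers.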

Spec

RFC 6749 (OAuth 2.0) · RFC 7636 (PKCE) · RFC 8628 (Device Authorization Grant) · OAuth.net — grant types
