Obtaining an Access Token

The Phoenix API supports the following Authorisation Flows:

Authorisation Code Flow with Proof Key for Code Exchange (PKCE). The Authorisation Code grant type is used by confidential and public clients to exchange an authorisation code for an access token. After the user returns to the client via the redirect URI, the application reads the authorisation code from the URL and uses it to request an access token. PKCE (RFC 7636) is an extension to this flow (formerly known simply as the Authorisation Code Flow) that prevents CSRF and authorisation code injection attacks.
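As an added illustration of the PKCE extension described above (example code, not part of the Phoenix documentation or API): the client derives a one-time code_verifier and its S256 code_challenge, sends only the challenge on the authorisation request, and reveals the verifier only at the token exchange, where the server recomputes and compares it. The authorisation endpoint URL, client id and redirect URI are placeholders, not Phoenix values.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Assumption: the page does not give Phoenix's real endpoint; placeholder only.
AUTHORIZE_URL = "https://auth.example.invalid/oauth2/authorize"

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy verifier (43-128 chars); 32 random bytes encode to 43 chars."""
    return b64url(secrets.token_bytes(nbytes))

def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def build_authorize_url(client_id: str, redirect_uri: str, verifier: str, state: str) -> str:
    """Step 1: redirect the user with the challenge only; the verifier stays client-side."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"

def build_token_request(code: str, redirect_uri: str, client_id: str, verifier: str) -> dict:
    """Step 2: form body for the token endpoint; the plaintext verifier appears only here."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": verifier,
    }

def server_verifies_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorisation-server side: a stolen or injected code fails without the matching verifier."""
    return hmac.compare_digest(stored_challenge, make_code_challenge(presented_verifier))
```

The `make_code_challenge` function reproduces the RFC 7636 Appendix B test vector, so it can be checked against the specification directly.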

Client Credentials Flow. The Client Credentials grant type is used by clients to obtain an access token outside the context of a user. It is typically used by a client to access resources about itself rather than a user's resources. This flow is best suited to Machine-to-Machine (M2M) applications, such as CLIs, daemons, or backend services, because the system must authenticate and authorise the application itself rather than a user.