how tos

Configure Grant Types

With a grant, an app can get limited access to a user’s resources. When you add an app to your tenant, Express automatically sets up grants recommended for your app type. You can change the default or optional settings.

To use the Express console: Navigate to Applications > App Name > General.

Grants Native App or SPA Web App Service App
Authorization Code With PKCE Default Default  
Client Credentials   Default Optional
Password   Default  
Refresh Token Optional Default  

Authorization Code with PKCE

When a user authorizes access to their data, the authorization server returns an authorization code. The client application exchanges this code for an access token.

To secure the use of an authorization code grant, you need the Proof Key for Code Exchange (PKCE) protocol. With PKCE, you don’t have to share app client secrets with end user browsers.

As noted in the OAuth 2.0 website, PKCE (pronounced “pixie”) secures public clients that don’t use a client secret.

Client Credentials

The client credentials grant allows non-user resources access to info on a resource server. Client credentials are typically associated with service (M2M) apps. M2M apps don’t require interaction with users.

alt text

The client credentials grant may also be used by web apps.

For more information, see the following section of our Access Management Guide: Client Credentials Grant.


The password grant is also known as the Resource Owner Password Credentials Grant. This is the least secure grant type. With a username and password, a client app can use this grant to get an access token.

The password grant carries risks because it transfers real user credentials and personally identifying information. However, it can be a useful tool during development.

Refresh Token

Refresh tokens prevent repeated sign-ins. When an access token expires, a web app can exchange a refresh token for a new access token. When this exchange occurs, apps don’t have to ask users to “sign in again” when an access token expires.

To configure a refresh token, see Configure JSON Web Tokens .