Server Side Flow
The server side flow is very similar to Stytch’s M2M Authentication (for B2B, for Consumer) in that we will be exchanging the Connected App’s own credentials for an access token. The difference in this case is that we will also exchange the code returned from integrating with the SDK or API. This code represents the ability of the client app to act on behalf of the user. Conceptually, the code can be thought of as representing the user’s permission for the app to see their data and act on their behalf.
To perform the token exchange, just as in M2M Authentication, we will make a POST request to your project’s Token Endpoint. The endpoint is located at https://${projectDomain}/v1/oauth2/token (or similar, depending on your Stytch test or production environment or CNAME settings). See this guide to learn more about setting up a custom domain.
The request should contain these parameters:
| Name | Meaning |
|---|---|
| grant_type | The type of auth grant we’re seeking. For Authorization Code Flow this is always authorization_code |
| code | The code received in a parameter of the request sent to the Redirect URL. |
| client_id | The Stytch client app id, which you will receive when configuring a Client App (below) |
| client_secret | The Stytch Connected App’s Client Secret; required for confidential clients |
| redirect_uri | Although this request does not issue a redirect, redirect_uri must be present and identical to the value used in the first part of the flow. |
| code_verifier | Required for public clients; see this guide |
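As an added example (not Stytch’s own SDK or the curl call below), the following Python assembles the token request from the parameters in the table, enforcing the two rules a server should check before spending the code: redirect_uri must equal the value used in the first part of the flow, and a confidential client must send client_secret while a public client must send code_verifier. The endpoint path and JSON response shape are assumptions based on the text above.

```python
"""Server-side authorization-code exchange against a Stytch-style token endpoint.

Added example, not Stytch's SDK code. Assumes the Token Endpoint at
https://{project_domain}/v1/oauth2/token accepts a form-encoded POST with the
parameters listed above and replies with JSON containing "access_token".
"""
import json
import urllib.parse
import urllib.request
from typing import Dict, Optional


def build_token_request(code: str, client_id: str, redirect_uri: str,
                        original_redirect_uri: str,
                        client_secret: Optional[str] = None,
                        code_verifier: Optional[str] = None) -> Dict[str, str]:
    """Assemble the grant_type=authorization_code form body.

    A confidential client authenticates with client_secret; a public client
    proves it started the flow with code_verifier. At least one is required.
    """
    if redirect_uri != original_redirect_uri:
        # The endpoint would reject a mismatch; fail locally so the code is not spent.
        raise ValueError("redirect_uri must equal the value used to start the flow")
    if not client_secret and not code_verifier:
        raise ValueError("confidential clients need client_secret, public clients code_verifier")
    params = {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
    }
    if client_secret:
        params["client_secret"] = client_secret  # keep out of logs
    if code_verifier:
        params["code_verifier"] = code_verifier
    return params


def exchange_code(project_domain: str, params: Dict[str, str]) -> dict:
    """POST the form body to the project's Token Endpoint and return the parsed JSON."""
    url = f"https://{project_domain}/v1/oauth2/token"  # assumed path, see above
    body = urllib.parse.urlencode(params).encode()
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)
```

Call build_token_request with the code taken from the Redirect URL request, then pass the result to exchange_code with your project domain; the returned dict carries the access token for the user.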
curl: