
Grant type explained

A grant type, also called an OAuth 2.0 grant type or authorization grant, is the method a client application uses in the OAuth 2.0 framework (RFC 6749) to obtain an access token, which lets the client access protected resources on behalf of a user (or, for some grants, on its own behalf). The grant type is sent as the grant_type parameter of the request to the token endpoint.

OAuth 2.0 defines several grant types to support different use cases and security requirements. The choice of grant type depends on factors such as the client type, the level of trust between the client and the authorization server, and the user’s authentication context.

OAuth grant types are usually classified by the type of application that requests access to protected resources. The most common grant types are:

  • Authorization code grant: This is the most common grant type. It is used by web applications and mobile apps that need to access protected resources on behalf of a user. The authorization code grant involves the following steps:
    1. The application redirects the user's browser to the authorization server's authorization endpoint with response_type=code, its client_id, a redirect_uri and a state value bound to the user's session.
    2. The user authenticates at the authorization server and consents to the requested scope.
    3. The authorization server redirects the browser back to the redirect_uri with a short-lived, single-use authorization code and the original state; the application must verify that state matches before going further.
    4. The application exchanges the authorization code for an access token by sending a back-channel request to the token endpoint with grant_type=authorization_code (a confidential client also authenticates with its client secret).
    5. The application uses the access token to access protected resources.
  • Implicit grant (deprecated): This grant type was designed for browser-based and mobile apps that cannot store a client secret. Instead of an authorization code, the access token itself is returned in the URL fragment of the redirect, so there is no token-endpoint exchange. The OAuth 2.0 Security Best Current Practice recommends against it because the token is exposed in the browser (history, referrers, scripts) and the response cannot be bound to the client; the PKCE-enhanced authorization code grant replaces it. The implicit grant involves the following steps:
    1. The application redirects the user to the authorization server with response_type=token, and the user grants access.
    2. The application receives an access token from the authorization server directly in the redirect URL fragment.
    3. The application uses the access token to access protected resources.
  • Client credentials grant: This grant type is used by server-to-server applications that need to access protected resources without user interaction, acting as themselves rather than on behalf of a user. Because it relies on the client secret alone, it is only suitable for confidential clients. The client credentials grant involves the following steps:
    1. The application sends a request to the token endpoint with grant_type=client_credentials, authenticating with its client ID and client secret.
    2. The authorization server grants the application an access token (normally without a refresh token, since the client can simply authenticate again).
    3. The application uses the access token to access protected resources.
  • Refresh token grant: This grant type is used to obtain a new access token when the old access token has expired, without involving the user again. It cannot be used for the initial authorization; the refresh token is issued alongside the access token by one of the other grants. The refresh token grant involves the following steps:
    1. The application sends a request to the token endpoint with grant_type=refresh_token and its refresh token (plus client authentication for a confidential client).
    2. The authorization server grants the application a new access token, and often a new refresh token (refresh token rotation), invalidating the old one.
    3. The application uses the new access token to access protected resources.
  • PKCE-enhanced authorization code grant: PKCE (Proof Key for Code Exchange, RFC 7636) is an enhancement to the authorization code grant. It was designed for native and mobile applications that cannot securely store a client secret, but current guidance (the OAuth 2.0 Security Best Current Practice and the OAuth 2.1 draft) recommends it for every client, confidential ones included. PKCE protects against authorization code interception: the client generates a random code_verifier, sends code_challenge = BASE64URL(SHA256(code_verifier)) with code_challenge_method=S256 in the authorization request, and then presents the original code_verifier when exchanging the code at the token endpoint. The authorization server recomputes the challenge and refuses the exchange if it does not match, so a stolen code is useless without the verifier.
  • Password grant type (deprecated), also known as the Resource Owner Password Credentials grant: this grant type lets a client application obtain an access token by sending the user's credentials (username and password) directly to the token endpoint with grant_type=password. It exposes the user's password to the client, bypasses any multi-factor or federated authentication at the authorization server, and is deprecated by the OAuth 2.0 Security Best Current Practice and removed from the OAuth 2.1 draft; it should only survive in legacy migrations.
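The following example, added here and not part of the original post, walks through the token endpoint for the grants above with both sides of the exchange: the client builds the authorization request with a state value and a PKCE challenge, checks state on the redirect, and exchanges the code; a constructed toy authorization server validates the code (single use, bound client and redirect_uri, PKCE verifier), rotates refresh tokens, and serves the client credentials grant. Endpoint URLs, client IDs and secrets are assumptions for illustration; no real provider is contacted.

```python
import base64
import hashlib
import hmac
import secrets
import urllib.parse

# Assumed endpoints for the example; substitute your provider's values.
AUTHORIZE_ENDPOINT = "https://auth.example.com/authorize"
TOKEN_ENDPOINT = "https://auth.example.com/token"


def s256(code_verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple:
    """Client side: a fresh 43-char code_verifier and its code_challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, s256(verifier)


def build_authorization_url(client_id, redirect_uri, scope, state, code_challenge) -> str:
    """Step 1: the URL the client redirects the user's browser to."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,                     # tied to the user's session, checked on return
        "code_challenge": code_challenge,   # PKCE
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_redirect(redirect_url: str, expected_state: str) -> str:
    """Step 3: take the code from the redirect back to the client, rejecting a bad state."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(redirect_url).query)
    if query.get("state", [""])[0] != expected_state:
        raise ValueError("state mismatch: this redirect was not started by our session")
    if "error" in query:
        raise ValueError("authorization server returned error: " + query["error"][0])
    return query["code"][0]


class ToyAuthorizationServer:
    """Constructed stand-in for a provider's /authorize and /token endpoints."""

    def __init__(self):
        # client_id -> client_secret; None marks a public client (PKCE only, no secret)
        self.clients = {"web-app": "web-app-secret", "batch-job": "batch-secret", "mobile-app": None}
        self.codes = {}           # authorization code -> (client_id, redirect_uri, scope, challenge)
        self.refresh_tokens = {}  # refresh_token -> (client_id, scope)

    def authorize(self, client_id, redirect_uri, scope, state, code_challenge) -> str:
        """Step 2: what /authorize does after the user authenticated and consented."""
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, redirect_uri, scope, code_challenge)
        return redirect_uri + "?" + urllib.parse.urlencode({"code": code, "state": state})

    def _issue(self, client_id, scope, with_refresh) -> dict:
        token = {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                 "expires_in": 3600, "scope": scope}
        if with_refresh:
            rt = secrets.token_urlsafe(32)
            self.refresh_tokens[rt] = (client_id, scope)
            token["refresh_token"] = rt
        return token

    def _client_ok(self, form) -> bool:
        client_id = form.get("client_id", "")
        if client_id not in self.clients:
            return False
        secret = self.clients[client_id]
        return secret is None or hmac.compare_digest(secret, form.get("client_secret", ""))

    def token(self, form: dict) -> dict:
        """Step 4: POST /token, dispatching on grant_type (RFC 6749 section 4, RFC 7636)."""
        if not self._client_ok(form):
            return {"error": "invalid_client"}
        grant = form.get("grant_type")
        if grant == "authorization_code":
            rec = self.codes.pop(form.get("code"), None)      # pop: a code is single use
            if rec is None:
                return {"error": "invalid_grant"}
            client_id, redirect_uri, scope, challenge = rec
            if client_id != form["client_id"] or redirect_uri != form.get("redirect_uri"):
                return {"error": "invalid_grant"}             # code bound to another client/URI
            if not hmac.compare_digest(s256(form.get("code_verifier", "")), challenge):
                return {"error": "invalid_grant"}             # PKCE verifier does not match
            return self._issue(client_id, scope, with_refresh=True)
        if grant == "refresh_token":
            rec = self.refresh_tokens.pop(form.get("refresh_token"), None)   # rotate on use
            if rec is None or rec[0] != form["client_id"]:
                return {"error": "invalid_grant"}
            return self._issue(rec[0], rec[1], with_refresh=True)
        if grant == "client_credentials":
            if self.clients[form["client_id"]] is None:
                return {"error": "unauthorized_client"}       # public clients have no secret
            return self._issue(form["client_id"], form.get("scope", ""), with_refresh=False)
        return {"error": "unsupported_grant_type"}
```

Two details to carry into real code: the authorization code is removed from the store before any check, so a failed PKCE check or a replay consumes it, and refresh tokens are rotated so a leaked refresh token that is used after the legitimate client has already refreshed is rejected.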

The following table summarizes the OAuth grant types and the types of applications that can use them:

Grant type | Description | Applications that can use it
Authorization code grant | The most common grant type. Used by applications that need to access protected resources on behalf of a user. | Web applications, mobile apps
PKCE-enhanced authorization code grant | Authorization code grant with a code_verifier/code_challenge pair to stop code interception. | Native and mobile apps, single-page apps; recommended for all clients
Implicit grant (deprecated) | Returns the access token directly in the redirect URL fragment; replaced by the PKCE-enhanced authorization code grant. | Browser-based and mobile apps (legacy)
Client credentials grant | Used by server-to-server applications that need to access protected resources without user interaction. | Server-to-server applications (confidential clients)
Refresh token grant | Used to obtain a new access token when the old access token has expired. | All types of applications that were issued a refresh token
Password grant (deprecated) | Sends the user's username and password straight to the token endpoint. | Legacy first-party clients only

Note that not every OAuth grant type is supported by every OAuth provider, and some providers restrict which grants a given client registration may use. When choosing a grant type, consult the documentation of the OAuth provider you are using, and prefer the PKCE-enhanced authorization code grant for any user-facing client.
