Skip to Content
🔐 Faable AuthOAuth 2.0 FlowsWhich flow should I use?

OAuth 2.0 Flows

Faable Auth implements the standard OAuth 2.0 / OpenID Connect grants. Which one you need depends on two questions: is a user logging in? and can your app keep a secret?

Choosing a flow

Your situationUse this flow
A user logs into your web, SPA, or mobile appAuthorization Code with PKCE
A backend service calls an API — no user involvedClient Credentials
A user logs into a CLI tool, Smart TV, or IoT deviceDevice Code
You already have a session and want to renew it without re-loginRefresh Token
A CI job or workload has a JWT from a trusted issuer (GitHub Actions)Token Exchange

At a glance

FlowUser presentNeeds client_secretReturnsTypical client
Authorization Code + PKCEYesNoAccess + ID + Refresh tokenSPA, mobile, server-side web
Client CredentialsNoYesAccess tokenBackend service, cron, CI
Device CodeYesNoAccess + ID + Refresh tokenCLI, Smart TV, IoT
Refresh TokenAlready authenticatedNoNew access + ID + rotated refresh tokenAny client holding a refresh token
Token ExchangeNoNoAccess token (30 min)CI job, federated workload

All of them exchange credentials at the same endpoint — POST /oauth/token on your tenant domain — and return the same standard token response. In the browser, the @faable/auth-js SDK picks and drives the right flow for you (PKCE + automatic refresh).

FAQ

Which OAuth flow should I use?

If a user logs into your web, SPA, or mobile app, use Authorization Code with PKCE. If a backend service calls an API with no user involved, use Client Credentials. If the user logs in on a CLI, Smart TV, or IoT device, use Device Code. To renew an existing session without re-login, use the Refresh Token flow.

Do I ever combine flows?

Yes, all the time: a SPA uses Authorization Code + PKCE to log the user in and Refresh Token to stay logged in, while its backend uses Client Credentials to call other services. Same tenant, same users, same tokens.

What about the Implicit flow or Resource Owner Password?

They’re legacy. OAuth 2.0 best practice (and the OAuth 2.1 draft) replaces the Implicit flow with Authorization Code + PKCE, and discourages sending user passwords through your app. Faable Auth steers you to the modern grants above.

Where do I get the credentials each flow needs?

Register a Client in the Faable Dashboard  — it gives you the client_id (and a client_secret for confidential clients). If your tokens target your own backend, also register an API to get an audience and define permissions.

Last updated on

Last updated on