Dev GuideAPI Reference
Dev GuideAPI ReferenceUser GuideProduct feedbackGitHubNuGetDev CommunitySubmit a ticketLog In

Grant types

Describes the two grant types that Optimizely supports: authorization code grant and implicit grant.

As of August 2015, Optimizely Web Experimentation supports both the authorization code and implicit grant types, as described in the OAuth 2.0 spec.

Authorization code grant

The authorization code grant is used to obtain both access tokens and refresh tokens and is optimized for confidential clients. It's more versatile than the implicit grant and can give an application indefinite access to Optimizely on behalf of a user with a single authorization request. However, it's more complex to implement, and it requires the application to implement server-side code as well as a means of securely storing confidential information, including both a client secret and refresh tokens.

See Authorization Code Grant in the official OAuth 2.0 spec.

Implicit grant

The implicit grant type is optimized for public clients. Such clients will receive a valid access token at their redirection URL immediately after the user authorizes their application. Access tokens expire after two hours.

📘

Note

The implicit grant does not support refresh tokens. Therefore, any application using the implicit grant will need to explicitly re-request authorization from the user when an access token expires.

See Implicit Grant in the official OAuth 2.0 spec.