Grant types

As of August 2015, Optimizely supports both the authorization code and implicit grant types, as described in the OAuth 2.0 spec. Read below for more information on the difference between these grant types and decide which is most appropriate for your application.

Authorization code grant

The authorization code grant is used to obtain both access tokens and refresh tokens and is optimized for confidential clients. It's more versatile than the implicit grant and can give an application indefinite access to Optimizely on behalf of a user with a single authorization request. However, it's more complex to implement, and it requires the application to implement server-side code as well as a means of securely storing confidential information, including both a client secret and refresh tokens.

Read more about the Authorization Code Grant in the official OAuth 2.0 spec.
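The three steps the paragraph above describes (send the user to authorize, exchange the returned code on the server, then keep using the refresh token so the user is never asked again), as an added example that is not Optimizely's code or SDK. The endpoint URLs are placeholders, the parameter names are the ones RFC 6749 defines, and the token endpoint is a constructed fake injected as `http_post` so the flow runs offline. The `state` check is the anti-CSRF measure the spec calls for on the callback.

```python
# Added example (not Optimizely's code): authorization code grant, server side.
# AUTHORIZE_URL / TOKEN_URL are placeholders; http_post is an injected transport
# so the flow runs offline against the constructed FakeTokenEndpoint below.
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://auth.example.invalid/oauth2/authorize"  # placeholder
TOKEN_URL = "https://auth.example.invalid/oauth2/token"  # placeholder
REFRESH_SKEW = 60  # refresh this many seconds before the access token expires


class AuthCodeClient:
    """Confidential client: client secret and refresh token never leave the server."""

    def __init__(self, client_id, client_secret, redirect_uri, http_post):
        self.client_id = client_id
        self._client_secret = client_secret
        self.redirect_uri = redirect_uri
        self._http_post = http_post  # callable(url, form_dict) -> decoded JSON dict
        self._pending_states = set()  # one-time anti-CSRF values (per user session in practice)
        self.tokens = None  # {"access_token", "refresh_token", "expires_at"}

    def authorization_url(self, scopes):
        """Step 1: redirect the browser here; `state` ties the callback to this request."""
        state = secrets.token_urlsafe(32)
        self._pending_states.add(state)
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": self.redirect_uri, "scope": " ".join(scopes), "state": state}
        return f"{AUTHORIZE_URL}?{urlencode(params)}"

    def handle_callback(self, callback_url, now=None):
        """Step 2: browser returns with ?code=...&state=...; exchange the one-time
        code for tokens with a server-to-server POST that carries the secret."""
        now = time.time() if now is None else now
        query = parse_qs(urlsplit(callback_url).query)
        state = query.get("state", [None])[0]
        if state not in self._pending_states:
            raise ValueError("callback state unknown or reused (possible CSRF)")
        self._pending_states.discard(state)  # single use
        if "error" in query:
            raise RuntimeError(f"authorization denied: {query['error'][0]}")
        self._store(self._http_post(TOKEN_URL, {
            "grant_type": "authorization_code", "code": query["code"][0],
            "redirect_uri": self.redirect_uri, "client_id": self.client_id,
            "client_secret": self._client_secret}), now)
        return self.tokens["access_token"]

    def access_token(self, now=None):
        """Step 3: hand out a usable token, refreshing silently near expiry;
        the user is not asked to authorize again."""
        now = time.time() if now is None else now
        if self.tokens is None:
            raise RuntimeError("not authorized yet")
        if now >= self.tokens["expires_at"] - REFRESH_SKEW:
            self._store(self._http_post(TOKEN_URL, {
                "grant_type": "refresh_token", "refresh_token": self.tokens["refresh_token"],
                "client_id": self.client_id, "client_secret": self._client_secret}), now)
        return self.tokens["access_token"]

    def _store(self, response, now):
        if "error" in response:
            raise RuntimeError(f"token endpoint error: {response['error']}")
        previous = self.tokens["refresh_token"] if self.tokens else None
        self.tokens = {"access_token": response["access_token"],
                       "refresh_token": response.get("refresh_token", previous),  # may rotate
                       "expires_at": now + int(response["expires_in"])}


def state_from_url(url):
    """Read the state parameter back out of an authorization URL (for the demo)."""
    return parse_qs(urlsplit(url).query)["state"][0]


class FakeTokenEndpoint:
    """Constructed stand-in for the token endpoint: knows one code and one refresh
    token, checks the client secret, and issues access tokens valid for 7200 s."""

    def __init__(self):
        self.issued = 0

    def __call__(self, url, form):
        if url != TOKEN_URL or form.get("client_secret") != "s3cret":
            return {"error": "invalid_client"}
        valid = ((form["grant_type"] == "authorization_code" and form.get("code") == "CODE-123")
                 or (form["grant_type"] == "refresh_token" and form.get("refresh_token") == "REFRESH-1"))
        if not valid:
            return {"error": "invalid_grant"}
        self.issued += 1
        return {"access_token": f"ACCESS-{self.issued}", "token_type": "bearer",
                "expires_in": 7200, "refresh_token": "REFRESH-1"}


if __name__ == "__main__":  # offline demo
    c = AuthCodeClient("my-app", "s3cret", "https://app.example.invalid/cb", FakeTokenEndpoint())
    s = state_from_url(c.authorization_url(["all"]))
    c.handle_callback(f"{c.redirect_uri}?code=CODE-123&state={s}", now=0.0)
    print(c.access_token(now=3600.0), c.access_token(now=7200.0))  # ACCESS-1 ACCESS-2
```

The refresh happens inside `access_token()` without any user interaction, which is the "indefinite access with a single authorization request" property described above; the price is that the client secret and refresh token must be stored securely on the server, and a callback with an unknown or already-used `state` is rejected before the code is ever sent to the token endpoint.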

Implicit grant

The implicit grant type is optimized for public clients. Such clients will receive a valid access token at their redirection URL immediately after the user authorizes their application. Access tokens expire after two hours.

It's important to note that the implicit grant doesn't support refresh tokens. Therefore, any application using the implicit grant will need to explicitly re-request authorization from the user when an access token expires.

Read more about the Implicit Grant in the official OAuth 2.0 spec.
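The implicit flow as an added example (not Optimizely's code or SDK): the authorization endpoint is a placeholder and the user's approval is simulated by a constructed function. It shows the access token arriving in the URL fragment of the redirect URL (as RFC 6749 specifies, so the server behind that URL never sees it), the two-hour `expires_in` the page states, and the consequence of having no refresh token: once the token lapses the client can only report that it needs a fresh authorization from the user.

```python
# Added example (not Optimizely's code): implicit grant on a public client.
# AUTHORIZE_URL is a placeholder; fake_user_authorizes() is a constructed
# stand-in for the user approving the app in a browser, so this runs offline.
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://auth.example.invalid/oauth2/authorize"  # placeholder
EXPIRY_SKEW = 60  # treat a token as expired this many seconds early


class ImplicitClient:
    """Public client: no client secret, no refresh token, token held in memory."""

    def __init__(self, client_id, redirect_uri):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self._pending_states = set()  # in a browser this would live in sessionStorage
        self._access_token = None
        self._expires_at = 0.0

    def authorization_url(self, scopes):
        """Send the user here; response_type=token selects the implicit flow."""
        state = secrets.token_urlsafe(32)
        self._pending_states.add(state)
        params = {"response_type": "token", "client_id": self.client_id,
                  "redirect_uri": self.redirect_uri, "scope": " ".join(scopes), "state": state}
        return f"{AUTHORIZE_URL}?{urlencode(params)}"

    def handle_redirect(self, redirect_url, now=None):
        """The provider redirects straight back with the token in the fragment
        (after '#'), so only client-side code at redirect_uri can read it."""
        now = time.time() if now is None else now
        frag = parse_qs(urlsplit(redirect_url).fragment)
        state = frag.get("state", [None])[0]
        if state not in self._pending_states:
            raise ValueError("redirect state unknown or reused (possible CSRF)")
        self._pending_states.discard(state)  # single use
        if "error" in frag:
            raise RuntimeError(f"authorization denied: {frag['error'][0]}")
        if frag.get("token_type", [""])[0].lower() != "bearer":
            raise RuntimeError("unexpected token_type")
        self._access_token = frag["access_token"][0]
        self._expires_at = now + int(frag["expires_in"][0])  # 7200 s = two hours
        return self._access_token

    def access_token(self, now=None):
        """Return the token, or None once it has expired. There is no refresh
        token, so None means: send the user through authorization_url() again."""
        now = time.time() if now is None else now
        if self._access_token is not None and now < self._expires_at - EXPIRY_SKEW:
            return self._access_token
        self._access_token = None  # drop the stale token rather than retrying with it
        return None

    def needs_reauthorization(self, now=None):
        return self.access_token(now) is None


def fake_user_authorizes(authorization_url):
    """Constructed: the URL the browser lands on after the user clicks 'Allow'.
    Echoes the state back and grants a bearer token valid for two hours."""
    query = parse_qs(urlsplit(authorization_url).query)
    if query["response_type"][0] != "token":
        raise ValueError("not an implicit-grant request")
    fragment = urlencode({"access_token": "TOKEN-A", "token_type": "bearer",
                          "expires_in": 7200, "state": query["state"][0]})
    return f"{query['redirect_uri'][0]}#{fragment}"


if __name__ == "__main__":  # offline demo
    client = ImplicitClient("my-spa", "https://app.example.invalid/cb")
    client.handle_redirect(fake_user_authorizes(client.authorization_url(["all"])), now=0.0)
    for t in (0.0, 3600.0, 7200.0):
        print(t, client.access_token(now=t))  # TOKEN-A, TOKEN-A, None
```

Compared with the authorization code example, there is no token endpoint call and no secret anywhere in this client; the trade-off is that `access_token()` has nothing to fall back on after two hours, so the application has to drive the user back through `authorization_url()` rather than refreshing in the background.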