CRM Open API Documentation

Authorization Code + PKCE (Introduction)

This section describes how public clients (single-page and mobile apps, which cannot keep a client secret) obtain tokens using the OAuth 2.0 Authorization Code flow with PKCE (RFC 7636). PKCE replaces the client secret with a per-request code_verifier that only the app that started the flow knows, so an authorization code intercepted on the way back to the redirect URI cannot be exchanged by anyone else.

Important domain separation

  • Client Portal Hostname: Hosts the CRM login UI and handles user interaction (e.g. /login). The user's browser is sent here.
  • Client API Hostname: Hosts the OAuth API endpoints (e.g. /oauth/token). Your app calls this directly; it never shows it to the user.

Both hostnames are shown on your registered OAuth Application in CRM. Do not mix them up: the token exchange goes to the Client API Hostname, not to the portal.

Flow summary

  1. Your app generates a random code_verifier, derives the code_challenge from it, and redirects the user to the login page on the Client Portal Hostname with the code_challenge (not the verifier) in the query string.
  2. After successful login/consent, an authorization code is issued and returned to your registered redirect URI.
  3. Your app exchanges the authorization code for tokens by posting it, together with the original code_verifier, to the token endpoint on the Client API Hostname. The server hashes the verifier and compares it with the code_challenge it recorded in step 1; a code presented with the wrong verifier is rejected.

API references

  • Redirect to Login Page
  • Exchange authorization code for token
Last Updated: 10/28/25, 2:41 AM