Authorization code flow with PKCE (public clients)

Use this flow when: Your application cannot securely store secrets (SPAs, mobile apps).

Note: This flow typically does not provide refresh tokens for security reasons.

Generate PKCE parameters

Before starting authorization, generate:

Code Verifier: Random string (43-128 characters)
Code Challenge: SHA256 hash of code_verifier, Base64url encoded (no padding)

Example (JavaScript):

javascript// Generate code verifierconst codeVerifier = generateRandomString(128);// Generate code challengeconst codeChallenge = base64URLEncode(sha256(codeVerifier));

Redirect user for authorization

Redirect to the authorization endpoint with PKCE parameters:

GET https://www.make.com/oauth/v2/authorize

Required parameters:

client_id: Your Client ID
response_type: Set to code
redirect_uri: Pre-registered callback URL
scope: Requested permissions
state: Random string for CSRF protection
code_challenge: Generated in Step 1
code_challenge_method: Set to S256

User authorization

The user:

Logs into Make.com (if not already authenticated)
Reviews and approves the requested permissions
Gets redirected to your redirect_uri with an authorization code

Callback URL format:

https://yourapp.com/callback?code=authorization_code&state=random_state_strin

Exchange code for tokens

Make a POST request (can be from frontend or backend):

POST https://www.make.com/oauth/v2/token

Required Parameters:

client_id: Your Client ID
grant_type: Set to authorization_code
code: Authorization code from Step 3
code_verifier: Original code verifier from Step 1

Response:

json{  "access_token": "eyJ...",  "id_token": "eyJ...",  "token_type": "Bearer",  "expires_in": 3600}

PreviousAuthorization code flow with refresh token (confidential clients)NextBest practices and error handling

Last updated 6 days ago