Use this flow when: Your application cannot securely store secrets (SPAs, mobile apps).
Note: This flow typically does not provide refresh tokens for security reasons.
Before starting authorization, generate:
Code Verifier: Random string (43-128 characters)
Code Challenge: SHA256 hash of code_verifier, Base64url encoded (no padding)
Example (JavaScript, Node.js crypto):

```javascript
const crypto = require('crypto');

// Generate code verifier: 96 random bytes -> 128 base64url characters (within the 43-128 limit)
const codeVerifier = crypto.randomBytes(96).toString('base64url');

// Generate code challenge: SHA-256 of the verifier, base64url encoded without padding
const codeChallenge = crypto.createHash('sha256').update(codeVerifier).digest('base64url');
```
Redirect to the authorization endpoint with PKCE parameters:
GET https://www.make.com/oauth/v2/authorize
Required parameters:
client_id: Your Client ID
response_type: Set to code
redirect_uri: Pre-registered callback URL
scope: Requested permissions
state: Random string for CSRF protection
code_challenge: Generated in Step 1
code_challenge_method: Set to S256
The user:
Logs into Make.com (if not already authenticated)
Reviews and approves the requested permissions
Gets redirected to your redirect_uri with an authorization code
Callback URL format:
https://yourapp.com/callback?code=authorization_code&state=random_state_strin
Make a POST request (can be from frontend or backend):
POST https://www.make.com/oauth/v2/token
Required parameters:
grant_type: Set to authorization_code
code: Authorization code from Step 3
code_verifier: Original code verifier from Step 1
Response:

```json
{
  "access_token": "eyJ...",
  "id_token": "eyJ...",
  "token_type": "Bearer",
  "expires_in": 3600
}
```