# Authorization Code Grant with Proof Key for Code Exchange (PKCE)
The authorization code protocol is part of OAuth 2.0 (defined in [OAuth 2.0 RFC 7636](https://tools.ietf.org/html/rfc7636)). It involves the exchange of an authorization code for a token. This is the recommended authorization code flow in the [OAuth 2.1 draft](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07#section-10).
## Principle of function
```mermaid
---
title: Authorization Code Grant with Proof Key for Code Exchange (PKCE)
---
sequenceDiagram
actor User
User->>App: Click sign-in link (1)
activate App
Note right of App: Generate code_verifier and
code_challenge
App->>Identity Provider: Authorization code request & code_challenge (2)
deactivate App
Identity Provider-->>User: Redirect to login/authorization prompt (3)
User-->>Identity Provider: Authenticate (3)
Identity Provider->>App: Authorization code (3)
activate App
App->>Identity Provider: Authorization code & code verifier (4)
Note right of Identity Provider: Validate authorization code &
code_verifier
Identity Provider->>App: Access token and ID token (4)
deactivate App
App->>Your API: Request protected data with access token (5)
```
1. The user clicks sign-in within the application.
2. `signinRedirect()` or `signinPopup()` must be used to start the flow.
3. The identity provider authenticates the user and stores the code_challenge and redirects the user back to the application with an authorization code.
4. `signinCallback()` handles this callback by sending this authorization code and code_verifier to the identity provider and receiving in return the access token and ID token.
5. The access token is now accessible via `getUser()?.access_token` and inserted into the requests to your protected API.