Developer Console

Choose an Authorization Grant

The two mechanisms websites can use to obtain access tokens are the Implicit Grant and the Authorization Code Grant. Both authorization grants work by redirecting the user-agent (the user's browser) to for them to login.

After they have logged in, if the website requested an Implicit Grant, the access token is embedded as a fragment in a URI that redirects the user-agent back to the client website. The website then uses a script to obtain the data from the user-agent. If the website requests an authorization code, the user-agent is redirected back to the website and the authorization code is passed as a query string in that URI. The website then makes a secure HTTP call to Amazon behind the scenes to exchange the authorization code for an access token. 

Before you implement a Login with Amazon application, you must choose which authorization grant you will use.

Which grant type is right for your application?

In general, the advantages of one grant mirror the disadvantages of the other grant. The advantage of the Authorization Code Grant is that it can be more secure than the Implicit Grant. The user is not involved in the request for the access token, as that takes place directly between the client website and the authorization service . The Authorization Code Grant also features refresh tokens , which gives the client website almost indefinite access to the user's profile data.

The disadvantage to the Authorization Code Grant is that it can be harder to implement, and it relies on server-side scripting. The Authorization Code Grant also uses more round trips than the Implicit Grant.

The advantage of the implicit grant is that it is relatively simple to implement, as it relies on the web browser to receive and store the access token. If the client architecture does not support server-side scripting, this is the only authorization grant that will work with the Login with Amazon authorization service. The Implicit Grant also makes fewer round trips than the Authorization Code Grant.

The disadvantage of the Implicit Grant is that because the user's browser makes the access token request, the user is exposed to the access token. From a strict security perspective, it can be preferable to conceal this information. Also, in the Implicit Grant, when an access token expires, the user must re-authenticate to continue accessing the resources. The Authorization Code Grant features refresh tokens that can be used to obtain a new access token without involving the user.

If you cannot use server-side scripting, the Implicit Grant is your only choice. If you can use server-side scripting, we recommend choosing the Authorization Code Grant.